Applies to BloodHound Enterprise only

The AzureHound Enterprise service is a critical element in your deployment: it collects data about your Microsoft Entra ID and Azure environments and uploads it to your BloodHound Enterprise tenant for processing and analysis.

AzureHound Enterprise is generally deployed as a service on a single Windows system per Entra ID tenant. At minimum, you need one AzureHound server covering the tenants in scope and one Entra ID Enterprise Application (service principal) for each tenant. Running multiple AzureHound collector instances on a single server requires the collectors to be installed as Scheduled Tasks instead of Windows Services; installation instructions for that configuration can be found at: Setting up multiple AzureHound collectors on the same server with scheduled tasks.

While it is possible to run both AzureHound and SharpHound on the same machine, the hardware recommendations for each application still apply, so a shared host needs to satisfy both.

Deployment Process Overview

To deploy a new AzureHound collector service:
  1. Configure Entra ID and Azure: AzureHound Enterprise Azure Configuration
  2. Create your AzureHound configuration: Create an AzureHound Configuration
  3. Deploy and maintain AzureHound: Run and Upgrade AzureHound (Windows, Docker, or Kubernetes)

Server Requirements

Hardware

                     Minimum             Recommended         Large Enterprise
  Processor cores    2 physical cores    4 physical cores    6 physical cores
  Memory             4 GB RAM            16 GB RAM           32 GB RAM
  Hard disk space    1 GB for logging    5 GB for logging    20 GB for logging
These recommendations should be considered a baseline that may need to be increased depending on the size and complexity of your Microsoft Entra ID and Azure environments.

Software

AzureHound Enterprise supports several deployment options; one of the following is required:
  • Windows Server 2019+ with .NET Framework 4.7.2+
  • Docker
  • Kubernetes

Network

  • TLS on 443/TCP to your BloodHound Enterprise tenant URL (provided by your account team)
  • TLS on 443/TCP to your Azure environment. Required domains are:
    • login.microsoftonline.com
      • Required for authentication to Entra ID and Azure.
    • msidentity.com (CNAME of login.microsoftonline.com)
      • Required for authentication to Entra ID and Azure.
    • graph.microsoft.com
      • Required for collection of attack path data from Microsoft Entra ID.
    • management.azure.com
      • Required for collection of attack path data from Microsoft Azure Resource Manager.
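The following connectivity check is an added example written for this page; it is not part of the AzureHound documentation or the AzureHound project. Run it on the collector host before installing the service. It goes beyond a plain port test: for each endpoint it opens a raw TLS session and reports the issuer of the certificate it was handed, which reveals a TLS-inspecting proxy that would present its own certificate instead of Microsoft's or your tenant's. The tenant host name is a placeholder you must replace with the URL from your account team; Test-NetConnection and Resolve-DnsName ship with Windows Server.

```powershell
# Added example, not from the AzureHound documentation or project. Confirms outbound 443/TCP
# and a clean TLS handshake from the collector host to every endpoint listed above.
# Assumption: $TenantUrl is the host name of your BloodHound Enterprise tenant (placeholder
# used in the usage line below).
function Test-AzureHoundEgress {
    param([Parameter(Mandatory)][string]$TenantUrl)

    $endpoints = @($TenantUrl, 'login.microsoftonline.com', 'graph.microsoft.com', 'management.azure.com')

    foreach ($fqdn in $endpoints) {
        $tcp = Test-NetConnection -ComputerName $fqdn -Port 443 -WarningAction SilentlyContinue
        $tlsOk = $false; $issuer = $null; $errorText = $null
        $client = $null; $ssl = $null

        if ($tcp.TcpTestSucceeded) {
            try {
                # A raw TLS handshake (no HTTP request) shows whether the session terminates at the
                # real endpoint or at an inspecting proxy presenting its own certificate.
                $client = [System.Net.Sockets.TcpClient]::new($fqdn, 443)
                $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
                $ssl.AuthenticateAsClient($fqdn)
                $tlsOk = $ssl.IsAuthenticated
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
                $issuer = $cert.Issuer
            } catch {
                # Chain validation failures (e.g. an untrusted proxy CA) land here.
                $errorText = $_.Exception.Message
            } finally {
                if ($ssl) { $ssl.Dispose() }
                if ($client) { $client.Dispose() }
            }
        }

        [pscustomobject]@{
            Endpoint = $fqdn
            TcpOpen  = $tcp.TcpTestSucceeded
            TlsOk    = $tlsOk
            Issuer   = $issuer
            Error    = $errorText
        }
    }
}

# Usage: replace the placeholder with the tenant URL provided by your account team.
Test-AzureHoundEgress -TenantUrl 'example.bloodhoundenterprise.io' | Format-Table -AutoSize

# login.microsoftonline.com is reached through a CNAME under msidentity.com, which is why that
# domain must be allowed as well; show the chain so the firewall/proxy rule can be verified.
Resolve-DnsName -Name 'login.microsoftonline.com' -Type CNAME -ErrorAction SilentlyContinue |
    Select-Object Name, Type, NameHost
```

Every row should show TcpOpen and TlsOk as True with an issuer you expect for that endpoint. An unexpected issuer means the session is being intercepted; the collector will only work through such a proxy if the proxy's CA is trusted by the host. If outbound traffic must go through an explicit proxy, the raw socket test cannot use it and will report failures on its own; test through the proxy with Invoke-WebRequest -Proxy in that case.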

Service Principal Requirements

The AzureHound Enterprise service runs as an Entra ID registered application with a corresponding service principal (Enterprise application) and requires the following permissions: the Directory Readers Entra ID role and the Microsoft Graph Directory.Read.All application permission. Both are required. Although they overlap, they are distinct, and AzureHound relies on both to ensure complete attack path data collection.
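The check below is an added example written for this page, not code from the AzureHound documentation or project. It uses the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph, version 2.x assumed) to confirm that the AzureHound service principal holds both grants: the Directory.Read.All application permission (an app role assignment on the Microsoft Graph service principal, which only exists once admin consent has been granted) and membership in the Directory Readers directory role. The application (client) ID is a placeholder parameter; the caller is assumed to have rights to read service principals and directory role membership.

```powershell
# Added example, not from the AzureHound documentation or project.
# Assumption: $AppId is the application (client) ID of the AzureHound app registration.
function Test-AzureHoundServicePrincipal {
    param([Parameter(Mandatory)][string]$AppId)

    Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "No service principal (Enterprise application) found for appId $AppId" }

    # Application permissions are app roles defined on the Microsoft Graph service principal
    # (well-known appId 00000003-0000-0000-c000-000000000000); a grant is an app role assignment
    # from the AzureHound service principal to that resource. Resolve the role ID by value
    # rather than hardcoding it.
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    $dirReadAll = $graphSp.AppRoles |
        Where-Object { $_.Value -eq 'Directory.Read.All' -and $_.AllowedMemberTypes -contains 'Application' }

    $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
    $hasGraphPermission = [bool]($assignments |
        Where-Object { $_.ResourceId -eq $graphSp.Id -and $_.AppRoleId -eq $dirReadAll.Id })

    # Get-MgDirectoryRole lists only roles that have been activated in the tenant; a directory
    # role is activated the first time a member is assigned, so "not found" also means "not assigned".
    $dirReaders = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -eq 'Directory Readers' }
    $hasDirectoryRole = $false
    if ($dirReaders) {
        $members = Get-MgDirectoryRoleMember -DirectoryRoleId $dirReaders.Id -All
        $hasDirectoryRole = [bool]($members | Where-Object { $_.Id -eq $sp.Id })
    }

    [pscustomobject]@{
        ServicePrincipal     = $sp.DisplayName
        ObjectId             = $sp.Id
        'Directory.Read.All' = $hasGraphPermission   # Graph application permission, consent granted
        'Directory Readers'  = $hasDirectoryRole     # Entra ID directory role membership
        Ready                = ($hasGraphPermission -and $hasDirectoryRole)
    }
}

# Usage: placeholder appId, replace with the client ID of the AzureHound app registration.
Test-AzureHoundServicePrincipal -AppId '00000000-0000-0000-0000-000000000000'
```

Ready must be True before the collector is started; if only one of the two columns is True the collector will authenticate but the data set will be incomplete. Run it once per tenant, since each tenant has its own Enterprise Application instance.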