Deployment Process Overview
To deploy a new AzureHound collector service:

- Configure Entra ID and Azure: AzureHound Enterprise Azure Configuration
- Create your AzureHound configuration: Create an AzureHound Configuration
- Deploy and maintain AzureHound: Run and Upgrade AzureHound (Windows, Docker, or Kubernetes)
Server Requirements
Hardware
| Resource | Minimum | Recommended | Large enterprise |
|---|---|---|---|
| Processor cores | 2 physical cores | 4 physical cores | 6 physical cores |
| Memory | 4 GB RAM | 16 GB RAM | 32 GB RAM |
| Hard disk space | 1 GB for logging | 5 GB for logging | 20 GB for logging |
Software
AzureHound Enterprise supports several deployment options:

- Windows Server 2019+
- .NET 4.7.2+
- Docker
- Kubernetes
Network
- TLS on 443/TCP to your BloodHound Enterprise tenant URL (provided by your account team)
- TLS on 443/TCP to your Azure environment. Required domains are:
  - login.microsoftonline.com: required for authentication to Entra ID and Azure.
  - msidentity.com (CNAME of login.microsoftonline.com): required for authentication to Entra ID and Azure.
  - graph.microsoft.com: required for collection of attack path data from Microsoft Entra ID.
  - management.azure.com: required for collection of attack path data from Microsoft Azure Resource Manager.
Service Principal Requirements
The AzureHound Enterprise service runs as an Entra ID registered application with a corresponding service principal (Enterprise application) and requires the following permissions:

- Entra ID Directory Reader directory role, permanently active (not PIM-eligible only).
- Microsoft Graph Directory.Read.All application permission (admin consent required).
- Microsoft Graph RoleManagement.Read.All application permission (admin consent required).
- Azure Reader role on all Azure subscriptions, ideally assigned at the tenant root group (root management group) scope.
Both the Directory Reader role and the Directory.Read.All permission are required. Although they overlap, they are distinct, and AzureHound relies on both to ensure complete attack path data collection.
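The four requirements above are easy to get partly right (for example, consenting Directory.Read.All but forgetting RoleManagement.Read.All, or assigning Reader on one subscription instead of the tenant root group). The following is an added example, not AzureHound's or BloodHound's own code, that evaluates the principal's grants offline against this checklist. It works on JSON in the shape an operator would export from Microsoft Graph (the Graph service principal's `appRoles`, the collector principal's `appRoleAssignments`, and its `roleManagement/directory/roleAssignments`) and from Azure Resource Manager (role definitions and role assignments). All sample data is constructed; every GUID, subscription id and tenant id is a placeholder rather than a real Microsoft identifier, and the function names are this example's own.

```python
"""Offline prerequisite check for an AzureHound Enterprise service principal.

Added example (not AzureHound's or BloodHound's own code). All sample data
below is constructed; every GUID is a placeholder, not a real Microsoft role
or app-role identifier. Permission names are resolved through the Graph
service principal's appRoles list rather than hard-coded GUIDs.
"""
from __future__ import annotations

# Constructed placeholder identifiers.
PRINCIPAL_ID = "00000000-0000-0000-0000-00000000aaaa"   # AzureHound service principal object id
TENANT_ID = "11111111-1111-1111-1111-111111111111"
MSGRAPH_SP_ID = "22222222-2222-2222-2222-222222222222"  # Microsoft Graph service principal in the tenant
ROOT_MG_SCOPE = f"/providers/Microsoft.Management/managementGroups/{TENANT_ID}"

REQUIRED_GRAPH_APP_ROLES = {"Directory.Read.All", "RoleManagement.Read.All"}
DIRECTORY_READERS_ROLE_NAME = "Directory Readers"  # displayName of the built-in directory role

# Constructed: appRoles published by the Microsoft Graph service principal
# (shape of GET /servicePrincipals/{MSGRAPH_SP_ID}?$select=appRoles).
GRAPH_APP_ROLES = [
    {"id": "aaaa0001-0000-0000-0000-000000000000", "value": "Directory.Read.All"},
    {"id": "aaaa0002-0000-0000-0000-000000000000", "value": "RoleManagement.Read.All"},
    {"id": "aaaa0003-0000-0000-0000-000000000000", "value": "User.Read.All"},
]

# Constructed: GET /servicePrincipals/{PRINCIPAL_ID}/appRoleAssignments.
# Directory.Read.All is granted; RoleManagement.Read.All is deliberately missing.
APP_ROLE_ASSIGNMENTS = [
    {"appRoleId": "aaaa0001-0000-0000-0000-000000000000", "resourceId": MSGRAPH_SP_ID, "principalId": PRINCIPAL_ID},
    {"appRoleId": "aaaa0003-0000-0000-0000-000000000000", "resourceId": MSGRAPH_SP_ID, "principalId": PRINCIPAL_ID},
]

# Constructed: GET /roleManagement/directory/roleAssignments?$expand=roleDefinition,
# filtered to this principal. Only active assignments appear in this collection;
# a PIM-eligible-only assignment would not, which is the distinction the requirement draws.
DIRECTORY_ROLE_ASSIGNMENTS = [
    {"principalId": PRINCIPAL_ID, "directoryScopeId": "/",
     "roleDefinition": {"displayName": "Directory Readers"}},
]

# Constructed: ARM role definitions (id -> roleName) and this principal's role assignments.
# Reader is held on a single subscription only, not at the tenant root group.
RBAC_ROLE_DEFINITIONS = {
    "/providers/Microsoft.Authorization/roleDefinitions/bbbb0001-0000-0000-0000-000000000000": "Reader",
    "/providers/Microsoft.Authorization/roleDefinitions/bbbb0002-0000-0000-0000-000000000000": "Contributor",
}
RBAC_ROLE_ASSIGNMENTS = [
    {"properties": {
        "principalId": PRINCIPAL_ID,
        "scope": "/subscriptions/33333333-3333-3333-3333-333333333333",
        "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/bbbb0001-0000-0000-0000-000000000000",
    }},
]


def granted_graph_permissions(app_roles, assignments, principal_id, msgraph_sp_id) -> set[str]:
    """Map the principal's Graph appRoleAssignments back to permission names."""
    id_to_value = {role["id"]: role["value"] for role in app_roles}
    return {
        id_to_value[a["appRoleId"]]
        for a in assignments
        if a["principalId"] == principal_id
        and a["resourceId"] == msgraph_sp_id      # ignore grants against other resource apps
        and a["appRoleId"] in id_to_value
    }


def has_active_directory_readers(directory_assignments, principal_id) -> bool:
    """True when Directory Readers is actively assigned at tenant scope ("/")."""
    return any(
        a["principalId"] == principal_id
        and a["roleDefinition"]["displayName"] == DIRECTORY_READERS_ROLE_NAME
        and a.get("directoryScopeId") == "/"
        for a in directory_assignments
    )


def reader_scopes(role_definitions, rbac_assignments, principal_id) -> list[str]:
    """Scopes at which the principal holds the Azure Reader role."""
    return sorted(
        props["scope"]
        for a in rbac_assignments
        for props in [a["properties"]]
        if props["principalId"] == principal_id
        and role_definitions.get(props["roleDefinitionId"]) == "Reader"
    )


def evaluate(app_roles, app_role_assignments, directory_assignments,
             role_definitions, rbac_assignments, principal_id, msgraph_sp_id, root_mg_scope) -> dict:
    """Return the checklist result; an empty missing list and all-True flags mean the principal is ready."""
    granted = granted_graph_permissions(app_roles, app_role_assignments, principal_id, msgraph_sp_id)
    scopes = reader_scopes(role_definitions, rbac_assignments, principal_id)
    return {
        "missing_graph_permissions": sorted(REQUIRED_GRAPH_APP_ROLES - granted),
        "directory_readers_active": has_active_directory_readers(directory_assignments, principal_id),
        "reader_scopes": scopes,
        "reader_at_root_management_group": root_mg_scope in scopes,
    }


if __name__ == "__main__":
    result = evaluate(GRAPH_APP_ROLES, APP_ROLE_ASSIGNMENTS, DIRECTORY_ROLE_ASSIGNMENTS,
                      RBAC_ROLE_DEFINITIONS, RBAC_ROLE_ASSIGNMENTS,
                      PRINCIPAL_ID, MSGRAPH_SP_ID, ROOT_MG_SCOPE)
    for check, value in result.items():
        print(f"{check}: {value}")
```

With the constructed data the report flags RoleManagement.Read.All as missing and shows Reader only on one subscription rather than at the root management group, while the Directory Readers check passes. Resolving permission names through the Graph service principal's `appRoles` list, and the Azure role name through the role definition, keeps the check independent of hard-coded GUIDs; the same functions run unchanged on real exports once the sample lists are swapped for the tenant's own.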