Integrating Azure with ShadowMap

Modified on Fri, 23 Jan at 2:49 PM

ShadowMap supports a secure, read-only integration with Microsoft Azure to automatically discover and continuously track your cloud-based internet-exposed assets. This integration enables ShadowMap to ingest authoritative asset inventory from Azure, ensuring complete coverage of your external attack surface.

This guide walks you through creating a Service Principal (App Registration) with least-privileged permissions and configuring ShadowMap to use these credentials.


To integrate Azure with ShadowMap, you will provide:

  • Tenant ID (Directory ID)

  • Client ID (Application ID)

  • Client Secret (certificate-based authentication may be supported in a future release)


Step 1: Create an Azure App Registration (Service Principal)

  1. Sign in to the Azure Portal.

  2. Go to Microsoft Entra ID (formerly Azure Active Directory).

  3. Navigate to App registrations → New registration.

  4. Provide:

    • Name: ShadowMap-Integration (example)

    • Supported account types: Single tenant (recommended)

    • Redirect URI: Not required for this use-case

  5. Click Register.

After creation, note:

  • Application (client) ID

  • Directory (tenant) ID


Step 2: Create a Client Secret

  1. In the same App Registration, go to Certificates & secrets.

  2. Under Client secrets, click New client secret.

  3. Add a description (e.g., ShadowMap Secret) and select an expiry period aligned to your policy.

  4. Click Add.

  5. Copy the secret value immediately (it will not be shown again).


You now have:

  • Tenant ID

  • Client ID

  • Client Secret


Step 3: Grant Read-Only Access via Azure RBAC


ShadowMap needs read-only access to enumerate resources and extract relevant internet-exposed assets. This is granted via Azure RBAC at the appropriate scope.

  1. Go to Subscriptions → select the target subscription.

  2. Open Access control (IAM).

  3. Click Add → Add role assignment.

  4. Choose role: Reader

  5. Assign access to: User, group, or service principal

  6. Select your app: ShadowMap-Integration

  7. Click Review + assign
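After Steps 1 to 3 it is worth confirming that the service principal really ended up with nothing more than Reader on the intended subscription, and that the secret's expiry matches your policy. The script below is an added example (not ShadowMap's or Microsoft's code) that evaluates snapshots shaped like the output of `az role assignment list --assignee <APP_ID> --all` and `az ad app credential list --id <APP_ID>`; the field names it reads and the sample records are assumptions constructed for the example, so adjust them to the actual output you export.

```python
"""Least-privilege check for the ShadowMap service principal.

Added example, not ShadowMap's or Microsoft's code. The dictionaries below
are constructed to resemble `az role assignment list` and
`az ad app credential list` output; the field names are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: the single assignment Step 3 should produce.
ROLE_ASSIGNMENTS = [
    {
        "principalName": "ShadowMap-Integration",
        "roleDefinitionName": "Reader",
        "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
    },
]

# Constructed sample: secret metadata from Step 2. Only the expiry date is
# needed here; the secret value itself never appears in this listing.
APP_CREDENTIALS = [
    {"displayName": "ShadowMap Secret", "endDateTime": "2026-07-01T00:00:00Z"},
]

# The only role the integration is documented to need.
ALLOWED_ROLES = {"Reader"}


def parse_utc(timestamp):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00"))


def check_role_assignments(assignments, allowed_roles=ALLOWED_ROLES):
    """Return findings for anything beyond Reader at subscription scope."""
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "")
        if role not in allowed_roles:
            findings.append(f"non-read-only role '{role}' at {scope}")
        # A management-group or tenant-root scope is broader than Step 3 grants.
        if not scope.startswith("/subscriptions/"):
            findings.append(f"role '{role}' assigned above subscription scope: {scope}")
    if not assignments:
        findings.append("no role assignment found for the service principal")
    return findings


def check_secret_expiry(credentials, now, max_days):
    """Flag secrets that are already expired or valid longer than max_days."""
    findings = []
    for c in credentials:
        end = parse_utc(c["endDateTime"])
        name = c.get("displayName", "<unnamed>")
        if end <= now:
            findings.append(f"secret '{name}' expired on {end.date()}")
        elif end - now > timedelta(days=max_days):
            findings.append(
                f"secret '{name}' valid beyond policy ({(end - now).days} days)"
            )
    return findings


def audit(assignments, credentials, now=None, max_days=365):
    """Combine both checks; an empty list means the setup matches the guide."""
    now = now or datetime.now(timezone.utc)
    return check_role_assignments(assignments) + check_secret_expiry(
        credentials, now, max_days
    )


if __name__ == "__main__":
    findings = audit(ROLE_ASSIGNMENTS, APP_CREDENTIALS)
    for f in findings:
        print("FINDING:", f)
    print("ok" if not findings else "review needed")
```

Run it against your own exported listings (replace the two constructed lists) whenever the integration's credentials are rotated, so that an accidental Contributor or Owner assignment, or a secret that outlives your rotation policy, is caught before ShadowMap starts using them.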


Step 4: Configure Azure in ShadowMap

  1. Log in to your ShadowMap account.

  2. Navigate to Settings → Cloud Sources.

  3. Select Microsoft Azure Integration.

  4. Click Create New Configuration.

  5. Enter:

    • Configuration Name

    • Tenant ID

    • Client ID

    • Client Secret

    • Subscription ID (or select/add multiple subscriptions, where the UI supports it)

  6. Click Create Source to save and enable the integration.


How Azure Data is Used in ShadowMap


Once the Azure integration is enabled, ShadowMap begins enumerating Azure resources and extracting data used to build and maintain an accurate external attack surface inventory.


Typical data ShadowMap can ingest and correlate includes:

Compute & Public Endpoints

  • Virtual Machines (VMs) and associated network interfaces

  • Public IP addresses linked to workloads

  • App Services / Web Apps public hostnames (where applicable)

Networking & Exposure Mapping

  • Load Balancers (public-facing frontends)

  • Application Gateways (including WAF-enabled gateways)

  • Azure Front Door endpoints

  • Network Security Group (NSG) metadata (useful for exposure context)

DNS & Sub-domain Discovery

  • Azure DNS Zones and DNS record sets (sub-domains, A/AAAA/CNAME records, etc.)

Storage & Internet-Accessible Services

  • Storage Accounts and relevant public endpoints (e.g., blob endpoints)

  • Additional services that expose public endpoints depending on what is deployed

These elements are then:

  • Continuously monitored for changes.

  • Automatically included in ShadowMap's scanning engine.

  • Evaluated for vulnerabilities, misconfigurations, and threats.
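The correlation described in this section, joining DNS record sets against the public IP resources in a subscription, can be illustrated with a small script. The example below is added here and is not ShadowMap's code; its input records are constructed, and their field names only loosely follow Azure resource properties rather than the real API schema. It resolves CNAME chains inside one zone, links each hostname to the public IP resource that serves it, and separates three cases a practitioner cares about: names that land on an IP in the subscription, names whose IP is not in the subscription inventory, and names that point at targets outside the zone.

```python
"""Join Azure DNS record sets to public IP resources into one asset inventory.

Added example, not ShadowMap's code. PUBLIC_IPS and RECORD_SETS are
constructed samples; the field names are assumptions, not the Azure schema.
"""

# Constructed: public IP resources and the workload each one fronts.
PUBLIC_IPS = [
    {"name": "pip-web-lb", "ipAddress": "203.0.113.10", "attachedTo": "lb-web-frontend"},
    {"name": "pip-vm-bastion", "ipAddress": "203.0.113.20", "attachedTo": "vm-bastion-nic"},
]

# Constructed: record sets from one Azure DNS zone.
DNS_ZONE = "example.com"
RECORD_SETS = [
    {"name": "www", "type": "A", "records": ["203.0.113.10"]},
    {"name": "portal", "type": "CNAME", "records": ["www.example.com"]},
    {"name": "app", "type": "CNAME", "records": ["app-prod.azurewebsites.net"]},
    {"name": "mail", "type": "A", "records": ["198.51.100.5"]},
    {"name": "@", "type": "TXT", "records": ["v=spf1 -all"]},
]

ADDRESS_TYPES = ("A", "AAAA")


def fqdn(name, zone):
    """Azure uses '@' for the zone apex; everything else is a relative name."""
    return zone if name == "@" else f"{name}.{zone}"


def build_inventory(record_sets, public_ips, zone):
    """One entry per (hostname, ip) pair, tagged with how it was resolved."""
    by_host = {fqdn(r["name"], zone): r for r in record_sets}
    ip_owner = {p["ipAddress"]: p for p in public_ips}
    inventory = []
    for host, rs in by_host.items():
        if rs["type"] not in ADDRESS_TYPES + ("CNAME",):
            continue  # TXT, MX, etc. do not name an exposed endpoint
        target, cur, seen = host, rs, set()
        # Follow CNAMEs while they stay inside this zone; stop on a loop.
        while cur is not None and cur["type"] == "CNAME":
            target = cur["records"][0]
            if target in seen:
                break
            seen.add(target)
            cur = by_host.get(target)
        ips = list(cur["records"]) if cur and cur["type"] in ADDRESS_TYPES else []
        if not ips:
            # cur is None when the CNAME left the zone (e.g. an App Service
            # hostname); otherwise the chain looped or ended on a non-address.
            status = "external-target" if cur is None else "unresolved"
            inventory.append({"host": host, "target": target, "ip": None,
                              "resource": None, "status": status})
            continue
        for ip in ips:
            owner = ip_owner.get(ip)
            inventory.append({
                "host": host, "target": target, "ip": ip,
                "resource": owner["name"] if owner else None,
                "status": "in-subscription" if owner else "ip-not-in-subscription",
            })
    return inventory


def status_by_host(inventory):
    return {e["host"]: e["status"] for e in inventory}


def unnamed_public_ips(inventory, public_ips):
    """Public IPs in the subscription that no record in the zone points to."""
    named = {e["ip"] for e in inventory if e["ip"]}
    return [p["ipAddress"] for p in public_ips if p["ipAddress"] not in named]


if __name__ == "__main__":
    inv = build_inventory(RECORD_SETS, PUBLIC_IPS, DNS_ZONE)
    for e in inv:
        print(f"{e['host']:22} -> {e['ip'] or e['target']:30} {e['status']}")
    print("public IPs without a DNS name:", unnamed_public_ips(inv, PUBLIC_IPS))
```

The two lists this produces are exactly the coverage questions an attack-surface inventory has to answer: every hostname the zone advertises is accounted for (in the subscription, outside it, or pointing at an external service), and every public IP in the subscription is accounted for even when nothing in DNS names it.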
