
Azure Defender Integration

The Azure Defender connector (Azure Defender is now sold as Microsoft Defender for Cloud; the portal uses the newer name) uses a service principal with subscription-level Reader access, plus Security Reader for alerts, to collect the Defender for Cloud secure score, unhealthy resource assessments, and active security alerts. Authentication uses the OAuth2 client-credentials grant: no password, user account, or interactive sign-in is involved.

Collected on each sync:

  • Defender for Cloud secure score
  • Unhealthy resource assessments
  • Active security alerts
  • Per-subscription evidence items

At a glance:

  • Minimum Azure RBAC role required: Reader
  • Authentication method: OAuth2 (client credentials)
  • Example ISO 27001 control mappings: A.8.8, A.5.36

Prerequisites

Register an app in Azure AD

Create an app registration in your Azure AD tenant and grant it subscription-level Reader access.

Create the app registration

In Azure Portal → Azure Active Directory (labelled Microsoft Entra ID in the current portal) → App registrations → New registration.

  • Name: aisec-readonly (or similar)
  • Supported account types: Accounts in this organizational directory only
  • No redirect URI needed (this is a backend service principal)
  • After creating, note the Application (client) ID and the Directory (tenant) ID

Create a client secret

In the app registration, go to Certificates & secrets → Client secrets → New client secret.

  • Description: aisec-integration
  • Expiry: 12 months or 24 months (24 is the portal's maximum; shorter is safer). Record the expiry date and rotate the secret in AISEC before it lapses, since an expired secret fails every sync
  • Copy the secret value immediately; it is shown only once, and afterwards the portal displays only its ID and expiry
  • Hold it in a password manager only until you enter it in AISEC, then remove any other copies

Assign subscription Reader role

Go to Subscriptions → your subscription → Access control (IAM) → Add role assignment.

  • Role: Reader
  • Assign access to: User, group, or service principal
  • Select the app registration you just created
  • Repeat for each subscription you want to include

Grant Security Reader (recommended)

Reader is enough for the secure score and assessment evidence. For the Security Alerts evidence item, also assign the Security Reader role at subscription scope; without it the alerts call can return 403 and that item stays empty.

  • Role: Security Reader
  • Same assignment flow as Reader above, at the same subscription scope
  • Needed to read /providers/Microsoft.Security/alerts
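A way to confirm the role assignments before you connect, as an added example (this is not AISEC's code and not an Azure SDK call): it reads the JSON returned by GET https://management.azure.com/subscriptions/{sub}/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=principalId eq '{object-id}' and reports which of Reader and Security Reader the principal holds at subscription scope (an assignment at a management group or the root scope also counts; one on a resource group does not, which is the usual cause of a 403 that only affects some calls). The role-definition GUIDs are the built-in ones from Azure's built-in roles reference; confirm them against a roleDefinitions listing in your own tenant. One detail the portal hides: principalId in these records is the service principal's Object ID (shown under Enterprise applications), not the Application (client) ID. The sample assignment list, subscription ID and object ID below are constructed.

```python
"""Check that a service principal holds the roles the connector needs.

Added example, not part of AISEC. It inspects the JSON that
GET /subscriptions/{sub}/providers/Microsoft.Authorization/roleAssignments
    ?api-version=2022-04-01&$filter=principalId eq '{object-id}'
returns. Network access is left to the caller; the sample below is constructed.
"""
import json
import uuid

# Built-in role definition IDs (assumption: confirm against
# GET .../providers/Microsoft.Authorization/roleDefinitions in your tenant).
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
SECURITY_READER = "39bc4728-0917-49c7-9d2c-d95423bc2eb4"
ROLE_NAMES = {READER: "Reader", SECURITY_READER: "Security Reader"}


def covers_subscription(scope: str, subscription_id: str) -> bool:
    """True if an assignment at `scope` applies to the whole subscription.

    Subscription scope or any ancestor (management group, root "/") counts;
    a resource-group or resource scope below the subscription does not.
    """
    scope = scope.rstrip("/").lower() or "/"
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    if scope in (sub_scope, "/"):
        return True
    return scope.startswith("/providers/microsoft.management/managementgroups/")


def roles_held(assignments: dict, principal_object_id: str, subscription_id: str) -> set:
    """Names of the needed roles this principal holds at subscription scope."""
    held = set()
    for item in assignments.get("value", []):
        props = item["properties"]
        if props["principalId"].lower() != principal_object_id.lower():
            continue  # $filter should already do this; defend against a missing filter
        role_guid = props["roleDefinitionId"].rsplit("/", 1)[-1].lower()
        if role_guid in ROLE_NAMES and covers_subscription(props["scope"], subscription_id):
            held.add(ROLE_NAMES[role_guid])
    return held


def missing_roles(assignments: dict, principal_object_id: str, subscription_id: str) -> set:
    return set(ROLE_NAMES.values()) - roles_held(assignments, principal_object_id, subscription_id)


def role_assignment_request(subscription_id: str, principal_object_id: str, role_guid: str) -> tuple:
    """Build the PUT that the portal's 'Add role assignment' performs, at subscription scope.

    Returns (url, body). The assignment name is a fresh GUID chosen by the caller.
    """
    name = str(uuid.uuid4())
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           f"/providers/Microsoft.Authorization/roleAssignments/{name}?api-version=2022-04-01")
    body = {"properties": {
        "roleDefinitionId": f"/subscriptions/{subscription_id}/providers/Microsoft.Authorization/roleDefinitions/{role_guid}",
        "principalId": principal_object_id,   # service principal Object ID, not the App (client) ID
        "principalType": "ServicePrincipal",  # avoids replication-lag failures on newly created principals
    }}
    return url, body


# Constructed sample: Reader at subscription scope, but Security Reader only on one
# resource group, which is exactly the setup that yields 403 on the alerts call.
SUBSCRIPTION = "11111111-2222-3333-4444-555555555555"
SP_OBJECT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_ASSIGNMENTS = {"value": [
    {"properties": {"principalId": SP_OBJECT_ID,
                    "roleDefinitionId": f"/subscriptions/{SUBSCRIPTION}/providers/Microsoft.Authorization/roleDefinitions/{READER}",
                    "scope": f"/subscriptions/{SUBSCRIPTION}"}},
    {"properties": {"principalId": SP_OBJECT_ID,
                    "roleDefinitionId": f"/subscriptions/{SUBSCRIPTION}/providers/Microsoft.Authorization/roleDefinitions/{SECURITY_READER}",
                    "scope": f"/subscriptions/{SUBSCRIPTION}/resourceGroups/rg-prod"}},
]}

if __name__ == "__main__":
    print("held:", roles_held(SAMPLE_ASSIGNMENTS, SP_OBJECT_ID, SUBSCRIPTION))
    print("missing:", missing_roles(SAMPLE_ASSIGNMENTS, SP_OBJECT_ID, SUBSCRIPTION))
    url, body = role_assignment_request(SUBSCRIPTION, SP_OBJECT_ID, SECURITY_READER)
    print(url)
    print(json.dumps(body, indent=2))
```

Run it against the real listing (with a bearer token for https://management.azure.com) once per subscription you entered in AISEC; an empty `missing_roles` result for every subscription is what you want before clicking Connect.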

Configuration

Connect Azure Defender in AISEC

Enter the app registration details in Settings → Integrations → Azure Defender → Configure.

Step-by-step

  • Azure Tenant ID: the Directory (tenant) ID from your app registration overview
  • App Client ID: the Application (client) ID from your app registration overview
  • App Client Secret: the secret value you copied when creating the client secret
  • Subscription ID(s): one or more Azure subscription IDs (GUIDs), comma-separated with no spaces (e.g. sub-id-1,sub-id-2); each one must have the role assignments above
  • Sync frequency: daily is sufficient for posture data; use hourly if you want near-real-time alert tracking
  • Click Connect, then Sync now for an immediate first collection

Evidence collected

What appears in your evidence register

Three evidence items are produced per subscription on each sync.

Secure Score

Percentage score and raw current/maximum values from the Defender for Cloud secure score endpoint.

  • Maps to ISO 27001: A.8.8, A.5.36
  • Maps to SOC 2: CC7.1

Resource Assessments

Total assessment count, unhealthy count, and high-severity recommendation names.

  • Maps to ISO 27001: A.8.8, A.8.9
  • Maps to SOC 2: CC7.1

Security Alerts

Active alert count broken down by severity, with sample alert display names.

  • Maps to ISO 27001: A.8.16, A.5.25
  • Maps to SOC 2: CC7.2
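The collection the connector performs, written out as an added example rather than AISEC's own code: the client-credentials token request behind the Configuration step, the three Microsoft.Security endpoints, and the reduction of their responses into the three evidence items listed above. The api-version values and the `$expand=metadata` parameter (which is what makes the severity field available on assessments) are taken from the Microsoft.Security REST reference as documented at the time of writing; verify them before relying on this. The sample responses are constructed to match the documented payload shapes so the summarisers run offline; `get_json` is the only function that touches the network.

```python
"""Turn Defender for Cloud API responses into the three per-subscription evidence items.

Added example, not AISEC's collector. Endpoint paths and api-version values are
assumptions taken from the Microsoft.Security REST reference; sample payloads are constructed.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter

ARM = "https://management.azure.com"


def token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple:
    """(url, form body) for the OAuth2 client-credentials grant on the v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{ARM}/.default",  # ARM audience; one token serves every call below
    })
    return url, body


def endpoints(subscription_id: str) -> dict:
    base = f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Security"
    return {
        "secure_score": f"{base}/secureScores/ascScore?api-version=2020-01-01",
        "assessments": f"{base}/assessments?api-version=2020-01-01&$expand=metadata",
        "alerts": f"{base}/alerts?api-version=2022-01-01",
    }


def get_json(url: str, bearer: str) -> dict:
    """Plain GET with the bearer token; 401/403 surface as HTTPError (see Troubleshooting)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def secure_score_evidence(resp: dict) -> dict:
    score = resp.get("properties", {}).get("score") or {}
    current, maximum = score.get("current"), score.get("max")
    # An empty score block means Defender for Cloud is not enabled: report None, not 0%
    pct = round(100 * current / maximum, 1) if current is not None and maximum else None
    return {"type": "secure_score", "current": current, "max": maximum, "percentage": pct}


def assessments_evidence(resp: dict) -> dict:
    items = resp.get("value", [])
    unhealthy = [a for a in items if a["properties"].get("status", {}).get("code") == "Unhealthy"]
    high = sorted({a["properties"]["displayName"] for a in unhealthy
                   if a["properties"].get("metadata", {}).get("severity") == "High"})
    return {"type": "resource_assessments", "total": len(items),
            "unhealthy": len(unhealthy), "high_severity": high}


def alerts_evidence(resp: dict, samples: int = 3) -> dict:
    active = [a["properties"] for a in resp.get("value", []) if a["properties"].get("status") == "Active"]
    by_sev = Counter(a.get("severity", "Unknown") for a in active)
    return {"type": "security_alerts", "active": len(active), "by_severity": dict(by_sev),
            "sample_names": [a["alertDisplayName"] for a in active[:samples]]}


def collect(subscription_id: str, score: dict, assessments: dict, alerts: dict) -> list:
    """The three evidence items one sync produces for one subscription."""
    items = [secure_score_evidence(score), assessments_evidence(assessments), alerts_evidence(alerts)]
    for item in items:
        item["subscription_id"] = subscription_id
    return items


# Constructed sample responses shaped like the documented payloads.
SAMPLE_SCORE = {"name": "ascScore", "properties": {"displayName": "ASC score",
                "score": {"max": 60, "current": 45.3, "percentage": 0.755}}}
SAMPLE_ASSESSMENTS = {"value": [
    {"properties": {"displayName": "MFA should be enabled on accounts with owner permissions",
                    "status": {"code": "Unhealthy"}, "metadata": {"severity": "High"}}},
    {"properties": {"displayName": "Storage accounts should restrict network access",
                    "status": {"code": "Unhealthy"}, "metadata": {"severity": "Medium"}}},
    {"properties": {"displayName": "Secure transfer to storage accounts should be enabled",
                    "status": {"code": "Healthy"}, "metadata": {"severity": "High"}}},
]}
SAMPLE_ALERTS = {"value": [
    {"properties": {"alertDisplayName": "Suspicious authentication activity", "severity": "High", "status": "Active"}},
    {"properties": {"alertDisplayName": "Unusual data extraction", "severity": "Medium", "status": "Active"}},
    {"properties": {"alertDisplayName": "Old alert", "severity": "Low", "status": "Resolved"}},
]}

if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"  # constructed
    print(json.dumps(collect(sub, SAMPLE_SCORE, SAMPLE_ASSESSMENTS, SAMPLE_ALERTS), indent=2))
```

Note that only alerts with `status` equal to `Active` are counted, so a backlog of resolved or dismissed alerts does not inflate the CC7.2 evidence, and that a missing score block is reported as `None` rather than 0%, which keeps a subscription without Defender for Cloud enabled from looking like a failing one.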

Troubleshooting

Common issues

  • AuthenticationError — verify the tenant ID, client ID, and client secret are entered correctly with no leading/trailing spaces, and that the tenant ID is the one the app is registered in (a multi-tenant mix-up fails the token request the same way).
  • 403 on assessments or alerts — the Security Reader role may not be assigned, or may be assigned at resource-group rather than subscription scope; add it at subscription scope for every subscription listed in the configuration.
  • Empty secure score response — Defender for Cloud may not be enabled on the subscription; enabling the free tier (Foundational CSPM) in Azure Portal is enough to produce a score.
  • Expired client secret — re-enter the new secret value in AISEC before the old one expires to avoid sync failures; the app registration's Certificates & secrets page shows each secret's expiry date.

Related

  • All integrations
  • Microsoft 365 guide
  • Evidence section
