Skip to main content

Azure & Mondoo - Overview

This page details all of the ways you can use Mondoo to assess security configurations and risk for your infrastructure running in Microsoft Azure.

Gather vulnerability information during build-time​

Gather vulnerability information during run-time​


Sign in​

The Mondoo CLI leverages the configuration from Azure CLI. Install the Azure CLI and log in to your subscription.

  • Sign in with user credentials
  • Sign in using a service principal

Sign in with user credentials

Command Line
az login
az login

Sign in using a service principal​

Test the new service principal's credentials and permissions by signing in. To sign in with a service principal, you need the appId, tenant, and credentials.

To sign in with a service principal using a password:

az login --service-principal --username APP_ID --password PASSWORD --tenant TENANT_ID

To sign in with a certificate, it must be available locally as a PEM or DER file, in ASCII format. When using a PEM file, the PRIVATE KEY and CERTIFICATE must be appended together within the file.

Azure CLI

az login --service-principal --username APP_ID --tenant TENANT_ID --password /path/to/cert

Install Mondoo Client​

Follow our instructions to install the Mondoo Client on your workstation.

Scan Azure Subscription​

  1. Activate the CIS Microsoft Azure Foundations Benchmark Level 1 Profile

  2. Open your terminal and run

Command Line
mondoo scan -t az://subscriptions/{subscriptionid}
  1. See the results

Mondoo Azure Results

Scan Azure Subscriptions including Virtual Machines​

You need your subscription id and the resource group. Run az account list and az vm list to determine those values:

Command Line
az account list

Name CloudName SubscriptionId State IsDefault
-------------------- ----------- ------------------------------------ ------- -----------
Azure subscription 1 AzureCloud 10192451-09aa-4782-1016-1cdfede1026b Enabled True
Command Line
az vm list

Name ResourceGroup Location Zones
------- --------------- ---------- -------
centos DEMO westus
ubuntu DEMO westus
win2019 DEMO westus

Mondoo Client leverages ~/.ssh/config to determine the users for each detected public IP. Instead of using the same ssh username for all instances, you can also configure the SSH config and configure the username for each instance with their username:

User chris

IdentityFile /your/path/keyname

If you require a specific list of instances with more detailed configuration, consider the use of an Ansible inventory


Mondoo supports scanning Windows instances configured to run SSH. In combination with auto-discovery, we rely on SSH Agent and SSH config. Neither method supports password authentication. To increase security, we recommend using public-key authentication for Windows machines that use SSH. Instances can also be scanned ad-hoc using `mondoo scan -t ssh://username@ --password 'mypassword'.

1. Create an inventory

Mondoo has the ability to define a list of assets including the used discovery mechanism.

apiVersion: v1
kind: Inventory
name: mondoo-inventory
environment: production
credential_query: "return { user: 'azureuser', type: 'ssh_agent' }"
- name: azure
- backend: az
insecure: true # to allow missing host-keys
- all
subscriptionID: 56843d4a-b742-4917-abb6-7e7c9900d640
  • credential_query defines the way credentials are retrieved per discovered asset
  • discover defines if mondoo should look for assets within this cloud account
  • options.project defines the Azure project to scan

2. Scan the inventory

$ mondoo scan --inventory inventory.yml