
Test or Troubleshoot an Azure Integration

Troubleshoot a Mondoo Azure integration by scanning from cnspec to isolate certificate, secret, and app registration issues.

If an Azure integration fails to scan, run the same checks from cnspec to isolate whether the issue is the certificate, the app registration, or your permissions.

Scan with cnspec

  1. Download the latest cnspec from releases.mondoo.com/cnspec. For example:

    wget https://releases.mondoo.com/cnspec/13.0.0/cnspec_13.0.0_linux_amd64.tar.gz
    tar -xvf cnspec_13.0.0_linux_amd64.tar.gz

  2. Scan your Azure subscription:

    cnspec scan azure \
      --subscription YOUR-SUBSCRIPTION-ID \
      --tenant-id YOUR-TENANT-ID \
      --client-id YOUR-CLIENT-ID \
      --certificate-path certificate.combo.pem \
      --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-azure-security.mql.yaml

    The client ID is the same as the application ID (or app ID).

Pay attention to queries with Error results. They usually point at missing permissions.

If the certificate scan fails, try a client secret

Authenticate with a client secret to isolate certificate issues:

  1. Create a client secret:

    1. In the Azure portal, open Microsoft Entra ID > App registrations.
    2. Select the Mondoo app.
    3. Select Certificates & secrets > New client secret.
    4. Enter a description and a Duration.
    5. Select Add and copy the Value immediately (it disappears shortly).
  2. Scan with the secret:

    cnspec scan azure \
      --subscription YOUR-SUBSCRIPTION-ID \
      --tenant-id YOUR-TENANT-ID \
      --client-id YOUR-CLIENT-ID \
      --client-secret YOUR-CLIENT-SECRET-VALUE \
      --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-azure-security.mql.yaml

    If this scan succeeds, the issue is the certificate. Generate and upload a new one.
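
To see why the certificate is the problem before replacing it, this added example (not part of Mondoo's documentation or tooling) checks the PEM file locally with openssl. It assumes certificate.combo.pem holds an unencrypted private key and its certificate in one file; the function name check_combo_pem and its return codes are invented for this example.

```shell
#!/usr/bin/env bash
# Added example (not Mondoo's code): local checks on the PEM passed to
# cnspec with --certificate-path, before regenerating it.
# Assumption: the file holds an unencrypted private key plus its certificate.

# check_combo_pem FILE [MIN_DAYS]
# Returns: 0 usable, 1 unreadable, 2 no private key block, 3 no certificate
# block, 4 expired or expiring within MIN_DAYS, 5 key/certificate mismatch.
check_combo_pem() {
  local pem="$1" min_days="${2:-0}" cert_pub key_pub

  [ -r "$pem" ] || { echo "cannot read: $pem" >&2; return 1; }
  grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" ||
    { echo "no private key block in $pem" >&2; return 2; }
  grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
    { echo "no certificate block in $pem" >&2; return 3; }

  # -checkend N fails if the certificate expires within the next N seconds;
  # N=0 means "already expired".
  openssl x509 -in "$pem" -noout -checkend "$((min_days * 86400))" >/dev/null ||
    { echo "certificate expired or expires within ${min_days} day(s)" >&2; return 4; }

  # The public key derived from the private key must equal the one in the
  # certificate, otherwise the signed client assertion cannot verify.
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 5
  key_pub=$(openssl pkey -in "$pem" -pubout -passin pass: 2>/dev/null) ||
    { echo "private key unreadable (encrypted or damaged)" >&2; return 5; }
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "private key does not match certificate" >&2; return 5; }

  # Summary; compare the SHA-1 fingerprint with the thumbprint listed for the
  # app registration under Certificates & secrets.
  openssl x509 -in "$pem" -noout -subject -enddate -fingerprint -sha1
}

# Usage: check_combo_pem certificate.combo.pem 30
```

A return code of 4 means the certificate has expired or is about to, which matches the renewal case; 2, 3 or 5 mean the file itself is incomplete or mismatched.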

If the app scan fails, try direct authentication

To rule out the app registration itself, scan as your own user account. This only works if your account has the needed privileges.

cnspec scan azure \
  --subscription YOUR-SUBSCRIPTION-ID \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-azure-security.mql.yaml

Renew the application certificate

The application certificate created when you add the Azure integration has a limited lifetime (by default, 1 year). When it expires, the integration stops working. Renew it from the Azure CLI:

  1. Navigate to the app registration you created for Mondoo. Copy its application ID for the next step.

  2. Open Azure Cloud Shell (top right of the window) and create a new certificate, inserting the application ID you copied:

    az ad app credential reset --id XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX --create-cert

  3. The certificate is stored in your cloud shell. Download it using the Manage files button in Azure Cloud Shell.

  4. In the Mondoo App, navigate to Integrations > Azure > your Azure integration. Edit the integration and scroll to point 5, where you can upload the certificate.

  5. Upload the new certificate and save. The integration starts using it to communicate with Azure.

Still stuck?

If none of the above works, try Microsoft's manual app registration path: Manually Set Up Azure Continuous Scanning.
