Mondoo
Docs
Integrate Your AssetsCloudAzure

Test or Troubleshoot an Azure Integration

Troubleshoot a Mondoo Azure integration by scanning from cnspec to isolate certificate, secret, and app registration issues.

If an Azure integration fails to scan, run the same checks from cnspec to isolate whether the issue is the certificate, the app registration, or your permissions.

Scan with cnspec

  1. Download the latest cnspec from releases.mondoo.com/cnspec. For example:

    wget https://releases.mondoo.com/cnspec/13.0.0/cnspec_13.0.0_linux_amd64.tar.gz
tar -xvf cnspec_13.0.0_linux_amd64.tar.gz

  2. Scan your Azure subscription:

    cnspec scan azure \
  --subscription YOUR-SUBSCRIPTION-ID \
  --tenant-id YOUR-TENANT-ID \
  --client-id YOUR-CLIENT-ID \
  --certificate-path certificate.combo.pem \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-azure-security.mql.yaml

    The client ID is the same as the application ID (or app ID).

Pay attention to queries with Error results. They usually point at missing permissions.

If the certificate scan fails, try a client secret

Authenticate with a client secret to isolate certificate issues:

  1. Create a client secret:

    1. In the Azure portal, open Microsoft Entra ID > App registrations.
    2. Select the Mondoo app.
    3. Select Certificates & secrets > New client secret.
    4. Enter a description and a Duration.
    5. Select Add and copy the Value immediately (it disappears shortly).

  2. Scan with the secret:

    cnspec scan azure \
  --subscription YOUR-SUBSCRIPTION-ID \
  --tenant-id YOUR-TENANT-ID \
  --client-id YOUR-CLIENT-ID \
  --client-secret YOUR-CLIENT-SECRET-VALUE \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-azure-security.mql.yaml

    If this scan succeeds, the issue is the certificate. Generate and upload a new one.

If the app scan fails, try direct authentication

To rule out the app registration itself, scan as your own user account. This only works if your account has the needed privileges.

cnspec scan azure \
  --subscription YOUR-SUBSCRIPTION-ID \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-azure-security.mql.yaml

Still stuck?

If none of the above works, try Microsoft's manual app registration path: Manually Set Up Azure Continuous Scanning.

Automatically Set Up Continuous Scanning

Use the automated setup to configure the Mondoo Azure integration to scan Azure subscriptions

Overview

Secure your GCP projects by continuously scanning compute, GKE, Pub/Sub, and more for misconfigurations and vulnerabilities.

On this page

Scan with cnspecIf the certificate scan fails, try a client secretIf the app scan fails, try direct authenticationStill stuck?