Integrations

Microsoft Azure

Configuring Azure integration

The Microsoft Azure integration enables Tidal Control to automatically execute compliance tests on your Azure environment and Entra ID configuration.

Requirements:

  • Super User role in Tidal Control
  • Entra ID app registration rights
  • Azure subscription access for role assignments

Required permissions

The Azure integration uses two distinct permission sets — one for Entra ID (Azure AD) and one for Azure resources. All access is read-only — Tidal Control never writes, modifies, or deletes anything in your Azure environment.

Microsoft Graph API permissions

These permissions give Tidal read access to your Entra ID configuration:

Permission(s)Why we need it
User.Read.All, Directory.Read.AllWe check for stale user accounts and pending forced password changes.
Policy.Read.All, Organization.Read.AllWe verify conditional access policies — such as MFA enforcement for administrators and access restrictions to the Entra admin portal.
Device.Read.All, DeviceManagementManagedDevices.Read.AllWe verify Intune MDM enrollment, device encryption status, and whether devices have synced recently.
Group.Read.All, GroupMember.Read.All, Application.Read.AllWe resolve group memberships used in conditional access policies and verify application registrations.

Reader role on Azure subscriptions

The Reader role gives Tidal read access to your Azure resource configurations:

Resource typeWhy we need access
Virtual machinesWe verify auto-patching configuration, Trusted Launch (Secure Boot), and disk encryption at rest.
Storage accountsWe check for public blob access, HTTPS enforcement, soft delete and retention policies, and encryption at rest.
Key VaultWe verify that key vaults do not have public network access enabled.
AKS (Kubernetes)We check whether Kubernetes API servers are publicly accessible and whether automatic upgrade channels are configured.
PostgreSQL Flexible ServerWe verify public network access, backup retention, maintenance window, TLS settings, and encryption at rest.

Microsoft Defender for Endpoint API permissions

The Microsoft Defender tests use the Microsoft Defender for Endpoint API. These are application permissions on the WindowsDefenderATP API — they are separate from the Microsoft Graph permissions and the Reader role above. Without them, the Defender tests fail with an authorization error even though the rest of the integration is connected.

PermissionWhy we need it
Machine.Read.AllWe retrieve onboarded devices and their antivirus health status.
Vulnerability.Read.AllWe read the vulnerabilities detected on your devices.
SecurityRecommendation.Read.AllWe read Defender security recommendations (Threat & Vulnerability Management).
Alert.Read.AllWe read Defender security alerts.

Configuration methods

App integration (recommended)

Benefits of app integration:

  • Faster and simpler - Fewer manual steps and configuration
  • Less error-prone - Automatic permissions setup
  • No credential management - Tidal manages authentication automatically

Setup process:

  1. Go to Settings → Integrations in Tidal Control
  2. Click Microsoft Azure tile
  3. Select "App integration (recommended)"
  4. Click "Click here to begin"
  5. Log in via Azure portal when redirected
  6. Review permissions and click "Accept"

Service Principal

When to use service principal:

  • Full control over app registration and permissions required
  • Organisation security policy doesn't allow external app integrations
  • Custom credential management desired

Service principal disadvantages:

  • More configuration steps and higher chance of errors
  • Manual credential management (expiration tracking)
  • Risk of incomplete permissions causing test failures

Service principal configuration:

The goal of these steps is to create a service principal in Azure and collect the required values to enter into Tidal later. Note the following values during configuration:

  • Tenant ID
  • Client ID
  • Client Secret
  • Integration name

Azure app registration:

  1. Go to Azure portal → Entra ID → App registrations
  2. Click "New registration"
    • Name: Tidal Control - Integration
    • Account types: Single tenant
  3. Note Application (client) ID (save for Tidal configuration)
  4. Note Directory (tenant) ID (save for Tidal configuration)

Generate client secret:

  1. Go to "Certificates & secrets"
  2. Click "New client secret"
    • Description: Tidal Control - Integration
    • Expires: 12 months
  3. Click "Add"
  4. Note secret value immediately (no longer visible after leaving page)
Warning

Important: Note all values (Tenant ID, Client ID, Secret) in a secure location. You'll need these for Tidal configuration and the client secret cannot be retrieved later.

Configure API permissions:

  1. Go to "API permissions" → "Add a permission"
  2. Select Microsoft Graph → Application permissions
  3. Add all permissions:
    • Directory.Read.All
    • User.Read.All
    • Device.Read.All
    • Application.Read.All
    • DeviceManagementManagedDevices.Read.All
    • GroupMember.Read.All
    • Group.Read.All
    • Organization.Read.All
    • Policy.Read.All
  4. Add the Microsoft Defender for Endpoint permissions (required for the Defender tests):
    • Add a permission → APIs my organization uses → search "WindowsDefenderATP" → Application permissions
    • Machine.Read.All
    • Vulnerability.Read.All
    • SecurityRecommendation.Read.All
    • Alert.Read.All
  5. Click "Grant admin consent" for your tenant

Complete integration in Tidal:

  1. Go to Settings → Integrations → Microsoft Azure
  2. Select "Service Principal"
  3. Fill in noted values:
    • Name: Recognisable name for the integration
    • Tenant ID: Directory (tenant) ID from Azure
    • Client ID: Application (client) ID from Azure
    • Client Secret: The created client secret

Azure subscription access

Assign Reader role per subscription:

For each Azure subscription you want to monitor:

  1. Azure portal → Subscriptions → [Select subscription]
  2. Access control (IAM) → Add role assignment
  3. Select "Reader" role
  4. Search for your Tidal integration (name you used in step 1)
  5. Select integration and click "Assign"
Tip

Reader role: Gives Tidal read-only access for compliance monitoring without security risks. Sufficient for all Azure tests.

Integration verification in Tidal

Check successful configuration:

  • Settings → Integrations shows "Connected" status for Azure
  • Test refresh delivers results without (authentication) errors

Troubleshooting issues:

  • Verify all credentials are correctly entered
  • Check admin consent has been granted for API permissions
  • Confirm Reader role is assigned to relevant subscriptions
  • If only the Microsoft Defender tests fail with an authorization error, confirm the WindowsDefenderATP permissions (Machine.Read.All, Vulnerability.Read.All, SecurityRecommendation.Read.All, Alert.Read.All) have been added to the app registration and admin consent granted

Microsoft Sentinel integration

Microsoft Sentinel is configured as a separate integration from the Microsoft Azure integration above. It runs compliance tests against a single Sentinel workspace by reading its incidents, analytics (alert) rules, and data connectors. Set it up only if you want to run the Sentinel tests — it has its own credentials and does not reuse the Azure integration above.

Required permission

Sentinel access is granted through an Azure RBAC role rather than API permissions. Assign the built-in Microsoft Sentinel Reader role to a service principal, scoped to the resource group that contains your Sentinel (Log Analytics) workspace. This grants read-only access to Microsoft.SecurityInsights resources (incidents, alert rules, and data connectors) — sufficient for all Sentinel tests.

Setup process

1. Register an app (service principal):

  1. Go to Azure portal → Entra ID → App registrations → New registration
    • Name: Tidal Control - Sentinel
    • Account types: Single tenant
  2. Note the Application (client) ID and Directory (tenant) ID
  3. Go to "Certificates & secrets" → "New client secret", then note the secret value immediately (it cannot be retrieved later)
Tip

You can reuse your existing Azure integration's app registration instead of creating a new one — just assign it the Microsoft Sentinel Reader role in the next step and reuse its tenant ID, client ID, and client secret in Tidal.

2. Assign the Microsoft Sentinel Reader role:

  1. Go to the resource group that contains your Sentinel workspace → Access control (IAM) → Add role assignment
  2. Select the "Microsoft Sentinel Reader" role
  3. Search for the app registration you created and assign it

3. Gather the workspace details you'll enter in Tidal:

  • Subscription ID
  • Resource group name
  • Log Analytics workspace name (the workspace Sentinel runs on)

4. Complete the integration in Tidal:

  1. Go to Settings → Integrations → Microsoft Sentinel
  2. Fill in the values:
    • Name: Recognisable name for the integration
    • Tenant ID, Client ID, Client Secret: from the app registration
    • Subscription ID, Resource group name, Workspace name: from step 3
Tip

If the Sentinel tests fail with an authorization error, confirm the Microsoft Sentinel Reader role is assigned to the app registration at the resource group (or workspace) scope, and that the subscription ID, resource group, and workspace name exactly match the workspace Sentinel runs on.

Still having trouble?

Send an email to support@tidalcontrol.com, and we'll get in touch as soon as possible.

Info

Gathering support info: Note which browser you're using, exact error messages, which steps you've already tried, and screenshots of the problem. This significantly speeds up the solution.

Next
Amazon Web Services (AWS)