Prerequisites
To complete the configuration process, you must have the following information:| Item | Description |
|---|---|
| Directory (tenant) ID | Identifies the Microsoft Entra ID instance where you must register the AzureHound Enterprise application. |
| Application (client) ID | Identifies the AzureHound Enterprise app registration that you must create in the Microsoft Entra admin center. |
| AzureHound token ID | Identifies the AzureHound Enterprise collector client that you must create in BloodHound Enterprise. |
| AzureHound token | Provides the authentication key for the AzureHound Enterprise collector client that you must create in BloodHound Enterprise. |
| BloodHound Enterprise URL | The URL of your BloodHound Enterprise tenant (for example, https://<your-tenant>.bloodhoundenterprise.io/). |
| Managed Identity Client ID | If using Azure Managed Identity authentication, identifies the managed identity that the AzureHound Enterprise app registration trusts and that is assigned to the Azure resource where you run AzureHound Enterprise. |
| Certificate and private key | If using Certificate authentication, the certificate and private key used to authenticate the AzureHound Enterprise application. The AzureHound Enterprise CLI tool can generate this for you during the configuration process if needed. |
Download AzureHound Enterprise
- Login to your BloodHound Enterprise tenant.
- In the left menu, click Download Collectors.
-
Download the AzureHound Enterprise ZIP archive.
Choose the option suitable for your system’s architecture (ARM64 or AMD64).
- Extract the contents of the ZIP archive to a working directory on the system where you plan to run the AzureHound Enterprise binary.
Configure connection to Azure
-
Start the AzureHound Enterprise CLI tool with the
configurecommand.To see all available options, runazurehound.exe -h. -
Select the Azure region where your organization’s tenant is hosted.
Most organizations use the
cloudregion. -
Enter the Azure Directory (tenant) ID.
-
Enter the Azure Application (client) ID that you created when registering the AzureHound Enterprise application.
Configure AzureHound authentication
Choose one of the following authentication methods for AzureHound Enterprise to connect to your Microsoft Entra ID and Azure environment:
- Azure Managed Identity
- Certificate
Microsoft recommends user-assigned managed identities for Microsoft services, so this example uses the user-assigned type. AzureHound Enterprise also supports system-assigned managed identities, but that workflow is not covered in this guide.Before configuring Azure Managed Identity authentication, you must first create a user-assigned managed identity, assign it to the Azure resource where you plan to run AzureHound Enterprise, and configure the AzureHound Enterprise app registration to trust that identity.
-
Select Azure Managed Identity as the authentication method.
-
Select User-Assigned as the Managed Identity type.
-
Enter the Client ID of the User-Assigned Managed Identity.
To find the Client ID, navigate to the Managed Identity in the Azure portal and copy the value from the Client ID field in the Overview.
-
Press Enter (or enter
Y) to connect to BloodHound Enterprise. -
Enter the URL of your BloodHound Enterprise tenant.
Configure AzureHound collector client
- Create an AzureHound collector client. Continue to the next step when you have the Token ID and Token.
-
Enter the collector client’s Token ID.
-
Enter the collector client’s Token.
-
(Optional) Enter
yif you want to use a proxy URL.Most organizations do not use a proxy.
Configure AzureHound logging
-
Press Enter (or type
y) to set up local logging. -
Select the logging verbosity, as a start we recommend Default.
-
Enter a name for the log file.
-
If you want AzureHound Enterprise to generate JSON-structured logs, press Enter or type
y.
Review configuration summary
When configuration is complete, the AzureHound Enterprise CLI tool displays a configuration summary.
The example above shows the summary for Certificate authentication. For Azure Managed Identity authentication, the summary omits the key and certificate paths and the certificate upload reminder.