Skip to main content
Applies to BloodHound Enterprise only

Prerequisites

To complete the configuration process, you must have the following information:
ItemDescription
Directory (tenant) IDIdentifies the Microsoft Entra ID instance where you must register the AzureHound Enterprise application.
Application (client) IDIdentifies the AzureHound Enterprise app registration that you must create in the Microsoft Entra admin center.
AzureHound token IDIdentifies the AzureHound Enterprise collector client that you must create in BloodHound Enterprise.
AzureHound tokenProvides the authentication key for the AzureHound Enterprise collector client that you must create in BloodHound Enterprise.
BloodHound Enterprise URLThe URL of your BloodHound Enterprise tenant (for example, https://enterprise.bloodhoundenterprise.io/).
Managed Identity Client IDIf using Azure Managed Identity authentication, identifies the Managed Identity assigned to the Entra ID app registration.
Certificate and private keyIf using Certificate authentication, identifies the certificate and private key to authenticate the AzureHound Enterprise application. The AzureHound Enterprise CLI tool can generate this for you during the configuration process if needed.
Configuring AzureHound Enterprise involves the following steps: Follow the steps below to create your AzureHound Enterprise configuration file using the AzureHound Enterprise CLI tool.
1

Download AzureHound Enterprise

  1. Login to your BloodHound Enterprise tenant.
  2. In the left menu, click Download Collectors.
  3. Download the AzureHound Enterprise ZIP archive.
    Choose the option suitable for your system’s architecture (ARM64 or AMD64).
  4. Extract the contents of the ZIP archive to a working directory on the system where you plan to run the AzureHound Enterprise binary.
2

Configure connection to Azure

  1. Start the AzureHound Enterprise CLI tool with the configure command. 
    C:\Users\Administrator.ROOT\Downloads\azurehound-v2.8.1\azurehound-windows-amd64>azurehound.exe configure
    To see all available options, run azurehound.exe -h.
  2. Select the Azure region where your organization’s tenant is hosted.
    Most organizations use the cloud region.
    AzureHound v2.8.1
Created by the BloodHound Enterprise team - https://bloodhoundenterprise.io

Use the arrow keys to navigate: ↓ ↑ ← →
? Azure Region:
  china
> cloud
  germany
  usgov14
  usgov15
  3. Enter the Azure Directory (tenant) ID. 
    Directory (tenant) ID: b82887fc-338d-44ab-97d6-ac32d060ad7e
  4. Enter the Azure Application (client) ID that you created when registering the AzureHound Enterprise application. 
    Application (client) ID: 18a7b927-9905-484e-8b17-c09630ce8ff2
3

Configure AzureHound authentication

Choose one of the following authentication methods for AzureHound Enterprise to connect to your Microsoft Entra ID and Azure environment:
We highly recommend Azure Managed Identity-based authentication.
Microsoft recommends the User-Assigned Managed Identity for Microsoft services, so the following example shows the User-Assigned type.Before configuring Azure Managed Identity authentication, you must first create a user-assigned managed identity.
  1. Select Azure Managed Identity as the authentication method. 
    Use the arrow keys to navigate: ↓ ↑ ← →
? Authentication Method:
    Certificate
    Client Secret
    Username and Password
  > Azure Managed Identity
  2. Select the type of Managed Identity. 
    Use the arrow keys to navigate: ↓ ↑ ← →
? Managed Identity Type:
    System-Assigned
  > User-Assigned
  3. Enter the Client ID of the User-Assigned Managed Identity. 
    v Input the User-Assigned Managed Identity (Client ID):
    To find the Client ID, navigate to the Managed Identity in the Azure portal and copy the value from the Client ID field in the Overview.
  4. Press Enter (or enter Y) to connect to BloodHound Enterprise. 
    ? Setup connection to BloodHound Enterprise? [Y/n]
  5. Enter the URL of your BloodHound Enterprise tenant. 
    v BloodHound Enterprise URL: https://enterprise.bloodhoundenterprise.io/
4

Configure AzureHound collector client

  1. Create an AzureHound collector client. Continue to the next step when you have the Token ID and Token.
  2. Enter the collector client’s Token ID. 
    v BloodHound Enterprise Token ID: bb7b957f-2508-400b-971e-6a1857cc0101
  3. Enter the collector client’s Token. 
    v BloodHound Enterprise Token: ****************************************
  4. (Optional) Enter y if you want to use a proxy URL.
    Most organizations do not use a proxy.
    ? Set proxy URL? [y/N]
5

Configure AzureHound logging

  1. Press Enter (or type y) to set up local logging. 
    ? Setup AzureHound logging? [Y/n]
  2. Select the logging verbosity, as a start we recommend Default. 
    Use the arrow keys to navigate: ↓ ↑ ← →
? Verbosity:
    Disabled      
  > Default
    Debug
    Trace
  3. Enter a name for the log file.
    You can also enter a full path as a file name. If you do not specify a full path, AzureHound Enterprise writes logs to the specified file name and stores it in the same directory as the AzureHound binary.
    v Log file (optional): azurehound.log
  4. If you want AzureHound Enterprise to generate JSON-structured logs, press Enter or type y. 
    ? Enable Structured Logs? [y/N]
6

Review configuration summary

When configuration is complete, the AzureHound Enterprise CLI tool displays a configuration summary.
Configuration written to C:\Users\Administrator.ROOT\.config\azurehound\config.json
Key written to C:\Users\Administrator.ROOT\.config\azurehound\key.pem
Certificate written to C:\Users\Administrator.ROOT\.config\azurehound\cert.pem

Ensure certificate is uploaded to your application's client credentials
If you are using Certificate authentication, the summary also includes the location of the certificate to complete the configuration in Azure.