Discovering Microsoft Azure

Microsoft Azure is a cloud service provided by Microsoft. Microsoft Azure enables you to have virtualized computing platforms accessible through the internet. It is divided into a number of regulatory domains around the world so that organizations can store and manage data in countries with particular regulations regarding data in compliance with local laws. 

The model for Cloud Regions and Cloud Services is segregated by account. If you discover more than one AWS Account, more than one Azure Subscription or more than one GCP Project, all the data from Cloud Region through to individual nodes within services will be clearly separated, where before it was intermingled. As a result, the keys of all CloudRegion and CloudService nodes, and many contained nodes will change, even if you only discover a single account. If you synchronize to a CMDB, the identities of the corresponding CIs will also change.

The existing nodes are not deleted automatically with the application of the TKU. To remove the old nodes from the BMC Helix Discovery model, you can delete the patterns that were deactivated by the new patterns in the TKU. However, the old CIs in the CMDB will not be deleted automatically. The simplest way to remove them is to perform a resynchronization.

Services and regulatory domains discovered

You can access and configure all your services in the Azure Public cloud using the Microsoft Azure portal and the other clouds using the appropriate portals.

The following regulatory domains can be discovered with the latest product content update:

  • Azure China 21Vianet
  • Azure France
  • Azure Germany
  • Azure GovCloud
  • Azure Public

BMC Helix Discovery enables you to discover your cloud services running in Microsoft Azure. The following set of Microsoft Azure services can be discovered with the latest product content update:

More detailed information on the discovery of Microsoft Azure services is contained in the following documentation:

BMC Helix Discovery enables you to discover your cloud services running in these regions. To do so, you must provide an application ID and authentication key (credential) with which BMC Helix Discovery can access the cloud, you create the access key using the Microsoft Azure portal or the Microsoft Azure Germany portal.

Creating a credential

Creating a credential is a two stage process. In the Microsoft Azure Portal you obtain a Directory ID, Application ID, and authentication key. Then in BMC Helix Discovery, you use this information to add the cloud discovery credential. These two steps are mandatory for setting the Microsoft Azure discovery. 

Finding the Directory ID, Application ID and Authentication Key in the Microsoft Azure Portal

The procedure is outlined here, though the steps to do this are described fully on this Microsoft Azure web page.

  1. Use the Microsoft Azure Portal to find a Directory ID for your Microsoft Azure account.
    1. Directory ID—find the Directory ID for your Microsoft Azure account under Azure Active Directory>Properties in the Microsoft Azure Portal.
      The Directory ID is a GUID, also known as the Tenant ID.
  2. Find the Application ID and Authentication Key.
    1. Continuing in the Microsoft Azure Portal, add an "App registration" for your BMC Helix Discovery appliance in the Azure Active Directory>App registrations section. You must provide a name, for example, "BMC Discovery", an application type, "Web app / API", and a sign-on URL for the appliance. The URL is mandatory, but is not used. Once you have created the application registration for BMC Helix Discovery, obtain the following information for the application.
    2. Application ID–It is shown in the Properties for the application in Azure Active Directory > App registrations in the Microsoft Azure Portal.  The Application ID is a GUID. Ensure that you select the Application ID and not the Object ID.
    3. Application Key–Create the Application Key (press +New client secret) in the Certificates & secrets for the application in Azure Active Directory>App registrations in the Microsoft Azure Portal. You can only copy the key when creating it, so keep it safe.


      If you lose the Application Key, you cannot retrieve it from the Microsoft Azure Portal. You must create a new application key and use the new key in the BMC Helix Discovery cloud credential. It would help if you kept a note of the application key until you have successfully tested the cloud credential.

Assigning the required permissions for the BMC Helix Discovery application registration in the Microsoft Azure Portal

The built-in Reader the role is sufficient to discover everything except size and encryption (D@RE) values for VHDs used by VMs. To discover size and encryption (D@RE) values for VHDs used by VMs, you need the Microsoft.Storage/storageAccounts/listKeys/action permission. If you only need to discover Managed Disks, the built-in Reader role is sufficient.

Grant the application permissions (roles) to your subscriptions.

  1. Under More services > Subscriptions, select Access Control (IAM).
  2. In the Role Assignments, click +Add and select Add role assignments from the drop-down list.
  3. From the Role drop-down list, select Reader.
  4. From the Select drop-down list, choose your newly created application.

  5. For each additional Subscription you want to be discovered, navigate to More services>Subscriptions, choose the needed subscription, and repeat steps 1-4.


BMC Helix Discovery will not be able to discover resources in the target subscriptions without permission granted to your application.

When the main configuration is done, you can set the optional settings.

Discovering Microsoft Azure storage (Optional)

If you need to discover Microsoft Azure storage, you also need to grant the Microsoft.Storage/storageAccounts/listKeys/action a role for a complete discovery of Azure Storage. You do not need this permission if you are only using managed disks. A JSON template is available here, which is used with the Microsoft Azure command line tools to create a Discovery role that gives the correct permissions. Custom roles are described in the Microsoft Azure documentation. Click the link below to download the JSON template:

or register to view the contents of this page.

BMC Helix Discovery (on-premises) customers can also download the JSON template from the Manage>Discovery Tools page.

  1. Edit the JSON file to set the subscription scope. Add your subscription id in the field <SUBSCRIPTION ID HERE>.
  2. Rename the template file to azure_discovery_role.json.
  3. Run the following command, depending on your Azure cli version:

    az role definition create --role-definition <PATH>azure_discovery_role.json

    az role create --config <PATH>azure_discovery_role.json
  4. Ensure the role is created and appears in the Azure Portal roles list.
  5. Assign a recently created custom 'Discovery' role to the application registration you used for BMC Helix Discovery. 

Creating an Azure cloud credential in BMC Helix Discovery

Create the Azure cloud credential in the same way as any other credential. The Azure cloud credential uses the Directory ID, Application ID, and Application Key as the equivalent of a username and password combination.

  1. From the BMC Helix Discovery Device Credentials page, click Add.
    The Add Credential page is displayed.
  2. Click add more to add the cloud provider type. Select Microsoft Azure from the drop-down list.
  3. Add the usual credential information:
    • Label
    • Description
  4. Add the additional fields with the information that you copied from the Microsoft Azure Portal:
    1. Directory ID
    2. Application ID
    3. Application Key
    4. CyberArk–If the CyberArk integration is enabled, do not enter a key ID and secret, rather, enter a CyberArk search string in this field to extract a CyberArk credential. An example search string is:
      Object=Cloud Service-Azure-keys-fc2636b7-426d-42df-a13f-f45b903bd40a
      See Integrating with CyberArk Enterprise Password Vault for more information on the integration.


      The Directory ID and Application ID are both GUIDs, 32 hex digits grouped 8-4-4-4-12. They are easy to transpose; if you do so, your credential will never work, and the problem will be difficult to diagnose.

  5. Optionally specify a proxy to use to access. To use a proxy you must specify the following:
    • Hostname
    • Port
    • Username (only for authenticating proxies)
    • Password (only for authenticating proxies)
  6. 'TLS Certificate Check' option can be disabled if your proxy uses self-signed certificates. 


    If you disable the certificate check, your credentials could be intercepted by a man-in-the-middle attack.

  7. Click Apply.

Testing the credential

Once you have created the credential, you should test it to ensure it works.

  1. From the credentials page, click Devices.

  2. Filter the list to show cloud credentials.
  3. Click Actions for the Microsoft Azure cloud credential you added, and then click Test.
  4. Select Microsoft Azure from the list.
  5. For the Regulatory Domain, select Azure Public or Azure Germany.
  6. Click Test.
    The screen below shows a successful test.

If the credential test was unsuccessful, ensure you copied the Directory ID and Application ID correctly.


The BMC Helix Discovery appliance must be able to access Microsoft Azure using https (port 443).

Run a cloud scan

To perform cloud discovery from the Discovery Status page, use the Add New run control.

  1. Click Add New run.
    The Add a Cloud Run dialog is displayed.

  2. Enter a Label for the cloud discovery run.
  3. To add a scheduled cloud run, select Scheduled and fill in the scheduling information as with normal scheduled discovery runs.
  4. Select Cloud.
  5. Select the provider from the drop-down list. Select Microsoft Azure.
  6. Select the appropriate cloud credential. If none are available, you must add one.
  7. Select the regulatory domain to scan, for example, for the public cloud, select Azure Public, or for Azure Germany, select Azure Germany.
  8. Click OK.

Scanning the hosts running the VMs in the cloud

Perform a normal scan on the hosts running the VMs discovered in the cloud scan. Use the Unscanned Cloud Hosts report on the Cloud Overview dashboard to find these.

Scanning the hosts assumes that the appliance or proxy has network access to hosts running in the cloud, for example, using a VPN.

Public IP addresses do not respond to ICMP pings. It would help if you disabled "Ping before scanning", otherwise, all scans are dropped, reporting no response.

Examining results

Once you have scanned, you can examine the results. The screen below shows a discovered VM running in Microsoft Azure.

Database discovery

Microsoft Azure supports Microsoft SQL Server. The Microsoft Azure API reports the database. If you only need to discover the database, these are reported as part of regular cloud discovery, and no further configuration is required.

If you need deeper database discovery (for example, to report the tables or run queries for application-specific data), ensure that appropriate database credentials are created. For more information, see Adding credentials Open link in the BMC Discovery documentation.

Database server and database firewalls

Each database server has a firewall, and you can add a rule stating which IP addresses are permitted access.

To do this:

  1. From the database server, configure the firewall to enable BMC Helix Discovery to access it.
  2. Add the following information
    1. Rule name, for example, Discovery Access.
    2. Start IP, for example,
    3. End IP, for example,
    You can now access the database server from BMC Helix Discovery.

You can also configure rules on a firewall on the database, in addition to the firewall on the server, configured earlier. The server firewall and the database firewall must permit BMC Helix Discovery access.

BMC Helix Discovery database credential


To discover a Database an appropriate Database credentials must be created.

Information about Database credentials is available here in the Database credentials paragraph.

Microsoft Azure discovery patterns

The Microsoft Azure discovery patterns are available on the Manage>Knowledge page. They are located in the Pattern modules list under Cloud>Microsoft Azure.

Azure tags discovery

For detailed information about tags, see Discovering Cloud Tags.


The tenant ID is not foundCheck Directory ID in Azure Active Directory>Properties
Application with the identifier is not found (ID is correct, but application ID is wrong or does not exist).Check the Application id or register the new one.
Invalid client secret provided (application in Azure portal is created, application key in the ADDM credentials is not set, or key is expired). Check the security key, or add the new one.

Failed to get dynamic parameter subsribtionid: No valuesNo role is assigned to the application in Azure portalAssign role for your application in Azure Portal. Open More services (or on home screen) > Subscriptions, then select Access Control (IAM) > Role Assignments > Add Role Assignment > Choose Reader Role and your application
Failed to get dynamic parameter subscriptionId: 'some request name': Authentication failure: AADSTS7000222: The provided client secret keys are expiredKeys encryption bugPlease check if your keys contain / and + characters. Try to generate new key using the manual above. Keys that will work 100% are keys exclusively with alphanumeric characters

Information sources

For more information, see the following pages:

Was this page helpful? Yes No Submitting... Thank you