Azure cloud security in 60 seconds
Sign in via Microsoft Entra OAuth. Scope to specific subscriptions. Read-only by default. No credentials stored.
Free forever. No credit card required.
Why vul.ninja for Azure?
Native Microsoft Entra OAuth
Sign in with your existing Microsoft account. No app registrations to create, no client secrets to manage, no certificates to rotate.
Subscription-level granularity
Choose exactly which Azure subscriptions vul.ninja can see. Exclude test tenants or environments you don't want scanned. Change scope at any time.
Azure-aware findings
Findings include Azure resource IDs, resource groups, and remediation steps tailored to Azure Resource Manager and Azure Policy best practices.
How to connect Azure in 60 seconds
Click "Connect Azure" in vul.ninja
From your vul.ninja dashboard, choose Azure as your cloud provider. You'll be redirected to the Microsoft Entra OAuth flow.
Sign in with your Microsoft account
Authenticate via your existing Microsoft work account. Review and approve the permission scopes vul.ninja requests.
Choose your subscriptions
Select which Azure subscriptions you want vul.ninja to scan. You can include or exclude specific subscriptions and change this at any time.
Done — your first scan starts automatically
Within minutes you'll have findings across your selected subscriptions, prioritized by severity and compliance impact.
What permissions does vul.ninja need?
Least-privilege by design. Read-only by default. Write actions require your explicit per-action approval.
By default (read-only)
- Reader role on selected subscriptions (built-in Azure RBAC, audited by Microsoft)
- Microsoft Graph: User.Read.All — list users and their properties
- Microsoft Graph: Directory.Read.All — read Entra directory objects
- Azure Resource Manager: read all resource metadata and configurations
- Azure Security Center: read security alerts and recommendations
- Azure Monitor: read activity logs and diagnostic settings
If you enable remediation (opt-in)
- Storage account: set secure transfer required and public access disabled
- Network security groups: remove overly permissive inbound rules
- Key Vault: enable soft delete and purge protection
- SQL Server: enable auditing and Advanced Threat Protection
Write permissions are scoped per-action and require your approval before anything runs.
vul.ninja uses OAuth 2.0 with PKCE. Tokens are short-lived and refreshed via OAuth refresh tokens — we never store long-lived credentials or client secrets. You can revoke vul.ninja's access at any time by visiting myaccount.microsoft.com/Permissions, finding vul.ninja, and clicking Revoke. This immediately terminates all access.
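A least-privilege claim like the one above is worth verifying on your own side. The script below is an added example, not vul.ninja's code or documentation: it audits the RBAC assignments held by the connected app against the rule "Reader only, on the subscriptions you chose". The service principal display name "vul.ninja" is a placeholder assumption, and the input is constructed sample data shaped like `az role assignment list --all -o json` output.

```python
"""Audit the Azure RBAC assignments held by a connected scanner app. Input has
the shape of `az role assignment list --all -o json` (principalName, roleDefinitionName, scope)."""
import json
import re
APP_NAME = "vul.ninja"  # assumed service principal display name (placeholder)
SUB_RE = re.compile(r"^/subscriptions/([0-9a-f-]{36})(/|$)", re.IGNORECASE)


def subscription_of(scope):
    """Subscription id a scope lives under, or None when the scope is
    broader (tenant root '/' or a management group)."""
    m = SUB_RE.match(scope)
    return m.group(1).lower() if m else None


def audit_assignments(assignments, allowed_subscriptions, app_name=APP_NAME):
    """Return violations of 'Reader only, chosen subscriptions only';
    an empty list means the grant matches the least-privilege claim."""
    allowed = {s.lower() for s in allowed_subscriptions}
    violations = []
    for a in assignments:
        if a.get("principalName") != app_name:
            continue  # other principals are out of scope for this check
        role, scope = a.get("roleDefinitionName"), a.get("scope", "")
        if role != "Reader":
            violations.append(f"{role} at {scope}: broader than Reader")
        sub = subscription_of(scope)
        if sub is None:
            violations.append(f"{role} at {scope}: above subscription level")
        elif sub not in allowed:
            violations.append(f"{role} at {scope}: subscription not in include list")
    return violations


# Constructed sample (not real data): one included subscription, one excluded.
SAMPLE = json.dumps([
    {"principalName": "vul.ninja", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
    {"principalName": "vul.ninja", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-prod"},
    {"principalName": "vul.ninja", "roleDefinitionName": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/root"},
    {"principalName": "alice@example.com", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
])


def sample_assignments():
    return json.loads(SAMPLE)


if __name__ == "__main__":
    for v in audit_assignments(sample_assignments(), ["11111111-1111-1111-1111-111111111111"]):
        print("VIOLATION:", v)
```

Run it against real output by piping `az role assignment list --all -o json` into `json.loads` in place of the sample; an empty result means the grant matches the stated scope.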
How is this different from Microsoft Defender for Cloud?
We believe in honest comparisons. Here's where the native tool wins, and where vul.ninja wins.
Where Microsoft Defender for Cloud wins
- Native to Azure with no additional setup; included in some Azure plans at no extra cost
- Deep integration with Azure Sentinel, Azure Policy, and Microsoft threat intelligence
- Microsoft-managed and covered by your existing Microsoft support agreement
- Extensive Azure-specific compliance benchmarks built in
Where vul.ninja wins
- Multi-cloud: scan AWS and GCP alongside Azure — Defender for Cloud is Microsoft-only
- AI agents that explain findings in plain English and trace attack paths end-to-end
- Faster, friendlier setup for teams without dedicated Azure security expertise
- Simpler pricing: flat-rate plans, not per-resource or per-subscription billing
- Human-in-the-loop remediation pipeline with approval gates before any change runs
Frequently asked questions
Yes, by default. The OAuth scopes requested are read-only. Write actions are only possible if you explicitly enable the Remediation Agent on a paid plan, and every individual fix requires your approval before it runs.
Yes. During setup you choose exactly which subscriptions to include. You can update this selection at any time from the cloud connections page in your dashboard.
No. We use OAuth 2.0 refresh tokens to maintain access — there are no client secrets or certificates stored on our end. If you revoke the OAuth grant in Microsoft, our access ends immediately.
Go to myaccount.microsoft.com/Permissions, find vul.ninja in the list of authorized applications, and click Revoke. This immediately removes all access to your Azure subscriptions.
Azure Virtual Machines, Storage Accounts, Azure SQL, Azure Key Vault, Network Security Groups, Azure Active Directory/Entra ID, App Service, AKS, and more. See our documentation for the full current coverage list.
Defender for Cloud is excellent if you only use Azure. vul.ninja adds multi-cloud coverage (AWS, GCP), AI agents that investigate findings and propose remediations in plain language, and a human-approval remediation pipeline. Defender doesn't offer those capabilities.
Yes. vul.ninja maps findings to SOC 2, HIPAA, and PCI-DSS controls. Connecting your Azure subscriptions gives us visibility into your posture — your existing compliance certifications are unaffected by the connection.
Typically 5–20 minutes for a standard Azure subscription, depending on the number of resources across services.
Yes. You can connect subscriptions from multiple tenants by completing the OAuth flow for each tenant separately. Each connection is managed independently in your dashboard.
Azure Government is not currently supported. Reach out to security@vul.ninja if this is a requirement.
Built for security-conscious teams
Reader role only
Built-in Azure RBAC Reader role — the minimum required to see your resources.
OAuth 2.0 with PKCE
Short-lived tokens refreshed via OAuth. No client secrets stored.
Full API audit log
Every API call vul.ninja makes against your subscriptions is logged.
One-click revocation
Revoke via myaccount.microsoft.com/Permissions — instant effect.
Ready to scan your Azure cloud?
Connect in 60 seconds. Free forever.