Step 1
Search for Azure Active Directory in the search box and click on it.
Step 2
On the left panel, click on App Registrations.
Step 3
On the App Registration page, click on “New Registration” on top.
Step 4
Enter a registration name, select the account type and click on Register.
Step 5
After the application is registered, click on Certificates & secrets in the left panel.
Step 6
Click on New client secret, add the secret name and choose the expiration date. Once done, click on the Add button.
Step 7
Once the client secret is created, please copy and save the “Secret value” somewhere safe for later usage.
Step 8
Go to the home page, search for “Subscriptions” and click on it.
Step 9
Click the subscription name in your account. If there are multiple subscriptions, follow the same steps from here onward for each subscription.
Step 10
Click Access control (IAM). Click on “Add” on top. From the drop-down menu under “Add”, choose “Add custom role”.
Step 11
On the “Basics” tab, enter the “Custom role name” and “Description”, set “Baseline permissions” to the “Start from scratch” radio button and click “Next”.
Step 12
Select the Assignable scopes tab and select the required subscriptions.
Step 13
Select the JSON tab and click edit.
Step 14
Replace the permissions with Lucidity-provided permissions (present below) and save it. The permissions in the JSON should look like this:
"permissions": [
    {
        "actions": [
            "Microsoft.Authorization/denyAssignments/read",
            "Microsoft.Authorization/locks/read",
            "Microsoft.Authorization/roleAssignments/read",
            "Microsoft.Authorization/roleDefinitions/read",
            "Microsoft.Compute/disks/read",
            "Microsoft.Compute/virtualMachineScaleSets/read",
            "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
            "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action",
            "Microsoft.Compute/virtualMachines/extensions/delete",
            "Microsoft.Compute/virtualMachines/extensions/read",
            "Microsoft.Compute/virtualMachines/extensions/write",
            "Microsoft.Compute/virtualMachines/instanceView/read",
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Compute/virtualMachines/runCommand/action",
            "Microsoft.Compute/virtualMachines/write",
            "Microsoft.CostManagement/query/read",
            "Microsoft.Insights/DataCollectionRuleAssociations/Delete",
            "Microsoft.Insights/DataCollectionRuleAssociations/Read",
            "Microsoft.Insights/DataCollectionRuleAssociations/Write",
            "Microsoft.Insights/DataCollectionRules/Delete",
            "Microsoft.Insights/DataCollectionRules/Read",
            "Microsoft.Insights/DataCollectionRules/Write",
            "Microsoft.Insights/Logs/Read",
            "Microsoft.Insights/MetricBaselines/Read",
            "Microsoft.Insights/MetricDefinitions/Read",
            "Microsoft.Insights/Metricnamespaces/Read",
            "Microsoft.Insights/Metrics/Read",
            "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
            "Microsoft.OperationalInsights/workspaces/delete",
            "Microsoft.OperationalInsights/workspaces/query/InsightsMetrics/read",
            "Microsoft.OperationalInsights/workspaces/query/read",
            "Microsoft.OperationalInsights/workspaces/read",
            "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
            "Microsoft.OperationalInsights/workspaces/write",
            "Microsoft.OperationsManagement/managementAssociations/delete",
            "Microsoft.OperationsManagement/managementAssociations/read",
            "Microsoft.OperationsManagement/managementAssociations/write",
            "Microsoft.OperationsManagement/managementConfigurations/delete",
            "Microsoft.OperationsManagement/managementConfigurations/read",
            "Microsoft.OperationsManagement/managementConfigurations/write",
            "Microsoft.OperationsManagement/register/action",
            "Microsoft.OperationsManagement/solutions/delete",
            "Microsoft.OperationsManagement/solutions/read",
            "Microsoft.OperationsManagement/solutions/write",
            "Microsoft.Resources/deployments/delete",
            "Microsoft.Resources/deployments/operations/read",
            "Microsoft.Resources/deployments/operationstatuses/read",
            "Microsoft.Resources/deployments/read",
            "Microsoft.Resources/deployments/write",
            "Microsoft.Resources/subscriptions/resourceGroups/read"
        ],
        "dataActions": [],
        "notActions": [],
        "notDataActions": []
    }
]
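As an added review check (example code written for this page, not part of Lucidity's tool or of Azure): the script below reads a custom role in the Azure portal's JSON layout, which wraps the permissions array above in a properties object, and sorts every action into read-only, state-changing and VM code-execution entries (runCommand and extensions/write) so a reviewer can see what the assessment principal will be able to do before the role is assigned. The embedded role definition is a constructed subset of the list above with a placeholder subscription id.

```python
import json

# Constructed sample in the portal's custom-role JSON layout, using a subset of
# the Step 14 action list; the subscription id is a placeholder, not a real one.
SAMPLE_ROLE = json.dumps({
    "properties": {
        "roleName": "lucidity-assessment",
        "description": "Inventory, metrics and VM run-command for the assessment tool",
        "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
        "permissions": [{
            "actions": [
                "Microsoft.Authorization/roleAssignments/read",
                "Microsoft.Compute/disks/read",
                "Microsoft.Compute/virtualMachines/read",
                "Microsoft.Compute/virtualMachines/runCommand/action",
                "Microsoft.Compute/virtualMachines/extensions/write",
                "Microsoft.Compute/virtualMachines/write",
                "Microsoft.OperationalInsights/workspaces/delete",
                "Microsoft.Insights/Metrics/Read",
            ],
            "notActions": [], "dataActions": [], "notDataActions": []}]}})

# Run Command executes scripts inside the VM and VM extensions run code in the
# guest, so these two suffixes get their own line in a review report.
VM_CODE_EXEC = ("/runcommand/action", "/extensions/write")


def audit_role(role_json: str) -> dict:
    """Sort every action in a portal-format custom role into review buckets.

    Suffix matching is case-insensitive because the Step 14 list mixes '/read'
    and '/Read'. Wildcards are reported separately: none belong in this role.
    """
    props = json.loads(role_json)["properties"]
    report = {"read": [], "mutating": [], "vm_code_exec": [], "wildcard": [],
              "data_actions": [], "scopes": props.get("assignableScopes", [])}
    for perm in props.get("permissions", []):
        for action in perm.get("actions", []):
            a = action.lower()
            if "*" in a:
                report["wildcard"].append(action)
            elif a.endswith("/read"):
                report["read"].append(action)
            else:                      # write, delete or action verbs
                report["mutating"].append(action)
                if a.endswith(VM_CODE_EXEC):
                    report["vm_code_exec"].append(action)
        report["data_actions"].extend(perm.get("dataActions", []))
    return report
```

Run it against the JSON exported from the role's JSON tab to confirm the mutating and vm_code_exec buckets contain only the entries you expect from the list above.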
Step 15
Select the Review + Create tab. Click on Create.
Step 16
Acknowledge by responding to the prompt “Ok”. This will redirect to the IAM page. Wait for 2-3 minutes and proceed to the next step.
Step 17
On the “Access control (IAM)” home page, click on the “Role assignments” tab at the top of the window. Under “Role assignments”, click the “Add” button and select “Add role assignment”.
Step 18
Search for the role created in the previous steps and click on it to select it. Click on “Next”.
Step 19
On the Members tab, click on “+ Select members”. On the “Select Members” page in the right-hand corner, type and search with the app name that you have given during app registration, select the app and select “Next”.
Step 20
Once done, click on the “Review + assign” button.
You are done!!
To get the tenant ID and client ID:
Follow Step 1 and Step 2.
Select the app that you have just registered and click on it.
Note down the Application (client) ID, the Directory (tenant) ID, and the secret you saved earlier.
Steps to execute the Assessment tool
The assessment tool can be run on any instance, whether a virtual machine or a developer laptop. In order to run the assessment tool:
On Windows Machine
1. If curl is installed, or if you are using Windows 10 (which has curl installed by default), run:

   curl https://audittool.s3.ap-south-1.amazonaws.com/script/run.bat --output run.bat && run.bat -t <tenant_id> -c <client_id> -s <client_secret> -i <comma separated subscription-ids>

   If the above command is used, skip steps 2, 3, 4 and 5.
2. If curl is not installed, download the ‘exe’ manually using the link. Ensure that all old copies of azure.exe are deleted before downloading the new one. If this download method is used, continue to follow steps 2, 3, 4 and 5.
3. Open a command prompt.
4. Go to the directory containing azure.exe.
5. Enter the following command to run the tool:

   .\azure.exe -t <tenant_id> -c <client_id> -s <client_secret> -cp yes

The tool will start running and collect metrics for each VM instance sequentially. The time the tool takes to collect the information varies with the size of the account.
On Linux Terminal
curl https://audittool.s3.ap-south-1.amazonaws.com/script/run.sh --output run.sh && /bin/bash run.sh -t <tenant_id> -c <client_id> -s <client_secret> -i <comma separated subscription-ids>

Once the tool has finished running, you will find a zip file in the same directory containing CSV files with the metrics collected. You can review the metrics and share the zip file.