Azure Security Score


Azure Security Score provides a centralized view of an organization’s security posture by measuring how well Azure resources follow Microsoft’s recommended security best practices. These records help track overall security improvements and identify areas that need attention. The integration collects secure scores and secure score controls. For more details, refer to Microsoft’s official documentation.

Integration Method: API

Tables: Assessment Finding (99402001)

This integration supports the following events.

Event(s)                 Description
Secure Scores            List secure scores for all your Microsoft Defender for Cloud initiatives within your current scope.
Secure Score Controls    Get all security controls within a scope.

This integration supports the following versions.

Azure Security Score API version    2020-01-01

Prerequisites

  • The user should have access to the Azure portal with an account that has the Global Administrator role.

  • The user should have access to the DataBee console.

Configuration Overview

  1. Create an application with the required permissions to fetch the data.

  2. Create the Azure Security Score Data Feed in the DataBee console with the required client credentials.

    DataBee Parameter                   Azure Parameter
    Client Key                          Application (client) ID
    Client Secret                       Client secret Value
    Token URL (<tenant_id>)             Directory (tenant) ID
    Subscription ID (subscriptionId)    Subscription ID

Azure Configuration

Create an application

  1. Log on to the Azure portal with an account that has the Global Administrator role.

  2. In the search bar, search for App registrations and select it.

  3. On the “Register an application” window:

    1. Under ‘Name’, enter your Application Name, then click Register to create the application.

  4. On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.

  5. Log on to the Azure portal with an account that has the Global Administrator role. In the search bar, search for Subscriptions and select it.

  6. Select your Subscription name.

  7. On the Overview page, copy the Subscription ID for later use.

Add Endpoint Access

Once the application is created, it must be granted permission to fetch data: the application needs the appropriate permissions to access these endpoints. The following section details how to configure and add permissions for the required endpoints.

Add Permissions

From the Azure Active Directory portal:

  1. Select the application registered in the previous step.

  2. Under Manage, click API permissions and then click Add a permission; the “Request API permissions” window will appear.

  3. On the “Request API permissions” window, click Microsoft APIs and then Microsoft Graph.

  4. Click Application permissions, search for SecurityEvents.Read.All and select it. Click Add permissions.

  5. The following permissions need to be granted for the endpoint to function properly:

    Permission Name            Type
    SecurityEvents.Read.All    Application

  6. In the search bar, search for Subscriptions and select your Subscription name.

  7. Assign the Reader role on the Subscription. Click Access control (IAM) and select Add.

    Role: Security Reader

    Scope: Subscription

  8. Under Role, search for Security Reader and select it. Click Next.

  9. Under Members, select the member to be added. Click Next.

  10. Under Assignment type, click Review + assign and click Next.

  11. Under Review + assign, verify the details (role, member, etc.) and click Review + assign.

    Action: Grant the Reader role on the Subscription to the App Registration to enable read-only access to subscription-level resources.

Create the Client Secret

The final step in accessing the APIs is creating a Client Secret. To create it from the Azure portal:

  1. Select the application created above.

  2. Under Manage, click Certificates & secrets, and then Client secrets.

  3. Click New client secret. The “Add a client secret” window appears.

  4. On the “Add a client secret” window:

    1. Enter a ‘Description’ for this client secret and select the desired expiry period from the ‘Expires’ drop-down list.

    2. Click Add to create the client secret.

      Note:

      The user needs to re-create the client secret when it expires.

  5. Copy the Value field for later use; it is shown only once.
     

This completes the setup for Azure Security Score API integration.

DataBee Configuration

  1. Log in to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.

  2. Search for Azure Security Score and click it.

  3. Click the API Ingest option as the collection method.

  4. Enter the feed contact information. Leave the Entity Resolution checkbox checked if you want entity resolution, otherwise uncheck it, and scroll down.
     

  5. In the configuration page, confirm the following:


  6. Click the Test Connection button once the details are added.

  7. Click the Submit button once Test Connection is successful.
     

Troubleshooting Tips

  • If you see an invalid client or unauthorized client error, this may be due to incorrect credentials. Ensure the Client Key, Client Secret and Tenant ID are pasted correctly. Since the client secret cannot be viewed after it is first shown, re-create it, paste it into a text editor to confirm that no spaces or unexpected characters are included, and reconfigure the DataBee feed.

  • If you receive a 403 response code, this may be due to missing permissions. Ensure that all the required permissions are granted correctly, as described in the steps above.
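The following script is an added pre-flight check for the credentials produced by the Azure configuration above; it is not DataBee's or Microsoft's code. It assumes the feed reads the Azure Resource Manager secure score endpoints (inferred here from the 2020-01-01 API version and the Subscription ID parameter listed on this page) and that the Token URL is the tenant's v2.0 OAuth2 token endpoint. It requests a token with the client-credentials grant, calls the Secure Scores and Secure Score Controls endpoints, and maps a failure to the two troubleshooting cases above (credentials versus permissions). All tenant, client, secret and subscription values are placeholders.

```python
"""Pre-flight check for the Azure Security Score feed credentials (added example)."""
import json
import urllib.error
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2020-01-01"  # Azure Security Score API version listed on the page


def token_url(tenant_id: str) -> str:
    """Token URL: the Directory (tenant) ID fills the <tenant_id> slot."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def token_request(tenant_id: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Client-credentials grant. Client Key = Application (client) ID,
    Client Secret = the secret Value copied when the secret was created.
    The scope is the ARM audience because secure scores are served by ARM
    (assumption stated in the lead-in)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{ARM}/.default",
    }).encode()
    return urllib.request.Request(token_url(tenant_id), data=body, method="POST")


def secure_scores_url(subscription_id: str) -> str:
    """Secure Scores event: list secure scores within the subscription scope."""
    return (f"{ARM}/subscriptions/{subscription_id}/providers/"
            f"Microsoft.Security/secureScores?api-version={API_VERSION}")


def secure_score_controls_url(subscription_id: str) -> str:
    """Secure Score Controls event: all security controls within the scope."""
    return (f"{ARM}/subscriptions/{subscription_id}/providers/"
            f"Microsoft.Security/secureScoreControls?api-version={API_VERSION}")


def diagnose(status: int, body: str) -> str:
    """Map a failed HTTP response to the troubleshooting cases on the page."""
    try:
        err = json.loads(body)
    except ValueError:
        err = {}
    if not isinstance(err, dict):
        err = {}
    code = err.get("error")
    if isinstance(code, dict):  # ARM nests the code: {"error": {"code": ...}}
        code = code.get("code")
    if status in (400, 401) and code in ("invalid_client", "unauthorized_client"):
        return "credentials: check the Client Key, Client Secret and Tenant ID"
    if status == 403:
        return "permissions: check API permissions and the subscription role assignment"
    return f"unexpected: HTTP {status} {code}"


def get_json(req: urllib.request.Request) -> dict:
    """Perform the request and decode the JSON body (network call)."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def main(tenant_id: str, client_id: str, client_secret: str, subscription_id: str) -> None:
    try:
        token = get_json(token_request(tenant_id, client_id, client_secret))["access_token"]
        auth = {"Authorization": f"Bearer {token}"}
        for url in (secure_scores_url(subscription_id), secure_score_controls_url(subscription_id)):
            data = get_json(urllib.request.Request(url, headers=auth))
            name = url.rsplit("/", 1)[-1].split("?")[0]
            print(f"{name}: {len(data.get('value', []))} item(s) returned")
    except urllib.error.HTTPError as e:
        print(diagnose(e.code, e.read().decode(errors="replace")))


if __name__ == "__main__":
    # Placeholder values; replace with the IDs copied during the Azure configuration.
    main("<tenant_id>", "<client_id>", "<client_secret>", "<subscription_id>")
```

Run it with the four values before clicking Test Connection in DataBee: a "credentials" result means re-create the client secret and re-check the Client Key and Tenant ID; a "permissions" result means the role assignment on the subscription (step 7 above) or the API permission has not been granted yet.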