How ZEUS reads Azure (read-only Service Principal, ARM, Resource Graph, Defender, Entra Graph)
This is a key lesson for anyone deploying ZEUS at a customer. It shows how the connector reaches Azure — read-only — and which APIs it queries. The model is deliberately minimalist: an identity with no write permissions.
Identity: a read-only Service Principal
ZEUS registers an application (App Registration) and an associated Service Principal in the customer's tenant. We grant it two RBAC roles at the management group or subscription level:
- Reader — read access to the entire resource hierarchy,
- Security Reader — read access to Defender for Cloud data.
```bash
# Service principal with the Reader role on the subscription
az ad sp create-for-rbac --name "zeus-connector" \
  --role "Reader" --scopes "/subscriptions/<sub-id>"

# Additionally Security Reader (Defender data)
az role assignment create --assignee "<app-id>" \
  --role "Security Reader" --scope "/subscriptions/<sub-id>"
```
Tip: neither of these roles can modify resources. ZEUS has no permission to change anything at all — this is a guarantee for the customer's security team. Remediation, if enabled, requires a separate, explicitly approved authorization.
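A check the customer's security team can run against the output of `az role assignment list --assignee <app-id> --all -o json` to confirm the principal really holds only the two read-only roles. This is an added example, not ZEUS's own code; the allowed-role list and the sample assignments (including a deliberately wrong Contributor assignment) are constructed assumptions.

```python
import json

# Assumption: the only roles the connector principal is ever allowed to hold
ALLOWED_ROLES = {"Reader", "Security Reader"}

# Constructed sample in the shape `az role assignment list -o json` returns:
# the two expected assignments plus one that must never appear.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "zeus-connector", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalName": "zeus-connector", "roleDefinitionName": "Security Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalName": "zeus-connector", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"},
])


def audit_assignments(assignments_json, allowed_roles=ALLOWED_ROLES):
    """Return (ok, findings) for a role-assignment listing.

    ok is True only when every assignment uses an allowed role and every
    allowed role is present at least once. findings lists each violation:
    an unexpected role (possible write access) or a missing required role
    (the connector would silently lose a data source).
    """
    findings = []
    seen = set()
    for assignment in json.loads(assignments_json):
        role = assignment.get("roleDefinitionName")
        scope = assignment.get("scope", "<no scope>")
        if role in allowed_roles:
            seen.add(role)
        else:
            findings.append(f"unexpected role '{role}' at {scope}")
    for role in sorted(allowed_roles - seen):
        findings.append(f"required role '{role}' not assigned")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = audit_assignments(SAMPLE_ASSIGNMENTS)
    print("OK" if ok else "VIOLATIONS:")
    for line in findings:
        print("  -", line)
```

Run it against the live listing by replacing `SAMPLE_ASSIGNMENTS` with the file the `az` command writes; any non-empty findings list means the read-only guarantee no longer holds.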
Four data sources
1. Azure Resource Manager (ARM)
Azure's control plane. ZEUS queries ARM for resource details — VM, network, database and storage account configuration — through the management.azure.com REST API.
2. Azure Resource Graph
Fast, bulk KQL queries across the entire hierarchy. Ideal for inventorying tens of thousands of resources in a single query:
```bash
az graph query -q "
Resources
| where type =~ 'microsoft.compute/virtualmachines'
| project name, location, resourceGroup, subscriptionId
"
```
3. Microsoft Defender for Cloud
Through the security API ZEUS pulls in recommendations, assessments, Secure Score and alerts — without duplicating scans that Microsoft has already performed (see lesson 06).
4. Microsoft Graph (Entra ID)
Reads the identity configuration: users, groups, privileged roles, MFA state, Conditional Access policies. Requires Graph application permissions, including Directory.Read.All, Policy.Read.All and Reports.Read.All (the last of these is needed to correctly read the MFA state of users).
What ZEUS does with this data
| Source | What it reads | Why |
|---|---|---|
| ARM | resource configuration | misconfiguration detection |
| Resource Graph | inventory of the entire hierarchy | environment map |
| Defender | recommendations, alerts | posture + SecOps |
| Graph (Entra) | identity, MFA, roles | identity posture |
All four streams flow into a single ZEUS data model, where they merge with analogous data from AWS, GCP and on-premise. The result: a single security posture view of the customer's entire environment, with the ability to demonstrate compliance with NIS2, DORA and ISO 27001.
Track summary
We moved from the tenant hierarchy and RBAC, through networking, compute, storage and IaC, to security and the ZEUS connector. You now have the complete picture to understand how ZEUS "sees" a customer's Azure environment — and to lead a demo or deployment.