Applies to BloodHound Enterprise only

To complete the configuration process, you must have the following information:

| Item | Description |
| --- | --- |
| Directory (tenant) ID | Identifies the Microsoft Entra ID instance where you must register the AzureHound Enterprise application. |
| Application (client) ID | Identifies the AzureHound Enterprise app registration that you must create in the Microsoft Entra admin center. |
| AzureHound token ID | Identifies the AzureHound Enterprise collector client that you must create in BloodHound Enterprise. |
| AzureHound token | Provides the authentication key for the AzureHound Enterprise collector client that you must create in BloodHound Enterprise. |

Configuring AzureHound Enterprise involves the following steps:
Follow the steps below to create your AzureHound Enterprise configuration file using the AzureHound Enterprise CLI tool.
Step 1: Download AzureHound Enterprise

  1. Log in to your BloodHound Enterprise tenant.
  2. In the left menu, click Download Collectors.
  3. Download the AzureHound Enterprise ZIP archive.
    Choose the option suitable for your system’s architecture (ARM64 or AMD64).
  4. Extract the contents of the ZIP archive to a working directory on the system where you plan to run the AzureHound Enterprise binary.
Step 2: Configure connection to Azure

  1. Start the AzureHound Enterprise CLI tool with the configure command.
    C:\Users\Administrator.ROOT\Downloads\azurehound-v2.0.5\azurehound-windows-amd64>azurehound.exe configure
    
    To see all available options, run azurehound.exe -h.
  2. Select the Azure region where your organization’s tenant is hosted.
    Most organizations use the cloud region.
    AzureHound v2.0.5
    Created by the BloodHound Enterprise team - https://bloodhoundenterprise.io
    
    Use the arrow keys to navigate: ↓ ↑ ← →
    ? Azure Region:
      china
    > cloud
      germany
      usgov14
      usgov15
    
  3. Enter the Azure Directory (tenant) ID.
    Directory (tenant) ID: b82887fc-338d-44ab-97d6-ac32d060ad7e
    
  4. Enter the Azure Application (client) ID that you created when registering the AzureHound Enterprise application.
    Application (client) ID: 18a7b927-9905-484e-8b17-c09630ce8ff2
    
Step 3: Configure AzureHound authentication

  1. Select a method for authenticating AzureHound Enterprise to BloodHound Enterprise.
    We highly recommend certificate-based authentication.
    Use the arrow keys to navigate: ↓ ↑ ← →
    ? Authentication Method:
      > Certificate
        Client Secret
        Username and Password
    
  2. If using Certificate authentication, press Enter or type Y to create a new certificate and key.
    Authentication Method: Certificate
    ? Generate Certificate and Key? [Y/n]
    
    • The certificate generated by AzureHound expires after one year.
    • If using a certificate issued by another authority, AzureHound Enterprise supports certificates with the following characteristics:
      • PEM encoded
      • RSA 256
      • PKCS#8 or PKCS#5
  3. If using Certificate authentication, enter an optional passphrase for the private key.
    Authentication Method: Certificate
    v Private Key Passphrase (optional):
    
  4. Press Enter (or enter Y) to connect to BloodHound Enterprise.
    ? Setup connection to BloodHound Enterprise? [Y/n]
    
  5. Enter the URL of your BloodHound Enterprise tenant.
    v BloodHound Enterprise URL: https://enterprise.bloodhoundenterprise.io/
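
The certificate characteristics listed in step 2 above can be checked before you hand AzureHound Enterprise a key issued by another authority. The following Python pre-flight check is an added example, not part of AzureHound or of the original page: it tests PEM encoding, the PKCS#8 container and the RSA algorithm identifier only. It assumes that the "PKCS#5" item refers to a passphrase-encrypted PKCS#8 file (`ENCRYPTED PRIVATE KEY`), and the function names and the sample key header are constructed for illustration.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)
EC_OID = bytes.fromhex("2a8648ce3d0201")       # 1.2.840.10045.2.1 (id-ecPublicKey)
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def classify_key(text):
    """Return (acceptable, reason) for the text of a private key file."""
    m = PEM_RE.search(text)
    if not m:
        return False, "not PEM encoded"
    label, body = m.groups()
    if label == "ENCRYPTED PRIVATE KEY":  # assumed meaning of the page's "PKCS#5" item
        return True, "PKCS#8 encrypted with PKCS#5; algorithm not visible without the passphrase"
    if label != "PRIVATE KEY":
        return False, f"PEM label '{label}' is not a PKCS#8 private key"
    try:
        der = base64.b64decode("".join(body.split()))
        _, info, _ = _tlv(der, 0)      # PrivateKeyInfo SEQUENCE
        _, _, pos = _tlv(info, 0)      # version INTEGER
        _, alg, _ = _tlv(info, pos)    # AlgorithmIdentifier SEQUENCE
        tag, oid, _ = _tlv(alg, 0)     # algorithm OBJECT IDENTIFIER
    except (ValueError, IndexError):
        return False, "PEM body is not valid PKCS#8 DER"
    if tag != 0x06 or oid != RSA_OID:
        return False, "PKCS#8 container, but the key algorithm is not RSA"
    return True, "unencrypted PKCS#8 RSA key"

def sample_pem(oid):
    """Constructed sample: a PKCS#8 header around placeholder bytes, not a usable key."""
    alg = bytes([0x30, len(oid) + 4, 0x06, len(oid)]) + oid + b"\x05\x00"
    inner = b"\x02\x01\x00" + alg + b"\x04\x04\xde\xad\xbe\xef"
    der = bytes([0x30, len(inner)]) + inner
    return "-----BEGIN PRIVATE KEY-----\n" + base64.b64encode(der).decode() + "\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, oid in (("RSA", RSA_OID), ("EC", EC_OID)):
        print(name, classify_key(sample_pem(oid)))
```

A key that arrives as `RSA PRIVATE KEY` (PKCS#1) or as raw DER is reported as unacceptable, so it can be converted before it is referenced in the AzureHound Enterprise configuration.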
    
Step 4: Configure AzureHound collector client

  1. Create an AzureHound collector client. Continue to the next step when you have the Token ID and Token.
  2. Enter the collector client’s Token ID.
    v BloodHound Enterprise Token ID: bb7b957f-2508-400b-971e-6a1857cc0101
    
  3. Enter the collector client’s Token.
    v BloodHound Enterprise Token: ****************************************
    
  4. (Optional) Enter y if you want to use a proxy URL.
    Most organizations do not use a proxy.
    ? Set proxy URL? [y/N]
    
Step 5: Configure AzureHound logging

  1. Press Enter (or type y) to set up local logging.
    ? Setup AzureHound logging? [Y/n]
    
  2. Select the logging verbosity. As a starting point, we recommend Default.
    Use the arrow keys to navigate: ↓ ↑ ← →
    ? Verbosity:
        Disabled      
      > Default
        Debug
        Trace
    
  3. Enter a name for the log file.
    You can also enter a full path as the file name. If you do not specify a full path, AzureHound Enterprise writes the log file, under the specified name, to the same directory as the AzureHound binary.
    v Log file (optional): azurehound.log
    
  4. If you want AzureHound Enterprise to generate JSON-structured logs, press Enter or type y.
    ? Enable Structured Logs? [y/N]
    
Step 6: Review configuration summary

When configuration is complete, the AzureHound Enterprise CLI tool displays a configuration summary.
Configuration written to C:\Users\Administrator.ROOT\.config\azurehound\config.json
Key written to C:\Users\Administrator.ROOT\.config\azurehound\key.pem
Certificate written to C:\Users\Administrator.ROOT\.config\azurehound\cert.pem

Ensure certificate is uploaded to your application's client credentials
If you are using Certificate authentication, the summary also includes the location of the certificate, which you need to complete the configuration in Azure.