Azure Cloud Organizations

Configure a Cloud Organization in TOS Classic to automatically discover and onboard subscriptions from Azure Management Groups.

The Cloud Organizations page in Device Groups lists existing organizations, their settings, and options available to manage them.


Azure cloud organization settings

Cloud organization settings are divided into Azure-specific and automatic account settings.

Azure-specific cloud organization settings

The table below describes the Azure-specific settings for a cloud organization.

Field Name Description

Name

Required.

The display name for the cloud organization.

Tenant ID

Required.

The Microsoft Entra tenant ID: the unique identifier of the tenant whose subscriptions are imported for this cloud organization.

Management Group

Optional.

The ID of the Management Group that contains the subscriptions to import.

  • If not defined, TOS imports all subscriptions for the tenant specified by Tenant ID.

  • When defined, TOS imports the subscriptions assigned to the specified Management Group, including any child Management Groups and their subscriptions.

To import subscriptions at a more granular level, define the cloud organization multiple times using different Names, and for each Name specify the Management Group that contains the subscriptions to import.

See Overview on Management Groups.

Application Client ID

Required.

The unique identifier of the application, automatically generated on registering the application in Microsoft Entra ID. See Register an application in Microsoft Entra ID.

Application Secret

Required.

Also called the Client Secret, the credential used by the Application Client for authentication. The Application Secret is manually generated in the Azure portal. See Register an application in Microsoft Entra ID.

Proxy Server

Optional.

The proxy server and settings to connect to the cloud organization:

  • IP/Hostname: Required. The IP address or Hostname of the proxy server.

  • Port: Required. The port to connect to on the proxy.

  • Username: Optional. The username, if the proxy server requires authentication.

  • Password and Confirm Password: Optional. The password, if the proxy server requires authentication.
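Before saving a cloud organization, it is worth previewing which subscriptions the Tenant ID and Management Group settings will actually pull in, especially when the same tenant is defined several times with different Management Groups. The script below is an added example and is not Tufin code or part of TOS; it walks a constructed management-group tree in the shape returned by the Azure CLI command `az account management-group show --name <MG> --expand --recurse` (the child type strings "Microsoft.Management/managementGroups" and "/subscriptions" are the ARM API values and are assumed here), resolves a Management Group to its subscriptions including all child groups, and reports subscriptions that more than one cloud organization definition would import. The tree contents, names and GUIDs are constructed sample data.

```python
"""Added example (not Tufin code): preview the subscriptions a cloud
organization's Management Group setting would import, and flag overlaps
between several cloud organization definitions for the same tenant."""
import json
import re

# Constructed sample in the shape of:
#   az account management-group show --name tenant-root --expand --recurse
# Real output names the root group after the tenant ID; "tenant-root"
# and the subscription GUIDs below are placeholders.
SAMPLE_TREE = json.loads("""
{
  "name": "tenant-root", "displayName": "Tenant Root Group",
  "type": "Microsoft.Management/managementGroups",
  "children": [
    {"name": "prod", "displayName": "Production",
     "type": "Microsoft.Management/managementGroups",
     "children": [
       {"name": "11111111-1111-1111-1111-111111111111",
        "displayName": "prod-core", "type": "/subscriptions"},
       {"name": "prod-eu", "displayName": "Production EU",
        "type": "Microsoft.Management/managementGroups",
        "children": [
          {"name": "22222222-2222-2222-2222-222222222222",
           "displayName": "prod-eu-web", "type": "/subscriptions"}
        ]}
     ]},
    {"name": "dev", "displayName": "Development",
     "type": "Microsoft.Management/managementGroups",
     "children": [
       {"name": "33333333-3333-3333-3333-333333333333",
        "displayName": "dev-sandbox", "type": "/subscriptions"}
     ]},
    {"name": "44444444-4444-4444-4444-444444444444",
     "displayName": "shared-services", "type": "/subscriptions"}
  ]
}
""")

MG_TYPE = "Microsoft.Management/managementGroups"   # assumed ARM child type
SUB_TYPE = "/subscriptions"                          # assumed ARM child type


def find_group(node, mg_id):
    """Depth-first search for the management group whose ID is mg_id."""
    if node.get("type") == MG_TYPE and node.get("name") == mg_id:
        return node
    for child in node.get("children") or []:
        hit = find_group(child, mg_id)
        if hit is not None:
            return hit
    return None


def subscriptions_under(node):
    """Subscription IDs directly in node plus those in all child groups."""
    subs = set()
    for child in node.get("children") or []:
        if child.get("type") == SUB_TYPE:
            subs.add(child["name"])
        elif child.get("type") == MG_TYPE:
            subs |= subscriptions_under(child)
    return subs


def preview_import(tree, mg_id=None):
    """What a cloud organization would import: the whole tenant when the
    Management Group field is empty, otherwise that group and its descendants."""
    if not mg_id:
        return subscriptions_under(tree)
    node = find_group(tree, mg_id)
    if node is None:
        raise ValueError(f"management group {mg_id!r} not found under {tree['name']!r}")
    return subscriptions_under(node)


def overlapping(tree, org_to_mg):
    """Map subscription -> cloud organization names that would each import it
    (only entries with two or more organizations are returned)."""
    seen = {}
    for org, mg in org_to_mg.items():
        for sub in preview_import(tree, mg):
            seen.setdefault(sub, []).append(org)
    return {sub: orgs for sub, orgs in seen.items() if len(orgs) > 1}


GUID = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def looks_like_guid(value):
    """Sanity check for the Tenant ID and Application Client ID fields, which are GUIDs."""
    return bool(GUID.match(value))


if __name__ == "__main__":
    print("whole tenant:", sorted(preview_import(SAMPLE_TREE)))
    print("prod + children:", sorted(preview_import(SAMPLE_TREE, "prod")))
    print("overlap:", overlapping(SAMPLE_TREE, {"Azure-Prod": "prod", "Azure-ProdEU": "prod-eu"}))
```

Feed it the real JSON from `az account management-group show` (after `az login --service-principal` with the same Application Client ID and Secret you enter in TOS) to confirm the service principal can see the groups you expect, and review any overlap it reports before defining the same tenant twice.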

Automatic subscription import settings

When configuring a cloud organization, you can enable automatic discovery and import for the subscriptions, and also configure the default behavior for usage analysis.

Automatic subscription import frequency
When enabled, automatic subscription imports occur daily at midnight. To change the scheduled time, contact Tufin Customer Support.

Manual subscription import
Manually import on demand, even when automatic import is enabled. Manual import behavior differs depending on whether auto import is enabled or disabled. See Azure Cloud Organizations.

Both automatic and manual subscription imports only add new entities. Subscriptions that have since been deleted or removed in Azure are not removed from TOS during import.

The table below describes the automatic subscription import settings you can configure for an Azure cloud organization.

Field Name Description

Automatic import settings

When selected, imports subscriptions on the predefined automated schedule. Monitoring and usage analysis features enabled for the cloud organization are inherited by all of its devices.

Collect traffic logs for rule usage analysis

Collects traffic logs using Azure Firewall and NSG (supported from R24-1).

Collect traffic logs for object usage analysis

Requires Collect traffic logs for rule usage analysis.
When selected, collects traffic logs using NSG (supported from R24-2).

Enable Rule Optimizer recommendations

Requires Collect traffic logs for rule usage analysis and Collect traffic logs for object usage analysis.

Supported from R25-2 PHF1 and later.

When selected, enables recommendations to tighten overly permissive rules based on traffic usage data. See Rule Optimizer.

Enable topology

When selected, collects routing information to build the network Map.

Automatic VNet import

Determines if SecureTrack automatically detects VNet changes in the vendor environment.

When selected, reflects added or deleted VNets in the device list and revision history.

Add Azure cloud organizations

Add a cloud organization directly from Device Groups, or through Manage Device before adding the device. This procedure describes how to add a cloud organization from Device Groups.

  1. Select Cloud Organizations, and then click + ADD CLOUD ORGANIZATION. The Add Cloud Organization page is displayed.

  2. Define the settings for the Cloud Organization, as described in Azure-specific cloud organization settings.

  3. Optional. Define the settings for automatic subscription import, as described in Automatic subscription import settings.

    If automatic subscription import is not configured, you can manually import subscriptions when needed.

  4. Click Save.