diff --git a/docs/assets/azurehound-install-app-registrations.png b/docs/assets/azurehound-install-app-registrations.png
deleted file mode 100644
index 6d72d6be..00000000
Binary files a/docs/assets/azurehound-install-app-registrations.png and /dev/null differ
diff --git a/docs/assets/azurehound-install-branding-result.png b/docs/assets/azurehound-install-branding-result.png
deleted file mode 100644
index 8b8960f0..00000000
Binary files a/docs/assets/azurehound-install-branding-result.png and /dev/null differ
diff --git a/docs/assets/azurehound-install-branding.png b/docs/assets/azurehound-install-branding.png
deleted file mode 100644
index a90d4124..00000000
Binary files a/docs/assets/azurehound-install-branding.png and /dev/null differ
diff --git a/docs/assets/azurehound-install-upload-logo.png b/docs/assets/azurehound-install-upload-logo.png
deleted file mode 100644
index 5c6cb50b..00000000
Binary files a/docs/assets/azurehound-install-upload-logo.png and /dev/null differ
diff --git a/docs/assets/image-103.png b/docs/assets/image-103.png
deleted file mode 100644
index 029acd2e..00000000
Binary files a/docs/assets/image-103.png and /dev/null differ
diff --git a/docs/assets/image-106.png b/docs/assets/image-106.png
deleted file mode 100644
index 445d6b6a..00000000
Binary files a/docs/assets/image-106.png and /dev/null differ
diff --git a/docs/assets/image-108.png b/docs/assets/image-108.png
deleted file mode 100644
index afd76062..00000000
Binary files a/docs/assets/image-108.png and /dev/null differ
diff --git a/docs/assets/image-110.png b/docs/assets/image-110.png
deleted file mode 100644
index 6ba1b9ce..00000000
Binary files a/docs/assets/image-110.png and /dev/null differ
diff --git a/docs/assets/image-111.png b/docs/assets/image-111.png
deleted file mode 100644
index 775d7489..00000000
Binary files a/docs/assets/image-111.png and /dev/null differ
diff --git a/docs/assets/image-113.png b/docs/assets/image-113.png
deleted file mode 100644
index 4ff8d5f4..00000000
Binary files a/docs/assets/image-113.png and /dev/null differ
diff --git a/docs/assets/azurehound-install-consent-granted.png b/docs/images/data_collectors/azurehound/admin-consent-granted.png
similarity index 100%
rename from docs/assets/azurehound-install-consent-granted.png
rename to docs/images/data_collectors/azurehound/admin-consent-granted.png
diff --git a/docs/assets/image-105.png b/docs/images/data_collectors/azurehound/app-registration-details.png
similarity index 100%
rename from docs/assets/image-105.png
rename to docs/images/data_collectors/azurehound/app-registration-details.png
diff --git a/docs/images/data_collectors/azurehound/directory-read-all.png b/docs/images/data_collectors/azurehound/directory-read-all.png
new file mode 100644
index 00000000..6da62b2e
Binary files /dev/null and b/docs/images/data_collectors/azurehound/directory-read-all.png differ
diff --git a/docs/images/data_collectors/azurehound/grant-admin-consent.png b/docs/images/data_collectors/azurehound/grant-admin-consent.png
new file mode 100644
index 00000000..56eaf1c7
Binary files /dev/null and b/docs/images/data_collectors/azurehound/grant-admin-consent.png differ
diff --git a/docs/assets/image-109.png b/docs/images/data_collectors/azurehound/ms-graph-api-permission-type.png
similarity index 100%
rename from docs/assets/image-109.png
rename to docs/images/data_collectors/azurehound/ms-graph-api-permission-type.png
diff --git a/docs/assets/image-104.png b/docs/images/data_collectors/azurehound/register-app.png
similarity index 100%
rename from docs/assets/image-104.png
rename to docs/images/data_collectors/azurehound/register-app.png
diff --git a/docs/assets/azurehound-install-remove-user-read-permission.png b/docs/images/data_collectors/azurehound/remove-default-permission.png
similarity index 100%
rename from docs/assets/azurehound-install-remove-user-read-permission.png
rename to docs/images/data_collectors/azurehound/remove-default-permission.png
diff --git a/docs/images/data_collectors/azurehound/rolemanagement-read-all.png b/docs/images/data_collectors/azurehound/rolemanagement-read-all.png
new file mode 100644
index 00000000..e5e8072d
Binary files /dev/null and b/docs/images/data_collectors/azurehound/rolemanagement-read-all.png differ
diff --git a/docs/images/data_collectors/grant_admin_consent.png b/docs/images/data_collectors/grant_admin_consent.png
deleted file mode 100644
index 72fe486a..00000000
Binary files a/docs/images/data_collectors/grant_admin_consent.png and /dev/null differ
diff --git a/docs/images/data_collectors/rolemanagement_read_all.png b/docs/images/data_collectors/rolemanagement_read_all.png
deleted file mode 100644
index 8b29598a..00000000
Binary files a/docs/images/data_collectors/rolemanagement_read_all.png and /dev/null differ
diff --git a/docs/install-data-collector/install-azurehound/azure-configuration.mdx b/docs/install-data-collector/install-azurehound/azure-configuration.mdx
index 73b0f423..63b3c4d1 100644
--- a/docs/install-data-collector/install-azurehound/azure-configuration.mdx
+++ b/docs/install-data-collector/install-azurehound/azure-configuration.mdx
@@ -1,277 +1,439 @@
---
title: AzureHound Enterprise Azure Configuration
-description: "This section details creating and configuring an Enterprise Application for AzureHound within Microsoft Entra ID, including API permissions, roles, and authentication certificate."
+description: Follow this guide to configure Microsoft Entra ID for AzureHound Enterprise data collection.
---
+import ManagedIdentityRecommendation from '/snippets/hounds/managed-id-recommendation.mdx';
+
-## Create the AzureHound Enterprise app
-1. Log into the [Microsoft Entra admin center](https://entra.microsoft.com/) as a user with the [Global Administrator] role,
- or the following less privileged roles:
-
- * [Privileged Role Administrator] AND
- * [Application Administrator] OR [Cloud Application Administrator]
-
-[Global Administrator]: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#global-administrator
-[Privileged Role Administrator]: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#privileged-role-administrator
-[Cloud Application Administrator]: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#cloud-application-administrator
-[Application Administrator]: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#application-administrator
-
-2. In the left menu, select **App registrations**.
-
- 
-
-
-3. Click **New registration**.
-
- 
-
+Creating a Microsoft Entra ID application registration is a prerequisite for AzureHound Enterprise data collection and involves the following steps:
+
+```mermaid
+graph LR
+ A[Create a
+ new app
+ registration] --> B[Assign
+ required API
+ permissions]
+ B --> C[Configure
+ authentication
+ methods]
+ C --> D[Assign
+ required
+ access roles]
+```
+
+Some steps are required before you can complete the [AzureHound configuration](/install-data-collector/install-azurehound/create-configuration). At minimum, you must create the application registration because AzureHound requires an Entra ID **Directory (tenant) ID** and **Application (client) ID**.
+
+For managed identity authentication, you must first create the identity in Azure and configure the app registration to use it because AzureHound requires the **Managed Identity Client ID**.
+
+For certificate authentication, you must also upload the certificate to the app registration if you're using the AzureHound Enterprise CLI tool to create the certificate.
+
+## Create a new app registration
+
+This section guides you through the minimum steps to create a new application registration in Microsoft Entra ID for AzureHound Enterprise data collection.
+
+See the Microsoft [documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app) for more information.
+
+
+
+
+ Log into the [Microsoft Entra admin center](https://entra.microsoft.com/) as a user with the [Global Administrator] role, or the following less privileged roles:
+
+ - [Privileged Role Administrator] AND
+ - [Application Administrator] OR [Cloud Application Administrator]
+
+ {/* Link definitions */}
+ [Global Administrator]: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#global-administrator
+ [Privileged Role Administrator]: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#privileged-role-administrator
+ [Cloud Application Administrator]: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#cloud-application-administrator
+ [Application Administrator]: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#application-administrator
+
+
+
+
+
+ 1. In the left menu, click **Entra ID** > **App registrations** > **New registration**.
+
+ 1. In the **Name** field, enter a name for the application to identify it in your organization.
+
+ Make sure the supported account type is set to the **Accounts in this organizational directory only (Single tenant)** option. A URI is not required.
+
+
+ 
+
+
+ 1. Click **Register** to create the application registration.
+
+
+
+
+
+ In the **Overview** menu, copy the **Application (client) ID** and **Directory (tenant) ID**.
+
+ You will need this information later to configure [AzureHound Enterprise](/install-data-collector/install-azurehound/create-configuration).
+
+
+ 
+
+
+ Continue to the [Grant Microsoft Graph Permissions](#grant-microsoft-graph-permissions) section.
+
+
+
+
+
+## Assign required API permissions
+
+This section describes how to assign the required Microsoft Graph API permissions to the AzureHound Enterprise application registration.
+
+See the [Microsoft documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-access-web-apis#add-permissions-to-access-microsoft-graph) for more information.
+
+
+
+
+ On the **Overview** page of the app registration, click **API Permissions**.
+
+
+
+
+
+ Remove the default **User.Read** delegated permission. It is not required for AzureHound Enterprise data collection.
+
+
+ 
+
+
+
+
+
+
+ 1. Click **Add a permission** > **Microsoft Graph**.
+
+ 1. Select **Application permissions**.
+
+
+ 
+
+
+ 1. Search for the **Directory.Read.All** permission and check the box next to it.
+
+
+ 
+
+
+ 1. Search for the **RoleManagement.Read.All** permission and check the box next to it.
+
+
+ 
+
+
+ 1. Click **Add permissions**.
+
+
+
+
+
+ After adding the required permissions, you must grant admin consent for the application to use them.
+
+ 1. Click **Grant admin consent for <your\_tenant\_name>**.
+
+
+ 
+
+
+ 1. Click **Yes** in the confirmation dialog.
+
+ 1. After being redirected to API Permissions again, you should see both permissions as **Granted**.
+
+
+ 
+
+
+ Continue to the [Configure authentication](#configure-authentication) section.
+
+
+
+
+
+## Configure authentication
+
+This section describes how to configure authentication methods for the AzureHound Enterprise application registration. AzureHound Enterprise supports the following authentication methods:
+
+- Azure Managed Identity _(recommended)_
+- Certificate
+- Client Secret
+- Username and Password
+
+This section provides instructions for configuring the **Azure Managed Identity** and **Certificate** authentication methods. For information on other methods, see the Microsoft [documentation](https://learn.microsoft.com/en-us/entra/identity-platform/how-to-add-credentials).
+
+### Managed identity (recommended)
+
+Managed identities provide the most secure authentication method by eliminating credential management entirely. Microsoft Entra ID automatically manages the identity lifecycle, but you must properly configure the identity-to-host assignment and federated trust.
+
+This section describes how to configure Azure Managed Identity authentication for the AzureHound Enterprise application registration.
+
+You will need the managed identity **Client ID** to complete [AzureHound configuration](/install-data-collector/install-azurehound/create-configuration) later.
+
+
+
+
+
+
+
+ Sign in to the [Azure portal](https://portal.azure.com/) and search for **Managed Identities** in the top search bar.
+
+
+
+
+ Click **Create** and enter the required information to create a new user-assigned managed identity.
+
+ See the Microsoft [documentation](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/manage-user-assigned-managed-identities-azure-portal) for more information.
+
+
+
+
+ 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) and navigate to the previously created AzureHound Enterprise application registration.
+
+ 1. In the left menu, click **Certificates & secrets** > **Federated credentials** > **Add credential**.
+
+ 1. From the **Federated credential scenario** drop-down menu, select **Managed Identity** and enter the required information.
+
+ See the Microsoft [documentation](https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity) for more information.
+
+ 1. Click **Add**.
+
+
+
+
+### Certificate
+
+Certificates provide stronger authentication than client secrets or username and password combinations, but you must manage and rotate them properly.
+
+This section describes how to add an authentication certificate to the AzureHound Enterprise application registration.
+
+If you have not already created a certificate, see [Create an AzureHound Configuration](/install-data-collector/install-azurehound/create-configuration) before proceeding.
+
+
+
+
+ 1. On the **Overview** page of the app registration, click **Certificates & secrets**.
+
+
+ 
+
+
+ 1. Click **Certificates**.
+
+
+ 
+
+
+
+
+
+ 1. Click **Upload certificate**.
+
+
+ 
+
+
+ 1. Locate the `cert.pem` file that you created during [AzureHound configuration](/install-data-collector/install-azurehound/create-configuration).
+
+ 1. Click the folder icon, select the `cert.pem` file, and add a description (optional).
-4. In the **Name** field, give the application an identifying name in your organization. Make sure the supported account type is set to the "Accounts in this organizational directory only (Single tenant)" option. A URI is not required. Then click **Register**.
-
- 
-
+
+ 
+
-5. In the **Overview** menu, copy the **Application (client) ID** and **Directory (tenant) ID** to be used later in [AzureHound Enterprise Local Configuration](/install-data-collector/install-azurehound/create-configuration).
-
- 
-
+ 1. Click **Add**.
+
+
-6. Continue to the next section: "Grant Microsoft Graph Permissions".
+## Assign required access roles
-## Grant Microsoft Graph Permissions
-1. In the AzureHound application, select **API Permissions**.
-
- 
-
+This section describes how to assign the required access roles to the AzureHound Enterprise application registration for data collection.
-2. Remove the default **User.Read** delegated permission from the application, as it is not needed for data collection. Confirm the operation in the dialog window that appears after selecting the **Remove permission** option from the context menu.
-
- 
-
+### Assign Directory Readers role on the Entra ID tenant
-3. Select **Add a permission**.
-
- 
-
+The AzureHound Enterprise application registration requires the **Directory Readers** role to read Entra ID data. Follow the steps below to assign this role.
-4. Click on **Microsoft Graph**.
-
- 
-
+
+
-5. Select **Application permissions**.
-
- 
-
+ In the left menu, click **Entra ID** > **Roles & admins**.
-6. Search for the **Directory.Read.All** permission and check the box next to it.
-
- 
-
+
+
-7. Search for the **RoleManagement.Read.All** permission and check the box next to it.
-
- 
-
+ 1. Search for the **Directory Readers** role and click the role name or description.
-8. In the bottom of the window, select **Add permissions**.
-
- 
-
+ Clicking the checkbox sometimes prevents clicking on the role itself.
-9. Click on **Grant admin consent for <your\_tenant\_name>**.
-
- 
-
+
+ 
+
-10. Click **Yes** on the confirmation dialog.
-
- 
-
+ 1. Click **Add assignments**.
-11. After being redirected to API Permissions again, you should see both permissions as **Granted**.
-
- 
-
+
+ 
+
-12. Continue to the next section: "Add application authentication certificate".
+ 1. Click **No member selected** to open the search window.
-## Add application authentication certificate
+
+ 
+
-This section requires you have authentication material.
+ 1. Search for the previously created service principal with either its name, application ID, or object ID. Select it by clicking on it.
-We highly recommend using certificate-based authentication. If you do not already have a certificate created, follow the article [AzureHound Enterprise Local Configuration](/install-data-collector/install-azurehound/create-configuration) and then return back here.
+
+ 
+
-1. Select the **Certificates & secrets** section on the left.
-
-
-
+ 1. Click **Select**.
-2. Click on **Certificates**.
-
-
-
+
+ 
+
-3. Click **Upload certificate**.
-
-
-
+ 1. Validate that your principal is displayed and click **Next**.
-4. Locate the **cert.pem** file created during AzureHound setup (either on your own, or utilizing the instructions at [AzureHound Enterprise Local Configuration](/install-data-collector/install-azurehound/create-configuration)).
+
+ 
+
-5. Click the folder icon and locate the "cert.pem" file. Add a description if desired.
-
-
-
+ 1. Ensure that the Assignment type is **Active** and the **Permanently assigned** box is checked. Enter a justification and click **Assign**.
-6. In the bottom of the window, select **Add**.
+
+ 
+
-7. Continue to the next section to optionally configure application branding.
+ 1. Confirm that the service principal is a **Directory Reader** by refreshing the view.
-## Configure application branding (optional)
+
+
-_Note: All steps in this section are optional and do not affect the functionality of the collector._
+### Grant Reader role on all Azure subscriptions
-1. Download the [AzureHound Enterprise icon](/assets/icons/entra-bhe-app-icon.png) to your computer.
+If you do not have any management groups, you may either create your Tenant Root Group following the prompts in the middle of the screen to ensure future visibility if another administrator begins use of subscriptions, or you may skip this section altogether.
-2. Still on the AzureHound application in the Entra ID admin center, open the **Branding & properties** section.
-
- 
-
+If you skip this section, you will see a warning in the logs for each collection indicating the lack of ability to collect this data accordingly.
-3. Click the **Select a file** button and browse to the file you previously downloaded.
-
- 
-
+
+
-4. Provide a human-readable **Name** for the application, e.g., **BloodHound Enterprise Collector (AzureHound)**.
+ 1. Log into the [Azure portal](https://portal.azure.com/) as a user with the [User Access Administrator](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/privileged#user-access-administrator) role.
-5. Type your BloodHound Enterprise tenant URL into the **Home page URL** field. This is for record keeping only.
+ 1. Search for and select the **Management groups** item in the top search bar.
-6. Click the **Save** button and review the results.
-
- 
-
+
+ 
+
+
+ 1. Select **Tenant Root Group**.
-7. Continue to the next section to assign the Directory Readers role on your Entra ID tenant.
+
+ 
+
-## Assign "Directory Readers" role on the Entra ID tenant
+
+
-1. In the left menu, select **Roles & admins**.
-
- 
-
+ 1. Select **Access control (IAM)**.
-2. Search for the role **Directory Readers** and click the role name or description.
- _Note: Clicking the checkbox sometimes prevents clicking on the role itself._
-
-
-
+
+ 
+
-3. In the "Directory Readers" role, select **Add assignments**.
-
-
-
+ 1. Select **Role assignments**.
-4. Click **No member selected** to open the search window.
-
-
-
+
+ 
+
-5. Search for the previously created service principal with either its name, application ID, or object ID. Select it by clicking on it.
-
-
-
+ 1. Click **Add**, then **Add role assignment**.
-6. Click **Select**.
-
-
-
+
+ 
+
-7. Validate that your principal is displayed and click **Next**.
-
-
-
+ 1. Find the **Reader** role and select it.
-8. Ensure that the Assignment type is **Active** and the **Permanently assigned** box is checked. Provide a justification and click **Assign**.
-
-
-
+
+ 
+
-9. Confirm the service principal is a Directory Reader by refreshing this view.
+ 1. Click **Members**.
-10. Continue to the next section to assign the Reader role on your Azure subscriptions.
+
+ 
+
-## Grant "Reader" role on all Azure subscriptions
+ 1. Click **Select members**.
-_Note: If you do not have any management groups, you may either create your Tenant Root Group following the prompts in the middle of the screen to ensure future visibility if another administrator begins use of subscriptions, or you may skip this section altogether. If you skip this section, you will see a warning in the logs for each collection indicating the lack of ability to collect this data accordingly._
+
+ 
+
-1. Log into the [Azure portal](https://portal.azure.com/) as a user with the [User Access Administrator](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/privileged#user-access-administrator) role.
+ 1. Search for and click on your previously created service principal.
-2. Search for and select the **Management groups** item in the top search bar.
-
-
-
+
+ 
+
-3. Select **Tenant Root Group**.
-
-
-
+ 1. Validate the principal selected, then click **Select**.
-4. Select **Access control (IAM)**.
-
-
-
+
+ 
+
-5. Select **Role assignments**.
-
-
-
+
+
-6. Click **Add**, then **Add role assignment**.
-
-
-
+ 1. Click the tab **Review + Assign**.
-7. Find the **Reader** role and select it.
-
-
-
+
+ 
+
-8. Click **Members**.
-
-
-
+ 1. Click **Review + Assign** at the bottom of the page.
-9. Click **Select members**.
-
-
-
-
-10. Search for and click on your previously created service principal.
-
-
-
+
+ 
+
-11. Validate the principal selected, then click **Select**.
-
-
-
-
-12. Click the tab **Review + Assign**.
-
-
-
-
-13. Click **Review + Assign** at the bottom of the page.
-
-
-
-
-14. Confirm the role is present by refreshing this view. You may need to alter the filter to see this role.
-
-15. Continue to [Run and Upgrade AzureHound (Windows, Docker, or Kubernetes)](/install-data-collector/install-azurehound/installation-options)
+ 1. Confirm the role is present by refreshing this view. You may need to alter the filter to see this role.
+
+
## Scripted app registration
diff --git a/docs/install-data-collector/install-azurehound/create-configuration.mdx b/docs/install-data-collector/install-azurehound/create-configuration.mdx
index 2b941e33..6e3ecbe0 100644
--- a/docs/install-data-collector/install-azurehound/create-configuration.mdx
+++ b/docs/install-data-collector/install-azurehound/create-configuration.mdx
@@ -3,16 +3,23 @@ title: Create an AzureHound Configuration
description: Learn how to create a configuration file for AzureHound Enterprise data collection.
---
+import ManagedIdentityRecommendation from '/snippets/hounds/managed-id-recommendation.mdx';
+
+## Prerequisites
+
To complete the configuration process, you must have the following information:
| Item | Description |
| --- | --- |
-| Directory (tenant) ID | Identifies the Microsoft Entra ID instance where you must [register](/install-data-collector/install-azurehound/azure-configuration) the AzureHound Enterprise application. |
-| Application (client) ID | Identifies the AzureHound Enterprise [app registration](/install-data-collector/install-azurehound/azure-configuration) that you must create in the Microsoft Entra admin center. |
-| AzureHound token ID | Identifies the AzureHound Enterprise [collector client](/collect-data/enterprise-collection/create-collector) that you must create in BloodHound Enterprise. |
-| AzureHound token | Provides the authentication key for the AzureHound Enterprise [collector client](/collect-data/enterprise-collection/create-collector) that you must create in BloodHound Enterprise. |
+| **Directory (tenant) ID** | Identifies the Microsoft Entra ID instance where you must [register](/install-data-collector/install-azurehound/azure-configuration) the AzureHound Enterprise application. |
+| **Application (client) ID** | Identifies the AzureHound Enterprise [app registration](/install-data-collector/install-azurehound/azure-configuration) that you must create in the Microsoft Entra admin center. |
+| **AzureHound token ID** | Identifies the AzureHound Enterprise [collector client](/collect-data/enterprise-collection/create-collector) that you must create in BloodHound Enterprise. |
+| **AzureHound token** | Provides the authentication key for the AzureHound Enterprise [collector client](/collect-data/enterprise-collection/create-collector) that you must create in BloodHound Enterprise. |
+| **BloodHound Enterprise URL** | The URL of your BloodHound Enterprise tenant (for example, `https://enterprise.bloodhoundenterprise.io/`). |
+| **Managed Identity Client ID** | If using [Azure Managed Identity](/install-data-collector/install-azurehound/azure-configuration#managed-identity-recommended) authentication, identifies the Managed Identity assigned to the Entra ID [app registration](/install-data-collector/install-azurehound/azure-configuration). |
+| **Certificate and private key** | If using [Certificate](/install-data-collector/install-azurehound/azure-configuration#certificate) authentication, identifies the certificate and private key to authenticate the AzureHound Enterprise application. The AzureHound Enterprise CLI tool can generate this for you during the configuration process if needed. |
Configuring AzureHound Enterprise involves the following steps:
@@ -92,51 +99,105 @@ Follow the steps below to create your AzureHound Enterprise configuration file u
- 1. Select a method for authenticating AzureHound Enterprise to BloodHound Enterprise.
+ Choose one of the following authentication methods for AzureHound Enterprise to connect to your Microsoft Entra ID and Azure environment:
- We **highly** recommend certificate-based authentication.
+ We **highly** recommend **Azure Managed Identity**-based authentication.
- ```text
- Use the arrow keys to navigate: ↓ ↑ ← →
- ? Authentication Method:
- > Certificate
- Client Secret
- Username and Password
- ```
+
+
- 1. If using Certificate authentication, press **Enter** or type `Y` to create a new certificate and key.
+
- ```text
- Authentication Method: Certificate
- ? Generate Certificate and Key? [Y/n]
- ```
+ Before configuring Azure Managed Identity authentication, you must first create a [user-assigned managed identity](/install-data-collector/install-azurehound/azure-configuration#managed-identity-recommended).
+
+ 1. Select **Azure Managed Identity** as the authentication method.
+
+ ```text
+ Use the arrow keys to navigate: ↓ ↑ ← →
+ ? Authentication Method:
+ Certificate
+ Client Secret
+ Username and Password
+ > Azure Managed Identity
+ ```
+
+ 1. Select the type of Managed Identity.
+
+ ```text
+ Use the arrow keys to navigate: ↓ ↑ ← →
+ ? Managed Identity Type:
+ System-Assigned
+ > User-Assigned
+ ```
+
+ 1. Enter the **Client ID** of the User-Assigned Managed Identity.
+
+ ```text
+ v Input the User-Assigned Managed Identity (Client ID):
+ ```
+
+ To find the Client ID, navigate to the Managed Identity in the Azure portal and copy the value from the **Client ID** field in the Overview.
-
- - The certificate generated by AzureHound expires after one year.
- - If using a certificate issued by another authority, AzureHound Enterprise supports certificates with the following characteristics:
- - PEM encoded
- - RSA 256
- - PKCS#8 or PKCS#5
-
+ 1. Press **Enter** (or enter `Y`) to connect to BloodHound Enterprise.
- 1. If using Certificate authentication, enter an optional passphrase for the private key.
+ ```text
+ ? Setup connection to BloodHound Enterprise? [Y/n]
+ ```
+
+ 1. Enter the URL of your BloodHound Enterprise tenant.
+
+ ```text
+ v BloodHound Enterprise URL: https://enterprise.bloodhoundenterprise.io/
+ ```
+
+
+
+ 1. Select **Certificate** as the authentication method.
+
+ ```text
+ Use the arrow keys to navigate: ↓ ↑ ← →
+ ? Authentication Method:
+ > Certificate
+ Client Secret
+ Username and Password
+ Azure Managed Identity
+ ```
+
+ 1. Press **Enter** or type `Y` to create a new certificate and key.
+
+ ```text
+ Authentication Method: Certificate
+ ? Generate Certificate and Key? [Y/n]
+ ```
+
+
+ - The certificate generated by AzureHound expires after one year.
+ - If using a certificate issued by another authority, AzureHound Enterprise supports certificates with the following characteristics:
+ - PEM encoded
+ - RSA 256
+ - PKCS#8 or PKCS#5
+
+
+ 1. Enter an optional passphrase for the private key.
- ```text
- Authentication Method: Certificate
- v Private Key Passphrase (optional):
- ```
+ ```text
+ Authentication Method: Certificate
+ v Private Key Passphrase (optional):
+ ```
- 1. Press **Enter** (or enter `Y`) to connect to BloodHound Enterprise.
+ 1. Press **Enter** (or enter `Y`) to connect to BloodHound Enterprise.
- ```text
- ? Setup connection to BloodHound Enterprise? [Y/n]
- ```
+ ```text
+ ? Setup connection to BloodHound Enterprise? [Y/n]
+ ```
- 1. Enter the URL of your BloodHound Enterprise tenant.
+ 1. Enter the URL of your BloodHound Enterprise tenant.
- ```text
- v BloodHound Enterprise URL: https://enterprise.bloodhoundenterprise.io/
- ```
+ ```text
+ v BloodHound Enterprise URL: https://enterprise.bloodhoundenterprise.io/
+ ```
+
+
diff --git a/docs/snippets/hounds/managed-id-recommendation.mdx b/docs/snippets/hounds/managed-id-recommendation.mdx
new file mode 100644
index 00000000..5510a619
--- /dev/null
+++ b/docs/snippets/hounds/managed-id-recommendation.mdx
@@ -0,0 +1 @@
+Microsoft [recommends](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview#use-managed-identities-for-azure-resources) the User-Assigned Managed Identity for Microsoft services, so the following example shows the **User-Assigned** type.