SpecterOps · jeff-matthews · Nov 7, 2025 · Nov 14, 2025 · Nov 14, 2025 · Nov 18, 2025
diff --git a/docs/assets/azurehound-install-app-registrations.png b/docs/assets/azurehound-install-app-registrations.png
diff --git a/docs/assets/azurehound-install-branding-result.png b/docs/assets/azurehound-install-branding-result.png
diff --git a/docs/assets/azurehound-install-branding.png b/docs/assets/azurehound-install-branding.png
diff --git a/docs/assets/azurehound-install-upload-logo.png b/docs/assets/azurehound-install-upload-logo.png
diff --git a/docs/assets/image-103.png b/docs/assets/image-103.png
diff --git a/docs/assets/image-106.png b/docs/assets/image-106.png
diff --git a/docs/assets/image-108.png b/docs/assets/image-108.png
diff --git a/docs/assets/image-110.png b/docs/assets/image-110.png
diff --git a/docs/assets/image-111.png b/docs/assets/image-111.png
diff --git a/docs/assets/image-113.png b/docs/assets/image-113.png
diff --git a/...ts/azurehound-install-consent-granted.png → ...tors/azurehound/admin-consent-granted.png b/...ts/azurehound-install-consent-granted.png → ...tors/azurehound/admin-consent-granted.png
diff --git a/docs/assets/image-105.png → ...s/azurehound/app-registration-details.png b/docs/assets/image-105.png → ...s/azurehound/app-registration-details.png
diff --git a/docs/images/data_collectors/azurehound/directory-read-all.png b/docs/images/data_collectors/azurehound/directory-read-all.png
diff --git a/docs/images/data_collectors/azurehound/grant-admin-consent.png b/docs/images/data_collectors/azurehound/grant-admin-consent.png
diff --git a/docs/assets/image-109.png → ...urehound/ms-graph-api-permission-type.png b/docs/assets/image-109.png → ...urehound/ms-graph-api-permission-type.png
diff --git a/docs/assets/image-104.png → ...ta_collectors/azurehound/register-app.png b/docs/assets/image-104.png → ...ta_collectors/azurehound/register-app.png
diff --git a/...d-install-remove-user-read-permission.png → .../azurehound/remove-default-permission.png b/...d-install-remove-user-read-permission.png → .../azurehound/remove-default-permission.png
diff --git a/docs/images/data_collectors/azurehound/rolemanagement-read-all.png b/docs/images/data_collectors/azurehound/rolemanagement-read-all.png
diff --git a/docs/images/data_collectors/grant_admin_consent.png b/docs/images/data_collectors/grant_admin_consent.png
diff --git a/docs/images/data_collectors/rolemanagement_read_all.png b/docs/images/data_collectors/rolemanagement_read_all.png
diff --git a/docs/install-data-collector/install-azurehound/azure-configuration.mdx b/docs/install-data-collector/install-azurehound/azure-configuration.mdx
diff --git a/docs/install-data-collector/install-azurehound/create-configuration.mdx b/docs/install-data-collector/install-azurehound/create-configuration.mdx
@@ -3,16 +3,23 @@ title: Create an AzureHound Configuration
 description: Learn how to create a configuration file for AzureHound Enterprise data collection.
 ---
 
+import ManagedIdentityRecommendation from '/snippets/hounds/managed-id-recommendation.mdx';
+
 <img noZoom src="/assets/enterprise-edition-pill-tag.svg" alt="Applies to BloodHound Enterprise only"/>
 
+## Prerequisites
+
 To complete the configuration process, you must have the following information:
 
 | Item | Description |
 | --- | --- |
-| Directory (tenant) ID | Identifies the Microsoft Entra ID instance where you must [register](/install-data-collector/install-azurehound/azure-configuration) the AzureHound Enterprise application. |
-| Application (client) ID | Identifies the AzureHound Enterprise [app registration](/install-data-collector/install-azurehound/azure-configuration) that you must create in the Microsoft Entra admin center. |
-| AzureHound token ID | Identifies the AzureHound Enterprise [collector client](/collect-data/enterprise-collection/create-collector) that you must create in BloodHound Enterprise. |
-| AzureHound token | Provides the authentication key for the AzureHound Enterprise [collector client](/collect-data/enterprise-collection/create-collector) that you must create in BloodHound Enterprise. |
+| **Directory (tenant) ID** | Identifies the Microsoft Entra ID instance where you must [register](/install-data-collector/install-azurehound/azure-configuration) the AzureHound Enterprise application. |
+| **Application (client) ID** | Identifies the AzureHound Enterprise [app registration](/install-data-collector/install-azurehound/azure-configuration) that you must create in the Microsoft Entra admin center. |
+| **AzureHound token ID** | Identifies the AzureHound Enterprise [collector client](/collect-data/enterprise-collection/create-collector) that you must create in BloodHound Enterprise. |
+| **AzureHound token** | Provides the authentication key for the AzureHound Enterprise [collector client](/collect-data/enterprise-collection/create-collector) that you must create in BloodHound Enterprise. |
+| **BloodHound Enterprise URL** | The URL of your BloodHound Enterprise tenant (for example, `https://enterprise.bloodhoundenterprise.io/`). |
+| **Managed Identity Client ID** | If using [Azure Managed Identity](/install-data-collector/install-azurehound/azure-configuration#managed-identity-recommended) authentication, identifies the Managed Identity assigned to the Entra ID [app registration](/install-data-collector/install-azurehound/azure-configuration). |
+| **Certificate and private key** | If using [Certificate](/install-data-collector/install-azurehound/azure-configuration#certificate) authentication, identifies the certificate and private key to authenticate the AzureHound Enterprise application. The AzureHound Enterprise CLI tool can generate this for you during the configuration process if needed. |
 
 Configuring AzureHound Enterprise involves the following steps:
 
@@ -92,51 +99,105 @@ Follow the steps below to create your AzureHound Enterprise configuration file u
   </Step>
 
   <Step title="Configure AzureHound authentication">
-  1.  Select a method for authenticating AzureHound Enterprise to BloodHound Enterprise.
+  Choose one of the following authentication methods for AzureHound Enterprise to connect to your Microsoft Entra ID and Azure environment:
 
-      <Note>We **highly** recommend certificate-based authentication.</Note>
+  <Note>We **highly** recommend **Azure Managed Identity**-based authentication.</Note>
 
-      ```text
-      Use the arrow keys to navigate: ↓ ↑ ← →
-      ? Authentication Method:
-        > Certificate
-          Client Secret
-          Username and Password
-      ```
+    <Tabs>
+      <Tab title="Azure Managed Identity" icon="key">
 
-  1. If using Certificate authentication, press **Enter** or type `Y` to create a new certificate and key.
+      <ManagedIdentityRecommendation />
 
-      ```text
-      Authentication Method: Certificate
-      ? Generate Certificate and Key? [Y/n]
-      ```
+      Before configuring Azure Managed Identity authentication, you must first create a [user-assigned managed identity](/install-data-collector/install-azurehound/azure-configuration#managed-identity-recommended).
+
+      1. Select **Azure Managed Identity** as the authentication method.
+
+          ```text
+          Use the arrow keys to navigate: ↓ ↑ ← →
+          ? Authentication Method:
+              Certificate
+              Client Secret
+              Username and Password
+            > Azure Managed Identity
+          ```
+
+      1. Select the type of Managed Identity.
+
+          ```text
+          Use the arrow keys to navigate: ↓ ↑ ← →
+          ? Managed Identity Type:
+              System-Assigned
+            > User-Assigned
+          ```
+
+      1. Enter the **Client ID** of the User-Assigned Managed Identity.
+
+          ```text
+          v Input the User-Assigned Managed Identity (Client ID):
+          ```
+
+          <Note>To find the Client ID, navigate to the Managed Identity in the Azure portal and copy the value from the **Client ID** field in the Overview.</Note>
 
-      <Note>
-      - The certificate generated by AzureHound expires after one year.
-      - If using a certificate issued by another authority, AzureHound Enterprise supports certificates with the following characteristics:
-        - PEM encoded
-        - RSA 256
-        - PKCS#8 or PKCS#5
-      </Note>
+      1. Press **Enter** (or enter `Y`) to connect to BloodHound Enterprise.
 
-  1. If using Certificate authentication, enter an optional passphrase for the private key.
+          ```text
+          ? Setup connection to BloodHound Enterprise? [Y/n]
+          ```
+
+      1. Enter the URL of your BloodHound Enterprise tenant.
+
+          ```text
+          v BloodHound Enterprise URL: https://enterprise.bloodhoundenterprise.io/
+          ```
+      </Tab>
+
+      <Tab title="Certificate" icon="file-certificate">
+      1. Select **Certificate** as the authentication method.
+
+          ```text
+          Use the arrow keys to navigate: ↓ ↑ ← →
+          ? Authentication Method:
+            > Certificate
+              Client Secret
+              Username and Password
+              Azure Managed Identity
+          ```
+
+      1. Press **Enter** or type `Y` to create a new certificate and key.
+
+          ```text
+          Authentication Method: Certificate
+          ? Generate Certificate and Key? [Y/n]
+          ```
+
+          <Note>
+          - The certificate generated by AzureHound expires after one year.
+          - If using a certificate issued by another authority, AzureHound Enterprise supports certificates with the following characteristics:
+            - PEM encoded
+            - RSA 256
+            - PKCS#8 or PKCS#5
+          </Note>
+
+      1. Enter an optional passphrase for the private key.
 
-        ```text
-        Authentication Method: Certificate
-        v Private Key Passphrase (optional):
-        ```
+          ```text
+          Authentication Method: Certificate
+          v Private Key Passphrase (optional):
+          ```
 
-  1. Press **Enter** (or enter `Y`) to connect to BloodHound Enterprise.
+      1. Press **Enter** (or enter `Y`) to connect to BloodHound Enterprise.
 
-      ```text
-      ? Setup connection to BloodHound Enterprise? [Y/n]
-      ```
+          ```text
+          ? Setup connection to BloodHound Enterprise? [Y/n]
+          ```
 
-  1. Enter the URL of your BloodHound Enterprise tenant.
+      1. Enter the URL of your BloodHound Enterprise tenant.
 
-      ```text
-      v BloodHound Enterprise URL: https://enterprise.bloodhoundenterprise.io/
-      ```
+          ```text
+          v BloodHound Enterprise URL: https://enterprise.bloodhoundenterprise.io/
+          ```
+      </Tab>
+    </Tabs>
   </Step>
 
   <Step title="Configure AzureHound collector client">

diff --git a/docs/snippets/hounds/managed-id-recommendation.mdx b/docs/snippets/hounds/managed-id-recommendation.mdx
@@ -0,0 +1 @@
+Microsoft [recommends](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview#use-managed-identities-for-azure-resources) the User-Assigned Managed Identity for Microsoft services, so the following example shows the **User-Assigned** type.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Microsoft [recommends](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview#use-managed-identities-for-azure-resources) the User-Assigned Managed Identity for Microsoft services, so the following example shows the User-Assigned type.
Comment thread jeff-matthews marked this conversation as resolved.