
Use a dedicated Service Principal to securely map Azure virtual networks and peerings. This allows for more controlled and scoped access, ideal for enterprise or CI/CD workflows.
What You’ll Receive
- HLD (High-Level Diagram) — hub and spoke layout of your Azure network
- MLD (Medium-Level Diagram) — detailed structure with information about subnets
- Both are bundled as a ZIP file and downloaded via the browser
Requirements
The Service Principal must have at least Reader access to all networks and peerings to be included in the scan.
Disclaimer
CloudNetDraw uses the credentials you provide to perform a single scan of your environment. Activity is logged in your Entra ID tenant, and access can be monitored and revoked at any time.
🛠️ How to Set Up a Service Principal
You only need three values: Tenant ID, Client ID, and Client Secret. Here's how to get them:
1. Register a New App
Navigate to Entra ID → App registrations → New registration.

2. Fill in the App Info
Use a name like CloudNetDraw, select Single tenant, and skip redirect URI.

3. Copy IDs
From the Overview page, copy both the Tenant ID and Client ID.

4. Create a Client Secret
Go to Certificates & secrets → + New client secret.

5. Name and Save the Secret
Give it a description and expiration, then click Add.

6. Copy the Secret Value
Important: Copy the secret value now—it won’t be shown again later.

7. Assign Reader Role
In Subscriptions → IAM, click Add role assignment.

8. Select Reader

9. Assign to the App
Search for and select your app under Members.

You're ready! Return to the form at the top, paste in the values, and generate your diagrams.
If you wish to map more than one subscription, just add the same Reader role to all applicable subscriptions!
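The nine portal steps above, plus the multi-subscription note, as an Azure CLI script (an added example, not CloudNetDraw's own code). It assumes `az` is installed, that you are signed in as a user allowed to create app registrations and assign roles, that SUBSCRIPTIONS holds your real subscription IDs (the default is a placeholder), and that CLIENT_ID, CLIENT_SECRET and TENANT_ID are exported before calling verify_access or revoke; the script only prints the commands unless CLOUDNETDRAW_APPLY=1 is set.

```shell
#!/bin/sh
# Added example: CLI equivalent of the portal steps. Dry-run by default.
set -eu

APP_NAME="${APP_NAME:-CloudNetDraw}"
# Space-separated subscription IDs to scan. Placeholder value; replace with your own.
SUBSCRIPTIONS="${SUBSCRIPTIONS:-00000000-0000-0000-0000-000000000000}"

# Tenant, Client and subscription IDs are all GUIDs; reject anything else early.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Reader is granted per subscription, never at tenant root or management-group scope.
scope_for() { printf '/subscriptions/%s' "$1"; }

# Execute the command only when CLOUDNETDRAW_APPLY=1; otherwise show it.
run() {
  if [ "${CLOUDNETDRAW_APPLY:-0}" = "1" ]; then "$@"; else printf 'dry-run: %s\n' "$*"; fi
}

# Steps 1-9 in one call: app registration, service principal, a secret that
# expires after one year, and Reader on every listed subscription. The appId
# (Client ID), password (Client Secret) and tenant are printed once only;
# store them in a secret manager rather than in shell history.
create_reader_sp() {
  scopes=""
  for sub in $SUBSCRIPTIONS; do
    is_guid "$sub" || { echo "invalid subscription id: $sub" >&2; return 1; }
    scopes="$scopes $(scope_for "$sub")"
  done
  run az ad sp create-for-rbac --name "$APP_NAME" --role Reader --scopes $scopes --years 1
}

# Sign in as the new identity and confirm the VNets and peering counts it can
# see match what you expect in the diagram (requires CLIENT_ID, CLIENT_SECRET, TENANT_ID).
verify_access() {
  run az login --service-principal -u "$CLIENT_ID" -p "$CLIENT_SECRET" --tenant "$TENANT_ID"
  run az network vnet list \
    --query '[].{vnet:name, peerings:length(virtualNetworkPeerings)}' -o table
}

# Deleting the app removes its secret and role assignments once the scan is done.
revoke() { run az ad app delete --id "$CLIENT_ID"; }

create_reader_sp
```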