Azure DNS Zone
Azure DNS integration lets your product discover, read and (if granted) manage DNS zones and records hosted in Microsoft Azure. It supports network visibility, domain posture assessment, automated DNS record management and multi-cloud asset correlation. Using the Azure Resource Manager REST API or an Azure SDK, your product can fetch every DNS zone and record set in a subscription, authenticating to Azure Active Directory (AAD, now Microsoft Entra ID) as a service principal rather than as a user.
Credentials Needed
To integrate with Azure DNS, you need credentials from an Azure Active Directory App Registration that has the necessary permissions on DNS zones.
Required credentials:
- Tenant ID
- Client ID (Application ID)
- Client Secret
- Subscription ID
Use a Service Principal (App Registration) with read-only permissions for secure, automation-friendly access.
Permissions Needed / API Roles
Your service principal must be assigned Azure RBAC roles to query DNS zones and records.
| Role | Scope | Description |
|---|---|---|
| DNS Zone Reader | Subscription / Resource Group / Zone | Grants read-only access to DNS zones and their records |
| Reader | Subscription (optional) | Read access to all resources within a subscription |
Minimum Required Role: DNS Zone Reader (read-only on the zones in scope)
Check the role list under Access Control (IAM) → Roles in your tenant before relying on this name: if no DNS-specific read-only built-in role is offered, either scope the built-in Reader role to the resource group(s) that hold the zones, or define a custom role whose Actions are Microsoft.Network/dnsZones/read and Microsoft.Network/dnsZones/*/read. Avoid Reader at subscription scope unless the integration also needs to enumerate other resources, since it exposes every resource's metadata to the service principal.
If you plan to modify DNS records (not recommended for a read-only integration), use the DNS Zone Contributor role instead. That role can create and delete records in every zone in scope, so treat the client secret accordingly.
Creating Users / App Registration
Step 1: Register an App in Azure AD
- Go to Azure Portal → Azure Active Directory → App registrations → New registration
- Enter a name (e.g., AzureDNSIntegrationApp)
- Supported account type: "Accounts in this organizational directory only"
- Redirect URI: optional; skip it for a non-interactive service principal
- Click Register
After registration, note:
- Application (Client) ID
- Directory (Tenant) ID
Step 2: Create a Client Secret
- Go to the created App → Certificates & Secrets → New client secret
- Add a description and set an expiration (1 or 2 years at most; shorter is safer, and rotation must be scheduled before the expiry date or the integration stops authenticating)
- Copy the Client Secret Value — it will only be shown once
Step 3: Assign Role Permissions
- Go to Subscriptions → [Your Subscription] → Access Control (IAM) (or, for a tighter scope, open Access Control (IAM) on the resource group that holds the DNS zones)
- Click Add → Add Role Assignment
- Select the role: DNS Zone Reader
- Under Assign access to, choose "User, group, or service principal"
- Select your registered app (AzureDNSIntegrationApp)
- Click Save
Role assignments can take a few minutes to propagate; a 403 immediately after saving is not necessarily a misconfiguration.
Test Connectivity
Use Azure CLI or a direct REST API call to verify credentials.
Option 1: Using Azure CLI

```bash
# Log in using service principal credentials
# (a secret passed via --password lands in shell history and process listings;
#  on shared hosts read it from a secrets manager into an environment variable
#  and reference that instead of pasting the value)
az login --service-principal \
  --username <CLIENT_ID> \
  --password <CLIENT_SECRET> \
  --tenant <TENANT_ID>

# Set subscription
az account set --subscription <SUBSCRIPTION_ID>

# List all DNS zones
az network dns zone list --output table

# List DNS records for a specific zone
az network dns record-set list --zone-name <ZONE_NAME> --resource-group <RESOURCE_GROUP>
```
Option 2: Using REST API
Obtain an access token for the https://management.azure.com resource (after the CLI login above, az account get-access-token --resource https://management.azure.com --query accessToken -o tsv prints one) and send it as a bearer token:

```bash
curl -X GET \
  "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Network/dnsZones?api-version=2018-05-01" \
  -H "Authorization: Bearer <ACCESS_TOKEN>"
```

An HTTP 200 proves both the credentials and the role assignment. An HTTP 401 means the token is missing, expired or issued for the wrong resource; an HTTP 403 with error code AuthorizationFailed means the token is valid but the service principal has no role assignment covering the requested scope.
Example Response:

```json
{
  "value": [
    {
      "id": "/subscriptions/xxxx/resourceGroups/DNS-RG/providers/Microsoft.Network/dnszones/example.com",
      "name": "example.com",
      "type": "Microsoft.Network/dnszones",
      "location": "global",
      "properties": {
        "maxNumberOfRecordSets": 10000,
        "numberOfRecordSets": 42,
        "nameServers": ["ns1-01.azure-dns.com", "ns2-01.azure-dns.net"]
      }
    }
  ]
}
```
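The two REST steps above (get a token for the service principal, then call the zone list API) as one runnable Python module. This is an added example, not code from the original page or from Azure; it assumes the Microsoft Entra ID / AAD v2.0 token endpoint with the client_credentials grant, the dnsZones list endpoint and api-version shown above, and it follows the nextLink field the service returns when a subscription has more zones than one page holds. The HTTP transport is injectable, so the listing logic is exercised here against a constructed two-page response instead of a live subscription.

```python
"""Acquire an ARM bearer token for the service principal and list DNS zones
page by page. Added example (not the page's or Azure's own code); the HTTP
transport is injectable so the logic runs offline against a constructed
response, and the real transport uses only the standard library."""
import json
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2018-05-01"


def token_request(tenant_id, client_id, client_secret):
    """Build the OAuth2 client_credentials POST for the Entra ID / AAD v2.0
    token endpoint. Returns (url, form body bytes, headers). The scope is the
    ARM resource's .default scope, so the token carries the service
    principal's RBAC assignments rather than delegated permissions."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{ARM}/.default",
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, urllib.parse.urlencode(form).encode(), headers


def _urllib_json(url, headers, body=None):
    """Default transport: GET (or POST when a body is given) and decode JSON."""
    method = "POST" if body is not None else "GET"
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_token(tenant_id, client_id, client_secret, transport=_urllib_json):
    """POST the token request and return the bearer token string."""
    url, body, headers = token_request(tenant_id, client_id, client_secret)
    return transport(url, headers, body)["access_token"]


def resource_group_of(resource_id):
    """Pull the resource group out of an ARM resource id; the zone list
    response has no separate resourceGroup field."""
    parts = resource_id.split("/")
    i = next(i for i, p in enumerate(parts) if p.lower() == "resourcegroups")
    return parts[i + 1]


def list_dns_zones(subscription_id, token, transport=_urllib_json, top=1000):
    """Return every zone in the subscription as a flat list, following
    nextLink until the service stops returning one. A repeated nextLink is
    treated as an error rather than looping forever."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    url = (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Network"
           f"/dnsZones?api-version={API_VERSION}&$top={top}")
    seen, zones = {url}, []
    while url:
        page = transport(url, headers)
        for z in page.get("value", []):
            props = z.get("properties", {})
            zones.append({
                "name": z["name"],
                "resourceGroup": resource_group_of(z["id"]),
                "nameServers": props.get("nameServers", []),
                "recordSets": props.get("numberOfRecordSets"),
            })
        url = page.get("nextLink")
        if url is not None:
            if url in seen:
                raise RuntimeError(f"nextLink loop at {url}")
            seen.add(url)
    return zones


# Constructed two-page response (not real data), shaped like the example above.
_SUB = "00000000-0000-0000-0000-000000000000"
_NEXT = (f"{ARM}/subscriptions/{_SUB}/providers/Microsoft.Network/dnsZones"
         f"?api-version={API_VERSION}&$skiptoken=page2")
SAMPLE_PAGES = {
    "first": {
        "value": [{
            "id": f"/subscriptions/{_SUB}/resourceGroups/DNS-RG/providers/Microsoft.Network/dnszones/example.com",
            "name": "example.com", "type": "Microsoft.Network/dnszones", "location": "global",
            "properties": {"numberOfRecordSets": 42,
                           "nameServers": ["ns1-01.azure-dns.com", "ns2-01.azure-dns.net"]}}],
        "nextLink": _NEXT,
    },
    _NEXT: {
        "value": [{
            "id": f"/subscriptions/{_SUB}/resourceGroups/Edge-RG/providers/Microsoft.Network/dnszones/example.net",
            "name": "example.net", "type": "Microsoft.Network/dnszones", "location": "global",
            "properties": {"numberOfRecordSets": 7, "nameServers": ["ns1-02.azure-dns.com"]}}],
    },
}


def fake_transport(url, headers, body=None):
    """Offline stand-in for ARM: checks the bearer header and serves the
    constructed pages (any URL other than the nextLink gets the first page)."""
    assert headers["Authorization"].startswith("Bearer ")
    return SAMPLE_PAGES.get(url, SAMPLE_PAGES["first"])


def demo():
    """Run the listing against the constructed pages and return the zones."""
    return list_dns_zones(_SUB, "constructed-token", transport=fake_transport)


if __name__ == "__main__":
    for zone in demo():
        print(zone["resourceGroup"], zone["name"], zone["nameServers"])
```

To run it against a real subscription, call fetch_token with the four values from the App Registration and pass the result to list_dns_zones with the default transport; the fake_transport and SAMPLE_PAGES exist only so the paging and loop-guard logic can be checked without credentials.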
Save the Results in the Platform and Create Connection
- In your product's integration setup, securely store:
  - AZURE_TENANT_ID
  - AZURE_CLIENT_ID
  - AZURE_CLIENT_SECRET
  - AZURE_SUBSCRIPTION_ID
- Create a connection labeled Azure DNS Integration
- Test the connection by fetching DNS zones and DNS records
- Store and index the results in your platform for analytics and correlation
Best Practices
- Use DNS Zone Reader for read-only operations — avoid contributor roles unless necessary
- Store credentials securely using Azure Key Vault or your platform's encrypted secrets manager
- Rotate client secrets periodically and revoke unused credentials
- Limit app registration access to specific subscriptions or resource groups
- Cache DNS data locally to avoid frequent API calls and reduce rate-limit risk; Azure Resource Manager throttles per subscription and answers HTTP 429 with a Retry-After header when the limit is hit, so honour that header instead of retrying immediately
- Track DNS zone changes using Azure Activity Logs for audit purposes (write and delete operations on Microsoft.Network/dnszones resources are recorded there together with the caller identity)
- For large environments, use pagination ($top=1000 when listing zones) and always follow the nextLink field of each response until it is absent
- If you require event-based updates, subscribe with Azure Event Grid to resource events (ResourceWriteSuccess, ResourceDeleteSuccess) at subscription or resource-group scope, filtered to Microsoft.Network/dnszones, instead of polling
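The "store and index the results" step and the change-tracking practice above both need record sets in a comparable form. The following added example (not the page's or Azure's own code) flattens the record-set JSON returned by the .../dnsZones/{zoneName}/recordsets endpoint into (fqdn, type) rows and diffs two snapshots, so a scheduled fetch can emit added, removed and changed records for correlation. It assumes the ARM record-set shape (type "Microsoft.Network/dnszones/<TYPE>", record data under properties.<TYPE>Records, or properties.CNAMERecord for CNAME); the two snapshots are constructed, not captured from a real zone.

```python
"""Flatten Azure DNS record sets into comparable rows and diff two snapshots.
Added example (not the page's or Azure's own code). Assumes the record-set
JSON shape returned by .../dnsZones/{zone}/recordsets; the snapshots below
are constructed, not captured."""

# ARM property key per record type, and how to render one record as a string.
RECORD_DATA = {
    "A": ("ARecords", lambda r: r["ipv4Address"]),
    "AAAA": ("AAAARecords", lambda r: r["ipv6Address"]),
    "NS": ("NSRecords", lambda r: r["nsdname"]),
    "PTR": ("PTRRecords", lambda r: r["ptrdname"]),
    "MX": ("MXRecords", lambda r: f'{r["preference"]} {r["exchange"]}'),
    "TXT": ("TXTRecords", lambda r: "".join(r["value"])),
}


def flatten(zone, record_sets):
    """Map (fqdn, type) -> (ttl, sorted tuple of record data).
    Types this table does not model (SOA, SRV, CAA) are skipped rather than
    guessed, so the diff never reports them."""
    rows = {}
    for rs in record_sets:
        rtype = rs["type"].rsplit("/", 1)[-1].upper()
        props = rs.get("properties", {})
        if rtype == "CNAME":
            values = [props["CNAMERecord"]["cname"]] if "CNAMERecord" in props else []
        elif rtype in RECORD_DATA:
            key, render = RECORD_DATA[rtype]
            values = [render(r) for r in props.get(key, [])]
        else:
            continue
        fqdn = zone if rs["name"] == "@" else f'{rs["name"]}.{zone}'
        rows[(fqdn, rtype)] = (props.get("TTL"), tuple(sorted(values)))
    return rows


def diff_snapshots(old, new):
    """Return added/removed/changed rows between two flatten() results; changed
    rows carry (old, new) so the report can be indexed without a second lookup."""
    return {
        "added": {k: new[k] for k in new if k not in old},
        "removed": {k: old[k] for k in old if k not in new},
        "changed": {k: (old[k], new[k]) for k in new if k in old and old[k] != new[k]},
    }


ZONE = "example.com"
# Constructed snapshots (not real data): between them the MX set is deleted,
# www gains a second address and a new CNAME appears.
OLD_SNAPSHOT = [
    {"name": "@", "type": "Microsoft.Network/dnszones/MX",
     "properties": {"TTL": 3600, "MXRecords": [{"preference": 10, "exchange": "mail.example.com"}]}},
    {"name": "www", "type": "Microsoft.Network/dnszones/A",
     "properties": {"TTL": 300, "ARecords": [{"ipv4Address": "203.0.113.10"}]}},
    {"name": "@", "type": "Microsoft.Network/dnszones/SOA", "properties": {"TTL": 3600}},
]
NEW_SNAPSHOT = [
    {"name": "www", "type": "Microsoft.Network/dnszones/A",
     "properties": {"TTL": 300, "ARecords": [{"ipv4Address": "203.0.113.11"},
                                             {"ipv4Address": "203.0.113.10"}]}},
    {"name": "app", "type": "Microsoft.Network/dnszones/CNAME",
     "properties": {"TTL": 300, "CNAMERecord": {"cname": "origin.example.net"}}},
]


def demo():
    """Diff the constructed snapshots and return the report."""
    return diff_snapshots(flatten(ZONE, OLD_SNAPSHOT), flatten(ZONE, NEW_SNAPSHOT))


if __name__ == "__main__":
    for kind, rows in demo().items():
        for key, data in rows.items():
            print(kind, key, data)
```

Sorting the record data before comparison means a reordered ARecords list is not reported as a change, while a TTL edit or a new target is; feed the "changed" and "added" rows of each run to your analytics store alongside the Activity Log entry that explains who made the change.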
Useful Azure DNS API Endpoints
| Resource | Method | Endpoint |
|---|---|---|
| List all DNS zones | GET | /subscriptions/{subId}/providers/Microsoft.Network/dnsZones |
| Get DNS zone details | GET | /subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.Network/dnsZones/{zoneName} |
| List record sets | GET | /subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.Network/dnsZones/{zoneName}/recordsets |
| Get record set details | GET | /subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.Network/dnsZones/{zoneName}/{recordType}/{recordName} |
All endpoints are relative to https://management.azure.com and require the api-version query parameter (2018-05-01 in the examples above); list endpoints return a nextLink when more results remain.
Reference: Azure DNS REST API