
Agentless Cloud Governance: How It Works

No agents on VMs, no CLI tools, no infrastructure to deploy. Here's the architecture behind Unsave's agentless approach to Azure governance.


Why Agentless?

Traditional monitoring tools require agents installed on every VM, collectors running in your network, and credentials stored in your environment. That's infrastructure you have to deploy, maintain, patch, and secure.

The agent-based model creates a circular problem: you need infrastructure to monitor your infrastructure. And every agent is another attack surface.

Unsave takes a different approach: API-first, read-only, zero-footprint.

Instead of installing software, you grant a one-time OAuth admin consent. This gives Unsave's multi-tenant Azure AD app registration read-only access to:

  • Microsoft Graph — Directory roles, users, groups, app registrations, service principals, MFA status, Conditional Access policies
  • Azure Resource Graph — VMs, NSGs, storage accounts, Key Vaults, SQL databases, and all other resource types across all subscriptions
  • Azure Cost Management — Spending data, usage patterns, and budget status
  • Azure Monitor — VM metrics for right-sizing analysis (CPU, memory, network, disk I/O)

No write permissions. No policy changes. No resource modifications. The consent can be revoked at any time from the Azure AD Enterprise Applications blade.
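The consent model described above is something the tenant owner can verify independently: after granting consent, list what the app's service principal actually holds and compare it with the baseline this post states (the Directory.Read.All permission plus the Reader role). The Python below is an added example, not Unsave's code. The input shape follows what Microsoft Graph returns for a service principal's oauth2PermissionGrants and appRoleAssignments and what `az role assignment list` returns for RBAC, but every value is constructed, the permission-name heuristic is an assumption, and the `value` field on app role assignments is assumed to have been resolved from the resource app's appRoles beforehand.

```python
"""Audit what an admin-consented multi-tenant app really holds in this tenant.

Added example (not Unsave's code). Sources the real audit would pull from:
  Microsoft Graph: GET /servicePrincipals/{id}/oauth2PermissionGrants   (delegated)
                   GET /servicePrincipals/{id}/appRoleAssignments       (application)
  Azure RBAC:      az role assignment list --assignee <sp-object-id> --all
Baseline below comes from the post; everything else is constructed or assumed.
"""
from dataclasses import dataclass

EXPECTED_GRAPH_PERMISSIONS = {"Directory.Read.All"}
EXPECTED_RBAC_ROLES = {"Reader"}
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}


@dataclass(frozen=True)
class Deviation:
    kind: str    # "graph" or "rbac"
    value: str   # permission or role name
    scope: str   # "tenant" for Graph, ARM scope for RBAC
    reason: str


def is_read_only_permission(name: str) -> bool:
    """Heuristic on Graph permission naming (assumption): Foo.Read.All or
    Foo.ReadBasic.All are read-only; anything with Write/ReadWrite, Manage or
    Send is not."""
    parts = name.split(".")
    return any(p.startswith("Read") for p in parts) and not any(
        "Write" in p or p in {"Manage", "Send"} for p in parts)


def audit_consent(delegated_grants, app_role_assignments, rbac_assignments):
    """Return every permission or role that goes beyond the stated baseline."""
    deviations = []
    granted = set()
    for g in delegated_grants:          # oauth2PermissionGrant.scope is space-separated
        granted.update(g["scope"].split())
    for a in app_role_assignments:      # 'value' assumed pre-resolved from appRoleId
        granted.add(a["value"])
    for perm in sorted(granted):
        if perm in EXPECTED_GRAPH_PERMISSIONS:
            continue
        reason = "not in expected baseline"
        if not is_read_only_permission(perm):
            reason = "grants write access"
        deviations.append(Deviation("graph", perm, "tenant", reason))
    for ra in rbac_assignments:
        role = ra["roleDefinitionName"]
        if role in EXPECTED_RBAC_ROLES:
            continue
        reason = "privileged role" if role in PRIVILEGED_ROLES else "not in expected baseline"
        deviations.append(Deviation("rbac", role, ra["scope"], reason))
    return deviations


# Constructed samples: one tenant where the grant matches the post's baseline,
# one where an admin later over-granted the same service principal.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
CLEAN = dict(
    delegated_grants=[{"consentType": "AllPrincipals", "scope": "Directory.Read.All"}],
    app_role_assignments=[],
    rbac_assignments=[{"roleDefinitionName": "Reader", "scope": SUB}],
)
OVERGRANTED = dict(
    delegated_grants=[{"consentType": "AllPrincipals",
                       "scope": "Directory.Read.All User.ReadWrite.All"}],
    app_role_assignments=[{"value": "AuditLog.Read.All"}],
    rbac_assignments=[
        {"roleDefinitionName": "Reader", "scope": SUB},
        {"roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-shared"},
    ],
)

if __name__ == "__main__":
    for label, tenant in (("clean", CLEAN), ("overgranted", OVERGRANTED)):
        print(label, [(d.kind, d.value, d.reason) for d in audit_consent(**tenant)])
```

Run it periodically (or on a Graph change notification) rather than once: the deviation that matters is the one added after the initial consent, and the output doubles as the list to review before revoking the enterprise application.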

How Scanning Works

When you trigger a scan, the platform:

  1. Collects — Runs ~12 parallel Azure Resource Graph queries and Microsoft Graph calls to gather all resource and identity data
  2. Evaluates — 103 check functions process the collected data locally — zero additional API calls during evaluation
  3. Scores — Calculates weighted security scores across identity (6 categories) and infrastructure (6 categories)
  4. Reports — Returns findings with severity, affected resources, and remediation guidance

Total time: under 60 seconds for a typical environment with 200-500 resources.
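The collect / evaluate / score pipeline above is easiest to see with data in hand. The Python below is an added example and not Unsave's code: the two KQL strings show what a collect step would ask Azure Resource Graph for, the rows are constructed to match those projections so the evaluate and score steps run offline with no API calls, and the check functions, severities, category weights and remediation text are hypothetical stand-ins for the 103 checks and 12 categories the post mentions.

```python
"""Collect / evaluate / score over Azure Resource Graph rows, done locally.

Added example, not Unsave's code. Queries document the collect step; ROWS are
CONSTRUCTED to match the projections; checks, weights and severities assumed.
"""
from dataclasses import dataclass

NSG_QUERY = "\n".join([
    "Resources",
    "| where type =~ 'microsoft.network/networksecuritygroups'",
    "| project id, name, rules = properties.securityRules",
])
STORAGE_QUERY = "\n".join([
    "Resources",
    "| where type =~ 'microsoft.storage/storageaccounts'",
    "| project id, name, allowBlobPublicAccess = properties.allowBlobPublicAccess,",
    "          minimumTlsVersion = properties.minimumTlsVersion",
])


def rid(provider_type, name):  # constructed resource IDs in the ARM format
    return ("/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-demo"
            f"/providers/{provider_type}/{name}")


def nsg_rule(name, src, port, direction="Inbound", access="Allow"):
    return {"name": name, "properties": {"direction": direction, "access": access,
            "sourceAddressPrefix": src, "destinationPortRange": port, "protocol": "Tcp"}}


ROWS = {  # constructed sample of what the two queries would return
    "nsgs": [
        {"id": rid("Microsoft.Network/networkSecurityGroups", "nsg-web"), "name": "nsg-web",
         "rules": [nsg_rule("allow-ssh-any", "*", "22"), nsg_rule("allow-https", "Internet", "443")]},
        {"id": rid("Microsoft.Network/networkSecurityGroups", "nsg-db"), "name": "nsg-db",
         "rules": [nsg_rule("allow-sql-vnet", "VirtualNetwork", "1433")]},
    ],
    "storage": [
        {"id": rid("Microsoft.Storage/storageAccounts", "stlogs"), "name": "stlogs",
         "allowBlobPublicAccess": True, "minimumTlsVersion": "TLS1_0"},
        {"id": rid("Microsoft.Storage/storageAccounts", "stdata"), "name": "stdata",
         "allowBlobPublicAccess": False, "minimumTlsVersion": "TLS1_2"},
        {"id": rid("Microsoft.Storage/storageAccounts", "stbackup"), "name": "stbackup",
         "allowBlobPublicAccess": False, "minimumTlsVersion": "TLS1_2"},
    ],
}


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    resource: str
    remediation: str


MGMT_PORTS = {22, 3389}
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}


def port_range_hits(port_range, ports):
    """destinationPortRange is '*', a single port, or 'lo-hi'."""
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = (int(p) for p in port_range.split("-", 1))
        return any(lo <= p <= hi for p in ports)
    return int(port_range) in ports


def check_nsg_mgmt_from_internet(rows):
    out = []
    for nsg in rows["nsgs"]:
        for rule in nsg["rules"]:
            p = rule["properties"]
            if (p["direction"] == "Inbound" and p["access"] == "Allow"
                    and p["sourceAddressPrefix"] in INTERNET_SOURCES
                    and port_range_hits(p["destinationPortRange"], MGMT_PORTS)):
                out.append(Finding("nsg_mgmt_from_internet", "high", nsg["id"],
                                   f"restrict rule '{rule['name']}' to known source ranges"))
    return out


def check_storage_public_blob(rows):
    return [Finding("storage_public_blob", "high", s["id"], "set allowBlobPublicAccess=false")
            for s in rows["storage"] if s["allowBlobPublicAccess"]]


def check_storage_min_tls(rows):
    return [Finding("storage_min_tls", "medium", s["id"], "set minimumTlsVersion=TLS1_2")
            for s in rows["storage"] if s["minimumTlsVersion"] != "TLS1_2"]


# category -> (weight, [(row kind the check covers, check function)])
CATEGORIES = {
    "network": (0.6, [("nsgs", check_nsg_mgmt_from_internet)]),
    "storage": (0.4, [("storage", check_storage_public_blob), ("storage", check_storage_min_tls)]),
}


def evaluate(rows):
    """Evaluate step: every check runs over the collected rows; no further API calls."""
    return [f for _, checks in CATEGORIES.values() for _, check in checks for f in check(rows)]


def score(rows):
    """Score step: a check passes for the share of covered resources with no finding;
    a category is the mean of its checks; overall is the weighted sum, on a 0-100 scale."""
    per_category, overall = {}, 0.0
    for cat, (weight, checks) in CATEGORIES.items():
        ratios = []
        for kind, check in checks:
            failing = {f.resource for f in check(rows)}
            ratios.append(1 - len(failing) / len(rows[kind]))
        per_category[cat] = round(100 * sum(ratios) / len(ratios), 1)
        overall += weight * sum(ratios) / len(ratios)
    return round(100 * overall, 1), per_category


if __name__ == "__main__":
    for f in evaluate(ROWS):
        print(f"[{f.severity}] {f.check}: {f.resource.rsplit('/', 1)[-1]} -> {f.remediation}")
    print(score(ROWS))
```

The point of separating the steps this way is that the collect step is the only one holding a token: everything after it is pure computation over data already in memory, so adding or tuning a check never widens the permission set or the number of calls made against the tenant.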

Security of the Approach

Every aspect of the architecture is designed around zero-trust principles:

  • AES-256-GCM encryption for any stored credentials
  • Per-user credential isolation — no cross-tenant data leakage
  • Short-lived tokens — ARM tokens expire in 60 minutes, Graph tokens in 90 minutes
  • No secrets on your side — the platform manages its own app credentials
  • Read-only by design — the app registration requests only the Directory.Read.All Graph permission and the Reader Azure role

What This Means for Your Team

  • No change management process for deploying agents
  • No firewall rules to open
  • No VM extensions to maintain
  • No credential rotation on your side
  • No additional attack surface in your environment

Five minutes from first click to full governance. No agents to deploy, no infrastructure to maintain.

Connect your Azure tenant in 5 minutes. No agents required. Try Unsave free at unsave.io.