The CrowdStrike Azure VM Extension is an open-source solution that simplifies and automates the installation of the CrowdStrike Falcon sensor on Azure virtual machines at enterprise scale.
The CrowdStrike Azure VM Extension provides:
- Automated Deployment: Deploy the Falcon sensor to Azure VMs at scale using Azure's native extension framework
- Cross-Platform Support: Support for both Linux and Windows Azure virtual machines
- Enterprise Integration: Seamless integration with Azure infrastructure and CrowdStrike APIs
- Lifecycle Management: Handle sensor installation, configuration, updates, and removal
- Architecture Support: Support for both x86_64 and arm64 architectures on Linux
The extension follows Azure VM Extension standards with a handler-based architecture:
- Lifecycle Operations: Install, enable, disable, uninstall, and update operations
- Platform-Specific Implementation: Separate Linux (bash) and Windows (PowerShell) handlers
- Azure Integration: Native integration with Azure VM Extension framework
- Status Reporting: Structured JSON status updates to Azure portal
- Azure invokes the extension handler with configuration parameters
- Handler validates the configuration and credentials
- CrowdStrike API is called to download the appropriate sensor package
- Falcon installer is executed to install and configure the sensor
- Status is reported back to the Azure portal with success/failure information
Note
For a complete list of supported platforms and versions, architectures, and compatibility, please refer to the CrowdStrike documentation.
See https://falcon.crowdstrike.com/documentation/page/edd7717e/falcon-sensor-for-linux-system-requirements for detailed support information and a complete list of supported platforms:
- Ubuntu LTS
- Debian
- Red Hat Enterprise Linux
- SUSE Linux Enterprise Server
See https://falcon.crowdstrike.com/documentation/page/ecc97e75/falcon-sensor-for-windows-deployment for detailed support information and a complete list of supported platforms:
- Windows Server
- Windows Desktop
API clients are granted one or more API scopes. Scopes allow access to specific CrowdStrike APIs and describe the actions that an API client can perform.
Ensure the following API scopes are enabled:
Important
- Sensor Download [read]
- Sensor update policies [read]
- (Optional) Installation Tokens [read]
  This scope allows the installer to retrieve a provisioning token from the API, but only if installation tokens are required in your environment.
- (Optional) Sensor update policies [write]
  Required for reading the maintenance token during uninstall. This is only required for uninstall.
The extension can be deployed through:
- Azure Portal - Individual VM deployment
- Azure CLI - Command-line deployment
- Azure Resource Manager templates - Infrastructure as Code
- Azure Policy - Enterprise-scale automated deployment (see Policy Templates)

```bash
# Linux VM: install the FalconSensorLinux extension
az vm extension set \
  --resource-group myResourceGroup \
  --vm-name myVM \
  --name FalconSensorLinux \
  --publisher Crowdstrike.Falcon \
  --settings '{
    "cloud": "autodiscover",
    "tags": "azure,production"
  }' \
  --protected-settings '{
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET"
  }'
```


```bash
# Windows VM: install the FalconSensorWindows extension
az vm extension set \
  --resource-group myResourceGroup \
  --vm-name myVM \
  --name FalconSensorWindows \
  --publisher Crowdstrike.Falcon \
  --settings '{
    "cloud": "autodiscover",
    "tags": "azure,production"
  }' \
  --protected-settings '{
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET"
  }'
```

- Navigate to your virtual machine in the Azure Portal
- Select "Extensions + applications" from the left menu
- Click "Add" and search for "CrowdStrike Falcon"
- Select the appropriate extension (Linux or Windows)
- Configure the required parameters and install
For enhanced security, store sensitive CrowdStrike API credentials in Azure Key Vault rather than directly in ARM templates. This ensures credentials are encrypted, access-controlled, and auditable.
Follow the Azure Key Vault documentation to create a Key Vault and store your CrowdStrike API credentials as secrets.
Store your CrowdStrike API credentials in Key Vault as secrets. You can use any secret names you prefer - the examples below use:
- `FalconClientId` - Your CrowdStrike API Client ID
- `FalconClientSecret` - Your CrowdStrike API Client Secret
Example of parameters file with Key Vault references:

```json
{
  "parameters": {
    "falconClientId": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.KeyVault/vaults/{vault-name}"
        },
        "secretName": "FalconClientId"
      }
    },
    "falconClientSecret": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.KeyVault/vaults/{vault-name}"
        },
        "secretName": "FalconClientSecret"
      }
    }
  }
}
```

Example of ARM template deployment with inline parameters:

```json
{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2021-07-01",
  "name": "[concat(parameters('vmName'), '/', variables('extensionName'))]",
  "location": "[parameters('location')]",
  "dependsOn": [
    "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]"
  ],
  "properties": {
    "publisher": "[variables('extensionPublisher')]",
    "type": "[variables('extensionType')]",
    "typeHandlerVersion": "[variables('extensionTypeHandlerVersion')]",
    "autoUpgradeMinorVersion": true,
    "protectedSettings": {
      "client_id": "[parameters('falconClientId')]",
      "client_secret": "[parameters('falconClientSecret')]"
    }
  }
}
```

The deployment identity must have `Get` permissions on the Key Vault secrets for the deployment to succeed.
For automated enterprise-scale deployment using Azure Policy, see the Policy Templates documentation for detailed instructions on deploying CrowdStrike Falcon at scale using Azure Policy. The templates support both subscription and management group level assignments, with automatic detection of Windows and Linux VMs.
- FAQ - Frequently asked questions and troubleshooting
- Testing Guide - Information about the testing framework
- Policy Templates - Azure Policy deployment guide for enterprise-scale deployment
The CrowdStrike Azure VM Extension uses two types of configuration parameters:
- Settings: Non-sensitive configuration parameters passed as plain text
- Protected Settings: Sensitive parameters (credentials, tokens) that are encrypted in transit and at rest
Important
Always place sensitive information like credentials and tokens in `protectedSettings` to ensure they are encrypted and secure.
These parameters contain sensitive information and must be placed in the `protectedSettings` section:

| Parameter | Description | Required |
|---|---|---|
| `client_id` | CrowdStrike API Client ID | Yes* |
| `client_secret` | CrowdStrike API Client Secret | Yes* |
| `access_token` | CrowdStrike API Access Token (alternative to `client_id`/`client_secret`) | Yes* |
| `provisioning_token` | Installation token (if required by your environment) | No |

*Either `client_id`/`client_secret` or `access_token` is required for authentication.
These configuration parameters can be placed in the `settings` section:

| Parameter | Description | Default |
|---|---|---|
| `cloud` | CrowdStrike cloud region (us-1, us-2, eu-1, us-gov-1, autodiscover) | autodiscover |
| `member_cid` | Member CID for MSSP scenarios | None |
| `sensor_update_policy` | Sensor update policy name | platform_default |
| `tags` | Comma-separated list of sensor tags | None |
| `disable_proxy` | Disable proxy settings | false |
| `proxy_host` | HTTP proxy hostname | None |
| `proxy_port` | HTTP proxy port | None |

| Parameter | Description | Default |
|---|---|---|
| `pac_url` | Proxy auto-configuration URL | None |
| `disable_provisioning_wait` | Disable provisioning wait timeout | false |
| `disable_start` | Prevent sensor from starting until reboot | false |
| `provisioning_wait_time` | Provisioning timeout in milliseconds | 1200000 |
| `vdi` | Enable virtual desktop infrastructure mode | false |
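
A pre-deployment check for the two rules this page states: credentials belong in `protectedSettings`, and they should reach the template through Key Vault-backed parameters rather than being written into it. This is an added example, not part of the project; `lint_extension`, `lint_template` and the sample template are hypothetical names constructed here, and the check assumes the template declares its parameters in a top-level `parameters` block.

```python
import re

# Parameter names are taken from the protectedSettings table on this page.
SENSITIVE = {"client_id", "client_secret", "access_token", "provisioning_token"}
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def lint_extension(resource, template_params):
    """Return findings for one virtualMachines/extensions resource."""
    props = resource.get("properties", {})
    settings = props.get("settings") or {}
    protected = props.get("protectedSettings") or {}
    findings = []
    # settings are passed as plain text, so no credential belongs there.
    for key in sorted(SENSITIVE & settings.keys()):
        findings.append(f"{key}: sensitive value in settings")
    # Either client_id + client_secret or access_token is required.
    if not ({"client_id", "client_secret"} <= protected.keys() or "access_token" in protected):
        findings.append("auth: no client_id/client_secret or access_token")
    # securestring parameters stay out of deployment history; literals do not.
    for key, value in sorted(protected.items()):
        ref = PARAM_REF.match(str(value))
        if not ref:
            findings.append(f"{key}: literal value in template")
        elif template_params.get(ref.group(1), {}).get("type", "").lower() != "securestring":
            findings.append(f"{key}: parameter {ref.group(1)} is not securestring")
    return findings

def lint_template(template):
    """Lint every VM extension resource in a parsed ARM template."""
    params = template.get("parameters", {})
    return [f for res in template.get("resources", [])
            if res.get("type") == "Microsoft.Compute/virtualMachines/extensions"
            for f in lint_extension(res, params)]

# Constructed sample: token misplaced in settings, secret typed as plain string.
SAMPLE = {
    "parameters": {"falconClientId": {"type": "securestring"},
                   "falconClientSecret": {"type": "string"}},
    "resources": [{
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "properties": {
            "settings": {"tags": "azure,production", "provisioning_token": "EXAMPLE"},
            "protectedSettings": {
                "client_id": "[parameters('falconClientId')]",
                "client_secret": "[parameters('falconClientSecret')]"}}}],
}

if __name__ == "__main__":
    print("\n".join(lint_template(SAMPLE)))
```

Run it against `json.load()` output of a template in CI so a misplaced credential fails the build before any deployment is attempted.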
Have additional questions about the extension? Check out our FAQ documentation for more information. If your question is not answered in the FAQ doc, feel free to open a discussion in our GitHub repository.
We welcome contributions that improve the installation and distribution processes of the Falcon Sensor. Please ensure that your contributions align with our coding standards and pass all CI/CD checks.
The CrowdStrike Azure VM Extension is a community-driven, open source project designed to streamline the deployment and use of the CrowdStrike Falcon sensor. While not a formal CrowdStrike product, Falcon Installer is maintained by CrowdStrike and supported in partnership with the open source developer community.
For additional support, please see the SUPPORT.md file.
See LICENSE