
Azure Onboarding

Azure support is currently in early access. The onboarding flow is fully functional — additional Azure features (assessments, workload support) are planned for future releases.

Overview

CloudAgent supports connecting Azure subscriptions alongside your AWS accounts. Once connected, Azure environments appear in your Cloud Environments list and are available to CloudAgent's agent tools for resource discovery and analysis.

Prerequisites

Before connecting an Azure subscription, you'll need:

  • An Azure account with permissions to create App Registrations and assign roles
  • The Tenant ID for your Azure Active Directory (found in Azure Portal → Azure Active Directory → Overview)
  • One or more Subscription IDs you want to connect, or a Management Group ID for automatic discovery
  • Admin consent capability for Microsoft Graph API permissions

Step 1: Enter Your Tenant Details

In CloudAgent, navigate to Cloud Setup and click + Add Cloud Environment, then select Azure.

The wizard walks you through four steps. Start by entering:

  • Azure Tenant ID: Your Azure AD tenant identifier (UUID format)
  • Description (optional): A friendly label like "Production Azure" or "Dev Tenant"
  • Environment Type: Choose between Azure Public (default) or Azure US Government

Step 2: Select Subscription Access

Choose how CloudAgent discovers your subscriptions:

  • Manual Entry: Enter subscription IDs individually, each with an optional description. Best for small environments or a specific set of subscriptions.
  • Management Group: Provide a management group ID and CloudAgent auto-discovers every subscription within it. Best for large organizations with many subscriptions.

You can always add more subscriptions later by editing the environment.

Step 3: Create a Service Principal

CloudAgent needs a Service Principal (app registration) in your Azure AD to authenticate. Choose one of three setup methods:

Option A: Terraform

Download the generated Terraform template and apply it. The template automatically creates the app registration, assigns the required Graph API permissions, and sets up RBAC roles. After running terraform apply, the output provides the Client ID and Client Secret you'll need in the next step.

Terraform templates are tailored to your chosen subscription mode — subscription-level or management group-level — so the correct RBAC scope is applied automatically.

Option B: PowerShell

Download the PowerShell script and run it in Azure Cloud Shell or a local PowerShell session with the Az module installed. The script performs the same setup as Terraform and outputs the credentials at completion.

Option C: Manual Setup (Azure Portal)

Follow the step-by-step instructions in the wizard to configure everything through the Azure Portal:

  1. Create an App Registration: Navigate to Azure AD → App registrations → New registration. Name it something like "CloudAgent" and register it.

  2. Create a Client Secret: In the app registration, go to Certificates & secrets → New client secret. Copy the secret value immediately — it's only shown once.

  3. Assign Graph API Permissions: In API permissions, add the following Microsoft Graph (Application) permissions, then grant admin consent:

    • Directory.Read.All
    • Policy.Read.All
    • User.Read.All
    • AuditLog.Read.All
    • IdentityRiskyUser.Read.All
    • IdentityRiskyServicePrincipal.Read.All
    • IdentityRiskEvent.Read.All
    • UserAuthenticationMethod.Read

  4. Assign Subscription Roles: In each subscription (or management group), assign the Reader and Backup Reader roles to the app registration.

After completing your chosen method, enter the Client ID and Client Secret in the wizard.

Step 4: Validate and Save

Click Test Connection to verify that CloudAgent can authenticate with your Service Principal. The validation checks that:

  • The Service Principal credentials are valid
  • The tenant is accessible
  • The assigned permissions allow resource access
  • (For management group mode) Subscriptions can be discovered

Once validated, give the environment a name and click Save. Your Azure environment now appears in Cloud Environments alongside your AWS accounts.
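The Test Connection checks above, reimplemented as an added Python example (not CloudAgent's own code) so the same validation can be run from a workstation before you click Save. It assumes a dict cfg holding the wizard fields (environment_type, tenant_id, client_id, client_secret, and either subscription_ids or management_group_id), the public Microsoft login and Resource Manager endpoints, and an injectable http callable so the logic can be exercised offline against fake responses.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

ENDPOINTS = {  # (login authority, Resource Manager base URL) for each wizard Environment Type
    "Azure Public": ("https://login.microsoftonline.com", "https://management.azure.com"),
    "Azure US Government": ("https://login.microsoftonline.us", "https://management.usgovcloudapi.net"),
}

def http_urllib(method, url, headers=None, body=None):
    """Default transport: returns (status, parsed JSON body), also for 4xx error responses."""
    req = urllib.request.Request(url, data=body.encode() if body else None, method=method, headers=headers or {})
    try:
        resp = urllib.request.urlopen(req, timeout=30)
    except urllib.error.HTTPError as err:
        resp = err  # HTTPError is file-like, so the JSON error body is read the same way
    return resp.getcode(), json.loads(resp.read() or b"{}")

def get_token(cfg, http=http_urllib):
    """Client-credentials flow: succeeds only if the tenant exists and Client ID/Secret are valid."""
    authority, arm = ENDPOINTS[cfg["environment_type"]]
    form = urlencode({"grant_type": "client_credentials", "client_id": cfg["client_id"],
                      "client_secret": cfg["client_secret"], "scope": arm + "/.default"})
    status, js = http("POST", f"{authority}/{cfg['tenant_id']}/oauth2/v2.0/token",
                      {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError("authentication failed: " + js.get("error_description", str(js)))
    return js["access_token"]

def discover_subscriptions(cfg, token, http=http_urllib):
    """Management group mode lists descendants; manual mode checks each ID is visible to the SP."""
    arm, hdr = ENDPOINTS[cfg["environment_type"]][1], {"Authorization": "Bearer " + token}
    if cfg.get("management_group_id"):
        url = (f"{arm}/providers/Microsoft.Management/managementGroups/"
               f"{cfg['management_group_id']}/descendants?api-version=2020-05-01")
        status, js = http("GET", url, hdr)
        if status != 200:  # Reader must be assigned at the management group scope itself
            raise RuntimeError("management group not readable: assign Reader at MG scope")
        return [d["name"] for d in js.get("value", [])
                if d["type"] == "Microsoft.Management/managementGroups/subscriptions"]
    status, js = http("GET", f"{arm}/subscriptions?api-version=2020-01-01", hdr)
    if status != 200:
        raise RuntimeError("cannot list subscriptions")
    # ARM lists only subscriptions on which the principal holds a role assignment
    visible = {s["subscriptionId"] for s in js.get("value", [])}
    missing = [s for s in cfg["subscription_ids"] if s not in visible]
    if missing:
        raise RuntimeError("no role assignment on subscription(s): " + ", ".join(missing))
    return list(cfg["subscription_ids"])
```

Calling get_token(cfg) and then discover_subscriptions(cfg, token) against a live tenant reproduces the failure modes listed under Troubleshooting: bad credentials fail at the token step, a missing management-group Reader assignment fails the descendants call, and a subscription without a role assignment is reported as missing.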

Warning: Store your Client Secret securely. CloudAgent encrypts it before storage, but if you lose the original value, you'll need to create a new secret in Azure and update the environment.

What You Can Do with Azure Today

With an Azure environment connected, CloudAgent can:

  • Discover resources across your subscriptions using Azure Resource Graph
  • List subscriptions and their properties
  • Include Azure environments in multi-cloud workload definitions

Additional capabilities — including Azure-specific assessments, compliance reports, and agent-driven remediation — are on the roadmap.

Troubleshooting

Test Connection fails with authentication error: Verify that the Client ID and Client Secret are correct. If using manual setup, confirm that admin consent was granted for all Graph API permissions.

No subscriptions discovered (management group mode): Ensure the Service Principal has the Reader role assigned at the management group level, not just individual subscriptions.

"Insufficient permissions" after successful connection: The Service Principal likely needs additional role assignments. Verify that both Reader and Backup Reader are assigned at the correct scope (subscription or management group).

Cannot find Tenant ID: In the Azure Portal, go to Azure Active Directory → Overview. The Tenant ID is displayed on the overview page.
