
Connect your Microsoft Azure subscription to Annie for real-time infrastructure mapping, monitoring, and dependency insights, using Azure-native service principal authentication.
Security first: every role below grants read-only access to your infrastructure. Anyshift cannot access secrets, passwords, API keys, or any other sensitive data stored in your Azure subscription.

Setup Guide

The recommended path uses a service principal with the built-in Reader role assigned at the Management Group level, giving Anyshift visibility into every subscription you want to track.
Step 1 - Register an application in Microsoft Entra ID

See the Microsoft Entra ID documentation for app registration details.
Terraform

```hcl
# Look up the tenant of the identity Terraform is running as
# (needed for the tenant_id output below)
data "azurerm_client_config" "current" {}

# Create the Azure AD Application
resource "azuread_application" "anyshift" {
  display_name = "anyshift-readonly"
}

# Create the Service Principal
resource "azuread_service_principal" "anyshift" {
  client_id = azuread_application.anyshift.client_id
}

# Create a client secret (expires on the date below; rotate before then)
resource "azuread_application_password" "anyshift" {
  application_id = azuread_application.anyshift.id
  display_name   = "anyshift-secret"
  end_date       = "2030-01-01T00:00:00Z"
}

# Assign Reader role at Management Group level
resource "azurerm_role_assignment" "anyshift_reader" {
  scope                = "/providers/Microsoft.Management/managementGroups/${var.management_group_id}"
  role_definition_name = "Reader"
  principal_id         = azuread_service_principal.anyshift.object_id
}

# Output the credentials (store securely! the secret also lands in state)
output "tenant_id" {
  value = data.azurerm_client_config.current.tenant_id
}

output "client_id" {
  value     = azuread_application.anyshift.client_id
  sensitive = true
}

output "client_secret" {
  value     = azuread_application_password.anyshift.value
  sensitive = true
}
```
Step 2 - Assign the Reader role to the service principal

Recommended: assign Reader at the Management Group level to cover all subscriptions you want to track.
  1. Go to Management groups → select the management group containing all subscriptions you want to track
  2. Navigate to Access control (IAM) → Add → Add role assignment
  3. Select the Reader role → Next
  4. Select User, group, or service principal → Select members
  5. Search for anyshift-readonly and select it
  6. Click Review + assign
Step 3 - Add credentials in Anyshift

  1. Go to Integrations → Azure → Credentials → New Credential
  2. Enter your credentials:
    • Tenant ID: Your Azure AD tenant ID (Directory ID)
    • Client ID: The Application (client) ID from Step 1
    • Client Secret: The secret value from Step 1
  3. Click Save
Anyshift automatically discovers all subscriptions accessible by the service principal and begins scanning your Azure infrastructure.

Reference

The recommended setup assigns the built-in Reader role at the Management Group level containing all subscriptions you want to track, giving Anyshift complete infrastructure visibility. Scanned resources include:
  • Compute (Virtual Machines, VM Scale Sets, Disks, Availability Sets)
  • Network (VNets, Subnets, NICs, NSGs, Load Balancers, Private DNS Zones)
  • Storage (Storage Accounts, Blob Containers, File Shares, Queues, Tables)
  • Containers (AKS Clusters, Agent Pools, Container Registries)
  • Identity (Managed Identities, Role Assignments, Role Definitions)
  • Key Vault metadata
  • Log Analytics Workspaces
  • Resource Groups and Subscriptions
For more granular control, create a custom role with the read-only actions Anyshift uses:
| Service | Actions | What We Scan |
| --- | --- | --- |
| Compute | Microsoft.Compute/*/read | VMs, VM Scale Sets, Disks, Disk Encryption Sets |
| Network | Microsoft.Network/*/read | VNets, Subnets, NICs, NSGs, Public IPs, Load Balancers, Private DNS Zones, Application Gateways, Firewalls, VPN Gateways |
| Storage | Microsoft.Storage/*/read | Storage Accounts, Blob Containers, File Shares, Queues, Tables |
| Containers | Microsoft.ContainerService/*/read | AKS Clusters, Agent Pools |
| Container Registry | Microsoft.ContainerRegistry/*/read | Container Registries |
| Key Vault | Microsoft.KeyVault/*/read | Key Vaults, Keys, Secrets metadata (not values) |
| Managed Identity | Microsoft.ManagedIdentity/*/read | User-Assigned Managed Identities |
| Log Analytics | Microsoft.OperationalInsights/*/read | Log Analytics Workspaces |
| Authorization | Microsoft.Authorization/*/read | Role Assignments, Role Definitions |
| Resources | Microsoft.Resources/*/read | Resource Groups, Subscriptions |
| App Service | Microsoft.Web/*/read | Web Apps, Function Apps, App Service Plans |
| SQL | Microsoft.Sql/*/read | SQL Servers, Databases, Elastic Pools |
| Cosmos DB | Microsoft.DocumentDB/*/read | Cosmos DB Accounts, Databases |
| Redis Cache | Microsoft.Cache/*/read | Redis Cache instances |
| Service Bus | Microsoft.ServiceBus/*/read | Service Bus Namespaces, Queues, Topics |
| Event Hubs | Microsoft.EventHub/*/read | Event Hub Namespaces, Event Hubs |
| API Management | Microsoft.ApiManagement/*/read | API Management Services, APIs |
| Monitor | Microsoft.Insights/*/read | Alerts, Metrics, Diagnostic Settings |
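The custom role described above, written out in Terraform as an added example (not Anyshift's own code): a role definition carrying only the per-provider read actions from the table, assignable only at or below the management group, and assigned to the service principal from Step 1. It assumes the `azuread_service_principal.anyshift` resource and the `var.management_group_id` variable from the page's Terraform exist in the same configuration; the role name is a placeholder of my choosing.

```hcl
# Assumes azuread_service_principal.anyshift and var.management_group_id from the page's Terraform
locals {
  management_group_scope = "/providers/Microsoft.Management/managementGroups/${var.management_group_id}"

  # Control-plane read actions only, one wildcard per resource provider in the table
  anyshift_read_actions = [
    "Microsoft.Compute/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Storage/*/read",
    "Microsoft.ContainerService/*/read",
    "Microsoft.ContainerRegistry/*/read",
    "Microsoft.KeyVault/*/read",
    "Microsoft.ManagedIdentity/*/read",
    "Microsoft.OperationalInsights/*/read",
    "Microsoft.Authorization/*/read",
    "Microsoft.Resources/*/read",
    "Microsoft.Web/*/read",
    "Microsoft.Sql/*/read",
    "Microsoft.DocumentDB/*/read",
    "Microsoft.Cache/*/read",
    "Microsoft.ServiceBus/*/read",
    "Microsoft.EventHub/*/read",
    "Microsoft.ApiManagement/*/read",
    "Microsoft.Insights/*/read",
  ]
}

resource "azurerm_role_definition" "anyshift_readonly" {
  name        = "Anyshift Read-Only Scanner" # placeholder name
  scope       = local.management_group_scope
  description = "Control-plane read access for Anyshift infrastructure scanning"

  permissions {
    actions     = local.anyshift_read_actions
    not_actions = []
    # No data-plane actions: Key Vault secret values, blob contents and
    # queue messages stay unreadable even though their metadata is listed
    data_actions = []
  }

  # The role can only be assigned at or below this management group
  assignable_scopes = [local.management_group_scope]
}

resource "azurerm_role_assignment" "anyshift_custom" {
  scope              = local.management_group_scope
  role_definition_id = azurerm_role_definition.anyshift_readonly.role_definition_resource_id
  principal_id       = azuread_service_principal.anyshift.object_id
}
```

Use this assignment instead of the built-in Reader assignment from Step 1, not in addition to it, otherwise the broader Reader role still applies.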
All permissions Anyshift uses for comprehensive infrastructure scanning:

Compute Resources

  • Microsoft.Compute/virtualMachines/read
  • Microsoft.Compute/virtualMachineScaleSets/read
  • Microsoft.Compute/disks/read
  • Microsoft.Compute/diskEncryptionSets/read
  • Microsoft.Compute/availabilitySets/read

Network Resources

  • Microsoft.Network/virtualNetworks/read
  • Microsoft.Network/networkInterfaces/read
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/publicIPAddresses/read
  • Microsoft.Network/loadBalancers/read
  • Microsoft.Network/privateDnsZones/read
  • Microsoft.Network/applicationGateways/read
  • Microsoft.Network/azureFirewalls/read
  • Microsoft.Network/virtualNetworkGateways/read
  • Microsoft.Network/dnszones/read

Storage Resources

  • Microsoft.Storage/storageAccounts/read
  • Microsoft.Storage/storageAccounts/blobServices/read
  • Microsoft.Storage/storageAccounts/blobServices/containers/read
  • Microsoft.Storage/storageAccounts/fileServices/read
  • Microsoft.Storage/storageAccounts/fileServices/shares/read
  • Microsoft.Storage/storageAccounts/queueServices/read
  • Microsoft.Storage/storageAccounts/tableServices/read

Container Resources

  • Microsoft.ContainerService/managedClusters/read
  • Microsoft.ContainerService/managedClusters/agentPools/read
  • Microsoft.ContainerRegistry/registries/read

Identity & Authorization

  • Microsoft.ManagedIdentity/userAssignedIdentities/read
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleDefinitions/read

App Service & Serverless

  • Microsoft.Web/sites/read
  • Microsoft.Web/serverfarms/read
  • Microsoft.Web/sites/functions/read

Databases

  • Microsoft.Sql/servers/read
  • Microsoft.Sql/servers/databases/read
  • Microsoft.Sql/servers/elasticPools/read
  • Microsoft.DocumentDB/databaseAccounts/read
  • Microsoft.Cache/redis/read

Messaging & Events

  • Microsoft.ServiceBus/namespaces/read
  • Microsoft.ServiceBus/namespaces/queues/read
  • Microsoft.ServiceBus/namespaces/topics/read
  • Microsoft.EventHub/namespaces/read
  • Microsoft.EventHub/namespaces/eventhubs/read

Other Resources

  • Microsoft.KeyVault/vaults/read
  • Microsoft.OperationalInsights/workspaces/read
  • Microsoft.ApiManagement/service/read
  • Microsoft.Insights/alertRules/read
  • Microsoft.Insights/diagnosticSettings/read
  • Microsoft.Resources/subscriptions/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
Workload Identity Federation (OIDC)

Workload Identity Federation lets Anyshift authenticate to Azure without a client secret. Anyshift signs a short-lived JWT that Azure trusts via a federated identity credential. This removes the need for secret rotation and is more secure.

Step 1 - Register an Application in Microsoft Entra ID

Follow the same steps as the service principal setup to create an App Registration and assign the Reader role, but skip creating a client secret.
Terraform

```hcl
# Create the Azure AD Application
resource "azuread_application" "anyshift" {
  display_name = "anyshift-readonly"
}

# Create the Service Principal
resource "azuread_service_principal" "anyshift" {
  client_id = azuread_application.anyshift.client_id
}

# Assign Reader role at Management Group level
resource "azurerm_role_assignment" "anyshift_reader" {
  scope                = "/providers/Microsoft.Management/managementGroups/${var.management_group_id}"
  role_definition_name = "Reader"
  principal_id         = azuread_service_principal.anyshift.object_id
}
```
Azure Portal
  1. Go to Microsoft Entra ID → App registrations → New registration
  2. Enter:
    • Name: anyshift-readonly
    • Supported account types: “Accounts in this organizational directory only”
    • Click Register
  3. Note the Application (client) ID and Directory (tenant) ID
  4. Assign the Reader role as described in the service principal setup, Step 2

Step 2 - Add Credentials in Anyshift

  1. Go to Integrations → Azure → Credentials → New Credential
  2. Select OIDC as the authentication method
  3. Enter:
    • Tenant ID: Your Azure AD tenant ID
    • Client ID: The Application (client) ID from Step 1
  4. Click Save
Anyshift displays a dialog with three values you need for the next step:
  • Issuer URL: The Anyshift OIDC issuer (e.g. https://api.anyshift.io)
  • Subject Identifier: A unique identifier for this credential (e.g. anyshift:project:<project-id>:credential:<credential-id>)
  • Audience: api://AzureADTokenExchange
Copy these values using the copy buttons in the dialog.

Step 3 - Configure Federated Identity Credential in Azure

Using the values from the Anyshift dialog:
Terraform

```hcl
resource "azuread_application_federated_identity_credential" "anyshift" {
  application_id = azuread_application.anyshift.id
  display_name   = "anyshift-oidc"
  issuer         = "<ISSUER_URL>"           # From the dialog
  subject        = "<SUBJECT_IDENTIFIER>"    # From the dialog
  audiences      = ["api://AzureADTokenExchange"]
}
```
Azure Portal
  1. Go to Azure Portal → App Registrations → your app → Certificates & secrets → Federated credentials
  2. Click Add credential and select Other issuer
  3. Paste the Issuer URL, Subject Identifier, and Audience values from the Anyshift dialog
  4. Click Add

Step 4 - Verify the Connection

Click Done & Verify Connection in the Anyshift dialog. Anyshift triggers a scan to verify the federation is working correctly.
Troubleshooting

Status shows “Error” after adding credentials
This usually means the service principal lacks the required permissions. Verify that:
  1. The Reader role is assigned at the subscription level
  2. The credentials (Tenant ID, Client ID, Client Secret) are correct
  3. The client secret hasn’t expired (for service principal auth)
Status shows “Error” with OIDC federation
  1. Verify the federated identity credential is configured correctly in Azure AD (Issuer URL, Subject Identifier, Audience)
  2. Ensure the Issuer URL matches exactly (no trailing slash)
  3. Check that the App Registration has the Reader role assigned
No resources showing up
  1. Ensure the service principal has access to the correct subscription
  2. Check that resources exist in the subscription
  3. Allow a few minutes for the initial scan to complete
Multiple subscriptions
Anyshift automatically discovers and scans all subscriptions accessible by the service principal. Assign Reader at the Management Group level to cover all subscriptions you want to track, with no need for separate credentials per subscription.
