Security first: every role below grants read-only access to your infrastructure. Anyshift cannot access secrets, passwords, API keys, or any other sensitive data stored in your Azure subscription.
Setup Guide
The recommended path uses a service principal with the built-inReader role assigned at the Management Group level, giving Anyshift visibility into every subscription you want to track.
1
Register an application in Microsoft Entra ID
See the Microsoft Entra ID documentation for app registration details.
- Terraform
- Azure Portal
2
Assign the Reader role to the service principal
Recommended: assign Reader at the Management Group level to cover all subscriptions you want to track.
- Azure Portal (Management Group)
- Azure CLI (Management Group)
- Azure CLI (Single Subscription)
- Go to Management groups → select the management group containing all subscriptions you want to track
- Navigate to Access control (IAM) → Add → Add role assignment
- Select the Reader role → Next
- Select User, group, or service principal → Select members
- Search for
anyshift-readonlyand select it - Click Review + assign
3
Add credentials in Anyshift
- Go to Integrations → Azure → Credentials → New Credential
- Enter your credentials:
- Tenant ID: Your Azure AD tenant ID (Directory ID)
- Client ID: The Application (client) ID from Step 1
- Client Secret: The secret value from Step 1
- Click Save
Reference
Required roles and permissions
Required roles and permissions
The recommended setup assigns the built-in
Reader role at the Management Group level containing all subscriptions you want to track, giving Anyshift complete infrastructure visibility. Scanned resources include:- Compute (Virtual Machines, VM Scale Sets, Disks, Availability Sets)
- Network (VNets, Subnets, NICs, NSGs, Load Balancers, Private DNS Zones)
- Storage (Storage Accounts, Blob Containers, File Shares, Queues, Tables)
- Containers (AKS Clusters, Agent Pools, Container Registries)
- Identity (Managed Identities, Role Assignments, Role Definitions)
- Key Vault metadata
- Log Analytics Workspaces
- Resource Groups and Subscriptions
Complete permissions list
Complete permissions list
All permissions Anyshift uses for comprehensive infrastructure scanning:
Compute Resources
Microsoft.Compute/virtualMachines/readMicrosoft.Compute/virtualMachineScaleSets/readMicrosoft.Compute/disks/readMicrosoft.Compute/diskEncryptionSets/readMicrosoft.Compute/availabilitySets/read
Network Resources
Microsoft.Network/virtualNetworks/readMicrosoft.Network/networkInterfaces/readMicrosoft.Network/networkSecurityGroups/readMicrosoft.Network/publicIPAddresses/readMicrosoft.Network/loadBalancers/readMicrosoft.Network/privateDnsZones/readMicrosoft.Network/applicationGateways/readMicrosoft.Network/azureFirewalls/readMicrosoft.Network/virtualNetworkGateways/readMicrosoft.Network/dnszones/read
Storage Resources
Microsoft.Storage/storageAccounts/readMicrosoft.Storage/storageAccounts/blobServices/readMicrosoft.Storage/storageAccounts/blobServices/containers/readMicrosoft.Storage/storageAccounts/fileServices/readMicrosoft.Storage/storageAccounts/fileServices/shares/readMicrosoft.Storage/storageAccounts/queueServices/readMicrosoft.Storage/storageAccounts/tableServices/read
Container Resources
Microsoft.ContainerService/managedClusters/readMicrosoft.ContainerService/managedClusters/agentPools/readMicrosoft.ContainerRegistry/registries/read
Identity & Authorization
Microsoft.ManagedIdentity/userAssignedIdentities/readMicrosoft.Authorization/roleAssignments/readMicrosoft.Authorization/roleDefinitions/read
App Service & Serverless
Microsoft.Web/sites/readMicrosoft.Web/serverfarms/readMicrosoft.Web/sites/functions/read
Databases
Microsoft.Sql/servers/readMicrosoft.Sql/servers/databases/readMicrosoft.Sql/servers/elasticPools/readMicrosoft.DocumentDB/databaseAccounts/readMicrosoft.Cache/redis/read
Messaging & Events
Microsoft.ServiceBus/namespaces/readMicrosoft.ServiceBus/namespaces/queues/readMicrosoft.ServiceBus/namespaces/topics/readMicrosoft.EventHub/namespaces/readMicrosoft.EventHub/namespaces/eventhubs/read
Other Resources
Microsoft.KeyVault/vaults/readMicrosoft.OperationalInsights/workspaces/readMicrosoft.ApiManagement/service/readMicrosoft.Insights/alertRules/readMicrosoft.Insights/diagnosticSettings/readMicrosoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/resourceGroups/read
Alternative: Workload Identity Federation (OIDC)
Alternative: Workload Identity Federation (OIDC)
Workload Identity Federation lets Anyshift authenticate to Azure without a client secret. Anyshift signs a short-lived JWT token that Azure trusts via a federated identity credential. This removes secret rotation and is more secure.Azure PortalAzure Portal
Step 1 - Register an Application in Microsoft Entra ID
Follow the same steps as the service principal setup to create an App Registration and assign the Reader role, but skip creating a client secret.Terraform- Go to Microsoft Entra ID → App registrations → New registration
- Enter:
- Name:
anyshift-readonly - Supported account types: “Accounts in this organizational directory only”
- Click Register
- Name:
- Note the Application (client) ID and Directory (tenant) ID
- Assign the Reader role as described in the service principal setup, Step 2
Step 2 - Add Credentials in Anyshift
- Go to Integrations → Azure → Credentials → New Credential
- Select OIDC as the authentication method
- Enter:
- Tenant ID: Your Azure AD tenant ID
- Client ID: The Application (client) ID from Step 1
- Click Save
- Issuer URL: The Anyshift OIDC issuer (e.g.
https://api.anyshift.io) - Subject Identifier: A unique identifier for this credential (e.g.
anyshift:project:<project-id>:credential:<credential-id>) - Audience:
api://AzureADTokenExchange
Step 3 - Configure Federated Identity Credential in Azure
Using the values from the Anyshift dialog:Terraform- Go to Azure Portal → App Registrations → your app → Certificates & secrets → Federated credentials
- Click Add credential and select Other issuer
- Paste the Issuer URL, Subject Identifier, and Audience values from the Anyshift dialog
- Click Add
Step 4 - Verify the Connection
Click Done & Verify Connection in the Anyshift dialog. Anyshift triggers a scan to verify the federation is working correctly.Troubleshooting
Troubleshooting
Status shows “Error” after adding credentialsThis usually means the service principal lacks the required permissions. Verify that:
- The Reader role is assigned at the subscription level
- The credentials (Tenant ID, Client ID, Client Secret) are correct
- The client secret hasn’t expired (for service principal auth)
- Verify the federated identity credential is configured correctly in Azure AD (Issuer URL, Subject Identifier, Audience)
- Ensure the Issuer URL matches exactly (no trailing slash)
- Check that the App Registration has the Reader role assigned
- Ensure the service principal has access to the correct subscription
- Check that resources exist in the subscription
- Allow a few minutes for the initial scan to complete
Try Anyshift
Start mapping your Azure infrastructure today.Create an account
Request a demo
See Anyshift Root Cause Analysis in action