Connect your Microsoft Azure subscription to Annie to unlock real-time infrastructure mapping, monitoring, and dependency insights—using Azure-native security primitives with service principal authentication.

Security First: All the roles listed below provide read-only access to your infrastructure. Anyshift cannot access secrets, passwords, API keys, or any other sensitive data stored in your Azure subscription.

Required Roles and Permissions

Setup Options

Recommended Setup
Custom Permissions

Assign Reader Role at the Management Group LevelFor complete infrastructure visibility, assign the built-in Reader role at the Management Group level containing all subscriptions you want to track.Anyshift will scan all Azure resources including:

Compute (Virtual Machines, VM Scale Sets, Disks, Availability Sets)
Network (VNets, Subnets, NICs, NSGs, Load Balancers, Private DNS Zones)
Storage (Storage Accounts, Blob Containers, File Shares, Queues, Tables)
Containers (AKS Clusters, Agent Pools, Container Registries)
Identity (Managed Identities, Role Assignments, Role Definitions)
Key Vault metadata
Log Analytics Workspaces
Resource Groups and Subscriptions

Granular Role AssignmentIf you prefer more granular control, you can create a custom role with specific permissions. Below are the read-only actions Anyshift uses:

Service	Actions	What We Scan
Compute	`Microsoft.Compute/*/read`	VMs, VM Scale Sets, Disks, Disk Encryption Sets
Network	`Microsoft.Network/*/read`	VNets, Subnets, NICs, NSGs, Public IPs, Load Balancers, Private DNS Zones, Application Gateways, Firewalls, VPN Gateways
Storage	`Microsoft.Storage/*/read`	Storage Accounts, Blob Containers, File Shares, Queues, Tables
Containers	`Microsoft.ContainerService/*/read`	AKS Clusters, Agent Pools
Container Registry	`Microsoft.ContainerRegistry/*/read`	Container Registries
Key Vault	`Microsoft.KeyVault/*/read`	Key Vaults, Keys, Secrets metadata (not values)
Managed Identity	`Microsoft.ManagedIdentity/*/read`	User-Assigned Managed Identities
Log Analytics	`Microsoft.OperationalInsights/*/read`	Log Analytics Workspaces
Authorization	`Microsoft.Authorization/*/read`	Role Assignments, Role Definitions
Resources	`Microsoft.Resources/*/read`	Resource Groups, Subscriptions
App Service	`Microsoft.Web/*/read`	Web Apps, Function Apps, App Service Plans
SQL	`Microsoft.Sql/*/read`	SQL Servers, Databases, Elastic Pools
Cosmos DB	`Microsoft.DocumentDB/*/read`	Cosmos DB Accounts, Databases
Redis Cache	`Microsoft.Cache/*/read`	Redis Cache instances
Service Bus	`Microsoft.ServiceBus/*/read`	Service Bus Namespaces, Queues, Topics
Event Hubs	`Microsoft.EventHub/*/read`	Event Hub Namespaces, Event Hubs
API Management	`Microsoft.ApiManagement/*/read`	API Management Services, APIs
Monitor	`Microsoft.Insights/*/read`	Alerts, Metrics, Diagnostic Settings

Complete Permissions List

View all permissions that Anyshift uses for comprehensive infrastructure scanning:

Compute Resources

Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachineScaleSets/read
Microsoft.Compute/disks/read
Microsoft.Compute/diskEncryptionSets/read
Microsoft.Compute/availabilitySets/read

Storage Resources

Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/blobServices/read
Microsoft.Storage/storageAccounts/blobServices/containers/read
Microsoft.Storage/storageAccounts/fileServices/read
Microsoft.Storage/storageAccounts/fileServices/shares/read
Microsoft.Storage/storageAccounts/queueServices/read
Microsoft.Storage/storageAccounts/tableServices/read

Container Resources

Microsoft.ContainerService/managedClusters/read
Microsoft.ContainerService/managedClusters/agentPools/read
Microsoft.ContainerRegistry/registries/read

Identity & Authorization

Microsoft.ManagedIdentity/userAssignedIdentities/read
Microsoft.Authorization/roleAssignments/read
Microsoft.Authorization/roleDefinitions/read

App Service & Serverless

Microsoft.Web/sites/read
Microsoft.Web/serverfarms/read
Microsoft.Web/sites/functions/read

Databases

Microsoft.Sql/servers/read
Microsoft.Sql/servers/databases/read
Microsoft.Sql/servers/elasticPools/read
Microsoft.DocumentDB/databaseAccounts/read
Microsoft.Cache/redis/read

Messaging & Events

Microsoft.ServiceBus/namespaces/read
Microsoft.ServiceBus/namespaces/queues/read
Microsoft.ServiceBus/namespaces/topics/read
Microsoft.EventHub/namespaces/read
Microsoft.EventHub/namespaces/eventhubs/read

Other Resources

Microsoft.KeyVault/vaults/read
Microsoft.OperationalInsights/workspaces/read
Microsoft.ApiManagement/service/read
Microsoft.Insights/alertRules/read
Microsoft.Insights/diagnosticSettings/read
Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read

Setup Guide

Option 1: Service Principal (Recommended)

For more details on app registration, see the Microsoft Entra ID documentation.

Step 1 - Register an Application in Microsoft Entra ID

Terraform

# Create the Azure AD Application
resource "azuread_application" "anyshift" {
  display_name = "anyshift-readonly"
}

# Create the Service Principal
resource "azuread_service_principal" "anyshift" {
  client_id = azuread_application.anyshift.client_id
}

# Create a client secret
resource "azuread_application_password" "anyshift" {
  application_id = azuread_application.anyshift.id
  display_name   = "anyshift-secret"
  end_date       = "2030-01-01T00:00:00Z"
}

# Assign Reader role at Management Group level
resource "azurerm_role_assignment" "anyshift_reader" {
  scope                = "/providers/Microsoft.Management/managementGroups/${var.management_group_id}"
  role_definition_name = "Reader"
  principal_id         = azuread_service_principal.anyshift.object_id
}

# Output the credentials (store securely!)
output "tenant_id" {
  value = data.azurerm_client_config.current.tenant_id
}

output "client_id" {
  value     = azuread_application.anyshift.client_id
  sensitive = true
}

output "client_secret" {
  value     = azuread_application_password.anyshift.value
  sensitive = true
}

Azure Portal

Go to Microsoft Entra ID (formerly Azure Active Directory)
Navigate to App registrations → New registration
Enter the following:
- Name: anyshift-readonly
- Supported account types: “Accounts in this organizational directory only”
- Click Register
Note the Application (client) ID and Directory (tenant) ID from the Overview page
Go to Certificates & secrets → Client secrets → New client secret
- Description: anyshift-secret
- Expires: Choose your preferred duration (recommended: 24 months)
- Click Add and copy the secret value immediately (it won’t be shown again)

Step 2 - Assign Reader Role to the Service Principal

Recommended: Assign Reader role at the Management Group level to grant access to all subscriptions you want to track.

Azure Portal (Management Group - Recommended)

Go to Management groups → Select the management group containing all subscriptions you want to track
Navigate to Access control (IAM) → Add → Add role assignment
Select the Reader role → Next
Select User, group, or service principal → Select members
Search for anyshift-readonly and select it
Click Review + assign

Azure CLI (Management Group)

# List management groups
az account management-group list --query "[].{Name:name, DisplayName:displayName}"

# Assign Reader role at the management group level
az role assignment create \
  --assignee <CLIENT_ID> \
  --role "Reader" \
  --scope "/providers/Microsoft.Management/managementGroups/<MANAGEMENT_GROUP_ID>"

Azure CLI (Single Subscription - Alternative)

# If you prefer to limit access to a single subscription
az role assignment create \
  --assignee <CLIENT_ID> \
  --role "Reader" \
  --scope "/subscriptions/<SUBSCRIPTION_ID>"

Step 3 - Add Credentials in Anyshift

Go to Integrations → Azure → Credentials → New Credential
Enter your credentials:
- Tenant ID: Your Azure AD tenant ID (Directory ID)
- Client ID: The Application (client) ID from Step 1
- Client Secret: The secret value from Step 1
Click Save

Anyshift will automatically discover all subscriptions accessible by the service principal and begin scanning your Azure infrastructure.

Option 2: Workload Identity Federation (OIDC)

Workload Identity Federation allows Anyshift to authenticate to Azure without a client secret. Instead, Anyshift signs a short-lived JWT token that Azure trusts via a federated identity credential. This eliminates secret rotation and is more secure.

Step 1 - Register an Application in Microsoft Entra ID

Follow the same steps as Option 1 to create an App Registration and assign the Reader role, but skip creating a client secret.Terraform

# Create the Azure AD Application
resource "azuread_application" "anyshift" {
  display_name = "anyshift-readonly"
}

# Create the Service Principal
resource "azuread_service_principal" "anyshift" {
  client_id = azuread_application.anyshift.client_id
}

# Assign Reader role at Management Group level
resource "azurerm_role_assignment" "anyshift_reader" {
  scope                = "/providers/Microsoft.Management/managementGroups/${var.management_group_id}"
  role_definition_name = "Reader"
  principal_id         = azuread_service_principal.anyshift.object_id
}

Azure Portal

Go to Microsoft Entra ID → App registrations → New registration
Enter:
- Name: anyshift-readonly
- Supported account types: “Accounts in this organizational directory only”
- Click Register
Note the Application (client) ID and Directory (tenant) ID
Assign the Reader role as described in Option 1, Step 2

Step 2 - Add Credentials in Anyshift

Go to Integrations → Azure → Credentials → New Credential
Select OIDC as the authentication method
Enter:
- Tenant ID: Your Azure AD tenant ID
- Client ID: The Application (client) ID from Step 1
Click Save

Anyshift will display a dialog with three values you need for the next step:

Issuer URL: The Anyshift OIDC issuer (e.g. https://api.anyshift.io)
Subject Identifier: A unique identifier for this credential (e.g. anyshift:project:<project-id>:credential:<credential-id>)
Audience: api://AzureADTokenExchange

Copy these values using the copy buttons in the dialog.

Step 3 - Configure Federated Identity Credential in Azure

Using the values from the Anyshift dialog:Terraform

resource "azuread_application_federated_identity_credential" "anyshift" {
  application_id = azuread_application.anyshift.id
  display_name   = "anyshift-oidc"
  issuer         = "<ISSUER_URL>"           # From the dialog
  subject        = "<SUBJECT_IDENTIFIER>"    # From the dialog
  audiences      = ["api://AzureADTokenExchange"]
}

Azure Portal

Go to Azure Portal → App Registrations → your app → Certificates & secrets → Federated credentials
Click Add credential and select Other issuer
Paste the Issuer URL, Subject Identifier, and Audience values from the Anyshift dialog
Click Add

Step 4 - Verify the Connection

Click Done & Verify Connection in the Anyshift dialog. Anyshift will trigger a scan to verify the federation is working correctly.

Troubleshooting

Common Issues

Status shows “Error” after adding credentials This typically means the service principal doesn’t have the required permissions. Verify that:

The Reader role is assigned at the subscription level
The credentials (Tenant ID, Client ID, Client Secret) are correct
The client secret hasn’t expired (for service principal auth)

Status shows “Error” with OIDC federation

Verify the federated identity credential is configured correctly in Azure AD (Issuer URL, Subject Identifier, Audience)
Ensure the Issuer URL matches exactly (no trailing slash)
Check that the App Registration has the Reader role assigned

No resources showing up

Ensure the service principal has access to the correct subscription
Check that resources exist in the subscription
Allow a few minutes for the initial scan to complete

Multiple subscriptions Anyshift automatically discovers and scans all subscriptions accessible by the service principal. Assign Reader role at the Management Group level to cover all subscriptions you want to track - no need to create separate credentials for each subscription.

Get Started

Product

Privacy & Security

Azure Integration

Required Roles and Permissions

Setup Options

Compute Resources

Network Resources

Storage Resources

Container Resources

Identity & Authorization

App Service & Serverless

Databases

Messaging & Events

Other Resources

Setup Guide

Step 1 - Register an Application in Microsoft Entra ID

Step 2 - Assign Reader Role to the Service Principal

Step 3 - Add Credentials in Anyshift

Step 1 - Register an Application in Microsoft Entra ID

Step 2 - Add Credentials in Anyshift

Step 3 - Configure Federated Identity Credential in Azure

Step 4 - Verify the Connection

Troubleshooting

Common Issues

Try Anyshift

Create an account

Request a demo

Get Started

Product

Privacy & Security

​Required Roles and Permissions

​Setup Options

​Compute Resources

​Network Resources

​Storage Resources

​Container Resources

​Identity & Authorization

​App Service & Serverless

​Databases

​Messaging & Events

​Other Resources

​Setup Guide

​Step 1 - Register an Application in Microsoft Entra ID

​Step 2 - Assign Reader Role to the Service Principal

​Step 3 - Add Credentials in Anyshift

​Step 1 - Register an Application in Microsoft Entra ID

​Step 2 - Add Credentials in Anyshift

​Step 3 - Configure Federated Identity Credential in Azure

​Step 4 - Verify the Connection

​Troubleshooting

​Common Issues

​Try Anyshift

Create an account

Request a demo

Required Roles and Permissions

Setup Options

Compute Resources

Network Resources

Storage Resources

Container Resources

Identity & Authorization

App Service & Serverless

Databases

Messaging & Events

Other Resources

Setup Guide

Step 1 - Register an Application in Microsoft Entra ID

Step 2 - Assign Reader Role to the Service Principal

Step 3 - Add Credentials in Anyshift

Step 1 - Register an Application in Microsoft Entra ID

Step 2 - Add Credentials in Anyshift

Step 3 - Configure Federated Identity Credential in Azure

Step 4 - Verify the Connection

Troubleshooting

Common Issues

Try Anyshift