> ## Documentation Index
> Fetch the complete documentation index at: https://docs.anyshift.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Azure Integration

> Integrate Annie with Microsoft Azure to unlock infrastructure mapping, monitoring, and dependency insights.

Connect your Microsoft Azure subscription to Annie for real-time infrastructure mapping, monitoring, and dependency insights, using Azure-native service principal authentication.

<Info>
  **Security first**: every role below grants read-only access to your infrastructure. Anyshift cannot access secrets, passwords, API keys, or any other sensitive data stored in your Azure subscription.
</Info>

# Setup Guide

The recommended path uses a service principal with the built-in `Reader` role assigned at the Management Group level, giving Anyshift visibility into every subscription you want to track.

<Steps>
  <Step title="Register an application in Microsoft Entra ID">
    See the [Microsoft Entra ID documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app) for app registration details.

    <Tabs>
      <Tab title="Terraform">
        ```hcl theme={null}
        # Create the Azure AD Application
        resource "azuread_application" "anyshift" {
          display_name = "anyshift-readonly"
        }

        # Create the Service Principal
        resource "azuread_service_principal" "anyshift" {
          client_id = azuread_application.anyshift.client_id
        }

        # Create a client secret
        resource "azuread_application_password" "anyshift" {
          application_id = azuread_application.anyshift.id
          display_name   = "anyshift-secret"
          end_date       = "2030-01-01T00:00:00Z"
        }

        # Assign Reader role at Management Group level
        resource "azurerm_role_assignment" "anyshift_reader" {
          scope                = "/providers/Microsoft.Management/managementGroups/${var.management_group_id}"
          role_definition_name = "Reader"
          principal_id         = azuread_service_principal.anyshift.object_id
        }

        # Output the credentials (store securely!)
        output "tenant_id" {
          value = data.azurerm_client_config.current.tenant_id
        }

        output "client_id" {
          value     = azuread_application.anyshift.client_id
          sensitive = true
        }

        output "client_secret" {
          value     = azuread_application_password.anyshift.value
          sensitive = true
        }
        ```
      </Tab>

      <Tab title="Azure Portal">
        1. Go to **Microsoft Entra ID** (formerly Azure Active Directory)
        2. Navigate to **App registrations** → **New registration**
        3. Enter the following:
           * **Name**: `anyshift-readonly`
           * **Supported account types**: "Accounts in this organizational directory only"
           * Click **Register**
        4. Note the **Application (client) ID** and **Directory (tenant) ID** from the Overview page
        5. Go to **Certificates & secrets** → **Client secrets** → **New client secret**
           * **Description**: `anyshift-secret`
           * **Expires**: Choose your preferred duration (recommended: 24 months)
           * Click **Add** and **copy the secret value immediately** (it won't be shown again)
      </Tab>
    </Tabs>
  </Step>

  <Step title="Assign the Reader role to the service principal">
    <Info>
      **Recommended**: assign Reader at the **Management Group** level to cover all subscriptions you want to track.
    </Info>

    <Tabs>
      <Tab title="Azure Portal (Management Group)">
        1. Go to **Management groups** → select the management group containing all subscriptions you want to track
        2. Navigate to **Access control (IAM)** → **Add** → **Add role assignment**
        3. Select the **Reader** role → **Next**
        4. Select **User, group, or service principal** → **Select members**
        5. Search for `anyshift-readonly` and select it
        6. Click **Review + assign**
      </Tab>

      <Tab title="Azure CLI (Management Group)">
        ```bash theme={null}
        # List management groups
        az account management-group list --query "[].{Name:name, DisplayName:displayName}"

        # Assign Reader role at the management group level
        az role assignment create \
          --assignee <CLIENT_ID> \
          --role "Reader" \
          --scope "/providers/Microsoft.Management/managementGroups/<MANAGEMENT_GROUP_ID>"
        ```
      </Tab>

      <Tab title="Azure CLI (Single Subscription)">
        ```bash theme={null}
        # If you prefer to limit access to a single subscription
        az role assignment create \
          --assignee <CLIENT_ID> \
          --role "Reader" \
          --scope "/subscriptions/<SUBSCRIPTION_ID>"
        ```
      </Tab>
    </Tabs>
  </Step>

  <Step title="Add credentials in Anyshift">
    1. Go to **Integrations** → **Azure** → **Credentials** → **New Credential**
    2. Enter your credentials:
       * **Tenant ID**: Your Azure AD tenant ID (Directory ID)
       * **Client ID**: The Application (client) ID from Step 1
       * **Client Secret**: The secret value from Step 1
    3. Click **Save**

    Anyshift automatically discovers all subscriptions accessible by the service principal and begins scanning your Azure infrastructure.
  </Step>
</Steps>

# Reference

<AccordionGroup>
  <Accordion icon="key" title="Required roles and permissions">
    The recommended setup assigns the built-in `Reader` role at the **Management Group** level containing all subscriptions you want to track, giving Anyshift complete infrastructure visibility. Scanned resources include:

    * Compute (Virtual Machines, VM Scale Sets, Disks, Availability Sets)
    * Network (VNets, Subnets, NICs, NSGs, Load Balancers, Private DNS Zones)
    * Storage (Storage Accounts, Blob Containers, File Shares, Queues, Tables)
    * Containers (AKS Clusters, Agent Pools, Container Registries)
    * Identity (Managed Identities, Role Assignments, Role Definitions)
    * Key Vault metadata
    * Log Analytics Workspaces
    * Resource Groups and Subscriptions

    For more granular control, create a custom role with the read-only actions Anyshift uses:

    | Service            | Actions                                | What We Scan                                                                                                             |
    | ------------------ | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ |
    | Compute            | `Microsoft.Compute/*/read`             | VMs, VM Scale Sets, Disks, Disk Encryption Sets                                                                          |
    | Network            | `Microsoft.Network/*/read`             | VNets, Subnets, NICs, NSGs, Public IPs, Load Balancers, Private DNS Zones, Application Gateways, Firewalls, VPN Gateways |
    | Storage            | `Microsoft.Storage/*/read`             | Storage Accounts, Blob Containers, File Shares, Queues, Tables                                                           |
    | Containers         | `Microsoft.ContainerService/*/read`    | AKS Clusters, Agent Pools                                                                                                |
    | Container Registry | `Microsoft.ContainerRegistry/*/read`   | Container Registries                                                                                                     |
    | Key Vault          | `Microsoft.KeyVault/*/read`            | Key Vaults, Keys, Secrets metadata (not values)                                                                          |
    | Managed Identity   | `Microsoft.ManagedIdentity/*/read`     | User-Assigned Managed Identities                                                                                         |
    | Log Analytics      | `Microsoft.OperationalInsights/*/read` | Log Analytics Workspaces                                                                                                 |
    | Authorization      | `Microsoft.Authorization/*/read`       | Role Assignments, Role Definitions                                                                                       |
    | Resources          | `Microsoft.Resources/*/read`           | Resource Groups, Subscriptions                                                                                           |
    | App Service        | `Microsoft.Web/*/read`                 | Web Apps, Function Apps, App Service Plans                                                                               |
    | SQL                | `Microsoft.Sql/*/read`                 | SQL Servers, Databases, Elastic Pools                                                                                    |
    | Cosmos DB          | `Microsoft.DocumentDB/*/read`          | Cosmos DB Accounts, Databases                                                                                            |
    | Redis Cache        | `Microsoft.Cache/*/read`               | Redis Cache instances                                                                                                    |
    | Service Bus        | `Microsoft.ServiceBus/*/read`          | Service Bus Namespaces, Queues, Topics                                                                                   |
    | Event Hubs         | `Microsoft.EventHub/*/read`            | Event Hub Namespaces, Event Hubs                                                                                         |
    | API Management     | `Microsoft.ApiManagement/*/read`       | API Management Services, APIs                                                                                            |
    | Monitor            | `Microsoft.Insights/*/read`            | Alerts, Metrics, Diagnostic Settings                                                                                     |
  </Accordion>

  <Accordion icon="list-check" title="Complete permissions list">
    All permissions Anyshift uses for comprehensive infrastructure scanning:

    ### Compute Resources

    * `Microsoft.Compute/virtualMachines/read`
    * `Microsoft.Compute/virtualMachineScaleSets/read`
    * `Microsoft.Compute/disks/read`
    * `Microsoft.Compute/diskEncryptionSets/read`
    * `Microsoft.Compute/availabilitySets/read`

    ### Network Resources

    * `Microsoft.Network/virtualNetworks/read`
    * `Microsoft.Network/networkInterfaces/read`
    * `Microsoft.Network/networkSecurityGroups/read`
    * `Microsoft.Network/publicIPAddresses/read`
    * `Microsoft.Network/loadBalancers/read`
    * `Microsoft.Network/privateDnsZones/read`
    * `Microsoft.Network/applicationGateways/read`
    * `Microsoft.Network/azureFirewalls/read`
    * `Microsoft.Network/virtualNetworkGateways/read`
    * `Microsoft.Network/dnszones/read`

    ### Storage Resources

    * `Microsoft.Storage/storageAccounts/read`
    * `Microsoft.Storage/storageAccounts/blobServices/read`
    * `Microsoft.Storage/storageAccounts/blobServices/containers/read`
    * `Microsoft.Storage/storageAccounts/fileServices/read`
    * `Microsoft.Storage/storageAccounts/fileServices/shares/read`
    * `Microsoft.Storage/storageAccounts/queueServices/read`
    * `Microsoft.Storage/storageAccounts/tableServices/read`

    ### Container Resources

    * `Microsoft.ContainerService/managedClusters/read`
    * `Microsoft.ContainerService/managedClusters/agentPools/read`
    * `Microsoft.ContainerRegistry/registries/read`

    ### Identity & Authorization

    * `Microsoft.ManagedIdentity/userAssignedIdentities/read`
    * `Microsoft.Authorization/roleAssignments/read`
    * `Microsoft.Authorization/roleDefinitions/read`

    ### App Service & Serverless

    * `Microsoft.Web/sites/read`
    * `Microsoft.Web/serverfarms/read`
    * `Microsoft.Web/sites/functions/read`

    ### Databases

    * `Microsoft.Sql/servers/read`
    * `Microsoft.Sql/servers/databases/read`
    * `Microsoft.Sql/servers/elasticPools/read`
    * `Microsoft.DocumentDB/databaseAccounts/read`
    * `Microsoft.Cache/redis/read`

    ### Messaging & Events

    * `Microsoft.ServiceBus/namespaces/read`
    * `Microsoft.ServiceBus/namespaces/queues/read`
    * `Microsoft.ServiceBus/namespaces/topics/read`
    * `Microsoft.EventHub/namespaces/read`
    * `Microsoft.EventHub/namespaces/eventhubs/read`

    ### Other Resources

    * `Microsoft.KeyVault/vaults/read`
    * `Microsoft.OperationalInsights/workspaces/read`
    * `Microsoft.ApiManagement/service/read`
    * `Microsoft.Insights/alertRules/read`
    * `Microsoft.Insights/diagnosticSettings/read`
    * `Microsoft.Resources/subscriptions/read`
    * `Microsoft.Resources/subscriptions/resourceGroups/read`
  </Accordion>

  <Accordion icon="shield-check" title="Alternative: Workload Identity Federation (OIDC)">
    Workload Identity Federation lets Anyshift authenticate to Azure without a client secret. Anyshift signs a short-lived JWT token that Azure trusts via a federated identity credential. This removes secret rotation and is more secure.

    ## Step 1 - Register an Application in Microsoft Entra ID

    Follow the same steps as the service principal setup to create an App Registration and assign the Reader role, but **skip creating a client secret**.

    **Terraform**

    ```hcl theme={null}
    # Create the Azure AD Application
    resource "azuread_application" "anyshift" {
      display_name = "anyshift-readonly"
    }

    # Create the Service Principal
    resource "azuread_service_principal" "anyshift" {
      client_id = azuread_application.anyshift.client_id
    }

    # Assign Reader role at Management Group level
    resource "azurerm_role_assignment" "anyshift_reader" {
      scope                = "/providers/Microsoft.Management/managementGroups/${var.management_group_id}"
      role_definition_name = "Reader"
      principal_id         = azuread_service_principal.anyshift.object_id
    }
    ```

    **Azure Portal**

    1. Go to **Microsoft Entra ID** → **App registrations** → **New registration**
    2. Enter:
       * **Name**: `anyshift-readonly`
       * **Supported account types**: "Accounts in this organizational directory only"
       * Click **Register**
    3. Note the **Application (client) ID** and **Directory (tenant) ID**
    4. Assign the **Reader** role as described in the service principal setup, Step 2

    ## Step 2 - Add Credentials in Anyshift

    1. Go to **Integrations** → **Azure** → **Credentials** → **New Credential**
    2. Select **OIDC** as the authentication method
    3. Enter:
       * **Tenant ID**: Your Azure AD tenant ID
       * **Client ID**: The Application (client) ID from Step 1
    4. Click **Save**

    Anyshift displays a dialog with three values you need for the next step:

    * **Issuer URL**: The Anyshift OIDC issuer (e.g. `https://api.anyshift.io`)
    * **Subject Identifier**: A unique identifier for this credential (e.g. `anyshift:project:<project-id>:credential:<credential-id>`)
    * **Audience**: `api://AzureADTokenExchange`

    Copy these values using the copy buttons in the dialog.

    ## Step 3 - Configure Federated Identity Credential in Azure

    Using the values from the Anyshift dialog:

    **Terraform**

    ```hcl theme={null}
    resource "azuread_application_federated_identity_credential" "anyshift" {
      application_id = azuread_application.anyshift.id
      display_name   = "anyshift-oidc"
      issuer         = "<ISSUER_URL>"           # From the dialog
      subject        = "<SUBJECT_IDENTIFIER>"    # From the dialog
      audiences      = ["api://AzureADTokenExchange"]
    }
    ```

    **Azure Portal**

    1. Go to **Azure Portal** → **App Registrations** → your app → **Certificates & secrets** → **Federated credentials**
    2. Click **Add credential** and select **Other issuer**
    3. Paste the **Issuer URL**, **Subject Identifier**, and **Audience** values from the Anyshift dialog
    4. Click **Add**

    ## Step 4 - Verify the Connection

    Click **Done & Verify Connection** in the Anyshift dialog. Anyshift triggers a scan to verify the federation is working correctly.
  </Accordion>

  <Accordion icon="circle-question" title="Troubleshooting">
    **Status shows "Error" after adding credentials**

    This usually means the service principal lacks the required permissions. Verify that:

    1. The Reader role is assigned at the subscription level
    2. The credentials (Tenant ID, Client ID, Client Secret) are correct
    3. The client secret hasn't expired (for service principal auth)

    **Status shows "Error" with OIDC federation**

    1. Verify the federated identity credential is configured correctly in Azure AD (Issuer URL, Subject Identifier, Audience)
    2. Ensure the Issuer URL matches exactly (no trailing slash)
    3. Check that the App Registration has the Reader role assigned

    **No resources showing up**

    1. Ensure the service principal has access to the correct subscription
    2. Check that resources exist in the subscription
    3. Allow a few minutes for the initial scan to complete

    **Multiple subscriptions**

    Anyshift automatically discovers and scans all subscriptions accessible by the service principal. Assign Reader at the **Management Group level** to cover all subscriptions you want to track, with no need for separate credentials per subscription.
  </Accordion>
</AccordionGroup>

# Try Anyshift

Start mapping your Azure infrastructure today.

<CardGroup cols={2}>
  <Card title="Create an account" icon="user-plus" href="https://app.anyshift.io/" />

  <Card title="Request a demo" icon="phone" href="https://calendly.com/d/cr9z-6g6-6g9/meet-with-anyshift">
    See Anyshift Root Cause Analysis in action
  </Card>
</CardGroup>
