Cloud
Connect Microsoft Azure
Reads Azure Resource Manager + Microsoft Defender for Cloud: resource inventory, secure score, security assessments, and Advisor recommendations to compute Cloud Health and Security Readiness.
What it pulls
Subscription + resource-group + resource inventory (by type), Defender secure score, Defender security assessments (unhealthy = findings), and Advisor recommendations (cost / reliability / operational).
What you’ll enter
The exact fields the connect form asks for — and where to find each value.
- Directory (tenant) ID
- On your app’s Overview page in the Azure portal, copy “Directory (tenant) ID” (use the copy icon). A GUID is just a long ID like the example above.
- Application (client) ID
- Same app Overview page — copy “Application (client) ID” (the copy icon beside it).
- Client secret
- App → Certificates & secrets → New client secret → copy the “Value” (NOT “Secret ID”). Shown only once.
- Subscription ID
- Search “Subscriptions” in the portal → open yours → copy “Subscription ID”.
Step-by-step setup
- 1
Register an app
Azure portal → Microsoft Entra ID → App registrations → New registration. Name it “ShipReady Metrics”, keep Supported account types = Single tenant, and LEAVE Redirect URI blank (it's a daemon app, no interactive login). Click Register.
- 2
Copy the tenant + client IDs
On the app’s Overview, copy Application (client) ID into Application (client) ID, and Directory (tenant) ID into Directory (tenant) ID above.
- 3
Create a client secret
Certificates & secrets → Client secrets → New client secret. Set an expiry, Add, then copy the secret Value immediately (hidden once you leave the page) into Client secret. (Use a client secret, not a certificate.)
- 4
Find your subscription ID
Search Subscriptions → open your subscription → copy the Subscription ID (a GUID) into the Subscription ID field.
- 5
Grant the app read access (the step everyone misses)
On the SUBSCRIPTION → Access control (IAM) → Add → Add role assignment → Reader → Members → select the “ShipReady Metrics” app → Review + assign. Do this in IAM, NOT the app’s API permissions blade — no Microsoft Graph consent is needed. Reader covers resources + Advisor + Defender assessments; add Security Reader the same way only if Defender data is missing.
- 6
Connect
Click Connect — we validate the service principal against Azure Resource Manager, encrypt the secret at rest, then sync resources, Defender posture, and Advisor recommendations.
Troubleshooting
- Connect fails with a 403 / “authenticated, but no read access”.
- The app signed in but was never granted the Reader role on the subscription. Subscription → Access control (IAM) → Add role assignment → Reader → select your app → Review + assign, then retry after 1–2 minutes. This is the step most people miss.
- 401 at sign-in / “rejected the service principal”.
- Re-check the tenant ID, client ID, and that you pasted the client secret VALUE — the long value shown once, NOT the Secret ID. If you didn't save it, create a new client secret and copy its Value immediately.
- You don't have a Subscription ID to enter.
- Portal → Subscriptions → your subscription → Overview → copy the Subscription ID. If the list is empty you have no active subscription yet — create one first, since Reader is granted on a subscription.
Read-only service principal — validated live against Azure Resource Manager, encrypted at rest, then synced. Feeds Cloud Health + Security Readiness.