Cloud

Connect Microsoft Azure

Reads Azure Resource Manager + Microsoft Defender for Cloud: resource inventory, secure score, security assessments, and Advisor recommendations to compute Cloud Health and Security Readiness.

What you'll need

An Entra ID service principal with the Reader role on the subscription (its tenant ID, client ID, client secret, and subscription ID). Reader (=*/read) covers ARM resources, Advisor, and reading Defender assessments. Add the Security Reader role only if Defender data doesn't appear. This is pure ARM RBAC — no Microsoft Graph API permissions are needed.

Credential

Entra ID service principal (Reader + optional Security Reader)

Requested scopes

Reader, Security Reader

Powers

Cloud Health, Security Readiness

What it pulls

Subscription + resource-group + resource inventory (by type), Defender secure score, Defender security assessments (unhealthy = findings), and Advisor recommendations (cost / reliability / operational).

What you’ll enter

The exact fields the connect form asks for — and where to find each value.

Directory (tenant) ID
On your app’s Overview page in the Azure portal, copy “Directory (tenant) ID” (use the copy icon). A GUID is just a long ID like the example above.
Application (client) ID
Same app Overview page — copy “Application (client) ID” (the copy icon beside it).
Client secret
App → Certificates & secrets → New client secret → copy the “Value” (NOT “Secret ID”). Shown only once.
Subscription ID
Search “Subscriptions” in the portal → open yours → copy “Subscription ID”.

Step-by-step setup

  1. 1

    Register an app

    Azure portal → Microsoft Entra ID → App registrations → New registration. Name it “ShipReady Metrics”, keep Supported account types = Single tenant, and LEAVE Redirect URI blank (it's a daemon app, no interactive login). Click Register.

  2. 2

    Copy the tenant + client IDs

    On the app’s Overview, copy Application (client) ID into Application (client) ID, and Directory (tenant) ID into Directory (tenant) ID above.

  3. 3

    Create a client secret

    Certificates & secrets → Client secrets → New client secret. Set an expiry, Add, then copy the secret Value immediately (hidden once you leave the page) into Client secret. (Use a client secret, not a certificate.)

  4. 4

    Find your subscription ID

    Search Subscriptions → open your subscription → copy the Subscription ID (a GUID) into the Subscription ID field.

  5. 5

    Grant the app read access (the step everyone misses)

    On the SUBSCRIPTION → Access control (IAM) → Add → Add role assignment → Reader → Members → select the “ShipReady Metrics” app → Review + assign. Do this in IAM, NOT the app’s API permissions blade — no Microsoft Graph consent is needed. Reader covers resources + Advisor + Defender assessments; add Security Reader the same way only if Defender data is missing.

  6. 6

    Connect

    Click Connect — we validate the service principal against Azure Resource Manager, encrypt the secret at rest, then sync resources, Defender posture, and Advisor recommendations.

Troubleshooting

Connect fails with a 403 / “authenticated, but no read access”.
The app signed in but was never granted the Reader role on the subscription. Subscription → Access control (IAM) → Add role assignment → Reader → select your app → Review + assign, then retry after 1–2 minutes. This is the step most people miss.
401 at sign-in / “rejected the service principal”.
Re-check the tenant ID, client ID, and that you pasted the client secret VALUE — the long value shown once, NOT the Secret ID. If you didn't save it, create a new client secret and copy its Value immediately.
You don't have a Subscription ID to enter.
Portal → Subscriptions → your subscription → Overview → copy the Subscription ID. If the list is empty you have no active subscription yet — create one first, since Reader is granted on a subscription.
Create a service principal → Connect in the app

Read-only service principal — validated live against Azure Resource Manager, encrypted at rest, then synced. Feeds Cloud Health + Security Readiness.