Connect an Azure Subscription to InfraAudit

InfraAudit connects to Azure using a service principal. Once connected, it discovers Virtual Machines, Storage Accounts, SQL Servers, and resource groups, and ingests billing data from the Azure Cost Management API.

Prerequisites

An Azure subscription
The Azure CLI installed and authenticated, or access to the Azure portal
Permission to create app registrations and assign roles in the subscription

Create the service principal

Use the Azure CLI to create a service principal with the Reader role scoped to your subscription:

az ad sp create-for-rbac \
  --name "infraudit-reader" \
  --role Reader \
  --scopes /subscriptions/<subscription-id> \
  --output json

The command returns the credentials you’ll need when connecting:

{
  "clientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "clientSecret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "subscriptionId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

Copy the clientSecret now — Azure does not show it again after the initial creation.

Required roles

Role	Scope	Purpose
`Reader`	Subscription	Read all resource metadata (VMs, Storage Accounts, SQL Servers, resource groups)
`Cost Management Reader`	Subscription	Read billing data via the Cost Management API

The Reader role is assigned automatically by the create-for-rbac command above. To also enable billing data ingest, assign the Cost Management Reader role separately:

az role assignment create \
  --assignee <clientId> \
  --role "Cost Management Reader" \
  --scope /subscriptions/<subscription-id>

Connect your Azure subscription

Open the connection dialog

In the sidebar, click Cloud Providers → Connect Azure.

Enter your credentials

Fill in all four values from the create-for-rbac output:

Client ID (clientId)
Client Secret (clientSecret)
Tenant ID (tenantId)
Subscription ID (subscriptionId)
Display name — a label for this account in the InfraAudit UI

Connect

Click Connect. InfraAudit validates the service principal and starts the initial resource sync.

infraudit provider connect azure \
  --client-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
  --client-secret "your-client-secret" \
  --tenant-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
  --subscription-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
  --name "Azure Production"

curl -X POST http://localhost:8080/api/v1/providers/azure/connect \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Azure Production",
    "clientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "clientSecret": "your-client-secret",
    "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "subscriptionId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  }'

What gets synced

Resource type	Internal type name
Virtual Machines	`azure_virtual_machine`
Storage Accounts	`azure_storage_account`
SQL Servers	`azure_sql_server`
Resource Groups	`azure_resource_group`

Billing data is synced daily from the Azure Cost Management API.

Security notes

Credentials are encrypted at rest using AES-GCM.
InfraAudit never writes to your Azure subscription. All API calls are read-only.
Azure AD app client secrets expire — by default after 2 years. Set a calendar reminder to rotate the secret before it expires, then update the provider credentials in InfraAudit under Cloud Providers → Edit.

Get Started

Platform

Integrations

Concepts

Self-Hosting

Resources

Connect an Azure Subscription to InfraAudit

Prerequisites

Create the service principal

Required roles

Connect your Azure subscription

What gets synced

Security notes

Get Started

Platform

Integrations

Concepts

Self-Hosting

Resources

​Prerequisites

​Create the service principal

​Required roles

​Connect your Azure subscription

​What gets synced

​Security notes

Prerequisites

Create the service principal

Required roles

Connect your Azure subscription

What gets synced

Security notes