To connect Azure as a data source for infrastructure inventory, observability, cost analysis, and optimization insights, you need to create a service principal with appropriate permissions.

Prerequisites

  1. Azure CLI installed and configured
  2. An Azure subscription with appropriate admin access to create roles and service principals
  3. An Entra App (Service Principal) for authentication

Step 1: Get Your Subscription ID

Run the following command to get your Azure subscription ID:
az account show --query id -o tsv
Or find it in the Azure Portal.

Step 2: Create a Custom Role

Save the following role definition to a file called custom-role.json. Replace {subscription-id} with your actual subscription ID from Step 1.
{
  "Name": "Infrastructure and Cost Analysis Reader",
  "IsCustom": true,
  "Description": "Read-only access for infrastructure inventory, observability, cost analysis, and optimization insights",
  "Actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.ContainerService/managedClusters/read",
    "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
    "Microsoft.ContainerInstance/containerGroups/read",
    "Microsoft.Network/*/read",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    "Microsoft.Sql/servers/read",
    "Microsoft.Sql/servers/databases/read",
    "Microsoft.DBforPostgreSQL/servers/read",
    "Microsoft.DBforMySQL/servers/read",
    "Microsoft.Cache/redis/read",
    "Microsoft.EventHub/namespaces/read",
    "Microsoft.ServiceBus/namespaces/read",
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/deployments/read",
    "Microsoft.Resources/deployments/operations/read",
    "Microsoft.Insights/metrics/read",
    "Microsoft.Insights/metricDefinitions/read",
    "Microsoft.Insights/logs/read",
    "Microsoft.Insights/diagnosticSettings/read",
    "Microsoft.Insights/activityLogAlerts/read",
    "Microsoft.Insights/alertRules/read",
    "Microsoft.Insights/actionGroups/read",
    "Microsoft.Insights/components/read",
    "Microsoft.Insights/components/query/read",
    "Microsoft.Insights/webtests/read",
    "Microsoft.OperationalInsights/workspaces/read",
    "Microsoft.OperationalInsights/workspaces/query/read",
    "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
    "Microsoft.OperationsManagement/solutions/read",
    "Microsoft.CostManagement/query/action",
    "Microsoft.CostManagement/query/read",
    "Microsoft.CostManagement/exports/read",
    "Microsoft.CostManagement/exports/run/action",
    "Microsoft.CostManagement/budgets/read",
    "Microsoft.CostManagement/dimensions/read",
    "Microsoft.CostManagement/forecast/read",
    "Microsoft.Consumption/usageDetails/read",
    "Microsoft.Consumption/budgets/read",
    "Microsoft.Consumption/reservationRecommendations/read",
    "Microsoft.Consumption/reservationDetails/read",
    "Microsoft.Consumption/reservationSummaries/read",
    "Microsoft.Consumption/priceSheets/read",
    "Microsoft.Billing/billingAccounts/read",
    "Microsoft.Billing/billingPeriods/read",
    "Microsoft.Billing/invoices/read",
    "Microsoft.Resources/tags/read",
    "Microsoft.Advisor/recommendations/read",
    "Microsoft.Advisor/configurations/read",
    "Microsoft.Security/assessments/read",
    "Microsoft.Security/securityStatuses/read",
    "Microsoft.ContainerRegistry/registries/read",
    "Microsoft.ContainerRegistry/registries/pull/read",
    "Microsoft.ContainerRegistry/registries/metadata/read",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleDefinitions/read",
    "Microsoft.Authorization/permissions/read",
    "Microsoft.ManagedIdentity/userAssignedIdentities/read",
    "Microsoft.Capacity/reservationOrders/read",
    "Microsoft.Capacity/reservations/read",
    "Microsoft.Support/supportTickets/read"
  ],
  "NotActions": [],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
  ],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription-id}"
  ]
}
Create the custom role using Azure CLI:
az role definition create --role-definition custom-role.json
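Before running that command it is worth checking the file you are about to submit. The script below is an added example for Steps 1 and 2 (it is not Doctor Droid's own tooling): it fills the {subscription-id} placeholder with the value from Step 1, refuses to continue if the value is not a GUID or the placeholder survives, and buckets every entry of the role so a reviewer can see at a glance which ones are plain metadata reads, which are wildcards, which are POST-style actions, and which three return credentials (storage account keys, AKS cluster credentials, Log Analytics shared keys) rather than inventory. The embedded role is a constructed, shortened copy of the page's custom-role.json; point it at the real file for a full report.

```python
"""Audit custom-role.json before creating it (added example, not Doctor Droid code)."""
import json
import re
import sys
from typing import Dict, List

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

# Entries from the page's role that hand back credentials instead of metadata;
# a principal holding them can reach data, not only inventory.
CREDENTIAL_ACTIONS = {
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
    "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
}

# Constructed, shortened copy of the page's custom-role.json; the real file
# carries the full Actions list.
ROLE_TEMPLATE = """{
  "Name": "Infrastructure and Cost Analysis Reader",
  "IsCustom": true,
  "Actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
    "Microsoft.CostManagement/query/action",
    "Microsoft.Resources/subscriptions/read"
  ],
  "NotActions": [],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
  ],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/{subscription-id}"]
}"""


def render_role(template: str, subscription_id: str) -> dict:
    """Fill the {subscription-id} placeholder with the Step 1 value and parse the JSON."""
    if not GUID_RE.match(subscription_id):
        raise ValueError(f"not a subscription GUID: {subscription_id!r}")
    role = json.loads(template.replace("{subscription-id}", subscription_id))
    if any("{" in scope for scope in role["AssignableScopes"]):
        raise ValueError("AssignableScopes still contains a placeholder")
    return role


def audit_role(role: dict) -> Dict[str, List[str]]:
    """Bucket each entry; 'mutating' must stay empty for a role described as read-only."""
    report: Dict[str, List[str]] = {
        "mutating": [], "wildcard": [], "credential": [], "other_action": [], "data_plane": []
    }
    for action in role.get("Actions", []):
        verb = action.rsplit("/", 1)[-1]
        if verb not in ("read", "action"):
            report["mutating"].append(action)      # write/delete: not read-only
        if "*" in action:
            report["wildcard"].append(action)      # also covers operations added later
        if action in CREDENTIAL_ACTIONS:
            report["credential"].append(action)    # returns keys or kubeconfig
        elif verb == "action":
            report["other_action"].append(action)  # POST-style; review individually
    report["data_plane"] = list(role.get("DataActions", []))  # reaches blob contents
    return report


if __name__ == "__main__":
    # usage: python audit_role.py <subscription-id> [custom-role.json]
    sub = sys.argv[1] if len(sys.argv) > 1 else "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    template = open(sys.argv[2]).read() if len(sys.argv) > 2 else ROLE_TEMPLATE
    for bucket, entries in audit_role(render_role(template, sub)).items():
        print(f"{bucket}: {entries}")
```

The "credential" and "data_plane" buckets are the ones to show whoever approves the role: they are what makes the client secret created in Step 3 worth protecting as carefully as a storage account key.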

Step 3: Create an Entra App (Service Principal)

Create a new App Registration in Azure Entra (formerly Azure Active Directory). You can follow the official instructions here. After creating the Entra App, note down the following values:
  • Tenant ID (Directory ID)
  • Client ID (Application ID)
Then create a Client Secret within the Entra App under “Certificates & secrets”.

Step 4: Assign the Custom Role to the Service Principal

Assign the custom role to your service principal:
# Set your values
export AZURE_CLIENT_ID="your-client-id"
export AZURE_SUBSCRIPTION_ID="your-subscription-id"

# Assign the role
az role assignment create \
  --assignee $AZURE_CLIENT_ID \
  --role "Infrastructure and Cost Analysis Reader" \
  --scope /subscriptions/$AZURE_SUBSCRIPTION_ID

Step 5: Configure in Doctor Droid Platform

  1. Navigate to the Integrations tab in the Doctor Droid platform
  2. Click Add New Integration
  3. Select Azure and click Connect
  4. Fill in the following credentials:
Field             Description                                      Example
Integration Name  A descriptive name to identify this integration  Production Azure
Client ID         Your Azure Client ID (Application ID)            11111111-2222-3333-4444-555555555555
Client Secret     Your Azure Client Secret (Application Secret)    Abc12345DefGHIjk~LMNopqRSTUvwxYZ
Tenant ID         Your Azure Tenant ID (Directory ID)              66666666-7777-8888-9999-000000000000
Subscription ID   Your Azure Subscription ID                       aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
  5. Click Save to complete the integration

Permissions Overview

The custom role provides read-only access to:
Category            Resources
Compute             Virtual Machines, Container Instances, AKS Clusters
Networking          Virtual Networks, Load Balancers, Network Security Groups
Storage             Storage Accounts, Blob Containers
Databases           SQL Servers, PostgreSQL, MySQL, Redis Cache
Messaging           Event Hubs, Service Bus
Monitoring          Metrics, Logs, Alerts, Application Insights, Log Analytics
Cost Management     Cost queries, Budgets, Forecasts, Usage details
Billing             Billing accounts, Invoices, Price sheets
Security            Security assessments, Advisor recommendations
Container Registry  Registry metadata and image pull access
IAM                 Role assignments, Role definitions

Three entries in the role return credentials rather than metadata: Microsoft.Storage/storageAccounts/listKeys/action (storage account keys), Microsoft.ContainerService/managedClusters/listClusterUserCredential/action (AKS cluster credentials) and Microsoft.OperationalInsights/workspaces/sharedKeys/action (Log Analytics workspace keys), and the DataActions entry allows reading blob contents. Store the Client Secret with the same care as those keys and rotate it on a schedule.

Troubleshooting

Role Creation Failed

Ensure you have the Microsoft.Authorization/roleDefinitions/write permission on the subscription. You may need the Owner or User Access Administrator role.

Role Assignment Failed

Verify that:
  • The Client ID is correct
  • The service principal exists
  • You have permission to assign roles on the subscription

Integration Test Failed

Check that:
  • All credentials (Client ID, Client Secret, Tenant ID, Subscription ID) are correct
  • The Client Secret has not expired
  • The role assignment is complete and propagated (may take a few minutes)
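The last two troubleshooting lists can be checked from Azure CLI output rather than by eye. The script below is an added example for this page (not Doctor Droid's own tooling): it takes the JSON from `az role assignment list --assignee <client-id> --scope /subscriptions/<subscription-id> -o json` and `az ad app credential list --id <client-id> -o json`, confirms the custom role is assigned to a service principal at the subscription scope, and reports each client secret as expired, expiring or ok. The two JSON samples are constructed, and the credential field names (keyId, hint, endDateTime) are an assumption about the current `az ad app credential list` output; adjust them if your CLI version prints different keys.

```python
"""Check a service principal's role assignment and secret validity from az output
(added example, not Doctor Droid code)."""
import json
from datetime import datetime, timezone
from typing import Dict, List

ROLE_NAME = "Infrastructure and Cost Analysis Reader"

# Constructed sample of:
#   az role assignment list --assignee <client-id> --scope /subscriptions/<id> -o json
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"roleDefinitionName": "Infrastructure and Cost Analysis Reader",
   "scope": "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
   "principalType": "ServicePrincipal",
   "principalId": "00000000-0000-0000-0000-000000000001"}
]""")

# Constructed sample of: az ad app credential list --id <client-id> -o json
# (field names are assumed; one secret already expired, one still valid)
SAMPLE_CREDENTIALS = json.loads("""[
  {"keyId": "11111111-0000-0000-0000-000000000001", "hint": "Abc",
   "endDateTime": "2026-01-15T00:00:00Z"},
  {"keyId": "11111111-0000-0000-0000-000000000002", "hint": "Xyz",
   "endDateTime": "2026-09-01T00:00:00Z"}
]""")


def check_assignment(assignments: List[dict], subscription_id: str,
                     role_name: str = ROLE_NAME) -> List[str]:
    """Return problems with the Step 4 assignment; an empty list means it looks right."""
    want_scope = f"/subscriptions/{subscription_id}".lower()
    problems: List[str] = []
    matching = [a for a in assignments if a.get("roleDefinitionName") == role_name]
    if not matching:
        # Either Step 4 was skipped, the Client ID is wrong, or propagation is not done.
        problems.append(f"no assignment of {role_name!r} for this principal; "
                        "re-run Step 4 or wait a few minutes for propagation")
        return problems
    if not any(a.get("scope", "").lower() == want_scope for a in matching):
        found = sorted(a.get("scope", "") for a in matching)
        problems.append(f"role is assigned at {found}, not at {want_scope}")
    if any(a.get("principalType") != "ServicePrincipal" for a in matching):
        problems.append("assignee is not a service principal; check the Client ID")
    return problems


def secret_status(credentials: List[dict], now_iso: str,
                  warn_days: int = 30) -> Dict[str, str]:
    """Map each secret's keyId to 'expired', 'expiring' or 'ok' as of now_iso (UTC)."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    status: Dict[str, str] = {}
    for cred in credentials:
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        days_left = (end - now).days          # negative once the end date has passed
        if days_left < 0:
            status[cred["keyId"]] = "expired"
        elif days_left <= warn_days:
            status[cred["keyId"]] = "expiring"
        else:
            status[cred["keyId"]] = "ok"
    return status


if __name__ == "__main__":
    now_iso = datetime.now(timezone.utc).isoformat()
    for problem in check_assignment(SAMPLE_ASSIGNMENTS, "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"):
        print("assignment:", problem)
    for key_id, state in secret_status(SAMPLE_CREDENTIALS, now_iso).items():
        print(f"secret {key_id}: {state}")
```

If the integration test still fails with an empty problem list and an "ok" secret, the remaining candidates from the list above are a mistyped Tenant ID or a secret value that was copied from the wrong entry; the hint field lets you match the secret you pasted into the platform to the one the CLI reports.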