# Azure

To connect Azure as a data source for infrastructure inventory, observability, cost analysis, and optimization insights, you need to create a service principal with appropriate permissions.

## Prerequisites

1. **Azure CLI** installed and configured
2. An **Azure subscription** with appropriate admin access to create roles and service principals
3. An **Entra App** (Service Principal) for authentication

## Step 1: Get Your Subscription ID

Run the following command to get your Azure subscription ID:

```bash
az account show --query id -o tsv
```

Or find it in the [Azure Portal](https://learn.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id).

## Step 2: Create a Custom Role

Save the following role definition to a file called `custom-role.json`. Replace `{subscription-id}` with your actual subscription ID from Step 1.

```json
{
  "Name": "Infrastructure and Cost Analysis Reader",
  "IsCustom": true,
  "Description": "Read-only access for infrastructure inventory, observability, cost analysis, and optimization insights",
  "Actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.ContainerService/managedClusters/read",
    "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
    "Microsoft.ContainerInstance/containerGroups/read",
    "Microsoft.Network/*/read",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    "Microsoft.Sql/servers/read",
    "Microsoft.Sql/servers/databases/read",
    "Microsoft.DBforPostgreSQL/servers/read",
    "Microsoft.DBforMySQL/servers/read",
    "Microsoft.Cache/redis/read",
    "Microsoft.EventHub/namespaces/read",
    "Microsoft.ServiceBus/namespaces/read",
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/deployments/read",
    "Microsoft.Resources/deployments/operations/read",
    "Microsoft.Insights/metrics/read",
    "Microsoft.Insights/metricDefinitions/read",
    "Microsoft.Insights/logs/read",
    "Microsoft.Insights/diagnosticSettings/read",
    "Microsoft.Insights/activityLogAlerts/read",
    "Microsoft.Insights/alertRules/read",
    "Microsoft.Insights/actionGroups/read",
    "Microsoft.Insights/components/read",
    "Microsoft.Insights/components/query/read",
    "Microsoft.Insights/webtests/read",
    "Microsoft.OperationalInsights/workspaces/read",
    "Microsoft.OperationalInsights/workspaces/query/read",
    "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
    "Microsoft.OperationsManagement/solutions/read",
    "Microsoft.CostManagement/query/action",
    "Microsoft.CostManagement/query/read",
    "Microsoft.CostManagement/exports/read",
    "Microsoft.CostManagement/exports/run/action",
    "Microsoft.CostManagement/budgets/read",
    "Microsoft.CostManagement/dimensions/read",
    "Microsoft.CostManagement/forecast/read",
    "Microsoft.Consumption/usageDetails/read",
    "Microsoft.Consumption/budgets/read",
    "Microsoft.Consumption/reservationRecommendations/read",
    "Microsoft.Consumption/reservationDetails/read",
    "Microsoft.Consumption/reservationSummaries/read",
    "Microsoft.Consumption/priceSheets/read",
    "Microsoft.Billing/billingAccounts/read",
    "Microsoft.Billing/billingPeriods/read",
    "Microsoft.Billing/invoices/read",
    "Microsoft.Resources/tags/read",
    "Microsoft.Advisor/recommendations/read",
    "Microsoft.Advisor/configurations/read",
    "Microsoft.Security/assessments/read",
    "Microsoft.Security/securityStatuses/read",
    "Microsoft.ContainerRegistry/registries/read",
    "Microsoft.ContainerRegistry/registries/pull/read",
    "Microsoft.ContainerRegistry/registries/metadata/read",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleDefinitions/read",
    "Microsoft.Authorization/permissions/read",
    "Microsoft.ManagedIdentity/userAssignedIdentities/read",
    "Microsoft.Capacity/reservationOrders/read",
    "Microsoft.Capacity/reservations/read",
    "Microsoft.Support/supportTickets/read"
  ],
  "NotActions": [],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
  ],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription-id}"
  ]
}
```

Create the custom role using Azure CLI:

```bash
az role definition create --role-definition custom-role.json
```
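Before running `az role definition create`, it is worth checking that the placeholder was actually replaced and seeing at a glance which entries in the role go beyond plain `/read`. The script below is an added example, not Doctor Droid's own tooling: it substitutes the subscription ID into the role template, refuses anything that is not a GUID, and produces a short audit of the rendered role. The embedded `ROLE_TEMPLATE` is a constructed, shortened copy of the page's definition so the script also runs without `custom-role.json` present; when that file exists next to the script it is used instead, and the rendered result is written to `custom-role.rendered.json` (a file name chosen here, not one the page uses).

```python
"""Render and audit the Step 2 custom role definition (added example)."""
import json
import re
import sys
from pathlib import Path

# Subscription IDs are GUIDs; anything else means the placeholder was left in.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed, shortened copy of the page's role so the script runs stand-alone.
ROLE_TEMPLATE = {
    "Name": "Infrastructure and Cost Analysis Reader",
    "IsCustom": True,
    "Description": "Read-only access for infrastructure inventory, observability, "
                   "cost analysis, and optimization insights",
    "Actions": [
        "Microsoft.Compute/*/read",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
        "Microsoft.CostManagement/query/action",
        "Microsoft.Authorization/roleAssignments/read",
    ],
    "NotActions": [],
    "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/{subscription-id}"],
}

# Actions in the page's role whose API response is itself a credential.
CREDENTIAL_ACTIONS = {
    "Microsoft.Storage/storageAccounts/listKeys/action": "storage account keys",
    "Microsoft.OperationalInsights/workspaces/sharedKeys/action": "Log Analytics workspace keys",
    "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action":
        "AKS user kubeconfig credentials",
}


def render_role(template: dict, subscription_id: str) -> dict:
    """Substitute {subscription-id} everywhere it appears, refusing a malformed ID."""
    if not GUID_RE.match(subscription_id):
        raise ValueError(f"not a subscription GUID: {subscription_id!r}")
    text = json.dumps(template).replace("{subscription-id}", subscription_id)
    return json.loads(text)


def audit_role(role: dict) -> dict:
    """Summarise what the role grants beyond plain control-plane /read actions."""
    actions = role.get("Actions", [])
    return {
        "name": role.get("Name"),
        "read_actions": sum(1 for a in actions if a.endswith("/read")),
        "wildcard_actions": [a for a in actions if "*" in a],
        "non_read_actions": [a for a in actions if not a.endswith("/read")],
        "credential_actions": {a: CREDENTIAL_ACTIONS[a] for a in actions if a in CREDENTIAL_ACTIONS},
        "data_actions": list(role.get("DataActions", [])),
        # Any scope still containing "{" means Step 2's replacement was skipped.
        "unrendered_scopes": [s for s in role.get("AssignableScopes", []) if "{" in s],
    }


if __name__ == "__main__":
    # Usage: python audit_role.py <subscription-id>; the default is a constructed placeholder.
    sub = sys.argv[1] if len(sys.argv) > 1 else "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    path = Path("custom-role.json")
    template = json.loads(path.read_text()) if path.exists() else ROLE_TEMPLATE
    role = render_role(template, sub)
    Path("custom-role.rendered.json").write_text(json.dumps(role, indent=2))
    print(json.dumps(audit_role(role), indent=2))
```

The `credential_actions` entry is the part to read before assigning the role: those three actions hand back keys and kubeconfigs, so the service principal's client secret should be stored and rotated with that in mind rather than treated as an inventory-only credential.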

## Step 3: Create an Entra App (Service Principal)

Create a new App Registration in Microsoft Entra ID (formerly Azure Active Directory). You can follow the official instructions [here](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal).

After creating the Entra App, note down the following values:

* **Tenant ID** (Directory ID)
* **Client ID** (Application ID)

Then create a **Client Secret** within the Entra App under "Certificates & secrets". Copy the secret value as soon as it is created, because the portal does not show it again, and note its expiry date: an expired secret is one of the causes listed under Troubleshooting.

## Step 4: Assign the Custom Role to the Service Principal

Assign the custom role to your service principal:

```bash
# Set your values
export AZURE_CLIENT_ID="your-client-id"
export AZURE_SUBSCRIPTION_ID="your-subscription-id"

# Assign the role at subscription scope (the only scope the role is assignable to)
az role assignment create \
  --assignee "$AZURE_CLIENT_ID" \
  --role "Infrastructure and Cost Analysis Reader" \
  --scope "/subscriptions/$AZURE_SUBSCRIPTION_ID"
```

## Step 5: Configure in Doctor Droid Platform

1. Navigate to the **Integrations** tab in the Doctor Droid platform
2. Click **Add New Integration**
3. Select **Azure** and click **Connect**
4. Fill in the following credentials:

| Field                | Description                                     | Example                                |
| -------------------- | ----------------------------------------------- | -------------------------------------- |
| **Integration Name** | A descriptive name to identify this integration | `Production Azure`                     |
| **Client ID**        | Your Azure Client ID (Application ID)           | `11111111-2222-3333-4444-555555555555` |
| **Client Secret**    | Your Azure Client Secret (Application Secret)   | `Abc12345DefGHIjk~LMNopqRSTUvwxYZ`     |
| **Tenant ID**        | Your Azure Tenant ID (Directory ID)             | `66666666-7777-8888-9999-000000000000` |
| **Subscription ID**  | Your Azure Subscription ID                      | `aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee` |

5. Click **Save** to complete the integration

## Permissions Overview

The custom role provides read-only access to the categories below. Note that three entries are `/action` permissions rather than `/read`: `Microsoft.Storage/storageAccounts/listKeys/action`, `Microsoft.OperationalInsights/workspaces/sharedKeys/action` and `Microsoft.ContainerService/managedClusters/listClusterUserCredential/action` return storage account keys, Log Analytics workspace keys and AKS user credentials respectively, so the service principal's secret should be protected as a credential that can reach that data, not only inventory metadata.

| Category               | Resources                                                  |
| ---------------------- | ---------------------------------------------------------- |
| **Compute**            | Virtual Machines, Container Instances, AKS Clusters        |
| **Networking**         | Virtual Networks, Load Balancers, Network Security Groups  |
| **Storage**            | Storage Accounts, Blob Containers                          |
| **Databases**          | SQL Servers, PostgreSQL, MySQL, Redis Cache                |
| **Messaging**          | Event Hubs, Service Bus                                    |
| **Monitoring**         | Metrics, Logs, Alerts, Application Insights, Log Analytics |
| **Cost Management**    | Cost queries, Budgets, Forecasts, Usage details            |
| **Billing**            | Billing accounts, Invoices, Price sheets                   |
| **Security**           | Security assessments, Advisor recommendations              |
| **Container Registry** | Registry metadata and image pull access                    |
| **IAM**                | Role assignments, Role definitions                         |

## Troubleshooting

### Role Creation Failed

Ensure you have the `Microsoft.Authorization/roleDefinitions/write` permission on the subscription; the built-in Owner and User Access Administrator roles both include it.

### Role Assignment Failed

Verify that:

* The Client ID is correct
* The service principal exists
* You have permission to assign roles on the subscription

### Integration Test Failed

Check that:

* All credentials (Client ID, Client Secret, Tenant ID, Subscription ID) are correct
* The Client Secret has not expired
* The role assignment is complete and propagated (may take a few minutes)
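The three checklists above can be worked through outside the UI, which narrows a failure to one item instead of "some credential is wrong". The script below is an added example, not part of the page or of Doctor Droid's product: it validates the four values from Step 5 as GUIDs, requests a token from the public Entra token endpoint with the client-credentials grant, maps the well-known AADSTS error codes to the checklist item they correspond to, and then reads the subscription through Azure Resource Manager, where a 403 `AuthorizationFailed` means the role assignment from Step 4 is missing or has not propagated yet. It uses only the standard library; the environment variable names `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET` and `AZURE_SUBSCRIPTION_ID` are this script's own assumption, and the 404 hint is a best-effort interpretation rather than a documented contract.

```python
"""Diagnose the Step 5 / Troubleshooting checklist for an Azure service principal (added example)."""
import json
import os
import re
import urllib.error
import urllib.parse
import urllib.request

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Entra token-endpoint error codes mapped to the checklist item they point at.
AADSTS_HINTS = {
    90002: "Tenant ID is wrong (tenant not found)",
    700016: "Client ID is wrong for this tenant (application not found)",
    7000215: "Client Secret is wrong (invalid client secret)",
    7000222: "Client Secret has expired; create a new one under Certificates & secrets",
}


def check_guids(client_id: str, tenant_id: str, subscription_id: str) -> list:
    """Return the names of the values that are not well-formed GUIDs."""
    pairs = (("Client ID", client_id), ("Tenant ID", tenant_id), ("Subscription ID", subscription_id))
    return [name for name, value in pairs if not GUID_RE.match(value or "")]


def diagnose_token_error(body: dict) -> str:
    """Map an Entra token error body (error_codes list or AADSTS text) to a hint."""
    codes = list(body.get("error_codes") or [])
    match = re.search(r"AADSTS(\d+)", body.get("error_description", ""))
    if match:
        codes.append(int(match.group(1)))
    for code in codes:
        if code in AADSTS_HINTS:
            return AADSTS_HINTS[code]
    return f"unrecognised error {body.get('error')!r}: re-check all four credentials"


def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant against the v2.0 token endpoint for the ARM scope."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    data = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://management.azure.com/.default",
    }).encode()
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
            return json.load(resp)["access_token"]
    except urllib.error.HTTPError as exc:
        body = json.loads(exc.read().decode() or "{}")
        raise SystemExit(f"token request failed: {diagnose_token_error(body)}")


def diagnose_arm_error(status: int, body: dict) -> str:
    """Map an ARM error response to the Step 4 / Step 5 checklist."""
    code = (body.get("error") or {}).get("code")
    if status == 403 and code == "AuthorizationFailed":
        return "Role assignment missing or not yet propagated on this subscription; wait a few minutes and retry"
    if status == 404:
        return "Subscription ID is wrong or not visible from this tenant (best-effort interpretation)"
    return f"unexpected HTTP {status} {code!r}"


def check_subscription(token: str, subscription_id: str) -> str:
    """Read the subscription with the token; success proves the role assignment is live."""
    url = f"https://management.azure.com/subscriptions/{subscription_id}?api-version=2020-01-01"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return f"OK: subscription {json.load(resp).get('displayName')!r} is readable"
    except urllib.error.HTTPError as exc:
        body = json.loads(exc.read().decode() or "{}")
        return diagnose_arm_error(exc.code, body)


if __name__ == "__main__":
    env = {k: os.environ.get(k, "") for k in
           ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "AZURE_SUBSCRIPTION_ID")}
    bad = check_guids(env["AZURE_CLIENT_ID"], env["AZURE_TENANT_ID"], env["AZURE_SUBSCRIPTION_ID"])
    if bad:
        raise SystemExit("malformed value(s): " + ", ".join(bad))
    token = get_token(env["AZURE_TENANT_ID"], env["AZURE_CLIENT_ID"], env["AZURE_CLIENT_SECRET"])
    print(check_subscription(token, env["AZURE_SUBSCRIPTION_ID"]))
```

Run it with the same four values you entered in the Doctor Droid form; a token failure points at one of the first three fields or the secret's expiry, while a token success followed by `AuthorizationFailed` points at the role assignment rather than the credentials.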
