
Setting up an Azure Integration

The Azure integration uses a service principal with the Reader role for authentication. This is the recommended method for production deployments.

Prerequisites

  • A CloudQuery Platform account with admin access
  • Azure CLI installed
  • An Azure account with permissions to create service principals and assign roles
  • Your Azure subscription ID (find it in the Azure Portal subscriptions page)

Set up a service principal

Service principal secrets expire after 1 year by default. Set a calendar reminder to rotate the secret before it expires, or pass the --years flag to az ad sp create-for-rbac to set a custom expiration.
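A calendar reminder is easy to miss. The script below is an added example (not CloudQuery's or Azure's own code) that turns the rotation check into something you can run on a schedule: it reads the JSON that az ad app credential list --id <appId> -o json prints for the service principal's application and reports every secret that is expired or expires within a warning window. It assumes each entry carries the Microsoft Graph passwordCredential fields displayName, keyId and endDateTime; the sample credentials embedded in it are constructed.

```python
# Added example: flag service principal secrets that need rotation, from the
# output of `az ad app credential list --id <appId> -o json`.
# Assumption: entries carry "displayName", "keyId" and an ISO-8601
# "endDateTime", as Microsoft Graph passwordCredential objects do.
import json
import re
from datetime import datetime, timezone

# Constructed sample shaped like the az CLI output (keyIds and dates invented).
SAMPLE_CREDENTIALS_JSON = """
[
  {"displayName": "rbac",
   "keyId": "11111111-1111-1111-1111-111111111111",
   "startDateTime": "2024-01-15T10:00:00.1234567Z",
   "endDateTime": "2025-01-15T10:00:00.1234567Z"},
  {"displayName": "rotated-2024-12",
   "keyId": "22222222-2222-2222-2222-222222222222",
   "startDateTime": "2024-12-20T08:30:00Z",
   "endDateTime": "2025-12-20T08:30:00Z"}
]
"""


def parse_graph_timestamp(value: str) -> datetime:
    """Parse Graph-style timestamps, which may carry 7 fractional digits and a 'Z'."""
    value = re.sub(r"\.\d+", "", value)      # drop fractional seconds of any width
    value = value.replace("Z", "+00:00")     # fromisoformat wants a numeric offset
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def secrets_needing_rotation(credentials_json: str, now_iso: str, warn_days: int = 30) -> list:
    """Return secrets that are expired or expire within warn_days, soonest first.

    now_iso is passed in (rather than read from the clock) so runs are reproducible;
    use datetime.now(timezone.utc).isoformat() in a scheduled job.
    """
    now = parse_graph_timestamp(now_iso)
    findings = []
    for cred in json.loads(credentials_json):
        end = parse_graph_timestamp(cred["endDateTime"])
        days_left = (end - now).days
        if days_left <= warn_days:
            findings.append({
                "displayName": cred.get("displayName"),
                "keyId": cred["keyId"],
                "days_left": days_left,
                "status": "expired" if days_left < 0 else "expiring",
            })
    return sorted(findings, key=lambda f: f["days_left"])


if __name__ == "__main__":
    for f in secrets_needing_rotation(SAMPLE_CREDENTIALS_JSON, "2025-01-01T00:00:00Z"):
        print(f"{f['status']:<9} {f['displayName']:<18} keyId={f['keyId']} days_left={f['days_left']}")
```

Run it after each rotation as well: a secret that was rotated but whose old credential was never removed still shows up here, which is the cue to delete the stale one with az ad app credential delete.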

Syncing from a single subscription

  1. Open your terminal and log in to Azure:

     az login

  2. Register the security provider and create a service principal with Reader access:

     # Register the security provider
     az provider register --namespace 'Microsoft.Security'

     # Create a service principal and grant Reader access
     az ad sp create-for-rbac --name cloudquery-sp \
       --scopes /subscriptions/<YOUR_SUBSCRIPTION_ID> --role Reader

     The command outputs credentials in this format:

     {
       "appId": "YOUR_AZURE_CLIENT_ID",
       "displayName": "cloudquery-sp",
       "password": "YOUR_AZURE_CLIENT_SECRET",
       "tenant": "YOUR_AZURE_TENANT_ID"
     }

  3. Save these credentials; you need them when configuring the integration.

Syncing from multiple subscriptions

There are two approaches for multi-subscription setups:

1. Management group level access (recommended)

Scoping the service principal at the management group level allows automatic discovery of all subscriptions under the specified group(s), including subscriptions added later.

# Register the security provider
az provider register --namespace 'Microsoft.Security'

# Create a service principal with Management Group access
az ad sp create-for-rbac --name cloudquery-sp-root-1 \
  --scopes /providers/Microsoft.Management/managementGroups/<YOUR_MANAGEMENT_GROUP_NAME> \
  --role Reader

2. Specific subscriptions access

To limit access to specific subscriptions, list them explicitly. The command below grants access to all subscriptions you can currently access:

# Register the security provider
az provider register --namespace 'Microsoft.Security'

# Create a service principal with access to specific subscriptions
az ad sp create-for-rbac --name cloudquery-sp \
  --scopes $(az account subscription list --query "[].id" -o tsv --only-show-errors | xargs) \
  --role Reader

With the specific subscriptions approach, the service principal does not automatically get access to subscriptions added later. Run the command again to include new subscriptions.
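Whichever approach you pick, it is worth confirming that the service principal ended up with exactly the access you intended: Reader and nothing more, at subscription or management group scope rather than on individual resource groups, and covering every subscription you expect to see in the data. The following is an added example (not CloudQuery's or Azure's own code) that audits the JSON printed by az role assignment list --assignee <appId> --all -o json against a list of expected subscription IDs. It assumes each assignment object carries roleDefinitionName and scope, as az CLI role assignment objects do; the embedded assignments and subscription IDs are constructed.

```python
# Added example: audit a CloudQuery service principal's role assignments, from
# the output of `az role assignment list --assignee <appId> --all -o json`.
# Assumption: entries carry "roleDefinitionName" and "scope" fields.
import json
import re

SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/([0-9a-f-]{36})$", re.IGNORECASE)
MGMT_GROUP_SCOPE = re.compile(
    r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.IGNORECASE)

# Constructed sample shaped like the az CLI output (subscription IDs invented).
SUB_A = "aaaaaaaa-0000-0000-0000-000000000001"
SUB_B = "aaaaaaaa-0000-0000-0000-000000000002"
SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB_A}"},
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB_B}/resourceGroups/rg-app"},
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB_A}"},
])
SAMPLE_MG_ASSIGNMENTS_JSON = json.dumps([
    {"roleDefinitionName": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-root"},
])


def audit_role_assignments(assignments_json: str, expected_subscriptions: list) -> dict:
    """Return findings keyed by kind; an empty dict means the principal looks right.

    excess_roles:   any role other than Reader (the integration only needs to read)
    narrow_scopes:  Reader on a resource group or resource, which syncs only part of
                    that subscription
    missing:        expected subscriptions that no Reader assignment covers
    """
    excess_roles, narrow_scopes, covered = [], [], set()
    management_group_reader = False

    for a in json.loads(assignments_json):
        role, scope = a.get("roleDefinitionName"), a.get("scope", "")
        if role != "Reader":
            excess_roles.append({"role": role, "scope": scope})
            continue
        sub = SUBSCRIPTION_SCOPE.match(scope)
        if MGMT_GROUP_SCOPE.match(scope):
            management_group_reader = True
        elif sub:
            covered.add(sub.group(1).lower())
        else:
            narrow_scopes.append(scope)

    if management_group_reader:
        # Assumption: the expected subscriptions sit under that management group,
        # so they inherit the Reader assignment.
        missing = []
    else:
        missing = [s for s in expected_subscriptions if s.lower() not in covered]

    findings = {}
    if excess_roles:
        findings["excess_roles"] = excess_roles
    if narrow_scopes:
        findings["narrow_scopes"] = narrow_scopes
    if missing:
        findings["missing"] = missing
    return findings


if __name__ == "__main__":
    for kind, items in audit_role_assignments(SAMPLE_ASSIGNMENTS_JSON, [SUB_A, SUB_B]).items():
        print(f"{kind}:")
        for item in items:
            print(f"  {item}")
```

The missing list maps directly onto the "Missing subscriptions in data" row in the troubleshooting table: a subscription that appears there will not show up in azure_* tables until you re-run the create-for-rbac command (specific subscriptions approach) or move to management group scoping.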

Configure the integration

  1. In CloudQuery Platform, go to Data Pipelines > Integrations. Click Create Integration and type Azure to find the Azure integration.

     [Screenshot: Find Azure integration]

  2. Choose a name for your integration (e.g. Azure) and update the YAML configuration. Here is a complete example:

     kind: source
     spec:
       name: azure
       path: cloudquery/azure
       registry: cloudquery
       version: "v19.2.4"
       tables:
         - azure_compute_virtual_machines
         - azure_storage_accounts
       spec: {}

The tables list above is an example. Customize it to include the tables you need. See the Azure integration tables for the full list. Use ["*"] to sync all tables.

  3. Add the service principal credentials as secrets in the Secrets section:

     | Key                 | Value                                        |
     |---------------------|----------------------------------------------|
     | AZURE_TENANT_ID     | tenant from the service principal output     |
     | AZURE_CLIENT_ID     | appId from the service principal output      |
     | AZURE_CLIENT_SECRET | password from the service principal output   |

     [Screenshot: Azure YAML configuration with secrets]

  4. Click Test Connection to verify the configuration.

What gets synced

The Azure integration can sync hundreds of tables across Azure services. Some of the most commonly used tables include:

| Category   | Tables                                                          | Description                               |
|------------|-----------------------------------------------------------------|-------------------------------------------|
| Compute    | azure_compute_virtual_machines, azure_compute_skus              | VMs, compute SKUs                         |
| Storage    | azure_storage_accounts                                          | Storage accounts                          |
| Networking | azure_network_virtual_networks, azure_network_security_groups   | Virtual networks, network security groups |
| Databases  | azure_sql_servers, azure_cosmosdb_accounts                      | SQL servers, Cosmos DB                    |
| Security   | azure_keyvault_vault_keys, azure_security_assessments           | Key Vault keys, security assessments      |

See the full Azure table list for all available tables.

Verify the integration

After your first sync completes, open the SQL Console and run these queries to confirm data arrived:

-- Count synced virtual machines
SELECT count(*) FROM azure_compute_virtual_machines

-- List synced subscriptions
SELECT DISTINCT subscription_id FROM azure_compute_virtual_machines

-- View storage accounts
SELECT subscription_id, name, location FROM azure_storage_accounts LIMIT 10

You can also browse your Azure resources in the Asset Inventory under the Compute, Storage, Networking, and other categories.

Troubleshooting

| Issue                                      | Cause                                        | Fix                                                                                                                                                                                                 |
|--------------------------------------------|----------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Authentication error                       | Invalid or expired service principal secret  | Verify that AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID match the service principal output. If the secret has expired, create a new one.                                              |
| Permission denied                          | Service principal lacks Reader role          | Verify the service principal has the Reader role on the target subscription, management group, or resource group.                                                                                   |
| Microsoft.Security provider not registered | Security provider registration required      | Run az provider register --namespace 'Microsoft.Security' and wait for registration to complete. Check status with az provider show --namespace 'Microsoft.Security' --query "registrationState". |
| Missing subscriptions in data              | Service principal scope too narrow           | For multi-subscription setups, verify the service principal has access to all target subscriptions. Use management group scoping for automatic discovery.                                           |
| No data after sync                         | Empty tables list                            | Check the tables field in the YAML configuration. Add specific table names or use ["*"] to sync all tables.                                                                                         |
