Azure Virtual Machines (VMs)
Azure Virtual Machines integration allows your product to fetch information about virtual machines running in an Azure subscription — including their names, IP addresses, resource groups, network interfaces, and configuration details. This helps in building infrastructure inventory, monitoring cloud assets, and analyzing compute workloads for security or compliance use cases.
Credentials Needed
You'll need credentials from an Azure Active Directory (AAD) App Registration to access Azure Resource Manager (ARM) APIs and read VM details.
Required credentials:
- Tenant ID (Directory ID)
- Client ID (Application ID)
- Client Secret
- Subscription ID
Permissions Needed
To read VM details, the app needs permissions on Azure Resource Manager (Microsoft.Compute and Microsoft.Network) APIs.
1. Role Assignment
Assign the following built-in Azure role at the subscription level:
- Reader
This allows the integration to read VM details, network configurations, and metadata without modifying any resources.
2. API Permissions (via App Registration)
| API | Permission | Type | Purpose |
|---|---|---|---|
| Azure Service Management (Azure Resource Manager) | user_impersonation | Delegated | To query VMs, resource groups, and networks |
No additional Microsoft Graph permissions are needed for reading VMs.
Creating Users / App Registration in Azure
Step 1: Register an Application
- Go to Azure Portal → Azure Active Directory → App registrations → New registration
- Enter a name (e.g., AzureVMIntegrationApp)
- Supported account type: "Accounts in this organizational directory only"
- Redirect URI: Leave blank or use your product's callback URL if needed
- Click Register
After registration, note the following values:
- Application (Client) ID
- Directory (Tenant) ID
Step 2: Create a Client Secret
- Go to Certificates & Secrets → New client secret
- Enter a description and choose an expiry period (1 year or 2 years)
- Copy the Client Secret Value immediately — it will not be visible again later
Step 3: Assign Role to App
- Go to Azure Portal → Subscriptions → [Your Subscription] → Access Control (IAM)
- Click Add role assignment
- Choose Reader role
- Under Members, select User, group, or service principal → search for your registered app (AzureVMIntegrationApp)
- Save the role assignment
This allows the application to read VM, network, and resource information from the subscription.
Test Connectivity
Use Azure CLI or REST API to verify that the credentials have the correct access:
```bash
# Login using Service Principal
az login --service-principal \
  --username <CLIENT_ID> \
  --password <CLIENT_SECRET> \
  --tenant <TENANT_ID>

# Set the correct subscription
az account set --subscription <SUBSCRIPTION_ID>

# List all VMs
az vm list --output table

# Get details of a specific VM
az vm show --name <VM_NAME> --resource-group <RESOURCE_GROUP> --output json
```
If these commands return VM information successfully, your integration credentials and permissions are configured correctly.
Save the Results in the Platform and Create Connection
- In your product's integration or connector section, securely store:
  - AZURE_TENANT_ID
  - AZURE_CLIENT_ID
  - AZURE_CLIENT_SECRET
  - AZURE_SUBSCRIPTION_ID
- Create a new connection labeled Azure Virtual Machines Integration
- Test the connection by fetching VM inventory data and network details
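The same connectivity test done directly against the Azure Resource Manager REST API, as an added example that is not part of this guide or of any vendor SDK: it acquires a token with the client-credentials flow from the four stored values, walks the paginated VM list, resolves each network interface to its private IPs, and keeps the parsing pure so it can be exercised offline on constructed sample documents. The two api-version strings are assumptions to confirm against the current ARM reference; the sample subscription id, resource names and IP address are made up.

```python
import json, os, urllib.parse, urllib.request

ARM = "https://management.azure.com"
COMPUTE_API, NETWORK_API = "2023-03-01", "2023-05-01"  # assumed; confirm against the ARM reference
def token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request for ARM, returned as (token URL, form body)."""
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": f"{ARM}/.default"}
    return (f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
            urllib.parse.urlencode(form).encode())
def get_json(url, token=None, data=None):
    """GET (or POST when data is given) and decode JSON; bearer token is optional."""
    hdrs = {"Authorization": f"Bearer {token}"} if token else {}
    with urllib.request.urlopen(urllib.request.Request(url, data=data, headers=hdrs)) as r:
        return json.load(r)
def resource_group_from_id(resource_id):
    """ARM ids: /subscriptions/<sub>/resourceGroups/<rg>/providers/... (segment case varies)."""
    parts = resource_id.split("/")
    return parts[[p.lower() for p in parts].index("resourcegroups") + 1]
def build_inventory(vms, nics_by_id):
    """Flatten VM + NIC documents into inventory rows; pure, so it can run offline."""
    rows = []
    for vm in vms:
        nics = [nics_by_id.get(r["id"], {}) for r in vm["properties"]["networkProfile"]["networkInterfaces"]]
        ips = [c["properties"].get("privateIPAddress") for n in nics
               for c in n.get("properties", {}).get("ipConfigurations", [])]
        rows.append({"name": vm["name"], "resource_group": resource_group_from_id(vm["id"]),
                     "location": vm["location"], "private_ips": [ip for ip in ips if ip]})
    return rows
def fetch_inventory(subscription_id, token):
    """Walk the paginated VM list (nextLink), then resolve each NIC by its ARM id."""
    url, vms = f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Compute/virtualMachines?api-version={COMPUTE_API}", []
    while url:
        page = get_json(url, token)
        vms += page.get("value", [])
        url = page.get("nextLink")
    nic_ids = {r["id"] for vm in vms for r in vm["properties"]["networkProfile"]["networkInterfaces"]}
    return build_inventory(vms, {i: get_json(f"{ARM}{i}?api-version={NETWORK_API}", token) for i in nic_ids})
# Constructed sample documents (shape of real ARM responses; subscription id, names and IP are made up).
_RG = "/subscriptions/SUB-ID-PLACEHOLDER/resourcegroups/rg-prod/providers"
SAMPLE_NIC_ID = f"{_RG}/Microsoft.Network/networkInterfaces/web01-nic"
SAMPLE_VMS = [{"name": "web01", "location": "eastus", "id": f"{_RG}/Microsoft.Compute/virtualMachines/web01",
               "properties": {"networkProfile": {"networkInterfaces": [{"id": SAMPLE_NIC_ID}]}}}]
SAMPLE_NICS = {SAMPLE_NIC_ID: {"properties": {"ipConfigurations": [{"properties": {"privateIPAddress": "10.0.1.4"}}]}}}
if __name__ == "__main__":  # live run using the four values stored in the platform
    tok_url, body = token_request(*(os.environ[k] for k in ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")))
    token = get_json(tok_url, data=body)["access_token"]
    print(json.dumps(fetch_inventory(os.environ["AZURE_SUBSCRIPTION_ID"], token), indent=2))
```

A VM whose NIC could not be read (for example, one outside the scope of the Reader assignment) still appears in the inventory with an empty private_ips list rather than being silently dropped.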
Best Practices
- Assign only the Reader role to enforce least privilege access
- Use App Registrations and Service Principals instead of personal credentials for automation
- Rotate the Client Secret periodically and use Azure Key Vault for secure storage
- Use Managed Identity if your integration runs inside Azure (VM, Function App, or Container)
- For multi-subscription environments, assign the same app the Reader role across all relevant subscriptions
- Enable Azure Activity Logs to audit access to the integration