Azure Workloads
Azure Workloads integration allows your product to discover and monitor compute workloads running across Azure — including Azure Kubernetes Service (AKS) clusters, App Services, Container Instances, and Virtual Machine Scale Sets (VMSS). This integration helps you build visibility into containerized workloads, deployed applications, and underlying compute environments for monitoring, security, and compliance.
Credentials Needed
To connect and fetch workload-related data from Azure, you need credentials from an Azure Active Directory (AAD) App Registration.
Required credentials:
- Tenant ID (Directory ID)
- Client ID (Application ID)
- Client Secret
- Subscription ID
These credentials enable your integration to authenticate against Azure Resource Manager (ARM) APIs for fetching workload metadata.
Permissions Needed
To read workloads like AKS clusters, App Services, and Container Instances, the registered app requires read-only access to specific Azure services.
1. Role Assignment (Azure RBAC Roles)
Assign the following built-in roles at the subscription level:
- Reader (minimum required to view workloads)
- Monitoring Reader (optional — for extended visibility into metrics and performance data)
These roles allow the integration to read information about workloads, clusters, and containers but not modify them.
2. API Permissions (via App Registration)
| API | Permission | Type | Purpose |
|---|---|---|---|
| Azure Service Management (Azure Resource Manager) | user_impersonation | Delegated | To read workloads and resource configurations |
| Microsoft Graph (optional) | Directory.Read.All | Application | To fetch associated resource group and tenant metadata |
Creating Users / App Registration in Azure
Step 1: Register an Application
- Go to Azure Portal → Azure Active Directory → App registrations → New registration
- Enter a name (e.g., AzureWorkloadIntegrationApp)
- Supported account type: "Accounts in this organizational directory only"
- Redirect URI: Leave blank or specify your platform callback URL if needed
- Click Register
After registration, note down:
- Application (Client) ID
- Directory (Tenant) ID
Step 2: Create a Client Secret
- Go to Certificates & Secrets → New client secret
- Enter a description and choose an expiry period (1 or 2 years)
- Copy the Client Secret Value immediately — it will not be visible again later.
Step 3: Assign Roles to App
- Go to Azure Portal → Subscriptions → [Your Subscription] → Access Control (IAM)
- Click Add role assignment
- Choose Reader (or Monitoring Reader if needed)
- Under Members, select User, group, or service principal, then find and select your registered app (AzureWorkloadIntegrationApp)
- Save the assignment.
This enables your application to read workload and container data from Azure resources.
Test Connectivity
Use Azure CLI commands to verify access and ensure the credentials work as expected:
```bash
# Login using Service Principal
az login --service-principal \
  --username <CLIENT_ID> \
  --password <CLIENT_SECRET> \
  --tenant <TENANT_ID>

# Set the subscription context
az account set --subscription <SUBSCRIPTION_ID>

# List all AKS clusters
az aks list --output table

# List all Container Instances
az container list --output table

# List all App Services
az webapp list --output table

# List Virtual Machine Scale Sets
az vmss list --output table
```
If these commands return data successfully, your integration credentials and permissions are correctly configured.
Save the Results in the Platform and Create Connection
In your product's connector configuration, securely store:
- AZURE_TENANT_ID
- AZURE_CLIENT_ID
- AZURE_CLIENT_SECRET
- AZURE_SUBSCRIPTION_ID
Create a connection labeled Azure Workloads Integration in your platform.
Test the integration by fetching AKS clusters, App Services, and container instances.
Best Practices
- Always use Reader or Monitoring Reader roles for least-privilege access.
- Store secrets securely using Azure Key Vault or your platform's secret management system.
- Rotate client secrets on a regular schedule, before they expire, so the integration never runs on an expired credential.
- For integrations running inside Azure, use Managed Identities instead of static credentials.
- Limit access scope by assigning roles at resource group level if the integration only needs specific workloads.
- Enable Azure Activity Logs to track API access for auditing and compliance.
- If working across multiple subscriptions, assign the same app roles to each subscription for unified discovery.
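As an added example (not part of this guide or the product's connector code), a small Python audit that checks the role assignments created in Step 3 against the least-privilege and scope advice above. It assumes the JSON shape of `az role assignment list` (fields `roleDefinitionName` and `scope`) and uses constructed sample assignments rather than real tenant data.

```python
"""Least-privilege audit of the integration's service principal. Input is the
parsed JSON of: az role assignment list --assignee <CLIENT_ID> --all --output json
"""
import re

ALLOWED_ROLES = {"Reader", "Monitoring Reader"}  # the only roles this integration needs
_SUB = r"/subscriptions/(?P<sub>[0-9a-fA-F-]{36})"
SCOPE_PATTERNS = [  # ARM scope shapes, broadest first
    ("root", re.compile(r"^/$")),
    ("management_group", re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$")),
    ("subscription", re.compile(rf"^{_SUB}$", re.I)),
    ("resource_group", re.compile(rf"^{_SUB}/resourceGroups/[^/]+$", re.I)),
    ("resource", re.compile(rf"^{_SUB}/resourceGroups/[^/]+/providers/.+$", re.I)),
]

def classify_scope(scope):
    """Return (scope_kind, subscription_id or None) for an ARM scope string."""
    for kind, pattern in SCOPE_PATTERNS:
        match = pattern.match(scope)
        if match:
            sub = match.groupdict().get("sub")
            return kind, (sub.lower() if sub else None)
    return "unknown", None

def audit_role_assignments(assignments, subscription_id):
    """Flag roles beyond Reader/Monitoring Reader, assignments above subscription
    scope, and a missing Reader on the subscription the integration targets."""
    findings, has_reader = [], False
    for item in assignments:
        role, scope = item.get("roleDefinitionName", ""), item.get("scope", "")
        kind, sub = classify_scope(scope)
        if role not in ALLOWED_ROLES:
            findings.append(f"excess_privilege: {role} at {scope}")
        if kind in ("root", "management_group", "unknown"):
            findings.append(f"over_scoped: {role} at {scope}")
        if role == "Reader" and sub == subscription_id.lower() and kind in ("subscription", "resource_group"):
            has_reader = True
    if not has_reader:
        findings.append(f"missing_reader: no Reader on subscription {subscription_id}")
    return {"ok": not findings, "findings": findings}

SAMPLE_SUBSCRIPTION = "11111111-1111-1111-1111-111111111111"  # constructed, not a real subscription
SAMPLE_ASSIGNMENTS = [  # constructed sample: one correct assignment and two the audit should flag
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}"},
    {"roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}/resourceGroups/rg-aks"},
    {"roleDefinitionName": "Monitoring Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/corp-root"},
]
```

Calling `audit_role_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_SUBSCRIPTION)` on the sample returns `ok: False` with two findings: Contributor on `rg-aks` (more than read access) and Monitoring Reader at management-group scope (broader than the subscription). Replace the sample with the real CLI output to audit your own app registration.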