Skip to main content
Skip table of contents

Azure Start Guide

Microsoft Azure Setup

1 - Create Application


1. Select Azure Active Directory in Azure Portal.

2. Under 'Manage', select App registrations +New registration.


3. Insert the following information for your Azure Application:

Name: cloudaware-api-access

Supported account types: Accounts in this organizational directory only (Default Directory only - Single tenant) OR Accounts in any organizational directory (Any Azure AD directory - Multitenant)

Redirect URL (optional): Webhttps://cloudaware.com/

4. Click Register.

2 - Configure Permissions

1. Select the application that you have just created.

2. Select API permissions → +Add a permission.

3. Select the tab 'Microsoft APIs'. Select Azure Service Management.

4. Select 'Delegated permissions' and check the box 'user_impersonation. Access Azure Service Management as organization users (preview)'.

Click Add permissions.

5. Select Microsoft Graph.

a. In APPLICATION Permissions select:
Directory → Directory.Read.All

Click Add permissions.

b. In DELEGATED Permissions select:
Directory → Directory.Read.All
User → User.Read (Sign in and read user profile) [this permission is added by default when the application is created]

Click Add permissions.

Ensure that all necessary permissions are assigned as below:

You should have two APIs added total - Azure Service Management and Microsoft Graph.


7. Having added APIs, click Grant admin consent for <Directory Name> to populate them.

Microsoft takes up to 30 minutes to populate the permissions added in previous steps.

8. To grant permissions to Cloudaware for auto-discovery of Azure subscriptions at the tenant level, follow these steps:

a) Select Management Groups in Azure Portal:

b) Select the management group in question (the one from which subscriptions are to be collected, or the Tenant Root Group for Cloudaware to discover all available subscriptions as in the example below):

c) Go to Access Control (IAM) on the left → click +Add → Add role assignment:

d) Grant the Cloudaware application with access to the management group in question:

Under the tab 'Job function roles' select Reader.

Under the tab 'Members' select the following settings:

a. Role: Reader

b. Assign access to: User, group, or service principal

c. Members: click +Select members → cloudaware-api-access (start typing the application name to choose it from the list)

Click Review + assign.

3 - Configure Certificates & Secrets

Cloudaware supports both ways of Azure Application authentication:

a) Client secret (key)

1. Select 'Certificates & secrets' → the tab 'Client secrets' → +New client secret. 

2. Type the description: ca-api-key

3. Set EXPIRES to: 730 days (24 months)

4. Click Add.

5. Save the secret value in a secure location.

Once the key is created and saved, skip the part below and continue the further configuration.

b) Certificate

1. Select 'Certificates & secrets' → the tab 'Certificates' → Upload certificate. 

2. Click Select a file → choose the certificate file*.

*Get the certificate generated by Cloudaware - see step 2 in Adding Azure Active Directory to Cloudaware below.

3. Click Add.

Once the certificate is uploaded, continue the configuration following the steps below.

4 - Getting The Active Directory ID (Tenant ID)

Navigate to Azure Active Directory, click Properties and locate Tenant ID. Click Copy to clipboard to save Tenant ID as it is required for integration setup in Cloudaware.

5 - Assigning Role to Subscriptions


1. Navigate to Subscriptions in Azure Portal:

2. Select the subscription that will be added to Cloudaware:

3. Select Access control (IAM):


4. Click +Add Add role assignment:

5. In 'Add role assignment' select:

a. Role: Reader

b. Assign Access to: User, group, or service principal

c. Members: click +Select members → cloudaware-api-access (start typing the application name to choose it from the list)

The steps 1-5 are required for each subscription that will be integrated into Cloudaware.

6 - Grant Access To Key Vaults


Сloudaware has to be granted with the access to Key Vault* to check the expiration date of keys and secrets. Set up the access policy for the Cloudaware application on the Key Vault level.

*Cloudaware retrieves metadata only ('Azure Key Vault Key' and 'Azure Key Vault Secret' objects). No keys or secrets are accessible to Cloudaware.

1. Navigate to Key Vaults in Azure Portal.

2. Select Access Policies +Add Access Policy.

3. Select the following settings:

a. Key permissions: List

b. Secret permissions: List

c. Certificate permissions: List

d. Select principal: cloudaware-api-access (start typing the application name to choose it from the list → Select)

Click Add.

4. Repeat steps 2-3 for each Key Vault.

7 - Azure Reservations Discovery in Cloudaware (optional)


Cloudaware can discover and collect your Azure Reservations, provided that the appropriate permissions are granted in Azure.


1. Log in to your Azure Portal. Navigate to Reservations.

2. Select the tab 'Role Assignment'.

3. Click +AddAdd role assignments.

4. Under the tab 'Job function roles' select Reservations Reader.

Under the tab 'Members' select the following settings:

a. Role: Reservations Reader

b. Assign access to: User, group, or service principal

c. Members: click +Select members → cloudaware-api-access (start typing the application name to choose it from the list)

Click Review + assign.

Please allow up to 24 hours for Azure reservations to be displayed in Cloudaware CMDB.

5. To view your Azure Reservations and related data, log in to your Cloudaware account → Navigator. Select MICROSOFT AZURE → RESERVATIONS.

8 - Azure Kubernetes Discovery in Cloudaware (optional)


Cloudaware supports auto-discovery of Azure AKS Clusters and Azure AKS Cluster Agent Pool Profiles by default. Grant Cloudaware the permission Microsoft.ContainerService/managedClusters/listClusterUserCredential/read to enable the discovery and collection of the following Azure AKS cluster objects:

Azure AKS Cluster
Azure AKS Cluster Agent Pool Profile
Azure AKS Cluster Config Map
Azure AKS Cluster Daemon Set
Azure AKS Cluster Deployment
Azure AKS Cluster Endpoint
Azure AKS Cluster Limit Range
Azure AKS Cluster Namespace
Azure AKS Cluster Node
Azure AKS Cluster Node Address
Azure AKS Cluster Node Condition
Azure AKS Cluster Pod
Azure AKS Cluster Pod Container
Azure AKS Cluster Public IP Address Link
Azure AKS Cluster Public IP Prefix Link
Azure AKS Cluster Replica Set
Azure AKS Cluster Resource Quota
Azure AKS Cluster Service
Azure AKS Cluster Stateful Set

1. Log in to your Azure Portal. Navigate to Subscriptions.

2. Select the subscription in question → Access Control (IAM).

3. Click +AddAdd role assignment. Select the following settings:

a. Role: Azure Kubernetes Service Cluster User Role

b. Assign access to: Azure AD user, group, or service principal

c. Members: click +Select members → cloudaware-api-access (start typing the application name to choose it from the list)

Click Save.


4. To view your Azure AKS resources, log in to your Cloudaware account → Navigator. Select MICROSOFT AZURE → Compute → AKS.

If AKS cluster is AD managed, check this guide to set up the cluster role binding and grant required permissions to Cloudaware.

9 - Microsoft Devices Discovery (Intune) (optional)

Microsoft Intune is a cloud-based endpoint management solution helping to manage user access and simplify app and device management across Microsoft infrastructure. Learn more

Cloudaware requires the following permissions to be assigned to Azure Active Directory Application:

DeviceManagementManagedDevices.Read.All

DeviceManagementConfiguration.Read.All

Select 'Application' permissions.

The following objects are supported:

  • Azure Active Directory Devices

  • Azure Active Directory Compliance Policies

  • Azure Active Directory Device Config

10 - Tagging Permissions for Cloudaware (optional)

Use the Tag Contributor role or create a custom role to define the scope of provided permissions on tagging (see 'Custom Role For Tagging').

To assign the Tag Contributor role to Cloudaware application, follow the steps below:

1. Log in to your Azure Portal. Navigate to Subscriptions.

2. Select the subscription in question → Access Control (IAM).

3. Click +AddAdd role assignment. Select the following settings:

a. Role: Tag Contributor

b. Assign access to: Azure AD user, group, or service principal

c. Members: click +Select members → cloudaware-api-access (start typing the application name to choose it from the list)

Click Save.

The role Tag Contributor uses a recently released Azure API method. Learn more about the role

Cloudaware Setup

1 - Adding Azure Active Directory to Cloudaware

1. Log in to your Cloudaware account. Select Admin in the main menu under your username → Azure Active Directories & Subscriptions. Click +Add.

2. Fill out the form:

a. Name: Azure Active Directory name

b. Active Directory ID (Tenant ID): Tenant ID (to locate, log in Azure portal → Azure Active Directory → Overview → copy 'Tenant ID')

c. Check the box 'Automatically Discover Subscriptions' to allow Cloudaware to automatically discover and add all the subscriptions to which it has been granted access in Azure Active Directory. Leave it unchecked if you would like to add your Azure subscriptions manually.

d. Environment: select Azure environment (Azure, Azure China, Azure Government, Azure Germany)

e. Under 'Select Application', click +CREATE NEW.

a) If you selected Client Secret (key) in Configure Certificates & Secrets:

  • Check the radio button Using Client Secret.

  • Provide Application ID (Client ID) and Client Secret that you saved in a secure location﹣ see a) in Configure Certificates & Secrets.

b) If you selected Certificate in Configure Certificates & Secrets:

  • Check the radio button Using Certificate.

  • Provide Application ID (Client ID).

  • Click Generate Certificate to download the file.

Once the certificate is uploaded, click Save and continue the configuration from the step Getting The Active Directory ID (Tenant ID).

3. The green light in 'Status' means that the Azure Active Directory has been successfully added. If there is a red light, please contact support@cloudaware.com.

2 - Adding Azure Subscription to Cloudaware

If you haven't checked the checkbox 'Automatically Discover Subscriptions' as described in the previous section, follow these steps to add subscriptions manually.

1. Log in to your Cloudaware account. Select Admin in the main menu under your username → Azure Active Directories & Subscriptions. Click +Add.

2. Select the tab 'Subscriptions'. Click +Add Azure Subscription.

3. Fill out the form

  • Name: Azure subscription name

  • Subscription ID: Azure subscription ID [to locate it, log in to Azure portal → Subscriptions → select the subscription in question → copy 'Subscription ID']

  • Active Directory: select an Active Directory from the list

Click Save.

4. Review all subscriptions under the tab 'Subscriptions'. The green light in 'Status' means that the Azure Subscription has been successfully added. If there is a red light, please contact support@cloudaware.com.

5. Given the checkbox 'Automatically Discover Subscriptions' is checked, the tab 'Untracked Subscriptions' shows all Azure subscriptions that Cloudaware has discovered in your Active Directory but is not able to collect due to insufficient access caused by an incorrect role assigned (check step 5 in Assigning Role to SubscriptionsReader by default or higher).

3 - Understanding Azure Application in Cloudaware

Credentials such as the Azure Active Directory Application ID (Client  ID) and Client Secret are stored within the Azure Application entity in Cloudaware. Please note that an Azure Application can only be created when adding Azure AD.


Cloudaware supports updating the Azure Application credentials. In 'Azure Active Directories & Subscriptions' open the tab Applications, and click three dots → Edit.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.