Azure

Connect your Azure subscriptions to enable CloudThinker agents to analyze costs, optimize resources, and manage infrastructure across Microsoft Azure services.

Setup

Step 1: Register Application

Create an app registration in Azure AD
  1. Navigate to Azure Portal
  2. Go to Azure Active Directory → App registrations → New registration
  3. Enter application name: CloudThinker-ReadOnly
  4. Select Accounts in this organizational directory only
  5. Click Register
Step 2: Note Application Details

Copy and save these values from the app overview:
  • Application (client) ID
  • Directory (tenant) ID
Step 3: Create Client Secret

Generate a secret for authentication
  1. In your app registration, go to Certificates & secrets
  2. Click New client secret
  3. Add a description and set expiration (recommended: 12 months)
  4. Click Add
  5. Immediately copy the secret value (it won’t be shown again)
Step 4: Assign Reader Role

Grant access to your subscription(s)
  1. Go to Subscriptions → Your Subscription
  2. Click Access control (IAM) → Add → Add role assignment
  3. Select Reader role
  4. Search for and select your app registration
  5. Click Save
Step 5: Add Connection in CloudThinker

Navigate to Connections → Azure and enter:
  • Client ID (Application ID)
  • Client Secret (the secret value you copied)
  • Tenant ID (Directory ID)
  • Subscription ID
Copy the client secret immediately after creation. Azure will not show it again, and you’ll need to create a new secret if lost.

Required Roles

Minimum (Read-Only Analysis)

Reader                    # Basic read access to resources
Cost Management Reader    # Cost and billing data

# All of the above, plus:
Security Reader           # Security Center access
Log Analytics Reader      # Log Analytics workspace access
Monitoring Reader         # Azure Monitor access

Agent Capabilities

Once connected, agents can:
Agent    Azure Capabilities
Alex     Cost analysis, VM right-sizing, Reserved Instance recommendations, resource optimization
Oliver   Security Center findings, Azure AD audits, compliance checks, policy violations
Tony     SQL Database performance, Cosmos DB optimization, PostgreSQL tuning
Kai      AKS cluster management, container optimization, workload analysis

Multi-Subscription Setup

For organizations with multiple Azure subscriptions:
Step 1: Management Group Access

Assign Reader role at the Management Group level for all subscriptions
Step 2: Add Cost Management Access

Grant Cost Management Reader at the billing account level
Step 3: Configure in CloudThinker

Add all subscription IDs or select “All Subscriptions”

Troubleshooting

Connection or authentication errors:
  • Verify Tenant ID, Client ID, and Client Secret are correct
  • Check the client secret hasn’t expired
  • Confirm the app registration is in the correct Azure AD tenant
  • Ensure no conditional access policies are blocking the app

Expired client secret:
  1. Go to Azure AD → App registrations → Your app
  2. Navigate to Certificates & secrets
  3. Create a new client secret
  4. Update the secret in CloudThinker connection settings

Resources not visible:
  • Verify Reader role is assigned to the correct subscription(s)
  • Check if resources are in a different subscription
  • Ensure the app has access to all required subscriptions

Cost data not available:
  • Verify Cost Management Reader role is assigned
  • Check Cost Management + Billing access
  • Ensure EA/MCA billing account access if applicable

Security Best Practices

  • Minimal permissions - Use Reader role, not Contributor
  • Secret rotation - Rotate client secrets every 90 days
  • Expiration - Set appropriate expiration on secrets (not “Never”)
  • Audit logging - Enable Azure AD sign-in logs
  • Conditional access - Consider IP restrictions for the app
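To check an existing app registration against the least-privilege and secret-rotation guidance above, here is an added audit script (example code, not CloudThinker's own). It assumes you have saved the JSON output of `az ad app credential list --id <APP_ID>` and `az role assignment list --assignee <APP_ID> --all` (field names as those commands print them); the records embedded below are constructed samples.

```python
import json
from datetime import datetime, timedelta, timezone

# Roles the page lists for read-only analysis; any other role is a finding.
ALLOWED_ROLES = {"Reader", "Cost Management Reader", "Security Reader",
                 "Log Analytics Reader", "Monitoring Reader"}
ROTATION_DAYS = 90       # page: rotate client secrets every 90 days
MAX_LIFETIME_DAYS = 366  # page: set expiration to about 12 months, never "Never"

# Constructed sample of `az ad app credential list` output (assumed field names).
CREDENTIALS_JSON = """[
  {"displayName": "current",  "startDateTime": "2024-04-01T00:00:00Z", "endDateTime": "2025-03-31T00:00:00Z"},
  {"displayName": "legacy",   "startDateTime": "2020-01-01T00:00:00Z", "endDateTime": "2020-06-30T00:00:00Z"},
  {"displayName": "two-year", "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2026-01-01T00:00:00Z"}
]"""
# Constructed sample of `az role assignment list --assignee <APP_ID> --all` output.
ROLE_ASSIGNMENTS_JSON = """[
  {"roleDefinitionName": "Reader",      "scope": "/subscriptions/<SUBSCRIPTION_ID>"},
  {"roleDefinitionName": "Contributor", "scope": "/subscriptions/<SUBSCRIPTION_ID>"}
]"""

def parse_utc(ts):
    """Parse the CLI's ISO-8601 UTC timestamps; fractional seconds are dropped."""
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit_credentials(credentials, now):
    """Flag expired secrets, secrets older than the rotation window, and over-long lifetimes."""
    findings = []
    for cred in credentials:
        name = cred.get("displayName") or cred.get("keyId", "<unnamed>")
        start, end = parse_utc(cred["startDateTime"]), parse_utc(cred["endDateTime"])
        if end <= now:
            findings.append(f"secret '{name}' expired on {end.date()}; the connection will fail")
        elif (now - start).days > ROTATION_DAYS:
            findings.append(f"secret '{name}' is {(now - start).days} days old; rotate it")
        if (end - start).days > MAX_LIFETIME_DAYS:
            findings.append(f"secret '{name}' lifetime is {(end - start).days} days; cap at 12 months")
    return findings

def audit_role_assignments(assignments):
    """Flag any role outside the read-only set (Contributor, Owner, custom roles)."""
    return [f"role '{a['roleDefinitionName']}' at {a['scope']} exceeds read-only access"
            for a in assignments if a["roleDefinitionName"] not in ALLOWED_ROLES]

def audit(credentials_json, assignments_json, now=None):
    """Run both checks over the two JSON documents and return the list of findings."""
    now = now or datetime.now(timezone.utc)
    return (audit_credentials(json.loads(credentials_json), now)
            + audit_role_assignments(json.loads(assignments_json)))
```

Run `audit(open("creds.json").read(), open("roles.json").read())` against real exports; with the samples above it reports the expired secret, the two-year secret (both too old and too long-lived), and the Contributor assignment.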