# Azure

> Connect Microsoft Azure to CloudThinker for multi-cloud operations, cost analysis, and compliance monitoring

Connect your Azure subscriptions to enable CloudThinker agents to analyze costs, optimize resources, and manage infrastructure across Microsoft Azure services.

***

## Setup

<Steps>
  <Step title="Register Application">
    Create an app registration in Azure AD

    1. Navigate to [Azure Portal](https://portal.azure.com/)
    2. Go to **Azure Active Directory → App registrations → New registration**
    3. Enter application name: `CloudThinker-ReadOnly`
    4. Select **Accounts in this organizational directory only**
    5. Click **Register**
  </Step>

  <Step title="Note Application Details">
    Copy and save these values from the app overview:

    * **Application (client) ID**
    * **Directory (tenant) ID**
  </Step>

  <Step title="Create Client Secret">
    Generate a secret for authentication

    1. In your app registration, go to **Certificates & secrets**
    2. Click **New client secret**
    3. Add a description and set expiration (recommended: 12 months)
    4. Click **Add**
    5. **Immediately copy the secret value** (it won't be shown again)
  </Step>

  <Step title="Assign Reader Role">
    Grant access to your subscription(s)

    1. Go to **Subscriptions → Your Subscription**
    2. Click **Access control (IAM) → Add → Add role assignment**
    3. Select **Reader** role
    4. Search for and select your app registration
    5. Click **Save**
  </Step>

  <Step title="Add Connection in CloudThinker">
    Navigate to **Connections → Azure** and enter:

    * **Client ID** (Application ID)
    * **Client Secret** (the secret value you copied)
    * **Tenant ID** (Directory ID)
    * **Subscription ID**
  </Step>
</Steps>

<Warning>
  Copy the client secret immediately after creation. Azure will not show it again, and you'll need to create a new secret if lost.
</Warning>

***

## Required Roles

### Minimum (Read-Only Analysis)

```
Reader                          # Basic read access to resources
Cost Management Reader          # Cost and billing data
```

### Recommended (Full Analysis)

```
# All of the above, plus:
Security Reader                 # Security Center access
Log Analytics Reader            # Log Analytics workspace access
Monitoring Reader               # Azure Monitor access
```

***

## Agent Capabilities

Once connected, agents can:

| Agent                              | Azure Capabilities                                                                       |
| ---------------------------------- | ---------------------------------------------------------------------------------------- |
| **[Alex](/guide/agents/alex)**     | Cost analysis, VM right-sizing, Reserved Instance recommendations, resource optimization |
| **[Oliver](/guide/agents/oliver)** | Security Center findings, Azure AD audits, compliance checks, policy violations          |
| **[Tony](/guide/agents/tony)**     | SQL Database performance, Cosmos DB optimization, PostgreSQL tuning                      |
| **[Kai](/guide/agents/kai)**       | AKS cluster management, container optimization, workload analysis                        |

***

## Multi-Subscription Setup

For organizations with multiple Azure subscriptions:

<Steps>
  <Step title="Management Group Access">
    Assign Reader role at the Management Group level for all subscriptions
  </Step>

  <Step title="Add Cost Management Access">
    Grant **Cost Management Reader** at the billing account level
  </Step>

  <Step title="Configure in CloudThinker">
    Add all subscription IDs or select "All Subscriptions"
  </Step>
</Steps>

***

## Troubleshooting

<Accordion title="Authentication failed">
  * Verify Tenant ID, Client ID, and Client Secret are correct
  * Check the client secret hasn't expired
  * Confirm the app registration is in the correct Azure AD tenant
  * Ensure no Conditional Access policies are blocking the app's sign-in
</Accordion>

<Accordion title="Client secret expired">
  * Go to Azure AD → App registrations → Your app
  * Navigate to Certificates & secrets
  * Create a new client secret
  * Update the secret in CloudThinker connection settings
</Accordion>

<Accordion title="Missing resources">
  * Verify Reader role is assigned to the correct subscription(s)
  * Check if resources are in a different subscription
  * Ensure the app has access to all required subscriptions
</Accordion>

<Accordion title="No cost data">
  * Verify **Cost Management Reader** role is assigned
  * Check Cost Management + Billing access
  * Ensure EA/MCA billing account access if applicable
</Accordion>

***

## Security Best Practices

* **Minimal permissions** - Use Reader role, not Contributor
* **Secret rotation** - Rotate client secrets every 90 days
* **Expiration** - Set appropriate expiration on secrets (not "Never")
* **Audit logging** - Enable Azure AD sign-in logs
* **Conditional access** - Consider IP restrictions for the app
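
One way to check an existing app registration against the role list and secret guidance above. This is an added example, not CloudThinker's own code. It assumes you have exported JSON with `az role assignment list --assignee <app-id> --all` and `az ad app credential list --id <app-id>`; the field names follow that output, and the sample records are constructed.

```python
import json
from datetime import datetime, timezone

# Role names listed under "Required Roles" on this page (minimum + recommended).
ALLOWED_ROLES = {"Reader", "Cost Management Reader", "Security Reader",
                 "Log Analytics Reader", "Monitoring Reader"}
MAX_SECRET_AGE_DAYS = 90  # rotation interval from "Security Best Practices"

# Constructed sample data; field names assumed to match the JSON from
# `az role assignment list --assignee <app-id> --all` and
# `az ad app credential list --id <app-id>`.
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"}
]""")
SAMPLE_SECRETS = json.loads("""[
  {"displayName": "current", "startDateTime": "2025-04-15T00:00:00Z", "endDateTime": "2026-04-15T00:00:00Z"},
  {"displayName": "stale",   "startDateTime": "2024-11-01T00:00:00Z", "endDateTime": "2025-11-01T00:00:00Z"},
  {"displayName": "old",     "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2025-01-01T00:00:00Z"}
]""")

def _parse(ts):
    # Keep the seconds-resolution prefix so fractional seconds and "Z" parse everywhere.
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit_roles(assignments):
    """Flag any role assignment outside the read-only set."""
    return [f"{a.get('roleDefinitionName')} at {a.get('scope')}: not a read-only role from this page"
            for a in assignments if a.get("roleDefinitionName") not in ALLOWED_ROLES]

def audit_secrets(secrets, now):
    """Flag secrets that never expire, have expired, or are overdue for rotation."""
    findings = []
    for s in secrets:
        name = s.get("displayName") or s.get("keyId", "<unnamed>")
        if not s.get("endDateTime"):
            findings.append(f"{name}: no expiration set")
        elif _parse(s["endDateTime"]) <= now:
            findings.append(f"{name}: expired, create a new secret")
        elif s.get("startDateTime") and (now - _parse(s["startDateTime"])).days > MAX_SECRET_AGE_DAYS:
            findings.append(f"{name}: older than {MAX_SECRET_AGE_DAYS} days, rotate")
    return findings

if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed so the sample is reproducible
    for line in audit_roles(SAMPLE_ASSIGNMENTS) + audit_secrets(SAMPLE_SECRETS, now):
        print("FINDING:", line)
```

Replace the sample constants with the parsed CLI output and pass `datetime.now(timezone.utc)` as `now` to run it against a real registration.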

***

## Related

<CardGroup cols={2}>
  <Card title="AWS Connection" icon="https://mintcdn.com/cloudthinker/aLd-ttc-SCW-aFky/images/icons/aws.svg?fit=max&auto=format&n=aLd-ttc-SCW-aFky&q=85&s=45d526a3e9345214c0345f277da2e829" href="/guide/connections/aws" width="24" height="24" data-path="images/icons/aws.svg">
    Connect Amazon Web Services
  </Card>

  <Card title="Oliver Agent" icon="shield-check" href="/guide/agents/oliver">
    Security-focused agent for Azure compliance
  </Card>
</CardGroup>
