This section covers the manual deployment process for integrating Azure with Chariot. While this method provides complete control over each step, we recommend using the Terraform/IaC approach for better consistency and maintainability. Manual deployment requires creating several Azure resources through the Azure Portal, with the process being similar for both tenant-level and subscription-level integrations.
Important: Manual deployment is more complex and error-prone than the automated Terraform method. Consider using the IaC approach unless you have specific requirements that necessitate manual configuration.
Manual deployment requires creating several Azure resources through the Azure portal. The process is similar for both scopes, with role assignment being the key difference.
Prerequisites
Before starting the integration, ensure you have:
- Azure portal access with Global Administrator permissions to create app registrations and assign roles
- User Access Administrator permissions are required for tenant-level integration role assignments at tenant root
- Subscription Owner or User Access Administrator permissions for subscription-level integration
Integration Process
Step 1: Initiate Integration Setup
- Navigate to the Integrations section in your Chariot dashboard
- Click "Add Integration" and select "Azure"
- Choose your integration scope and provide the required information
Tenant-Level Integration (Recommended)
For tenant-level integration, you'll need to provide:
- Tenant ID: Your Azure AD tenant ID (GUID format)
- Deployment Type: Choose Manual
TIP: To get your Tenant ID, navigate to Azure Active Directory (or Microsoft Entra ID) in the Azure Portal. The tenant ID is displayed in the Overview section, or you can find it in the URL when viewing your directory.
Subscription-Level Integration
For subscription-level integration, you'll need to provide:
- Tenant ID: Your Azure AD tenant ID (GUID format)
- Subscription ID: The specific Azure subscription ID you want to integrate
- Deployment Type: Choose Manual
Step 2: Record Your Unique Subject
Chariot will provide
Manual Deployment Instructions
Step 1: Create App Registration
- Sign in to the Azure Portal
- Navigate to "Azure Active Directory" (or "Microsoft Entra ID")
- Go to "App registrations" > "New registration"
- Set application details:
- Name: Praetorian Chariot Integration
- Supported account types: "Accounts in this organizational directory only"
- Redirect URI: Leave blank
- Click "Register"
Step 2: Configure API Permissions
- In your app registration, go to "API permissions"
- Click "Add a permission" > "Microsoft Graph" > "Application permissions"
- Add the following permissions:
- Directory.Read.All
- Policy.Read.All
- RoleManagement.Read.All
- RoleManagement.Read.Directory
- RoleEligibilitySchedule.Read.Directory
- RoleManagementPolicy.Read.AzureADGroup
- RoleManagementPolicy.Read.Directory
Step 3: Grant Admin Consent
- In the "API permissions" section, click "Grant admin consent for [Your Organization]"
- Confirm the consent by clicking "Yes"
- Verify all permissions show "Granted for [Your Organization]" status
Step 4: Create Federated Identity Credential
- In your app registration, go to "Certificates & secrets"
- Click the "Federated credentials" tab
- Click "Add credential"
- Select "Other issuer" as the federated credential scenario
- Set credential details:
- Issuer: https://cognito-idp.us-east-2.amazonaws.com/COGNITO-POOL-ID
- Subject identifier: YOUR-UNIQUE-USERNAME
- Audience: AZURE-APP-CLIENT-ID
- Name: FederationChariot
- Description: Federated credential for Chariot
- Click "Add"
Step 5: Assign the Reader Role
The role assignment process differs based on your integration scope:
For Tenant-Level Integration:
- Navigate to "Management groups" in the Azure Portal
- Select your tenant root management group (named with your tenant ID)
- Go to "Access control (IAM)"
- Click "Add" > "Add role assignment"
- Select "Reader" role
- Click "Next"
- Choose "User, group, or service principal"
- Click "Select members"
- Search for and select "Praetorian Chariot Integration"
- Click "Select" > "Review + assign" > "Assign"
For Subscription-Level Integration:
- Navigate to "Subscriptions" in the Azure Portal
- Select your target subscription
- Go to "Access control (IAM)"
- Click "Add" > "Add role assignment"
- Select "Reader" role
- Follow the same member selection process as above
Step 6: Record Application Details
- Go back to your app registration "Overview" page
- Copy the "Application (client) ID" - this will be needed for verification
- Note the "Directory (tenant) ID" for reference
- Provide the information back to Chariot
Completing Your Manual Integration
After completing all manual deployment steps, return to the Chariot integration modal and enter the Application (client) ID you recorded in Step 6. Click "Finish" to complete the integration process.
Chariot will validate the integration by performing authentication tests and verifying the configured permissions. Once validated, your Azure integration will appear in your integrations list and begin monitoring your Azure environment.
Need Help?
If you encounter any issues during the manual deployment process or have questions about the integration setup, please contact our support team at support@praetorian.com. Include your Application ID and any error messages you've encountered to help us assist you more effectively.
Articles in this section
- Amazon Web Services Integration - Overview
- Amazon Web Services - IaC Deployment (Recommended)
- Amazon Web Services - Manual Deployment
- Google Cloud Platform Integration - Overview
- Google Cloud Platform - IaC Deployment (Recommended)
- Google Cloud Platform - Manual Deployment
- Microsoft Azure Integration - Overview
- Microsoft Azure - IaC Deployment (Recommended)
- Microsoft Azure - Manual Deployment
- Digital Ocean Integration