Microsoft Azure Integration - Overview

Chariot integrates with Microsoft Azure using OpenID Connect (OIDC) federation with Microsoft Entra ID (formerly Azure AD) to obtain secure, temporary access to your Azure resources: no client secrets or other long-lived credentials are created, stored, or rotated. The integration can be scoped to an entire tenant or to an individual subscription.

Chariot uses a secure OIDC-based authentication pattern:

  1. Cognito Authentication: Chariot creates a dedicated user for your integration in its AWS Cognito user pool, with a unique subject identifier (a UUIDv4)
  2. OIDC Token Exchange: Chariot authenticates that user against Cognito to obtain an ID token carrying your unique subject (sub) claim
  3. Microsoft Entra ID Federation: Chariot presents the ID token to Microsoft Entra ID as a client assertion; the federated identity credential you configured on the app registration accepts it only if the token's issuer, subject, and audience match, and Entra then returns Azure access tokens for both Azure Resource Manager (ARM) and Microsoft Graph
  4. Temporary Credentials: Only these short-lived Azure access tokens (one-hour expiration) are used to access your resources; nothing longer-lived is ever issued or stored

This design isolates customers from one another: the federated identity credential in your tenant matches the token's issuer and subject exactly, and each integration's subject is unique, so a token minted for a different Chariot integration cannot be exchanged for access to your tenant. It also removes the risks that come with client secrets, since there is nothing to store, leak, or rotate.
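The following is an added example, not Chariot's or Praetorian's code, that models steps 2 through 4 above in Python: it mints an ID token with the issuer, subject, and audience claims a Cognito ID token carries, applies the exact-match rule an Entra federated identity credential enforces, and builds the client_credentials request in which the ID token is the client assertion. All identifiers (Cognito pool URL, app client id, integration subject, tenant and application ids) are constructed placeholders, HS256 stands in for Cognito's RS256 signature so the example runs offline, and the assumption that the federated credential's audience is the Cognito app client id (the aud of a Cognito ID token) is mine, not documented on this page.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
ARM_SCOPE = "https://management.azure.com/.default"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"

# Constructed placeholders (assumptions): not Chariot's real Cognito pool, subject, app or tenant.
COGNITO_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE1"
COGNITO_APP_CLIENT_ID = "1example2client3id4567890a"  # a Cognito ID token's aud is its app client id
INTEGRATION_SUBJECT = "7c1f4b7e-2d44-4d1a-9a0b-5e4a6c8f1d23"  # the UUIDv4 assigned to this integration
TENANT_ID = "00000000-0000-0000-0000-000000000000"
ENTRA_CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # app registration carrying the federated credential

# The federated identity credential configured on the Entra app registration. Entra compares
# these against the incoming token's iss, sub and aud claims; issuer and subject must match exactly.
FEDERATED_CREDENTIAL = {
    "issuer": COGNITO_ISSUER,
    "subject": INTEGRATION_SUBJECT,
    "audiences": [COGNITO_APP_CLIENT_ID],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_id_token(claims: dict, key: bytes) -> str:
    """Build a compact JWT. HS256 stands in for Cognito's RS256 so the example runs offline;
    Entra verifies the real signature against the issuer's published JWKS."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def decode_claims(token: str) -> dict:
    """Read the payload; signature verification is the part of Entra's check modelled away here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def federated_credential_accepts(credential: dict, claims: dict, now=None):
    """Model of the matching rule for a federated identity credential: exact issuer and
    subject match, an audience listed on the credential, and an unexpired token."""
    now = time.time() if now is None else now
    if claims.get("iss") != credential["issuer"]:
        return False, "issuer mismatch"
    if claims.get("sub") != credential["subject"]:
        return False, "subject mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if not any(a in credential["audiences"] for a in audiences):
        return False, "audience mismatch"
    if float(claims.get("exp", 0)) <= now:
        return False, "token expired"
    return True, "accepted"


def build_token_request(tenant_id: str, client_id: str, assertion: str, scope: str):
    """Form body of the client_credentials grant with the ID token as the client assertion.
    There is no client_secret field: the assertion is the only credential presented."""
    return TOKEN_ENDPOINT.format(tenant=tenant_id), {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": scope,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": assertion,
    }


def exchange_for_azure(id_token: str, scope: str, credential=FEDERATED_CREDENTIAL, now=None):
    """Return (request, reason): the request Entra would receive when the credential matches,
    or (None, reason) when the token would be refused before any Azure token is issued."""
    ok, reason = federated_credential_accepts(credential, decode_claims(id_token), now)
    if not ok:
        return None, reason
    return build_token_request(TENANT_ID, ENTRA_CLIENT_ID, id_token, scope), reason


def run_demo(now=None):
    """Constructed walk-through: our integration's token is exchanged; a token minted for a
    different integration (different sub) and an expired token are both refused."""
    now = time.time() if now is None else now
    key = b"constructed-hs256-key"  # stand-in for Cognito's signing key
    base = {"iss": COGNITO_ISSUER, "aud": COGNITO_APP_CLIENT_ID, "iat": now}
    ours = mint_id_token({**base, "sub": INTEGRATION_SUBJECT, "exp": now + 3600}, key)
    theirs = mint_id_token({**base, "sub": str(uuid.uuid4()), "exp": now + 3600}, key)
    stale = mint_id_token({**base, "sub": INTEGRATION_SUBJECT, "exp": now - 1}, key)
    return {
        "ours": exchange_for_azure(ours, ARM_SCOPE, now=now),
        "other_integration": exchange_for_azure(theirs, ARM_SCOPE, now=now),
        "expired": exchange_for_azure(stale, GRAPH_SCOPE, now=now),
    }


if __name__ == "__main__":
    for name, (request, reason) in run_demo().items():
        print(f"{name}: {reason}" + (f" -> POST {request[0]}" if request else ""))
```

The request is built but not sent; in practice the form body goes to the token endpoint over HTTPS (MSAL and the Azure SDKs do this for you), once per scope, and the returned access token is what carries the one-hour lifetime described above. The check to take away is the second case: a token with a valid signature from the same Cognito pool but a different subject is refused before Entra issues anything.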

Integration Options

Chariot provides integrations at both the tenant level and the subscription level. Praetorian recommends integrating at the tenant level for the most comprehensive coverage and experience.

For either integration level, the necessary setup can be performed by deploying infrastructure as code (IaC) in the form of Terraform, or by deploying resources manually through the Azure Portal. Praetorian recommends deploying via Terraform.

Refer to the following articles for detailed instructions on each of the deployment methods:

Requested Access

For Azure integrations, Chariot requires the following permissions:

Azure Role Assignments:

  • Security Reader (Tenant Root Management Group scope for tenant-level, or subscription scope for subscription-level integration) - Provides read access to security-related configurations and resources across Azure services

Microsoft Graph API Permissions (Application Permissions - Require Admin Consent):

  • Directory.Read.All - Read directory data including users, groups, and organizational information
  • Policy.Read.All - Read your organization's policies including conditional access and compliance policies
  • RoleManagement.Read.All - Read role definitions and role assignments for all RBAC providers exposed through Microsoft Graph (directory roles, entitlement management, and others)
  • RoleManagement.Read.Directory - Read directory role management data and assignments
  • RoleEligibilitySchedule.Read.Directory - Read Privileged Identity Management (PIM) role eligibility schedules
  • RoleManagementPolicy.Read.AzureADGroup - Read role management policies for Azure AD groups
  • RoleManagementPolicy.Read.Directory - Read directory role management policies and configurations

Next Steps

Once you've chosen an integration level and a deployment approach, you're ready to connect your Azure environment to Chariot. The integration establishes short-lived, read-only access to your Azure resources through OIDC federation; no secret is created, stored, or rotated on either side.

After the integration completes, Chariot begins monitoring your Azure environment and reporting security findings across your tenant or subscription, depending on the scope you chose. Integration status and findings are available in the Chariot dashboard.

For detailed step-by-step instructions, proceed to the appropriate deployment guide based on your preferred method:

Monitoring is continuous and uses only the read permissions listed above.