This guide walks you through connecting your Azure environment to Chariot for comprehensive security monitoring and management using Infrastructure as Code (IaC) deployment methods. The integration uses Azure's federated identity credentials and role-based access control to provide Chariot with the necessary permissions to assess your Azure resources while maintaining security best practices.
You can choose between tenant-level integration (recommended for full Azure environment coverage) or subscription-level integration (for specific subscription monitoring). The process involves creating an Azure AD app registration, configuring the appropriate permissions, and validating the connection through automated Terraform deployment.
Note: While manual integration is also available, we strongly recommend using the Terraform/IaC approach for consistency, reliability, and easier maintenance of your integration.
Prerequisites
Before starting the integration, ensure you have:
- Azure portal access as a Global Administrator, with permission to create app registrations and assign roles
- Global Administrator is needed to create the app registration and grant tenant-wide admin consent to its Microsoft Graph permissions
- User Access Administrator at the tenant root scope ("/") is needed for the tenant-level integration, because the Security Reader role is assigned at the tenant root management group; a Global Administrator does not hold this until they elevate their access (see Step 3)
- Owner or User Access Administrator on the target subscription for a subscription-level integration
- Terraform installed on your workstation, or access to Azure Cloud Shell, which includes it
Integration Process
Step 1: Initiate Integration Setup
- Navigate to the Integrations section in your Chariot dashboard
- Click "Add Integration" and select "Azure"
- Choose your integration scope and provide the required information
Tenant-Level Integration (Recommended)
For tenant-level integration, you'll need to provide:
- Tenant ID: Your Azure AD tenant ID (GUID format)
- Deployment Type: Choose Terraform
TIP: To get your Tenant ID, navigate to Azure Active Directory (or Microsoft Entra ID) in the Azure Portal. The tenant ID is displayed in the Overview section, or you can find it in the URL when viewing your directory.
Subscription-Level Integration
For subscription-level integration, you'll need to provide:
- Tenant ID: Your Azure AD tenant ID (GUID format)
- Subscription ID: The specific Azure subscription ID you want to integrate
- Deployment Type: Choose Terraform
Step 2: Download Integration Template
After providing your tenant information, Chariot will generate the appropriate deployment template. This template is generated dynamically based on the information you provided.
- Click "Download IAC Template" to download the deployment files
- The template contains the app registration configuration, federated credentials, and role assignments pre-configured with your unique subject ID
- On submission, the next step will ask for an "Application ID", which you will get after completing the infrastructure deployment
NOTE: Your integration information is cached only while the browser tab stays open. You can close the integration modal with the X icon, run the IaC deployment, and return to the same tab to finish. If you close the tab, the cache is lost and a new dynamic template (with a new subject identifier) will be generated, so start again from Step 1 rather than reusing the old template.
Step 3: Deploy the Template
Follow the instructions for the deployment type you chose above, and make sure the deployment completes successfully before returning to Chariot to finish the integration.
Terraform Deployment (Recommended)
Open Azure Cloud Shell, which has Terraform pre-installed, or sign in to Azure from a workstation that has Terraform installed.
Ensure that the credentials you signed in with possess the necessary administrator privileges:
- Global Administrator
- User Access Administrator
- Subscription Owner (for subscription-level integration)
If you're integrating at the tenant level, you need rights on the tenant root management group. Being a Global Administrator is not enough on its own: Azure RBAC at the root scope ("/") is only granted when you elevate your access, which gives your account the User Access Administrator role at "/". In the Azure portal this is the "Access management for Azure resources" toggle under Microsoft Entra ID > Properties (the setting shown in the screenshot for this step). Remove that elevated assignment once the integration has been validated; neither you nor Chariot needs it afterwards.
If you're integrating a single subscription, set CLI to use that subscription:
az account set --subscription "YOUR_SUBSCRIPTION_ID"
Create a new directory and copy the template downloaded in Step 2 into it:
mkdir chariot-deployment && cd chariot-deployment
With the template files in place, initialize Terraform and create a plan:
terraform init && terraform plan
Review the planned changes carefully (and save the plan to a file if you want to apply exactly what you reviewed): the plan should create only the app registration, service principal, federated credential, Graph permission grants and the Security Reader assignment described below, and nothing with write access. Once satisfied, apply the changes and watch for errors:
terraform apply
Confirm the apply finished without errors, then read the Application ID from the outputs printed at the end of the run. You will enter this value in Chariot in Step 4.
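The deployment steps above, collected into one script. This is an added example, not Chariot's tooling or the downloaded template; it assumes the az CLI and Terraform are installed and signed in, that the template files are already in ./chariot-deployment, and that the template exposes the Application ID as a Terraform output named application_id (that name is an assumption; run terraform output to see the real one).

```shell
#!/bin/sh
# Added example, not Chariot's own tooling: the deployment steps from this
# page as one script. Assumptions: az CLI and Terraform are installed and
# signed in, the downloaded template files are already in ./chariot-deployment,
# and the template declares an output named "application_id" (run
# `terraform output` to see the real name if this differs).
set -e

# Tenant ID, Subscription ID and the Application ID Chariot asks for are all
# GUIDs; reject anything else before it reaches az or the Chariot modal.
is_guid() {
  printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Tenant-level only: a Global Administrator has no Azure RBAC rights at the
# root scope ("/") until elevated. This grants User Access Administrator at "/"
# to the signed-in account and is safe to repeat if the template also does it.
elevate_access() {
  az rest --method post \
    --url '/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01'
}

# Undo the elevation once the integration is validated; it is not needed for
# Chariot to operate and should not be left on an admin account.
remove_elevation() {
  me=$(az ad signed-in-user show --query userPrincipalName -o tsv)
  az role assignment delete --assignee "$me" --role "User Access Administrator" --scope "/"
}

# Usage: deploy_chariot <tenant-id> [subscription-id]
deploy_chariot() {
  tenant="$1"; sub="${2:-}"
  is_guid "$tenant" || { echo "tenant ID is not a GUID: $tenant" >&2; return 1; }
  if [ -n "$sub" ]; then
    is_guid "$sub" || { echo "subscription ID is not a GUID: $sub" >&2; return 1; }
    az account set --subscription "$sub"      # subscription-level integration
  else
    elevate_access                            # tenant-level integration
  fi
  cd chariot-deployment
  terraform init
  terraform plan -out=chariot.tfplan          # review this before applying
  terraform apply chariot.tfplan              # applies exactly the reviewed plan
  app_id=$(terraform output -raw application_id)
  is_guid "$app_id" || { echo "unexpected output value: $app_id" >&2; return 1; }
  echo "Application ID to paste into Chariot: $app_id"
}

# Only run when asked, so the file can also be sourced for its helpers:
#   CHARIOT_RUN=1 sh deploy.sh <tenant-id> [subscription-id]
if [ "${CHARIOT_RUN:-0}" = "1" ]; then
  deploy_chariot "$@"
fi
```

Pass only the tenant ID for a tenant-level integration, or the tenant ID and subscription ID for a subscription-level one. remove_elevation is deliberately not called automatically: run it after Step 4 succeeds, since the root-scope assignment on your own account is no longer needed once Chariot's role assignment exists.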
Under the hood, the Terraform template performs a number of actions. For the tenant-level integration, the template will:
- Create an Azure AD app registration for Chariot and its service principal
- Configure the required Microsoft Graph API permissions on the app registration
- Grant admin consent for those permissions automatically, so no interactive consent step is needed
- Set up a federated identity credential whose issuer is Chariot's Cognito user pool and whose subject is your unique subject identifier; this replaces a client secret, and Entra ID will only accept tokens that match both values exactly
- Elevate your access so that role assignments can be made at the tenant root (this must happen before the next step)
- Assign the Security Reader role to the service principal at the tenant root management group scope (the management group whose ID is your tenant ID), which is read-only
For a subscription-level integration, the template will:
- Perform the same app registration, service principal, Graph permission and federated credential steps as the tenant-level integration (elevation to the tenant root is not required)
- Assign the Security Reader role at the specific subscription scope selected for integration only
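A post-deployment check for the list above: it reads back the federated credential, the consented Graph permissions and the role assignments, and fails if the service principal holds anything other than Security Reader at the integration scope. This is an added example, not Chariot's code or the template's; it assumes an az CLI session with directory read rights, and the least-privilege rule it enforces (Security Reader only, at exactly one scope) is what this page describes rather than something the template itself enforces.

```shell
#!/bin/sh
# Added example, not Chariot's own tooling: read back what the template
# created and fail if the Chariot service principal holds anything beyond the
# read-only access described on this page. Needs az CLI signed in with
# directory read access.
set -e

# Scope the Security Reader assignment should be on. The tenant root
# management group's ID is the tenant ID itself.
expected_scope() {
  if [ -n "$2" ]; then printf '/subscriptions/%s\n' "$2"
  else printf '/providers/Microsoft.Management/managementGroups/%s\n' "$1"; fi
}

# $1: lines of "<role><TAB><scope>"; $2: the expected scope.
# Succeeds only if at least one assignment exists and every assignment is
# Security Reader at exactly $2 (anything broader fails the check).
check_assignments() {
  printf '%s\n' "$1" | {
    ok=0; bad=0
    while IFS="$(printf '\t')" read -r role scope; do
      [ -z "$role" ] && continue
      if [ "$role" = "Security Reader" ] && [ "$scope" = "$2" ]; then
        ok=1
      else
        echo "unexpected assignment: '$role' at '$scope'" >&2
        bad=1
      fi
    done
    [ "$ok" = 1 ] && [ "$bad" = 0 ]
  }
}

# Usage: verify_chariot <tenant-id> <application-id> [subscription-id]
verify_chariot() {
  tenant="$1"; app_id="$2"; sub="${3:-}"
  sp_obj=$(az ad sp show --id "$app_id" --query id -o tsv)

  echo "== Federated credential: issuer and subject must match your Chariot template =="
  az ad app federated-credential list --id "$app_id" \
    --query '[].{issuer:issuer,subject:subject,audiences:audiences}' -o table

  echo "== Admin-consented Graph application permissions (app role assignments) =="
  az rest --method get \
    --url "https://graph.microsoft.com/v1.0/servicePrincipals/$sp_obj/appRoleAssignments" \
    --query 'value[].{resource:resourceDisplayName,appRoleId:appRoleId}' -o table

  echo "== Azure RBAC: only Security Reader at the integration scope is expected =="
  assignments=$(az role assignment list --assignee "$app_id" --all \
    --query '[].[roleDefinitionName,scope]' -o tsv)
  check_assignments "$assignments" "$(expected_scope "$tenant" "$sub")" \
    || { echo "least-privilege check FAILED" >&2; return 1; }
  echo "least-privilege check passed"
}

# Only run when asked:  CHARIOT_VERIFY=1 sh verify.sh <tenant-id> <app-id> [subscription-id]
if [ "${CHARIOT_VERIFY:-0}" = "1" ]; then
  verify_chariot "$@"
fi
```

The federated-credential and permission listings are printed for you to compare against the template you downloaded; the RBAC check is the part that fails automatically, because an extra or broader role assignment is the mistake most likely to go unnoticed after an apply.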
Step 4: Complete Integration
- After deploying the template or completing manual setup, return to the Chariot integration modal
- Enter the Application ID value provided as an output of your deployment
- Click "Finish" to complete the integration
Chariot will automatically:
- Obtain an identity token from its Cognito user pool, the issuer named in your federated credential
- Exchange that token with Microsoft Entra ID for both an Azure Resource Manager token and a Microsoft Graph token (the exchange only succeeds if the token's issuer and subject match the federated credential exactly)
- Verify that the tokens work by making simple Azure API calls
- Add the integration to your integrations list upon successful validation
Support and Troubleshooting
If you encounter any issues during the Azure integration process or need additional assistance, our support team is here to help. Please don't hesitate to reach out to support@praetorian.com with:
- Details about your integration setup (tenant-level or subscription-level)
- Any error messages encountered during deployment
- Screenshots of relevant Azure portal configurations
- Your Application ID and Tenant ID for reference
Our team will work with you to resolve any integration challenges and ensure your Azure environment is properly connected to Chariot for comprehensive security monitoring.