Azure Reader Service Principal
The simplest way to connect Azure. Creates a service principal with the minimum role required (Reader at the chosen scope) and nothing else.
What you'll need
- Azure subscription, management group, or tenant root (whichever scope you want VinTekh to read).
- Permission to create an app registration in your Entra tenant (or someone who can do it for you).
- Permission to assign Reader at the chosen scope (Owner or User Access Administrator).
Step 1 — Create the app registration
Run from your laptop or Cloud Shell:
# Pick a display name + the scope you want to read
APP_NAME="vintekh-reader"
SCOPE="/subscriptions/<your-subscription-id>" # or /providers/Microsoft.Management/managementGroups/<id>
# Create app + SP
APP_ID=$(az ad app create --display-name "$APP_NAME" --query appId -o tsv)
az ad sp create --id "$APP_ID" >/dev/null
# Generate a client secret (valid 24 months)
SECRET=$(az ad app credential reset --id "$APP_ID" --years 2 --append --query password -o tsv)
TENANT=$(az account show --query tenantId -o tsv)
# Assign Reader at the scope you want to read
# (if this reports that the principal does not exist, wait a few seconds and retry: the new SP takes a moment to replicate)
az role assignment create --assignee "$APP_ID" --role "Reader" --scope "$SCOPE"
echo "Tenant ID: $TENANT"
echo "Client ID: $APP_ID"
echo "Client secret: $SECRET" # ← copy now; can't retrieve later
Step 2 — Paste into VinTekh
- Open Sources → Azure.
- Paste the three values (Tenant ID, Client ID, Client Secret).
- (Optional) Limit the SP to specific subscriptions if your scope is broader than you want VinTekh to read.
- Save.
Step 3 — Verify
Within ~60 seconds you should see:
- Source status Healthy.
- Resources appearing on the Resources page.
- If you have Defender for Cloud enabled, findings on Issues.
What roles are NOT needed
VinTekh never needs Owner, Contributor, User Access Administrator, or any data-plane key. If a wizard or guide ever asks for one of those, treat it as a bug and tell us.
Permissions inventory
What Reader actually grants us (and why):
- List + read all resource metadata (inventory + topology joins).
- Read role assignments + group memberships (identity reasoning).
- Read Defender for Cloud assessments + Secure Score (posture).
- Read Policy compliance state (governance).
- Read Activity Log (change correlation).
- Read Monitor metrics + diagnostic settings (observability).
We cannot read data-plane content (blob contents, SQL row data, secrets in Key Vault, etc.) — that requires data-plane roles which we never ask for.
Common problems
- Sync immediately fails 401: wrong client secret. Generate a fresh one and paste again.
- Sync succeeds but 0 resources: Reader role was assigned at the wrong scope. Re-assign at subscription or management-group level.
- Conditional Access denies the SP: ask your identity admin to exclude the SP from the policy or add a workload-identity exemption.
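The two checks above that are easiest to get wrong (an extra role the SP never needed, or Reader assigned at a scope that does not cover what you want to read) can be audited from the CLI's own JSON. The script below is an added example, not VinTekh code: it takes the output of `az role assignment list --assignee <appId> --all -o json` and `az ad app credential list --id <appId> -o json`, flags roles from the "not needed" list, confirms a Reader assignment actually covers the expected scope, and reports how long the client secret has left. The assignment and credential JSON embedded in it is constructed sample data with placeholder ids.

```python
"""Least-privilege audit for a VinTekh Reader service principal.

Added example (not part of VinTekh's documentation or product). Inputs are
the JSON printed by:
  az role assignment list --assignee <appId> --all -o json
  az ad app credential list --id <appId> -o json
"""
import json
from datetime import datetime, timezone

# Roles the doc says VinTekh never needs; any of these is a finding.
NOT_NEEDED = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample: an SP that got Reader at the subscription, plus a
# leftover Contributor grant on a resource group. Ids are placeholders.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "Reader",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
    {"roleDefinitionName": "Contributor",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-legacy"},
])

# Constructed sample of the app's password credentials.
SAMPLE_CREDENTIALS = json.dumps([
    {"displayName": "vintekh-reader", "endDateTime": "2027-01-15T10:00:00Z"},
])


def scope_covers(assigned, wanted):
    """True when a grant at `assigned` is inherited by `wanted`.

    Only path containment is checked. Whether a subscription sits under a
    given management group is not visible in the scope string, so the caller
    reports management-group grants as 'confirm manually'."""
    assigned = assigned.rstrip("/") or "/"
    if assigned == "/":          # tenant root scope covers everything
        return True
    return wanted == assigned or wanted.startswith(assigned + "/")


def audit_assignments(raw_json, expected_scope):
    """Return a list of findings; an empty list means exactly Reader at scope."""
    findings = []
    reader_ok = False
    mg_seen = False
    for a in json.loads(raw_json):
        role = a.get("roleDefinitionName", "?")
        scope = a.get("scope", "")
        if role in NOT_NEEDED:
            findings.append(f"remove {role} at {scope}: VinTekh never needs it")
        elif role != "Reader":
            findings.append(f"unexpected role {role} at {scope}")
        elif scope_covers(scope, expected_scope):
            reader_ok = True
        elif "/managementGroups/" in scope:
            mg_seen = True
            findings.append(f"Reader at {scope}: confirm this management group contains {expected_scope}")
        else:
            # The 'sync succeeds but 0 resources' case from the troubleshooting list.
            findings.append(f"Reader at {scope} does not cover {expected_scope} (sync will return 0 resources)")
    if not reader_ok and not mg_seen:
        findings.append(f"no Reader assignment covering {expected_scope}")
    return findings


def secret_days_left(raw_json, now=None):
    """Days until the soonest client-secret expiry; negative means expired,
    None means the app has no password credential at all."""
    now = now or datetime.now(timezone.utc)
    ends = [datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00"))
            for c in json.loads(raw_json)]
    if not ends:
        return None
    return (min(ends) - now).days


if __name__ == "__main__":
    expected = "/subscriptions/11111111-1111-1111-1111-111111111111"
    for finding in audit_assignments(SAMPLE_ASSIGNMENTS, expected) or ["OK: Reader only, at expected scope"]:
        print(finding)
    print("client secret expires in", secret_days_left(SAMPLE_CREDENTIALS), "days")
```

Run it against real output by piping the two `az` commands into files and loading them instead of the samples; an empty findings list is the state this page describes, and a negative day count is the usual cause of the 401 listed above.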