HashiCorp Cloud Platform
Connect Infragraph to Azure
The Azure connection connects your Microsoft Azure data to the resource graph.
Set up the connection
Complete the following steps to establish a new Azure connection:
- From the Resource graph Overview at the top right, click Create Connection.
- Select Microsoft Azure from the list of data sources.
- Click Select Microsoft Azure.
- Under Connection target, enter your Azure Tenant ID. This identifies the Microsoft Entra tenant that Infragraph connects to. To find your Tenant ID, navigate to Microsoft Entra ID in the Azure portal and copy the Tenant ID field on the Overview page.
- Click View Terraform module in Registry to review the Azure App Registration, Federated Identity Credential, and Role Assignment requirements.
- Copy the generated module block and add it to your HCP Terraform or Terraform Enterprise linked VCS repository.
- Configure your Azure credentials. Refer to the Azure Terraform provider authentication documentation for more information.
- Run a Terraform apply operation to create the required resources in your Azure environment.
- Copy the application_id output value and paste it into the Application (client) ID field in the connection setup page.
- We recommend clicking the module repo link and subscribing to the module GitHub repository to be notified of changes to ensure your connections continue to work.
- Click the Provide connection details button.
- On the Provide connection details page, choose one of the following Sync scopes:
- Management Group: Infragraph syncs all accounts in the organization. This is best for organizations using Azure Management Groups. Enter the Management Group ID. Infragraph syncs all subscriptions under this management group. This option requires the Management Group Reader and Reader roles at the management group scope.
- Specific Subscriptions: Infragraph only syncs data from the specified accounts. This is best for granular control. Enter the Subscription IDs for Infragraph to sync. You can manually enter IDs separated by commas or new lines or click Upload CSV to import up to 100 accounts in bulk.
- Click the Create connection button.
Infragraph only requires read-only permissions. The Terraform module assigns the Azure Reader role at the appropriate scope level. Some resource types, such as Key Vault secrets, may require additional reader roles, such as Key Vault Reader, to discover metadata. Refer to Troubleshooting for more information.
Sync Azure data
To find the current sync status for your connector, complete the following steps:
- Click Connections in your HCP organization's left navigation panel.
- Check the connection sync status.
Infragraph reports one of the following statuses:
- Awaiting initial sync means that the connection was created but Infragraph has not initiated the first data sync.
- Successful means there were no errors in the latest sync and Infragraph synced the data.
- Partial failure means at least one error occurred in the latest sync.
To manually initiate a new sync, select Sync connection from the … menu in the Actions column.
View Azure data
To find Azure data connected to your resource graph, complete any of the following actions:
- Go to the Inventory page. Click an individual resource type to view it in the graph explorer.
- Query resources with a saved query that includes Azure resources.
- Build the query from scratch using Azure resources in the query editor.
Troubleshoot Key Vault secret metadata discovery issues
The following guidance can help you resolve issues connecting to and viewing Azure data.
Key Vault secret metadata discovery issues
During the sync, the Azure connector discovers Key Vault secret metadata properties such as enabled status, expiry dates, content type, and tags, but it does not retrieve secret values.
If the Infragraph connector finds Azure Key Vaults using the legacy Access Policies model, the Sync status shows as Partially successful. This is because Access Policies are configured per vault and do not honor RBAC role assignments of the Infragraph connector.
We recommend either of the following options to resolve this issue.
Migrate to Azure RBAC
Complete the following steps to migrate your Key Vault to use Azure RBAC instead of Access Policies:
- In the Azure Portal, navigate to your Key Vault.
- Go to Access configuration.
- Change the permission model to Azure role-based access control.
- Click Save.
Refer to the Azure Key Vault RBAC migration guide for detailed instructions.
Add Access Policy for each vault
If you cannot migrate to RBAC, manually add an Access Policy granting List permission under Secret Permissions for the connector service principal on each Key Vault that uses Access Policies.
You can manually configure this using the Azure Portal or automate it using the following Azure CLI command or Terraform configuration.
You only need to grant the List permission under Secret Permissions. We recommend that you follow the principle of least privilege and not grant the service principal extra permissions. The Infragraph connector does not require permissions to read secret values.
Use the az keyvault set-policy command to grant the List permission to the service principal, for example:
$ az keyvault set-policy \
--name <vault-name> \
--object-id <service-principal-object-id> \
--secret-permissions list
The following Terraform configuration uses the azurerm_key_vault_access_policy resource to grant the List permission to the service principal:
resource "azurerm_key_vault_access_policy" "infragraph" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_subscription.primary.tenant_id
  # Object ID of the Infragraph connector's service principal
  object_id    = azuread_service_principal.example.object_id
  # Least privilege: List only, so the connector can enumerate secret metadata but never read values
  secret_permissions = ["List"]
}
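To find which vaults still use the legacy Access Policies model and whether the connector service principal already holds List on secrets, the following added Python example (not part of this page or the Infragraph product) audits vault definitions and emits the az CLI grant shown above for each vault that needs it; it also flags policies that grant the connector more than List, per the least-privilege note. It assumes the field names of az keyvault show -o json output; the vault names and object IDs are constructed placeholders.

```python
import json

# Constructed sample (assumption: same field names as `az keyvault show -o json`
# output; vault names and object IDs are invented placeholders).
SAMPLE_VAULTS = json.loads("""[
 {"name": "kv-rbac", "properties": {"enableRbacAuthorization": true, "accessPolicies": []}},
 {"name": "kv-legacy-missing", "properties": {"enableRbacAuthorization": false, "accessPolicies": [
   {"objectId": "11111111-1111-1111-1111-111111111111", "permissions": {"secrets": ["Get", "List"]}}]}},
 {"name": "kv-legacy-ok", "properties": {"enableRbacAuthorization": false, "accessPolicies": [
   {"objectId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "permissions": {"secrets": ["list"]}}]}},
 {"name": "kv-legacy-wide", "properties": {"enableRbacAuthorization": false, "accessPolicies": [
   {"objectId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "permissions": {"secrets": ["Get", "List", "Set"]}}]}}
]""")
CONNECTOR_OBJECT_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"  # placeholder connector SP object id


def audit_vaults(vaults, connector_object_id):
    """Map vault name -> state relative to the connector service principal.
    rbac        : Azure RBAC model, the module's Reader role assignment applies
    needs-list  : legacy Access Policies, connector lacks List on secrets
    ok          : legacy model, connector holds exactly List (least privilege)
    over-granted: legacy model, connector holds more than List on secrets
    """
    states = {}
    for vault in vaults:
        props = vault.get("properties", {})
        if props.get("enableRbacAuthorization", False):
            states[vault["name"]] = "rbac"
            continue
        granted = set()
        for policy in props.get("accessPolicies", []):
            if policy.get("objectId", "").lower() == connector_object_id.lower():
                # Permission names come back in mixed case; compare case-insensitively.
                granted |= {p.lower() for p in policy.get("permissions", {}).get("secrets", [])}
        if "list" not in granted:
            states[vault["name"]] = "needs-list"
        elif granted == {"list"}:
            states[vault["name"]] = "ok"
        else:
            states[vault["name"]] = "over-granted"
    return states


def remediation_commands(states, connector_object_id):
    """The page's az CLI grant, one line per vault still missing List."""
    return [f"az keyvault set-policy --name {n} --object-id {connector_object_id} --secret-permissions list"
            for n, s in sorted(states.items()) if s == "needs-list"]
```

Feed it the real output of az keyvault list -o json (or az keyvault show per vault) in place of the sample, and review any vault reported as over-granted before trimming its policy by hand.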