
Microsoft Azure

Cloud · OAuth 2.0 · Live

Connect your customers' Azure subscriptions so your product can read resource groups, virtual machines, and ARM resources without handling per-customer secrets. The customer's Azure admin consents on Microsoft's own screen and Askel manages token refresh from there.

What you can do

List subscriptions and resource groups

Read all subscriptions the consented user can access and all resource groups within each, including tags and location. Lets your product scope later reads without additional setup.

Inventory virtual machines across all regions

Fetch VM names, sizes, power state, OS type, and associated resource group. Covers all Azure regions in a single authenticated session.

Read storage accounts and blob container policies

List storage accounts with their SKU, replication type, and public access settings. Useful for flagging accounts whose account-level setting still permits anonymous blob access during a security review.

Inspect Azure RBAC role assignments

Pull role assignments at the subscription or resource group scope to see which principals hold which built-in or custom roles. Surface overly broad Owner or Contributor grants.

Read network security groups and their rules

Fetch NSG rules including source and destination address ranges, ports, and allow or deny actions. Verify that inbound internet access is restricted to expected ports before go-live.

Query Azure Policy compliance state

Read policy assignment results to see which resources are compliant and which are in a non-compliant state, without asking the customer to export their policy dashboard.

Sample use case

Establishing a cloud security baseline for a new customer

You sell a cloud security posture product. A new customer, Pinnacle Logistics Group, runs their ERP and warehouse management systems on Azure across two subscriptions: production and development. Your product needs to read their VM inventory, check NSG rules, and review RBAC assignments before the initial findings meeting.

1. Admin opens the connection wizard

   Pinnacle's Global Administrator clicks Connect Microsoft Azure in your product's onboarding flow. Askel redirects to Microsoft's consent screen, which lists the Azure Resource Manager and Microsoft Graph permissions Askel requests. Global Administrator is an Entra ID directory role and does not by itself grant Azure RBAC access, so the consenting account must also hold at least Reader on each subscription to be read (see Authentication).

2. Consent and token exchange

   The admin approves the consent, and Askel records the connection against the production subscription. Microsoft issues an access token and a refresh token. Askel stores only the refresh token; access tokens are obtained from the Microsoft identity platform token endpoint as needed.

3. Repeat for development subscription

   The admin adds the development subscription through the same OAuth flow. Each subscription is stored as a separate Askel connection under the same customer record.

4. Resource inventory pull

   Askel reads VMs, storage accounts, NSGs, and RBAC assignments across both subscriptions. Your product receives structured data within minutes, without Pinnacle exporting anything.

5. Findings ready before the meeting

   Your dashboard shows 18 VMs, 2 storage accounts with anonymous blob access, 4 NSG rules allowing inbound traffic from 0.0.0.0/0, and 3 users with Owner at subscription scope. The findings meeting starts from concrete data.
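The three findings above (anonymous blob access, inbound rules open to the internet, Owner or Contributor at subscription scope) are simple to evaluate once the ARM responses are in hand. The following is an added example, not Askel's code: it runs the checks over constructed records that mirror the JSON shapes the Azure Resource Manager REST API returns for network security groups, storage accounts and role assignments. The subscription ID, resource names and principal IDs are made up; the Owner and Contributor role definition GUIDs are the real built-in ones.

```python
"""Baseline checks over ARM-shaped inventory data (added example, not Askel's code).

The records in SAMPLE_INVENTORY are constructed to mirror ARM responses for
Microsoft.Network/networkSecurityGroups, Microsoft.Storage/storageAccounts and
Microsoft.Authorization/roleAssignments. IDs and names are made up.
"""
from dataclasses import dataclass

# Built-in role definition GUIDs (identical in every tenant).
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
CONTRIBUTOR_ROLE_ID = "b24988ac-6180-42a0-ab88-20f7382dd24c"
# Source prefixes that mean "anyone on the internet" in an NSG rule.
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0", "::/0"}

SUB_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed


@dataclass(frozen=True)
class Finding:
    kind: str
    resource: str
    detail: str


def _values(props, single, plural):
    """ARM rules carry either the singular field or the plural list; merge both."""
    values = set(props.get(plural) or [])
    if props.get(single):
        values.add(props[single])
    return values


def internet_exposed_rules(nsg):
    """Inbound Allow rules reachable from the whole internet.

    NSG rules are evaluated by ascending priority and the first match wins, so an
    Allow is skipped when a lower-numbered Deny from an internet-wide source
    already covers its ports (or every port via "*").
    """
    findings, denied_ports = [], set()
    rules = sorted(nsg["properties"].get("securityRules", []),
                   key=lambda r: r["properties"]["priority"])
    for rule in rules:
        p = rule["properties"]
        sources = _values(p, "sourceAddressPrefix", "sourceAddressPrefixes") & INTERNET_SOURCES
        if p["direction"] != "Inbound" or not sources:
            continue
        ports = _values(p, "destinationPortRange", "destinationPortRanges")
        if p["access"] == "Deny":
            denied_ports |= ports
            continue
        if "*" in denied_ports or ports <= denied_ports:
            continue  # shadowed by a higher-priority Deny
        findings.append(Finding("nsg_inbound_any", f"{nsg['name']}/{rule['name']}",
                                f"ports {sorted(ports)} open to {sorted(sources)}"))
    return findings


def anonymous_blob_accounts(accounts):
    """Accounts whose allowBlobPublicAccess switch still permits anonymous containers.

    The flag alone exposes nothing; it lets a container's publicAccess be set to
    Blob or Container. The hardened posture is false at the account level.
    """
    return [Finding("storage_anonymous_blob", a["name"], "allowBlobPublicAccess=true")
            for a in accounts if a["properties"].get("allowBlobPublicAccess") is True]


def broad_subscription_grants(assignments, sub_scope=SUB_SCOPE):
    """Owner or Contributor assigned directly at subscription scope.

    Grants inherited from a management group carry a
    /providers/Microsoft.Management/managementGroups/... scope and need a
    separate listing at that scope.
    """
    kinds = {OWNER_ROLE_ID: "owner_at_subscription", CONTRIBUTOR_ROLE_ID: "contributor_at_subscription"}
    findings = []
    for a in assignments:
        p = a["properties"]
        role_id = p["roleDefinitionId"].rsplit("/", 1)[-1].lower()
        if p["scope"].lower() == sub_scope.lower() and role_id in kinds:
            findings.append(Finding(kinds[role_id], p["principalId"], p.get("principalType", "Unknown")))
    return findings


def baseline(inventory):
    """Run every check over one subscription's inventory."""
    findings = []
    for nsg in inventory["nsgs"]:
        findings += internet_exposed_rules(nsg)
    findings += anonymous_blob_accounts(inventory["storage_accounts"])
    findings += broad_subscription_grants(inventory["role_assignments"], inventory["scope"])
    return findings


def _role(role_id):
    return f"{SUB_SCOPE}/providers/Microsoft.Authorization/roleDefinitions/{role_id}"


SAMPLE_INVENTORY = {  # constructed, ARM-shaped
    "scope": SUB_SCOPE,
    "nsgs": [
        {"name": "web-nsg", "properties": {"securityRules": [
            {"name": "AllowSSH", "properties": {"priority": 100, "direction": "Inbound", "access": "Allow",
             "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"}},
            {"name": "AllowWeb", "properties": {"priority": 110, "direction": "Inbound", "access": "Allow",
             "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]}},
            {"name": "AllowRdpOffice", "properties": {"priority": 120, "direction": "Inbound", "access": "Allow",
             "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "3389"}}]}},
        {"name": "db-nsg", "properties": {"securityRules": [
            {"name": "DenyInternet", "properties": {"priority": 100, "direction": "Inbound", "access": "Deny",
             "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": "*"}},
            {"name": "AllowSql", "properties": {"priority": 200, "direction": "Inbound", "access": "Allow",
             "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "1433"}}]}},
    ],
    "storage_accounts": [
        {"name": "pinnacleprodlogs", "sku": {"name": "Standard_LRS"}, "properties": {"allowBlobPublicAccess": True}},
        {"name": "pinnacleerpbackups", "sku": {"name": "Standard_GRS"}, "properties": {"allowBlobPublicAccess": False}},
    ],
    "role_assignments": [
        {"name": "ra-1", "properties": {"principalId": "user-aaaa", "principalType": "User",
                                        "scope": SUB_SCOPE, "roleDefinitionId": _role(OWNER_ROLE_ID)}},
        {"name": "ra-2", "properties": {"principalId": "group-bbbb", "principalType": "Group",
                                        "scope": SUB_SCOPE, "roleDefinitionId": _role(CONTRIBUTOR_ROLE_ID)}},
        {"name": "ra-3", "properties": {"principalId": "user-cccc", "principalType": "User",
                                        "scope": f"{SUB_SCOPE}/resourceGroups/rg-erp", "roleDefinitionId": _role(OWNER_ROLE_ID)}},
    ],
}

if __name__ == "__main__":
    for f in baseline(SAMPLE_INVENTORY):
        print(f"{f.kind:28} {f.resource:26} {f.detail}")
```

On the sample data the AllowSql rule in db-nsg is not reported, because the lower-numbered DenyInternet rule shadows it; the Owner grant on the rg-erp resource group is likewise not reported, since only subscription-scope grants are in question here. Real NSG evaluation also involves the default rules and any application security groups, so treat this as the first pass that produces candidates for review.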

Authentication

OAuth 2.0

The customer's Azure admin (holding at least the Reader role on each target subscription) consents on Microsoft's standard OAuth screen. Askel requests the delegated Azure Resource Manager permission (management.azure.com, scope user_impersonation) and Microsoft Graph scopes for user data. ARM exposes no separate read-only scope: a delegated token can do whatever the consenting user can, so its reach is bounded by that user's RBAC assignments. If the consenting account holds Owner or Contributor, tokens issued to Askel inherit that ability; consenting with a dedicated account that holds only Reader keeps the integration read-only in practice. Only the refresh token is stored; access tokens are obtained from the Microsoft identity platform token endpoint as needed. Because the endpoint returns a replacement refresh token on each redemption, the stored token is updated after every refresh.
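The refresh described above is a single POST to the v2.0 token endpoint, but two details decide whether a connection keeps working for months: the reply carries a new refresh token that must overwrite the stored one, and the access token should be cached until shortly before it expires rather than fetched per ARM call. The following is an added example, not Askel's code, showing that request and a small token store around it. The transport is injectable so the flow can run offline; FakeTokenEndpoint, the tenant and client values, and every token string are constructed for the demonstration.

```python
"""Refresh-token handling against the Microsoft identity platform v2.0 endpoint.

Added example, not Askel's code. Tenant, client and token strings are constructed;
FakeTokenEndpoint stands in for login.microsoftonline.com so the flow runs offline.
"""
import json
import time
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

ARM_SCOPE = "https://management.azure.com/.default"  # every consented ARM permission


def token_endpoint(tenant_id):
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def refresh_body(client_id, client_secret, refresh_token, scope=ARM_SCOPE):
    """Form body for grant_type=refresh_token from a confidential client."""
    return urlencode({"client_id": client_id, "client_secret": client_secret,
                      "grant_type": "refresh_token", "refresh_token": refresh_token,
                      "scope": scope})


def http_post(url, body):
    """Real transport: POST the form body and decode the JSON reply, including 4xx errors."""
    req = Request(url, data=body.encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req) as resp:
            return json.loads(resp.read())
    except HTTPError as err:  # token errors come back as 400 with a JSON body
        return json.loads(err.read())


class TokenStore:
    """Holds one connection's refresh token plus a cached access token."""

    def __init__(self, tenant_id, client_id, client_secret, refresh_token,
                 post=http_post, clock=time.time):
        self.tenant_id, self.client_id, self.client_secret = tenant_id, client_id, client_secret
        self.refresh_token = refresh_token
        self._post, self._clock = post, clock
        self._access_token, self._expires_at = None, 0.0
        self.refresh_count = 0

    def access_token(self, skew=300):
        """Return a token valid for at least `skew` more seconds, refreshing if needed."""
        if self._access_token and self._clock() < self._expires_at - skew:
            return self._access_token
        reply = self._post(token_endpoint(self.tenant_id),
                           refresh_body(self.client_id, self.client_secret, self.refresh_token))
        if "access_token" not in reply:
            # invalid_grant is what appears once the consenting user is disabled or
            # their sessions are revoked: the remedy is re-consent, not a retry.
            raise PermissionError(f"{reply.get('error')}: {reply.get('error_description')}")
        self._access_token = reply["access_token"]
        self._expires_at = self._clock() + int(reply["expires_in"])
        if reply.get("refresh_token"):  # rotation: the old token is now superseded
            self.refresh_token = reply["refresh_token"]
        self.refresh_count += 1
        return self._access_token


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint, for offline demonstration only."""

    def __init__(self):
        self.calls, self.revoked = 0, False

    def __call__(self, url, body):
        self.calls += 1
        if self.revoked:
            return {"error": "invalid_grant", "error_description": "constructed: user disabled"}
        return {"token_type": "Bearer", "expires_in": 3600, "scope": ARM_SCOPE,
                "access_token": f"at-{self.calls}", "refresh_token": f"rt-{self.calls}"}


def demo():
    """Exercise caching, rotation and revocation against the fake endpoint."""
    endpoint, now = FakeTokenEndpoint(), [1_700_000_000.0]
    store = TokenStore("tenant-constructed", "client-constructed", "secret-constructed",
                       "rt-initial", post=endpoint, clock=lambda: now[0])
    first = store.access_token()    # refresh 1
    cached = store.access_token()   # well inside expiry: served from cache
    now[0] += 3600 - 60             # inside the skew window: must refresh again
    second = store.access_token()   # refresh 2, refresh token rotated to rt-2
    endpoint.revoked = True
    now[0] += 7200
    try:
        store.access_token()
        revoked = None
    except PermissionError as err:
        revoked = str(err)
    return {"first": first, "cached": cached, "second": second,
            "refresh_token": store.refresh_token, "calls": endpoint.calls, "revoked": revoked}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Persist `store.refresh_token` after every successful call, not just after the initial consent; if the process dies between the endpoint rotating the token and the write, the stored value is stale and the connection has to be re-consented, which is the same recovery path as the disabled-user case in the FAQ below.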

Data flow

How Askel sits between your product and the customer's system

Customer's Azure subscription (API endpoint) -> Askel (auth, mapping, drift) -> Your product (your backend)

Data read: subscriptions, virtual machines, storage accounts, RBAC assignments, NSG rules, policy compliance.

FAQ for Microsoft Azure

What Azure role does the consenting user need?
Reader at the subscription scope is the minimum required for inventory reads. To read several subscriptions with one consenting account, assign Reader at the management group or Tenant Root Group level so it is inherited. For policy compliance data, the Policy Reader role is also needed.
Does this use a service principal or a user account?
Consent is granted to Askel's registered Entra ID (Azure AD) application. Granting it registers a service principal (enterprise application) for that app in the customer's tenant, as it does for any consented app, but that object has no credentials of its own and holds no Azure RBAC roles. The tokens issued are delegated: they act as the consenting user, limited to the scopes they approved and to what that user's own RBAC assignments allow. Askel does not create a dedicated service principal with its own secret or role assignments in the customer's subscription.
What happens if the admin who consented leaves the company?
The refresh token is tied to the consenting user account. If that account is disabled or deleted, or its sign-in sessions are revoked, token refresh fails and the connection stops reading. The customer should have a new admin re-consent from your product's connection page, which replaces the stored token.
Can we read Azure Active Directory (Entra ID) data through this integration?
The Azure integration covers ARM resources (VMs, storage, NSGs, RBAC). For Entra ID data such as users, groups, and conditional-access policies, use the Microsoft Entra ID integration, which targets the Microsoft Graph API with different scopes.
Security & Compliance
ISO 27001 Certified
GDPR Compliant

© 2025 Askel.ai. All rights reserved.