Contributor or Reader role on target subscriptions
| Requirement | Details |
|---|---|
| Azure AD | Application registration permissions |
| Tenant ID | df4d171f-6cca-4c87-84cd-f299e4fca3a9 (StackFlow default) or your org tenant |
| StackFlow role | super_admin or cloud_admin |
Step 1: Create Service Principal
```bash
# Create a service principal with the Reader role on your subscription
az ad sp create-for-rbac --name "StackFlow-CloudIntegration" \
  --role Reader \
  --scopes /subscriptions/YOUR_SUBSCRIPTION_ID \
  --sdk-auth

# Output includes:
# {
#   "clientId": "...",
#   "clientSecret": "...",
#   "subscriptionId": "...",
#   "tenantId": "df4d171f-6cca-4c87-84cd-f299e4fca3a9"
# }

# For Azure Monitor alert webhooks, also grant Monitoring Reader:
az role assignment create --assignee SERVICE_PRINCIPAL_OBJECT_ID \
  --role "Monitoring Reader" \
  --scope /subscriptions/YOUR_SUBSCRIPTION_ID
```
Service Principal Secret Rotation: Azure service principal client secrets expire (default 1 year). StackFlow stores them in Secrets Manager and the StackFlowGenericSecretRotation Lambda handles rotation. Configure a reminder 30 days before expiry.
Step 2: Configure Azure Monitor Alerts
1. In Azure Portal, go to Monitor → Alerts → Action Groups → Create
2. Create an action group named StackFlow Alerts
3. Add an action of type Webhook with URL: https://your-instance.stackflow-tech.com/prod/api/webhooks/inbound/azure-monitor
4. Enable Use common alert schema
5. Assign this action group to your Azure Monitor alert rules
Step 3: Enable Entra ID User Sync
StackFlow can sync users and groups from Microsoft Entra ID (formerly Azure AD) using the Microsoft Graph API. Grant the service principal the following Graph API application permissions:
| Permission | Purpose |
|---|---|
| User.Read.All | Read user profiles for sync |
| Group.Read.All | Read group memberships for role mapping |
| Directory.Read.All | Read org structure for department mapping |
Step 4: AKS and VM CMDB Sync
StackFlow discovers Azure resources via the Azure Resource Manager API and creates CMDB CIs:
| Azure Resource | CMDB CI Class | Key Attributes |
|---|---|---|
| Virtual Machine | azure_vm | name, size, OS, resource group, region, private IP |
| AKS Cluster | azure_aks | cluster_name, k8s_version, node_pools, region |
| Azure SQL / Cosmos DB | azure_database | server_name, database, tier, region |
| App Service | azure_app_service | app_name, plan, region, runtime |
| Storage Account | azure_storage | account_name, sku, access_tier, region |
Step 5: Connect in StackFlow
1. Navigate to Admin → Integration Hub → Microsoft Azure → Configure
2. Enter Tenant ID, Subscription ID, Client ID, and Client Secret
3. Select Azure regions and resource types to discover
4. Enable Entra ID user sync and configure group-to-role mapping
5. Set the Azure Monitor webhook URL in the Azure action group
6. Click Save & Test
Field Reference
| Field | Required | Description |
|---|---|---|
| Tenant ID | Yes | Azure AD tenant ID |
| Subscription ID | Yes | Target Azure subscription |
| Client ID | Yes | Service principal application (client) ID |
| Client Secret | Yes | Service principal client secret |
| Regions | No | Azure regions to discover (default: all) |
| Entra ID Sync | No | Enable user/group sync from Entra ID (default: false) |
| CMDB Discovery | No | Enable Azure resource discovery to CMDB (default: true) |
Testing the Integration
1. Click Test Service Principal to verify credentials and permissions
2. Click Run Discovery Now and verify Azure VMs/AKS clusters appear in CMDB
3. Send a test alert from the Azure Monitor action group and verify incident creation
Troubleshooting
| Issue | Cause | Fix |
|---|---|---|
| AADSTS70011 error | Invalid scope for Graph API | Add https://graph.microsoft.com/.default to token request scope |
| Resources not discovered | Reader role not applied to all resource groups | Apply Reader role at subscription scope, not resource group level |
| Alert webhook 400 error | Common schema not enabled | Enable Use common alert schema in Azure action group |
| User sync incomplete | Directory.Read.All not consented | Grant admin consent for Graph API permissions in Azure AD app registration |
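The following is an added illustration, not StackFlow's own webhook handler: it parses an Azure Monitor common alert schema payload (Step 2), rejects a body without `schemaId` the way the "Alert webhook 400 error" row describes, and maps the alert's target resource IDs to the CMDB CI classes from the Step 4 table. The resource-type-to-CI-class mapping, the P1..P5 priority scale and the sample payload are assumptions constructed for the example.

```python
import json

# Assumed mapping (not StackFlow's): ARM resource type -> CMDB CI class from the Step 4 table
CI_CLASS_BY_TYPE = {
    "microsoft.compute/virtualmachines": "azure_vm",
    "microsoft.containerservice/managedclusters": "azure_aks",
    "microsoft.sql/servers": "azure_database",
    "microsoft.documentdb/databaseaccounts": "azure_database",
    "microsoft.web/sites": "azure_app_service",
    "microsoft.storage/storageaccounts": "azure_storage",
}
# Azure severities run Sev0 (critical) .. Sev4 (verbose); the P1..P5 priorities are assumed
PRIORITY_BY_SEVERITY = {"Sev0": "P1", "Sev1": "P2", "Sev2": "P3", "Sev3": "P4", "Sev4": "P5"}


def parse_resource_id(resource_id):
    """Split an ARM resource ID into subscription, resource group, type and name."""
    parts = resource_id.strip("/").split("/")
    # Layout: subscriptions/<sub>/resourceGroups/<rg>/providers/<namespace>/<type>/<name>
    if len(parts) < 8 or parts[0].lower() != "subscriptions" or parts[4].lower() != "providers":
        raise ValueError(f"unexpected resource id: {resource_id}")
    return {"subscription": parts[1], "resource_group": parts[3],
            "type": f"{parts[5]}/{parts[6]}".lower(), "name": parts[7]}


def alert_to_incident(body):
    """Map a webhook body to (http_status, incident fields); 400 mirrors the troubleshooting row."""
    try:
        alert = json.loads(body)
    except json.JSONDecodeError:
        return 400, {"error": "body is not JSON"}
    # Without the common schema the body carries no schemaId and no data.essentials block
    if alert.get("schemaId") != "azureMonitorCommonAlertSchema":
        return 400, {"error": "enable 'Use common alert schema' on the action group"}
    ess = alert["data"]["essentials"]
    targets = [parse_resource_id(t) for t in ess.get("alertTargetIDs", [])]
    return 200, {
        "action": "resolve" if ess.get("monitorCondition") == "Resolved" else "create",
        "priority": PRIORITY_BY_SEVERITY.get(ess.get("severity"), "P5"),
        "title": f"{ess['alertRule']} ({ess.get('signalType', 'Unknown')})",
        "alert_id": ess["alertId"],
        "cis": [dict(t, ci_class=CI_CLASS_BY_TYPE.get(t["type"], "azure_resource")) for t in targets],
    }


# Constructed sample payload in the common alert schema (not a captured alert)
SAMPLE_ALERT = json.dumps({"schemaId": "azureMonitorCommonAlertSchema", "data": {"essentials": {
    "alertId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.AlertsManagement/alerts/abc",
    "alertRule": "High CPU", "severity": "Sev2", "signalType": "Metric", "monitorCondition": "Fired",
    "alertTargetIDs": ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
                       "/providers/Microsoft.Compute/virtualMachines/web-01"]}, "alertContext": {}}})
```

A `Resolved` alert for the same `alertId` yields `action: resolve`, which is what lets the receiving side close the incident it opened on `Fired`.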