The Azure integration discovers subscriptions, resource groups, and RBAC role assignments across your Azure environment. Use it to maintain a cloud infrastructure inventory and generate compliance evidence for access-control and asset-management controls in Axiom Codex.

What you’ll need

  • An Azure subscription.
  • Permission to create an app registration in Microsoft Entra ID (Azure AD).
  • Five minutes.

Set it up

1. Register an app in Azure

In the Azure portal, go to Microsoft Entra ID → App registrations → New registration.
  • Name: Axiom Layer — Azure
  • Supported account types: Single tenant
After creation, copy the Application (client) ID and Directory (tenant) ID from the overview page.
2. Create a client secret

Go to Certificates & secrets → New client secret. Copy the secret Value (not the Secret ID) as soon as it is shown; it is not displayed again. Choose an expiry you can track: when the secret expires, the Layer sync stops until you create a new secret and update the connection.
3. Assign the Reader role on your subscription

Go to Subscriptions → (your subscription) → Access control (IAM) → Add role assignment.
  • Role: Reader
  • Assign access to: User, group, or service principal
  • Members: search for and select the Axiom Layer — Azure app you just created (an app registration appears here as its service principal)
Assign the role at subscription scope, not on an individual resource group: Layer reads every resource group and role assignment in the subscription.
Also copy the Subscription ID from the subscription overview page.
4. Paste credentials into Layer

In Layer, go to Integrations, find Azure, and click Connect. Enter:
  • Tenant ID (Directory ID, from step 1)
  • Subscription ID (from step 3)
  • Client ID (Application ID, from step 1)
  • Client Secret (from step 2)
5. Wait for the first sync

The initial sync runs immediately and typically finishes in under 10 minutes.

What gets synced

Object                  Fields                        Refresh cadence
Subscription            subscription ID, tenant ID    Daily
Resource groups         name, location, tags          Daily
RBAC role assignments   principal, role, scope        Daily

Compliance evidence

Azure data generates evidence records for the following SOC 2 controls:
Evidence                  Controls
RBAC role assignments     CC6.1, CC6.2, CC6.3
Resource group inventory  CC6.6, CC6.7
See the SOC 2 evidence catalog for full control descriptions.

Least-privilege permissions

The Reader role on the subscription is sufficient for all synced data. Reader grants */read, so it also covers every resource type Layer never reads. To scope access to exactly the three synced objects, create a custom role with these permissions (the JSON format accepted by az role definition create; Microsoft.Resources/subscriptions/read is needed to read the subscription object itself, which the sync table lists):
{
  "Name": "Axiom Layer Read",
  "IsCustom": true,
  "Description": "Read-only access used by the Axiom Layer Azure integration",
  "Actions": [
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Authorization/roleAssignments/read"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/YOUR_SUBSCRIPTION_ID"
  ]
}
Assign the custom role in step 3 in place of Reader. Note that a role assignment carries only a roleDefinitionId; resolving that ID to a role name needs Microsoft.Authorization/roleDefinitions/read in addition, which Reader includes.

Troubleshooting

Verify the Tenant ID, Client ID, and Client Secret are correct. If the client secret expired, generate a new one in Certificates & secrets and update it in Layer.
Confirm the app registration has the Reader role (or the custom role above) assigned at subscription scope on the target subscription, not only on a resource group. Role assignments can take a few minutes to propagate after creation, so retry a sync that fails immediately after the assignment.
Create a separate connection for each subscription. Each connection requires its own Subscription ID but can share the same app registration if you assign the Reader role on each subscription.
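To check a credential set before pasting it into Layer in step 4, or to pin down which of the troubleshooting cases above applies, you can perform the same reads the sync performs. The script below is an added example and is not Layer's or Azure's own code. It assumes the app registration from steps 1 to 3, reads the four values from the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_SUBSCRIPTION_ID (an optional AZURE_CUSTOM_ROLE_ID for a custom role; these variable names are this example's choice), and calls the public Azure Resource Manager REST endpoints with the built-in Reader role definition ID. The sample assignments and token it defines at the bottom are constructed for offline use and are not from a real tenant.

```python
"""Pre-flight check for a Layer Azure connection (added example, not Layer's code).
Does the reads Layer's sync depends on, standard library only: client-credentials
token, then subscription, resource groups and role assignments from ARM."""
import base64
import json
import os
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"
READER_ROLE_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"  # built-in Reader, same ID in every tenant
MG_PREFIX = "/providers/microsoft.management/managementgroups/"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def validate_ids(tenant_id, client_id, subscription_id):
    """Problems with the three IDs (empty list = all look like GUIDs). Catches a secret
    pasted into an ID field, or stray whitespace, before any network call."""
    problems = []
    for name, value in (("Tenant ID", tenant_id), ("Client ID", client_id),
                        ("Subscription ID", subscription_id)):
        if not GUID_RE.match(value):
            problems.append(f"{name} is not a GUID: {value!r}")
    return problems

def token_endpoint(tenant_id):
    """v2.0 client-credentials endpoint of the directory the app is registered in."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"

def get_token(tenant_id, client_id, client_secret):
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": ARM + "/.default"}).encode()
    req = urllib.request.Request(token_endpoint(tenant_id), data=body)
    with urllib.request.urlopen(req, timeout=30) as r:
        return json.load(r)["access_token"]

def principal_id_from_token(token):
    """'oid' of an app-only token is the service principal's object ID, which is what role
    assignments record as principalId (not the client ID). No signature check: it is our own token."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))["oid"]

def arm_get(token, path, api_version):
    req = urllib.request.Request(f"{ARM}{path}?api-version={api_version}",
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as r:
        return json.load(r)

def has_read_role_at_scope(assignments, principal_id, subscription_id, role_ids=(READER_ROLE_ID,)):
    """True if principal_id holds one of role_ids on the subscription itself or inherited from a
    management group. A narrower assignment (one resource group) does not count."""
    wanted = {r.lower() for r in role_ids}
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    for a in assignments:
        p = a.get("properties", {})
        if p.get("principalId", "").lower() != principal_id.lower():
            continue
        role_id = p.get("roleDefinitionId", "").rsplit("/", 1)[-1].lower()
        scope = p.get("scope", "").lower()
        if role_id in wanted and (scope == sub_scope or scope.startswith(MG_PREFIX)):
            return True
    return False

def preflight(tenant_id, client_id, client_secret, subscription_id, extra_role_ids=()):
    """Run the checks the first sync depends on; extra_role_ids lists custom roles accepted as Reader."""
    problems = validate_ids(tenant_id, client_id, subscription_id)
    if problems:
        return {"ok": False, "problems": problems}
    try:
        token = get_token(tenant_id, client_id, client_secret)
    except urllib.error.HTTPError as e:  # 400/401: wrong tenant or client ID, or expired secret
        return {"ok": False, "problems": [f"token request failed ({e.code}): check IDs and secret"]}
    oid = principal_id_from_token(token)
    try:
        sub = arm_get(token, f"/subscriptions/{subscription_id}", "2020-01-01")
        rgs = arm_get(token, f"/subscriptions/{subscription_id}/resourcegroups", "2021-04-01")["value"]
        ras = arm_get(token, f"/subscriptions/{subscription_id}/providers/Microsoft.Authorization/"
                      "roleAssignments", "2022-04-01")["value"]
    except urllib.error.HTTPError as e:  # 403/404: role missing, not yet propagated, or too narrow
        return {"ok": False, "problems": [f"ARM read failed ({e.code}): check the role assignment"]}
    ok = has_read_role_at_scope(ras, oid, subscription_id, (READER_ROLE_ID, *extra_role_ids))
    return {"ok": ok, "tenant_id": sub["tenantId"], "principal_id": oid, "role_assignments": len(ras),
            "resource_groups": [rg["name"] for rg in rgs],
            "problems": [] if ok else ["no Reader (or listed custom role) at subscription scope"]}

# Constructed sample data for offline use; not taken from a real tenant.
SAMPLE_SUB = "11111111-2222-3333-4444-555555555555"
SAMPLE_OID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
_READER_DEF = f"/subscriptions/{SAMPLE_SUB}/providers/Microsoft.Authorization/roleDefinitions/{READER_ROLE_ID}"
SAMPLE_ASSIGNMENTS = [  # first is too narrow (one resource group); second is what step 3 creates
    {"properties": {"principalId": SAMPLE_OID, "roleDefinitionId": _READER_DEF,
                    "scope": f"/subscriptions/{SAMPLE_SUB}/resourceGroups/rg-prod"}},
    {"properties": {"principalId": SAMPLE_OID, "roleDefinitionId": _READER_DEF,
                    "scope": f"/subscriptions/{SAMPLE_SUB}"}},
]
def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
SAMPLE_TOKEN = ".".join((_b64url({"alg": "none"}), _b64url({"oid": SAMPLE_OID}), "sig"))

if __name__ == "__main__":  # live run against the values you are about to paste into Layer
    env = [os.environ.get(k, "") for k in ("AZURE_TENANT_ID", "AZURE_CLIENT_ID",
                                           "AZURE_CLIENT_SECRET", "AZURE_SUBSCRIPTION_ID")]
    extra = tuple(filter(None, [os.environ.get("AZURE_CUSTOM_ROLE_ID")]))
    result = preflight(*env, extra_role_ids=extra)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["ok"] else 1)
```

A token failure maps to the first troubleshooting item (IDs or an expired secret), an ARM failure to the second (role not assigned or not yet propagated), and an "ok": false with a populated role_assignments count means the principal can read but holds its role only below subscription scope. Run it once per subscription, since each Layer connection is one subscription.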