Skip to main content
The Azure integration discovers subscriptions, resource groups, and RBAC role assignments across your Azure environment. Use it to maintain a cloud infrastructure inventory and generate compliance evidence for access-control and asset-management controls in Axiom Codex.

What you’ll need

  • An Azure subscription.
  • Permission to create an app registration in Microsoft Entra ID (Azure AD).
  • Five minutes.

Set it up

1

Register an app in Azure

In the Azure portal, go to Microsoft Entra ID → App registrations → New registration.
  • Name: Axiom Layer — Azure
  • Supported account types: Single tenant
After creation, copy the Application (client) ID and Directory (tenant) ID from the overview page.
2

Create a client secret

Go to Certificates & secrets → New client secret. Copy the secret value — you won’t be able to see it again.
3

Assign the Reader role on your subscription

Go to Subscriptions → (your subscription) → Access control (IAM) → Add role assignment.
  • Role: Reader
  • Assign access to: Application
  • Select the Axiom Layer — Azure app you just created
Also copy the Subscription ID from the subscription overview page.
4

Paste credentials into Layer

In Layer, go to Integrations, find Azure, and click Connect. Enter:
  • Subscription ID
  • Client ID (Application ID)
  • Client Secret
5

Wait for the first sync

The initial sync runs immediately and typically finishes in under 10 minutes.

What gets synced

Layer also emits a HostedOn relationship from every discovered resource group to its parent subscription, with the resource group’s location stored as relationship metadata. The result is a connected view of how each Azure resource group rolls up to the subscription that owns it — useful when scoping access reviews to a specific subscription, tracing role-assignment blast radius down the hierarchy, and feeding subscription-level evidence in Axiom Codex.

Compliance evidence

Azure data generates evidence records for the following SOC 2 controls: See the SOC 2 evidence catalog for full control descriptions.

Least-privilege permissions

The Reader role on the subscription is sufficient for all synced data. If you want to scope access more narrowly, create a custom role with these permissions:

Troubleshooting

Verify the Tenant ID, Client ID, and Client Secret are correct. If the client secret expired, generate a new one in Certificates & secrets and update it in Layer.
Confirm the app registration has the Reader role (or equivalent) assigned on the target subscription. Role assignments can take a few minutes to propagate after creation.
Create a separate connection for each subscription. Each connection requires its own Subscription ID but can share the same app registration if you assign the Reader role on each subscription.