# Azure

**Note** - Each of your Azure subscriptions must be onboarded as a separate account in MechCloud.

### **Step 1: Sign in to Azure Portal**

1. Open your web browser and navigate to the [Azure Portal](https://portal.azure.com/).
2. Sign in using your Azure account credentials.

### **Step 2: Register a New Application**

**Follow the instructions below to create one application (service account) for every subscription whose assets you want to discover in MechCloud.**

1. In the Azure Portal, search for and select **Microsoft Entra ID**.
2. Under **Manage**, click on **App registrations**.
3. Click on **New registration** at the top.
4. Enter a name for your application/service account.
5. Choose **Accounts in this organizational directory only** under Supported account types.
6. Optionally, enter a Redirect URI if your application requires one. For most service accounts, this can be left blank.
7. Click **Register**.

### **Step 3: Add Federated Credentials**

MechCloud uses OpenID Connect (OIDC) federation to authenticate with Azure, so no client secret is ever created or stored: Azure accepts a token minted by MechCloud's issuer as long as its `iss`, `sub` and `aud` claims match the federated credential you configure below, and there are no long-lived credentials to manage or rotate. Because the match is exact, copy the subject and audience values carefully; a mismatch makes the authentication fail rather than falling back to a broader trust.

1. Once your application is registered, navigate to your application's overview page.
2. Select **Certificates & secrets** from the left-hand menu.
3. Click on the **Federated credentials** tab.
4. Click **Add credential**.
5. Select **Other issuer** under **Federated credential scenario**.
6. Fill in the following details:

| Field                  | Value                      | Description                            |
| ---------------------- | -------------------------- | -------------------------------------- |
| **Issuer**             | `https://id.mechcloud.io/` | MechCloud's OIDC issuer URL            |
| **Subject identifier** | Your MechCloud `sub` claim | Found in your JWT token (see below)    |
| **Name**               | `mechcloud-federation`     | A descriptive name for this credential |
| **Audience**           | Your MechCloud `aud` claim | Found in your JWT token (see below)    |

#### Finding Your JWT Token Claims

To get the values for **Subject identifier** and **Audience**:

1. Log in to [MechCloud Portal](https://portal.mechcloud.io)
2. Open a new browser tab and navigate to: `https://portal.mechcloud.io/oauth2/auth1`
3. This displays your JWT token. Decode it with [jwt.io](https://jwt.io) or a local tool to read its claims. Treat the token as a credential: it authenticates you to MechCloud, so do not share it and do not paste it into any decoder you do not trust.
4. Find the following claims:
   * **sub** (Subject) - Use this value for the **Subject identifier** field (e.g., `auth0|690895c8b0ac201506c31175`)
   * **aud** (Audience) - Use this value for the **Audience** field (e.g., `n6dMQIo8ZCE5QxLY4o2KjeBaSn8eefTX`)
5. Return to the Azure Portal, enter these values in the federated credential form, and click **Add** to save the credential.

### **Step 4: Assign Roles and Permissions**

1. Navigate to **Subscriptions** in the Azure Portal.
2. Select the subscription you want the service account to access.
3. Click **Access control (IAM)** in the left menu.
4. Click **Add** -> **Add role assignment**.
5. Choose the role based on what MechCloud will do in this subscription, following least privilege:
   * **Reader** - Read-only access to list resources. Sufficient for asset discovery and the right default.
   * **Contributor** - Needed only if you will use Stateless IaC to create/update/delete resources in this subscription. Contributor can modify resources but cannot grant roles.
6. Under **Members**, search for and select the application you registered earlier.
7. Click **Review + assign** to assign the role.

### **Step 5: Obtain Application (Client) ID and Tenant ID**

1. Go back to the **App registrations** page and select your application.
2. Copy the **Application (client) ID** and **Directory (tenant) ID** from the overview page.
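The script below is an added example, not MechCloud's or Microsoft's own code. It covers the two hands-on parts of this page together: reading the `sub` and `aud` claims out of your MechCloud JWT locally (Step 3, without pasting the token into a third-party site), and then performing Steps 2 to 5 with the Azure CLI instead of the portal. The issuer URL, credential name and example claim values are the ones shown on this page; the `MECHCLOUD_JWT`, `APP_NAME`, `SUBSCRIPTION_ID` and `ROLE` environment variables, the `--apply` switch, the credential description and the constructed sample token are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not MechCloud's or Microsoft's code: read the sub/aud claims
# out of a MechCloud JWT locally, then perform Steps 2-5 with the Azure CLI.
# Assumed by this example: the MECHCLOUD_JWT, APP_NAME, SUBSCRIPTION_ID and
# ROLE environment variables, the --apply switch, and the credential description.
set -eu

# Decode the base64url payload (second dot-separated segment) of a JWT.
# This only reads the claims; it does not verify the signature. That is fine
# here because we are copying values out of our own token, not trusting one.
jwt_payload() {
    local seg pad
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')   # base64url -> base64
    pad=$(( (4 - ${#seg} % 4) % 4 ))                        # restore stripped '='
    while [ "$pad" -gt 0 ]; do seg="${seg}="; pad=$((pad - 1)); done
    printf '%s' "$seg" | base64 -d
}

# Extract a string-valued claim ($2) from token $1. Assumes the compact JSON
# payload JWTs normally carry; an array-valued aud would need a JSON parser.
jwt_claim() {
    jwt_payload "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Parameters for `az ad app federated-credential create`: issuer and name are
# the values from the table above, subject and audience come from the token.
fed_cred_params() {
    printf '{"name":"mechcloud-federation","issuer":"https://id.mechcloud.io/","subject":"%s","audiences":["%s"],"description":"MechCloud OIDC federation"}' "$1" "$2"
}

# Steps 2-5 against a real tenant. Requires `az login` as a user who can
# create app registrations and assign roles on the subscription.
onboard_azure() {
    local jwt=$1 app_name=$2 sub_id=$3 role=$4
    local subject audience app_id sp_id tenant_id
    subject=$(jwt_claim "$jwt" sub)
    audience=$(jwt_claim "$jwt" aud)
    if [ -z "$subject" ] || [ -z "$audience" ]; then
        echo "token is missing the sub or aud claim" >&2
        return 1
    fi

    # Step 2: single-tenant registration (AzureADMyOrg = "this directory only")
    app_id=$(az ad app create --display-name "$app_name" \
        --sign-in-audience AzureADMyOrg --query appId -o tsv)
    # The service principal is the identity that receives the role assignment.
    sp_id=$(az ad sp create --id "$app_id" --query id -o tsv)

    # Step 3: trust tokens from MechCloud's issuer for exactly this sub/aud
    az ad app federated-credential create --id "$app_id" \
        --parameters "$(fed_cred_params "$subject" "$audience")" >/dev/null

    # Step 4: least privilege, scoped to the one subscription being onboarded
    az role assignment create --assignee-object-id "$sp_id" \
        --assignee-principal-type ServicePrincipal --role "$role" \
        --scope "/subscriptions/$sub_id" >/dev/null

    # Step 5: the three values MechCloud asks for in Step 6
    tenant_id=$(az account show --subscription "$sub_id" --query tenantId -o tsv)
    printf 'Azure Tenant Id: %s\nClient Id: %s\nSubscription Id: %s\n' \
        "$tenant_id" "$app_id" "$sub_id"
}

# Constructed sample token (alg=none, placeholder signature) carrying the
# example sub/aud values from this page, so the claim extraction can be tried
# without a real MechCloud session. Not a real MechCloud token.
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }
sample_token() {
    printf '%s.%s.sig' \
        "$(printf '%s' '{"alg":"none","typ":"JWT"}' | b64url)" \
        "$(printf '%s' '{"sub":"auth0|690895c8b0ac201506c31175","aud":"n6dMQIo8ZCE5QxLY4o2KjeBaSn8eefTX"}' | b64url)"
}

if [ "${1:-}" = "--apply" ]; then
    onboard_azure "${MECHCLOUD_JWT:?}" "${APP_NAME:?}" "${SUBSCRIPTION_ID:?}" "${ROLE:-Reader}"
else
    tok=$(sample_token)
    echo "sample sub: $(jwt_claim "$tok" sub)"
    echo "sample aud: $(jwt_claim "$tok" aud)"
fi
```

Run it without arguments to see the claim extraction on the constructed sample; run it as `MECHCLOUD_JWT=<your token> APP_NAME=mechcloud-<subscription> SUBSCRIPTION_ID=<id> ./onboard.sh --apply` (optionally `ROLE=Contributor` for a subscription where you will use Stateless IaC) to create the registration, federated credential and role assignment for real. The function refuses to call `az` at all when the token lacks a `sub` or `aud`, so a bad copy fails before anything is created in the tenant.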

### **Step 6: Register your Azure account in MechCloud**

1. Log on to [MechCloud](https://portal.mechcloud.io) and navigate to **Infrastructure** -> **Cloud Accounts**.
2. Select a team.
3. Select **Azure** in the **Select a cloud provider** dropdown.
4. Click on **New Cloud Account** button.
5. Enter a name for your account.
6. Fill in the credentials:
   * **Azure Tenant Id** - Enter the Directory (tenant) ID from Step 5.
   * **Client Id** - Enter the Application (client) ID from Step 5.
   * **Subscription Id** - Enter the subscription ID (from Azure Portal -> Subscriptions) that you associated with the service account in Step 4.
7. Click **Save** to add the cloud account.
