# Azure

**Note** - Each of your Azure subscriptions must be onboarded as a separate account in MechCloud.

### **Step 1: Sign in to Azure Portal**

1. Open your web browser and navigate to the [Azure Portal](https://portal.azure.com/).
2. Sign in using your Azure account credentials.

### **Step 2: Register a New Application**

**Follow the instructions below to create one application (service account) for every subscription whose assets you want to discover in MechCloud.**

1. In the Azure Portal, search for and select **Microsoft Entra ID**.
2. Under **Manage**, click on **App registrations**.
3. Click on **New registration** at the top.
4. Enter a name for your application/service account.
5. Choose **Accounts in this organizational directory only** under Supported account types.
6. Optionally, enter a Redirect URI if your application requires one. For most service accounts, this can be left blank.
7. Click **Register**.

### **Step 3: Add Federated Credentials**

MechCloud uses OpenID Connect (OIDC) federation to authenticate with Azure, eliminating the need for client secrets. This is more secure as there are no long-lived credentials to manage or rotate.

1. Once your application is registered, navigate to your application's overview page.
2. Select **Certificates & secrets** from the left-hand menu.
3. Click on the **Federated credentials** tab.
4. Click **Add credential**.
5. Select **Other issuer** under **Federated credential scenario**.
6. Fill in the following details:

| Field                  | Value                      | Description                            |
| ---------------------- | -------------------------- | -------------------------------------- |
| **Issuer**             | `https://id.mechcloud.io/` | MechCloud's OIDC issuer URL            |
| **Subject identifier** | Your MechCloud `sub` claim | Found in your JWT token (see below)    |
| **Name**               | `mechcloud-federation`     | A descriptive name for this credential |
| **Audience**           | Your MechCloud `aud` claim | Found in your JWT token (see below)    |

#### Finding Your JWT Token Claims

To get the values for **Subject identifier** and **Audience** (Azure compares the issuer, subject and audience against the token claims exactly, so copy them verbatim):

1. Log in to the [MechCloud Portal](https://portal.mechcloud.io).
2. Open a new browser tab and navigate to: `https://portal.mechcloud.io/oauth2/auth1`
3. This displays your JWT token. Decode it using [jwt.io](https://jwt.io) or a similar tool.
4. Find the following claims:
   * **sub** (Subject) - Use this value for the **Subject identifier** field (e.g., `auth0|690895c8b0ac201506c31175`)
   * **aud** (Audience) - Use this value for the **Audience** field (e.g., `n6dMQIo8ZCE5QxLY4o2KjeBaSn8eefTX`)
5. Click **Add** to save the federated credential.
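As an added example (not part of the MechCloud documentation), the script below reads the `iss`, `sub` and `aud` claims from the token obtained above, refuses the token if the issuer does not match the table entry character for character (trailing slash included), and builds the JSON body accepted by `az ad app federated-credential create --parameters` as a CLI alternative to the portal form. The sample token is constructed from the example values on this page; the helper names are assumptions.

```python
import base64
import json

# Exact issuer from the documentation table; Azure matches it character for
# character, trailing slash included.
EXPECTED_ISSUER = "https://id.mechcloud.io/"

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def read_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check: we only
    read sub/aud/iss here and never use the token for an access decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))

def federated_credential_params(token: str, name: str = "mechcloud-federation") -> dict:
    """Build the body for `az ad app federated-credential create --parameters`
    from the token's claims, rejecting tokens from an unexpected issuer."""
    claims = read_claims(token)
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError(f"issuer {claims.get('iss')!r} != {EXPECTED_ISSUER!r}")
    aud = claims["aud"]
    # aud may be a string or a list; Azure's "audiences" field is always a list.
    audiences = [aud] if isinstance(aud, str) else list(aud)
    return {
        "name": name,
        "issuer": claims["iss"],
        "subject": claims["sub"],
        "audiences": audiences,
        "description": "MechCloud OIDC federation (no client secret)",
    }

def _make_unsigned_jwt(claims: dict) -> str:
    # Constructed sample token for offline use; the signature segment is a dummy.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"

# Constructed sample using the example claim values shown on this page.
SAMPLE_TOKEN = _make_unsigned_jwt({
    "iss": "https://id.mechcloud.io/",
    "sub": "auth0|690895c8b0ac201506c31175",
    "aud": "n6dMQIo8ZCE5QxLY4o2KjeBaSn8eefTX",
})

if __name__ == "__main__":
    print(json.dumps(federated_credential_params(SAMPLE_TOKEN), indent=2))
```

Save the printed JSON to a file and pass it with `--parameters <file>` together with `--id <Application (client) ID>` from Step 5.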

### **Step 4: Assign Roles and Permissions**

1. Navigate to **Subscriptions** in the Azure Portal.
2. Select the subscription you want the service account to access.
3. Search for and click **Access control (IAM)** in the left menu.
4. Click **Add** -> **Add role assignment**.
5. Choose the least-privileged role(s) that cover your use case:
   * **Reader** - Read-only access to list resources; sufficient for asset discovery
   * **Contributor** - Required only if you use Stateless IaC to create/update/delete resources
6. Search for and select the application you registered earlier.
7. Click **Save** to assign the role.

### **Step 5: Obtain Application (Client) ID and Tenant ID**

1. Go back to the **App registrations** page and select your application.
2. Copy the **Application (client) ID** and **Directory (tenant) ID** from the overview page.

### **Step 6: Register your Azure account in MechCloud**

1. Log on to [MechCloud](https://portal.mechcloud.io) and navigate to **Infrastructure** -> **Cloud Accounts**.
2. Select a team.
3. Select **Azure** under **Select a cloud provider** dropdown.
4. Click on **New Cloud Account** button.
5. Enter a name for your account.
6. Fill in the credentials:
   * **Azure Tenant Id** - Enter the Directory (tenant) ID from Step 5.
   * **Client Id** - Enter the Application (client) ID from Step 5.
   * **Subscription Id** - Enter the subscription ID (from Azure Portal -> Subscriptions) that you associated with the service account in Step 4.
7. Click **Save** to add the cloud account.
