
Azure Connection

Connect an Azure subscription to Escher using your local Azure CLI authentication.

Prerequisites

  • Azure CLI installed (az --version)
  • An Azure subscription with Reader role or equivalent
  • Escher desktop app installed and running

How Escher reads Azure

Escher reads your Azure CLI authentication state (az login or service principal config). It uses the Azure SDK with read-only API calls during estate scans. No Azure resources are created or modified during scanning.


Step 1 — Authenticate the Azure CLI

```bash
# Interactive login (opens browser)
az login

# Verify
az account show
# {
#   "id": "a1b2c3d4-...",
#   "name": "Corp Subscription",
#   "tenantId": "e5f6g7h8-...",
#   "user": { "name": "alice@company.com", "type": "user" }
# }
```

For service principal authentication (CI/headless):

```bash
az login --service-principal \
  --username APP_ID \
  --password CLIENT_SECRET \
  --tenant TENANT_ID

az account set --subscription SUBSCRIPTION_ID
```

Step 2 — Assign the required role

Escher requires the Reader role on the subscription, plus service-specific data-plane permissions for certain resource types (see Troubleshooting).

```bash
# Assign Reader role
az role assignment create \
  --assignee alice@company.com \
  --role Reader \
  --scope /subscriptions/YOUR_SUBSCRIPTION_ID
```

For cost data access:

```bash
# Cost Management Reader — required for FinOps skills
az role assignment create \
  --assignee alice@company.com \
  --role "Cost Management Reader" \
  --scope /subscriptions/YOUR_SUBSCRIPTION_ID
```

Step 3 — Discover profiles in Escher

  1. Open Escher → Estate → Discover Profiles
  2. Escher reads your az account list output and registers each subscription as a profile
  3. Select the subscription → click Enable → click Test Access

Once Test Access succeeds, the profile shows:

Profile: Corp Subscription (a1b2c3d4-...)
Provider: Azure
Tenant: e5f6g7h8-...
Status: ✓ Connected

Step 4 — Run an estate scan

Click Refresh Estate. Escher scans:

Corp Subscription (Azure)
  ✓ Virtual Machines  — 42 VMs
  ✓ Storage Accounts  — 18 accounts
  ✓ NSGs              — 31 network security groups
  ✓ Resource Groups   — 14 groups
  ✓ Databases (SQL)   — 8 instances
  ✓ Cost data         — available

Troubleshooting

AuthorizationFailed on specific resources

The account has Reader on the subscription but is missing data-plane access for a specific service. Check the error in Estate → Profile Diagnostics and add the relevant role assignment.

Cost data shows UNAVAILABLE

Ensure the Cost Management Reader role is assigned. Cost data may also be unavailable if the subscription is not in a billing account you have access to.
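To confirm the Step 2 role assignments before clicking Test Access, and to tell the two troubleshooting cases above apart, here is an added preflight script; it is not part of Escher or this guide. It assumes the identity shown by az account show is the one Escher will reuse, and it passes --include-inherited and --include-groups to az role assignment list so that roles granted at management-group scope or through group membership are counted.

```bash
#!/usr/bin/env bash
# Added preflight check (not Escher's own tooling): confirm the CLI identity
# Escher reuses holds the roles this guide asks for on the current subscription.
set -eu

# Roles Step 2 assigns at subscription scope (Cost Management Reader is only
# needed for cost data / FinOps skills).
REQUIRED_ROLES="Reader
Cost Management Reader"

# missing_roles ASSIGNED REQUIRED
# Both arguments are newline-separated role names, the shape produced by
# `az role assignment list --query "[].roleDefinitionName" -o tsv`. Prints each
# required role absent from ASSIGNED, one per line (nothing when all present).
# Matching is whole-line, so "Reader" does not satisfy "Cost Management Reader".
missing_roles() {
  have="$1"
  printf '%s\n' "$2" | while IFS= read -r role; do
    [ -n "$role" ] || continue
    if ! printf '%s\n' "$have" | grep -Fxq -- "$role"; then
      printf '%s\n' "$role"
    fi
  done
}

# Live check against the subscription `az account show` currently points at.
check_azure_access() {
  sub_id=$(az account show --query id -o tsv)
  principal=$(az account show --query user.name -o tsv)
  # --include-inherited: assignments made at management-group scope;
  # --include-groups: roles granted through (transitive) group membership.
  assigned=$(az role assignment list --assignee "$principal" \
    --scope "/subscriptions/$sub_id" --include-inherited --include-groups \
    --query "[].roleDefinitionName" -o tsv)
  missing=$(missing_roles "$assigned" "$REQUIRED_ROLES")
  if [ -z "$missing" ]; then
    echo "OK: $principal holds Reader and Cost Management Reader on $sub_id"
    return 0
  fi
  echo "Missing for $principal at /subscriptions/$sub_id (see Step 2):" >&2
  printf '%s\n' "$missing" | sed 's/^/  /' >&2
  return 1
}

# Only run the live check when the CLI is installed and logged in (Step 1).
if command -v az >/dev/null 2>&1 && az account show >/dev/null 2>&1; then
  check_azure_access
else
  echo "az CLI not found or not logged in; run 'az login' first (live check skipped)" >&2
fi
```

A missing "Cost Management Reader" line explains the UNAVAILABLE cost data case; if both roles are present and Test Access still reports AuthorizationFailed on a single service, the gap is a data-plane permission for that service rather than a subscription-level role.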


Next steps

  • Multi-Cloud — Manage AWS and Azure profiles together
  • FinOps — Run cost analysis on the connected subscription
  • SecOps — Scan Azure NSGs for exposure

Escher — Agentic CloudOps by Tessell