Azure Native Integrations
Developer Reference
This page covers internal implementation details. It is not included in the User Guide.
Azure data sources Escher reads from. Each row is verified against the corresponding script in v2-skills/ or a dedicated repo.
Verified data sources
| Azure service | Source repo / script | Used by |
|---|---|---|
| Subscriptions / Services | v2-skills/estate-scan/azure/subscriptions-with-services-*.sh | Infra Ops |
| Resource Groups | v2-skills/estate-scan/azure/resource-groups-*.sh | Infra Ops |
| Virtual Machines | v2-skills/estate-scan/azure/vm-details-*.sh | Infra Ops, FinOps |
| Storage Accounts | v2-skills/estate-scan/azure/storage-details-*.sh | SecOps, Compliance |
| Networking (NSGs, VNets) | v2-skills/estate-scan/azure/network-details-*.sh | SecOps, Infra Ops |
| Cost Management | v2-skills/cost/azure/azure_cost_report.sh | FinOps |
| Azure CLI (general) | v2-tauri-plugin-scanner-azure (TypeScript scanner plugin) drives in-app scans | All |
Roadmap (no shipped script today)
These are referenced in spec or in agent capabilities but have no standalone script in v2-skills/:
- Azure SQL / Flexible Server detailed configuration
- Azure AD / Entra ID identity inventory (referenced as a capability in iam-security-agent/agent.yaml; no dedicated reader script)
- Azure Activity Log query (referenced as a capability; no standalone reader)
- Azure Resource Manager activity audit
When a dedicated script ships for one of these, its entry moves up to the verified table.
Read-only guarantee
All Azure interactions during a scan are read calls (az ... list, az ... show). Playbook-based write operations require the Contributor role on the target resource, assigned to a separate principal, never to the default scan identity.
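One way to check this guarantee mechanically, as an added example that is not one of Escher's v2-skills scripts: a POSIX shell lint that reports every az invocation in a scan script whose subcommand verb is not a read verb. The allowlist (list and show, plus list-* and show-* variants) and the sample scan script below are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not an Escher script: lint a scan script so every `az ...`
# call ends in a read verb. Assumed allowlist: list / show and their
# list-* / show-* variants; anything else is printed for manual review.

# Print each az invocation whose final positional word is not a read verb.
az_write_calls() {
  awk '
  {
    sub(/#.*$/, "")                          # drop comments
    gsub(/\$\(|[`()]/, " ")                  # unwrap $(...) and `...`
    n = split($0, frag, /&&|\|\||[|;]/)      # one command per fragment
    for (p = 1; p <= n; p++) {
      m = split(frag[p], w, /[ \t]+/)
      for (i = 1; i <= m && w[i] != "az"; i++) { }
      if (i > m) continue                    # no az call in this fragment
      verb = ""                              # last word before any -option
      for (j = i + 1; j <= m && w[j] != "" && w[j] !~ /^-/; j++) verb = w[j]
      if (verb !~ /^(list|show)(-.*)?$/) {
        gsub(/^[ \t]+|[ \t]+$/, "", frag[p]); print frag[p]
      }
    }
  }' "$1"
}

# Exit 0 when the script is read-only, 1 otherwise (usable as a CI gate).
assert_readonly() {
  [ -z "$(az_write_calls "$1")" ]
}

# Constructed sample scan script: three read calls and one write call.
sample="$(mktemp)"
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#!/bin/sh
az account list --query "[].id" -o tsv
az vm list -d -o json | jq '.[] | .name'
az storage account show -n "$ACCT" -g "$RG" && echo ok   # read
az group delete -n "$RG" --yes                           # NOT read-only
EOF

az_write_calls "$sample"          # prints: az group delete -n "$RG" --yes
```

The lint is textual, so a verb hidden behind a variable or an eval still needs a human review; it catches the plain az calls the v2-skills scripts are written as.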
Next steps
- Azure Connection — Azure CLI auth and role assignments
- Multi-Cloud — AWS + Azure combined