Connect Azure
Reference for the Connect Azure step in the onboarding wizard. Escher auto-discovers every subscription you have access to and lets you pick which ones to include.
What Escher needs
The built-in Reader role at the subscription scope is sufficient for most use cases. For deeper IAM and storage analysis, add the Security Reader role on the same subscription.
Escher does not need any write permissions for normal use.
How the wizard step works
The Connect Azure screen in the wizard does the work for you. When you reach it:
- The wizard runs az login, which pops a browser window for Microsoft sign-in.
- Authenticate against your tenant.
- The wizard shows Discovering subscriptions... while it enumerates everything your account has access to.
- You'll see a subscription tree organised by Default Directory (your tenant), with every subscription as a checkbox row showing name, subscription ID, and any tags (e.g. DEFAULT).
- Tick the subscriptions you want Escher to include in scans and questions.
- Click Get Started to finish onboarding.
TIP
The picker has a search box (filter by name, ID, or tenant) and a Hide disabled subscriptions toggle. For tenants with many subscriptions, Select / Clear visible is the fastest way to bulk-toggle after filtering.
The Azure CLI version installed by the wizard is shown as a green badge on the header card (e.g. ● Azure CLI - 2.86.0).
Pre-onboarding setup (if you haven't already)
If your account doesn't have Reader on the subscriptions you want to include, you'll see them in the picker but they'll be greyed out / show no access.
Your Azure admin can grant the role:
```bash
# For your user account
az role assignment create \
  --assignee your-email@company.com \
  --role "Reader" \
  --scope /subscriptions/YOUR_SUBSCRIPTION_ID

# Optionally add Security Reader for deeper IAM and storage analysis
az role assignment create \
  --assignee your-email@company.com \
  --role "Security Reader" \
  --scope /subscriptions/YOUR_SUBSCRIPTION_ID
```

For tenants with many subscriptions, assigning Reader at the management group level scopes Escher across all child subscriptions in one step.
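To confirm that the account you connect holds only the read-only roles described above, the following added example (not Escher's own code) checks role assignment records for Reader coverage and for any role beyond read access. The sample records, subscription IDs and management group name are constructed; the `roleDefinitionName` and `scope` fields follow the JSON that `az role assignment list --output json` returns.

```python
import json

# Read-only roles named on this page; any other role is reported for review.
READ_ONLY = {"Reader", "Security Reader", "Cost Management Reader"}
MG_PREFIX = "/providers/microsoft.management/managementgroups/"

# Constructed sample, shaped like `az role assignment list --output json`
# (only the roleDefinitionName and scope fields are used).
SAMPLE = json.loads("""
[
 {"roleDefinitionName": "Reader",
  "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
 {"roleDefinitionName": "Security Reader",
  "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
 {"roleDefinitionName": "Contributor",
  "scope": "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-app"},
 {"roleDefinitionName": "Reader",
  "scope": "/providers/Microsoft.Management/managementGroups/mg-example"}
]
""")

def audit(assignments, wanted_subs):
    """Check Reader coverage and list non-read-only roles for one principal."""
    wanted = {s.lower() for s in wanted_subs}
    has_reader, excess, mg_reader = set(), [], []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        parts = scope.strip("/").split("/")
        if role not in READ_ONLY:
            excess.append((role, scope))       # more than read access
        elif role == "Reader":
            if scope.lower().startswith(MG_PREFIX):
                mg_reader.append(scope)        # inherited by child subscriptions
            elif len(parts) == 2 and parts[0].lower() == "subscriptions":
                has_reader.add(parts[1].lower())  # Reader at subscription scope
    return {
        "missing_reader": sorted(wanted - has_reader),
        "excess_roles": excess,
        "management_group_reader": mg_reader,
    }

if __name__ == "__main__":
    subs = ["11111111-1111-1111-1111-111111111111",
            "22222222-2222-2222-2222-222222222222"]
    print(json.dumps(audit(SAMPLE, subs), indent=2))
```

Reader assigned at a management group is listed separately because the assignment records do not say which subscriptions sit under that group; a subscription reported under `missing_reader` may still be covered that way.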
Adding subscriptions later
You can change which subscriptions are active at any time from Settings → Profiles. Each subscription shows up as a toggle switch — flip on the ones you want Escher to use, flip off the rest. See Switching Profiles.
To add a tenant or subscription that wasn't visible during onboarding, re-run az login in Terminal against the new tenant, then revisit the Connect Azure flow from Settings.
Troubleshooting
| Symptom | Fix |
|---|---|
| Browser opens but returns no subscriptions | Check az account list --output table in Terminal. If empty, you're not assigned Reader anywhere — talk to your Azure admin. |
| A subscription is greyed out in the picker | Insufficient role (typically missing Reader). Get the role assigned, then re-open the Connect Azure step. |
| Cost data missing from results | Add Cost Management Reader to the principal, or use a different account that has it: az role assignment create --assignee YOU --role "Cost Management Reader" --scope /subscriptions/SUB_ID |
What's next
- Connect AWS — AWS connection reference
- Multi-Cloud — Mix AWS and Azure profiles
- Switching Profiles — Manage profiles after onboarding