
About Microsoft Azure Authorization

The Microsoft Azure Authorization source reads Azure RBAC role assignments and role definitions, plus Azure Policy definitions and assignments, from the subscription you connect. Evidence in Iru reflects who can access what and which policies are assigned; Iru does not write changes back to Azure. Iru uses delegated OAuth 2.0 against Azure Resource Manager on behalf of the user who signs in, so collections respect that user’s existing Azure permissions.

How It Works

Iru uses Microsoft's OAuth 2.0 authorization code flow (delegated permissions) against Azure Resource Manager (management.azure.com). After you sign in and consent in the pop-up, Iru receives a short-lived access token and renews it automatically (including rotating refresh tokens where applicable). The OAuth scope requested is https://management.azure.com/user_impersonation. That scope grants read access to ARM APIs as the signed-in user, limited by that user's RBAC on the subscription.

Detail          Value
Category        Developer tools
Authentication  OAuth 2.0 (Microsoft Entra ID, Azure Resource Manager)
Vendor plan     Any Azure subscription
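The authorization code exchange described above, written out as an added example so each message can be inspected offline. This is not Iru's code and not a Microsoft library: it builds the requests against the public Microsoft identity platform v2.0 endpoints using the scope named on this page. The tenant, client_id and redirect_uri values are constructed placeholders, and the use of PKCE, a state parameter and the offline_access scope are assumptions about how a delegated client is typically built, not statements about Iru's implementation. Nothing is sent over the network.

```python
"""Authorization code flow (delegated permissions) for Azure Resource Manager.

Added example, not Iru's code. Builds the authorize URL, validates the redirect,
and builds the token and refresh requests; it does not send them."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

ARM_SCOPE = "https://management.azure.com/user_impersonation"  # the scope this page names
# offline_access (assumption) asks for a refresh token so the access token can
# be renewed without another interactive sign-in.
REQUESTED_SCOPES = f"{ARM_SCOPE} offline_access"
LOGIN = "https://login.microsoftonline.com"


def make_pkce_pair():
    """RFC 7636: random verifier plus its S256 challenge (base64url, no padding)."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43..128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(tenant, client_id, redirect_uri, state, code_challenge):
    """Step 1: the URL the consent pop-up opens. state ties the redirect to this
    browser session; the code challenge ties the code to this client."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": REQUESTED_SCOPES,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{LOGIN}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_redirect(redirect_url, expected_state):
    """Step 2: after consent the browser lands on redirect_uri with ?code=...&state=...
    Refuse the response unless state matches, and surface an error parameter."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not produced by this session")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def token_request(tenant, client_id, redirect_uri, code, code_verifier):
    """Step 3: POST body that exchanges the code for an access token (and a
    refresh token, because offline_access was requested)."""
    body = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
        "scope": REQUESTED_SCOPES,
    }
    return f"{LOGIN}/{tenant}/oauth2/v2.0/token", body


def refresh_request(tenant, client_id, refresh_token):
    """Step 4: body used roughly hourly to renew the access token. The response
    may carry a new refresh token; a client must store it and drop the old one."""
    body = {
        "client_id": client_id,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": REQUESTED_SCOPES,
    }
    return f"{LOGIN}/{tenant}/oauth2/v2.0/token", body


if __name__ == "__main__":
    # Constructed placeholders; a real client would use its registered app values.
    tenant, client_id, redirect = "contoso.onmicrosoft.com", "<client-id>", "https://iru.example/oauth/cb"
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(tenant, client_id, redirect, state, challenge))
    code = parse_redirect(f"{redirect}?code=<code>&state={state}", state)
    print(token_request(tenant, client_id, redirect, code, verifier))
```

The state check in parse_redirect is the one a defender should insist on: without it, an authorization code from another session could be fed to the client.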

What Iru collects

Data type                              Azure ARM resource type
Role assignments                       Microsoft.Authorization/roleAssignments
Role definitions (built-in and custom) Microsoft.Authorization/roleDefinitions
Azure Policy definitions               Microsoft.Authorization/policyDefinitions
Azure Policy assignments               Microsoft.Authorization/policyAssignments

Iru does not modify role assignments or policy configuration. Official references: Azure RBAC documentation, REST API, List role assignments (concept), Built-in roles, OAuth 2.0 auth code flow.

Prerequisites

  • Microsoft Entra ID account that can sign in at the Azure portal.
  • At minimum the built-in Reader role (or equivalent read access) on the subscription you want Iru to read. That includes Microsoft.Authorization/*/read for assignments, definitions, and policy metadata.
  • Browser pop-ups allowed so the connector wizard can open when you enable the source.
To confirm access: Subscriptions → your subscription → Access control (IAM) → View my access, and check for Reader (or higher) at that scope. If you need a role assignment, your subscription administrator can use Azure CLI (replace placeholders):
az role assignment create \
  --assignee <your-user-principal-name> \
  --role "Reader" \
  --scope /subscriptions/<subscription-id>
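The Reader check above can also be done from the API output rather than the portal: list the role assignments and role definitions for the subscription and work out whether the signing-in principal holds the four Microsoft.Authorization read actions at subscription scope. The following is an added example, not Iru's code and not an Azure SDK. The records are shaped like items from the ARM roleAssignments and roleDefinitions list responses, but every id, scope and principal below is constructed sample data. It goes slightly beyond the page by also handling assignments inherited from a management group and assignments made only on a resource group (which do not count at subscription scope).

```python
"""Does a principal hold the Microsoft.Authorization read actions at subscription scope?

Added example, not Iru's code. Evaluates constructed role assignment and role
definition records shaped like ARM list responses; no network access."""
import re

# The read actions behind the four data types Iru collects.
REQUIRED_READ_ACTIONS = (
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleDefinitions/read",
    "Microsoft.Authorization/policyDefinitions/read",
    "Microsoft.Authorization/policyAssignments/read",
)


def action_matches(pattern, action):
    """Action strings are case-insensitive and '*' is a wildcard. Treated here as
    matching any run of characters, slashes included, so 'Microsoft.Authorization/*/read'
    covers every .../read under that provider and '*/read' covers every read action."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def role_allows(definition, action):
    """A role allows an action if an Actions entry matches it and no NotActions
    entry matches it (NotActions subtracts from Actions; it is not a deny)."""
    for perm in definition["properties"].get("permissions", []):
        allowed = any(action_matches(p, action) for p in perm.get("actions", []))
        excluded = any(action_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not excluded:
            return True
    return False


def missing_read_actions(principal_id, subscription_id, assignments, definitions,
                         ancestor_scopes=("/",)):
    """Return the required read actions the principal does NOT hold at
    /subscriptions/<id>. An assignment applies if it was made at that subscription
    or at an ancestor scope (root, or a management group passed in ancestor_scopes).
    Assignments below the subscription (resource groups, resources) do not apply."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    applicable = {sub_scope} | {s.lower() for s in ancestor_scopes}
    # Assignments reference a definition by full ARM id whose last segment is the
    # definition's GUID, which is also the definition's "name".
    defs_by_guid = {d["name"].lower(): d for d in definitions}
    held = set()
    for a in assignments:
        props = a["properties"]
        if props["principalId"].lower() != principal_id.lower():
            continue
        if props["scope"].lower() not in applicable:
            continue
        definition = defs_by_guid.get(props["roleDefinitionId"].rsplit("/", 1)[-1].lower())
        if definition is None:
            continue  # dangling reference, e.g. a deleted custom role
        held.update(act for act in REQUIRED_READ_ACTIONS if role_allows(definition, act))
    return [act for act in REQUIRED_READ_ACTIONS if act not in held]


# ---- constructed sample data (not a real tenant) ----
SUB = "11111111-1111-1111-1111-111111111111"
MG_CORP = "/providers/Microsoft.Management/managementGroups/corp"
RD = "/providers/Microsoft.Authorization/roleDefinitions/"
READER, CUSTOM_OPS, LOG_VIEWER = ("a0000000-0000-0000-0000-00000000000%d" % i for i in (1, 2, 3))


def _definition(guid, role_name, actions, not_actions=()):
    return {"id": RD + guid, "name": guid,
            "properties": {"roleName": role_name,
                           "permissions": [{"actions": list(actions),
                                            "notActions": list(not_actions)}]}}


def _assignment(principal_id, guid, scope):
    return {"properties": {"principalId": principal_id, "scope": scope,
                           "roleDefinitionId": f"/subscriptions/{SUB}{RD}{guid}"}}


DEFINITIONS = [
    _definition(READER, "Reader", ["*/read"]),
    _definition(CUSTOM_OPS, "Custom Ops", ["*"],
                ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]),
    _definition(LOG_VIEWER, "Log Viewer", ["Microsoft.Insights/logs/read"]),
]
ASSIGNMENTS = [  # principal ids are constructed labels; real ones are object GUIDs
    _assignment("alice", READER, f"/subscriptions/{SUB}"),
    _assignment("bob", CUSTOM_OPS, MG_CORP),
    _assignment("carol", READER, f"/subscriptions/{SUB}/resourceGroups/rg-web"),
    _assignment("dave", LOG_VIEWER, f"/subscriptions/{SUB}"),
]

if __name__ == "__main__":
    for who, ancestors in (("alice", ("/",)), ("bob", ("/", MG_CORP)),
                           ("carol", ("/",)), ("dave", ("/",))):
        gaps = missing_read_actions(who, SUB, ASSIGNMENTS, DEFINITIONS, ancestors)
        print(f"{who}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

The management-group case matters in practice: a user may see no Reader assignment on the subscription itself yet still have the access, because it was granted higher in the hierarchy. Conversely, Reader on a single resource group is not enough for a subscription-scoped collection.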

Connect Microsoft Azure Authorization to Iru

Use Microsoft Azure first to confirm portal access and Reader coverage, then complete OAuth in Iru Compliance. The wizard shows Step 1 of 1: Perform OAuth Authentication.
Complete this tab before you start OAuth in Iru Compliance.

1. Sign in to the Azure portal

Open portal.azure.com and sign in with the Microsoft Entra ID account you will use in the Iru wizard (same tenant you want Iru to read).

2. Open your target subscription

Search for Subscriptions, then open the subscription whose Authorization metadata (role assignments, definitions, policy) Iru should collect.

3. Verify Reader access

In the subscription, open Access control (IAM) → View my access. Confirm you see Reader (or another role that includes Microsoft.Authorization/*/read at this scope), as described under Prerequisites.

4. Allow pop-ups in your browser

Allow pop-ups for your Iru hostname so the Microsoft consent screen can open from the connector wizard.

5. Note multi-tenant pitfalls

If your company uses several Entra tenants, sign out of personal Microsoft accounts in the same browser profile, or use a private window, so the OAuth pop-up picks the correct work account.
Continue on the Iru Compliance tab.
Authorization metadata is read at subscription scope. To cover multiple subscriptions, repeat the flow per subscription or use an account with Reader on each subscription you need.

Troubleshooting

  • Check pop-up blocker settings for the Iru site and try again.
  • Confirm the authenticating account has the Reader role on the subscription (see Prerequisites).
  • If your organization has several tenants, sign out of the Microsoft pop-up and sign in with the account for the correct tenant.
  • Access tokens renew about every hour while the connection is active. If refresh is interrupted (for example after long inactivity), the card may show Broken. Turn the source off and on, then complete OAuth again.
