About Microsoft Azure Monitor
The Microsoft Azure Monitor source pulls diagnostic settings, subscription activity logs, metric and log alert rule configuration, and Log Analytics workspace settings from the connected subscription. Data is read through Azure Resource Manager with delegated OAuth as the signing-in user. Iru does not create or change diagnostic settings, alert rules, or workspaces. Activity log visibility follows Azure’s default retention (about 90 days at the subscription). Iru reads what Azure exposes for that window. For longer retention, export activity logs to a Log Analytics workspace or storage in Azure.How It Works
Iru uses Microsoft’s OAuth 2.0 authorization code flow against Azure Resource Manager. The requested scope is:https://management.azure.com/user_impersonation
| Detail | Value |
|---|---|
| Category | Developer tools |
| Authentication | OAuth 2.0 (Microsoft Entra ID, Azure Resource Manager) |
| Vendor plan | Any Azure subscription |
What Iru collects
| Data type | Notes |
|---|---|
| Diagnostic settings | Log categories, retention, destinations (storage, event hub, Log Analytics) |
| Activity logs | Subscription-level audit events (create, delete, policy, role changes, and similar) |
| Metric alert rules | Definitions, thresholds, evaluation frequency |
| Log alert rules | Scheduled query rules and activity log alert configuration |
| Log Analytics workspaces | Workspace configuration and data retention settings |
Prerequisites
- Microsoft Entra ID sign-in to the Azure portal.
- The built-in Monitoring Reader role at subscription scope (or Reader, which includes the needed read paths). Monitoring Reader grants
Microsoft.Insights/*/readfor diagnostic settings, alert rules, and activity log access without write permissions. - Browser pop-ups allowed so the connector wizard can open when you enable the source.
Connect Microsoft Azure Monitor to Iru
Use Microsoft Azure first to confirm portal access and Monitoring Reader (or Reader) coverage, then complete OAuth in Iru Compliance. The wizard shows Step 1 of 1: Perform OAuth Authentication.- Microsoft Azure
- Iru Compliance
Complete this tab before you start OAuth in Iru Compliance.
Sign in to the Azure portal
Open portal.azure.com and sign in with the account you will use in the Iru wizard.
Open your target subscription
Search for Subscriptions, then open the subscription whose Monitor diagnostics and metrics Iru should read.
Verify Monitoring Reader or Reader access
Open Access control (IAM) → View my access. Confirm Monitoring Reader or subscription Reader, per Prerequisites.
Allow pop-ups in your browser
Allow pop-ups for your Iru hostname so the Microsoft consent window can open.
Continue on the Iru Compliance tab.
Troubleshooting
Nothing opens when you turn the source on
Nothing opens when you turn the source on
Check pop-up blocker settings for the Iru site and try again.
Missing or incomplete diagnostic settings
Missing or incomplete diagnostic settings
The signed-in account may lack Monitoring Reader (or Reader) at subscription scope. Verify IAM (see Prerequisites).
Activity log looks short
Activity log looks short
Azure retains subscription activity logs for about 90 days by default. Iru reflects what is available in that window unless you have extended retention via export to Log Analytics or storage.
Wrong Microsoft Entra tenant
Wrong Microsoft Entra tenant
Sign out of the Microsoft pop-up and sign in with the account for the correct tenant.
Broken status
Broken status
Turn Microsoft Azure Monitor off and on in Sources, then complete OAuth again.
Related Articles
Sources Management
Browse and manage every Compliance source.
Getting Started With Compliance
Frameworks, actions, and Artifacts.
Iru Overview
How Endpoint, Compliance, and Identity fit together.
Artifacts Management
Upload, review, and organize evidence from sources and actions.