Connect your Azure subscriptions to Draftt to govern your cloud infrastructure. Draftt uses an Entra ID (Azure AD) App Registration with read-only access to your Azure resources.

Prerequisites

  • An Azure subscription, plus rights to create App Registrations in Entra ID (the Application Developer role, or a tenant that lets users register apps) and to create role assignments at the target scope (Owner or User Access Administrator on that subscription or management group)
  • Access to the Draftt dashboard (Integrations > Azure)

Setup

Draftt supports connecting at the Subscription or Management Group scope. A role assignment made at Management Group scope is inherited by every subscription under it, including subscriptions moved there later, so one assignment covers the whole tree.

1. Register an App in Entra ID

In the Azure portal, go to Entra ID > App registrations > New registration.
  • Name: Draftt (or any identifiable name)
  • Supported account types: Single tenant
  • Redirect URI: Leave blank
After creation, copy the Application (client) ID and Directory (tenant) ID from the overview page. Enter these in the Draftt setup dialog.
2. Generate a client secret

In your new App Registration, go to Certificates & secrets > New client secret.
  • Description: Draftt access
  • Expires: Pick the shortest period your rotation process supports and record the date. When the secret expires the connection stops working until you create a new secret and update it in Draftt.
Copy the Value (not the Secret ID) immediately; it is shown only once. Treat it as a credential: paste it into the Draftt setup dialog and do not keep copies in tickets or chat.
3. Get your Subscription or Management Group ID

  • For Subscription scope: Go to Subscriptions in the Azure portal and copy the Subscription ID
  • For Management Group scope: Go to Management groups and copy the Management Group ID (the ID that appears in the scope path, not the display name)
Enter the ID in the Draftt setup dialog.
4. Assign the Reader role

Navigate to the subscription or management group, then go to Access control (IAM) > Add role assignment.
  • Role: Reader
  • Assign access to: User, group, or service principal
  • Members: Select members, search for the App Registration by name (Draftt) and add it
Click Review + assign.
5. Assign the Key Vault Reader role (optional)

If you want Draftt to govern Key Vault resources, assign an additional role at the same scope:
  • Role: Key Vault Reader
  • Assign access to: User, group, or service principal
  • Members: Select members, search for the App Registration by name (Draftt) and add it
Key Vault Reader lets the app list vaults and read the metadata of their keys, secrets and certificates; it cannot read secret values or key material. It only takes effect on vaults that use the Azure RBAC permission model. Vaults still on the legacy Access Policy model ignore RBAC data-plane roles, so for those you grant the app an access policy with List permission on keys, secrets and certificates on each vault, which also gives you per-vault control over what Draftt can see.
After completing these steps, click Create in the Draftt setup dialog.
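The five portal steps above as one Azure CLI script. This is an added example, not Draftt's own tooling: it assumes `az` is installed and logged in to the tenant with the rights listed under Prerequisites, and the function names, the KEY_VAULT variable and the default display names are this example's own choices. It creates the role assignment by service principal object ID rather than by app ID, which sidesteps the "principal does not exist" error Azure sometimes returns when an assignment immediately follows the creation of the principal.

```shell
#!/bin/sh
# Added example, not part of Draftt. Automates the portal steps with the Azure
# CLI. Assumes `az login` has been done by a user who can create app
# registrations and role assignments at the chosen scope. Function names and
# the KEY_VAULT variable are this example's own.
set -eu

# Map the two scope kinds Draftt supports to the Azure RBAC scope string.
draftt_scope() {
  case "$1" in
    subscription)     printf '/subscriptions/%s' "$2" ;;
    management-group) printf '/providers/Microsoft.Management/managementGroups/%s' "$2" ;;
    *) echo "scope kind must be 'subscription' or 'management-group'" >&2; return 1 ;;
  esac
}

# Register the app (single tenant), create its service principal and a client
# secret, assign Reader at the scope, and print what the Draftt dialog asks for.
# KEY_VAULT=1 also assigns the optional Key Vault Reader role.
draftt_connect() {
  kind="$1"; id="$2"; name="${3:-Draftt}"; years="${4:-1}"
  scope="$(draftt_scope "$kind" "$id")"

  # Step 1: AzureADMyOrg is the CLI name for the portal's "Single tenant".
  app_id="$(az ad app create --display-name "$name" --sign-in-audience AzureADMyOrg \
              --query appId -o tsv)"
  tenant_id="$(az account show --query tenantId -o tsv)"
  # The portal creates the service principal for you; the CLI does not.
  sp_oid="$(az ad sp create --id "$app_id" --query id -o tsv)"

  # Step 2: on a fresh app `credential reset` adds its first secret. The value
  # is returned only here, exactly like the one-time Value in the portal.
  secret="$(az ad app credential reset --id "$app_id" --display-name 'Draftt access' \
              --years "$years" --query password -o tsv)"

  # Steps 3-4: Reader at the chosen scope, assigned by object ID plus principal
  # type so the call does not depend on directory replication having caught up.
  az role assignment create --assignee-object-id "$sp_oid" \
     --assignee-principal-type ServicePrincipal --role Reader --scope "$scope" >/dev/null

  # Step 5 (optional): Key Vault Reader. Effective only on vaults that use the
  # Azure RBAC permission model; access-policy vaults need a policy instead.
  if [ "${KEY_VAULT:-0}" = "1" ]; then
    az role assignment create --assignee-object-id "$sp_oid" \
       --assignee-principal-type ServicePrincipal --role 'Key Vault Reader' \
       --scope "$scope" >/dev/null
  fi

  printf 'Application (client) ID: %s\nDirectory (tenant) ID:   %s\nScope ID:                %s\n' \
         "$app_id" "$tenant_id" "$id"
  printf 'Client secret (paste into Draftt now; it cannot be retrieved later): %s\n' "$secret"
}

# Runs only when given arguments, e.g.
#   KEY_VAULT=1 sh draftt-connect.sh subscription 00000000-0000-0000-0000-000000000000
#   sh draftt-connect.sh management-group contoso-root
[ "$#" -eq 0 ] || draftt_connect "$@"
```

The secret is printed once so you can paste it into the dialog; run the script in a shell whose history you control, and if you need to rotate it later use `az ad app credential reset --append` so the old secret keeps working until Draftt has the new one.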

What Draftt Reads

Draftt's App Registration is read-only. With only the roles above it cannot create, modify, or delete anything in your Azure environment. Reader is an Azure Resource Manager (control-plane) role: it returns resource configuration and metadata, not the data held inside resources (blob contents, database rows, secret values). That metadata spans compute (Virtual Machines, App Service, AKS, Container Instances), storage (Storage Accounts, Blob, Files), databases (SQL Database, Cosmos DB, Cache for Redis, MySQL, PostgreSQL), networking (Virtual Network, Load Balancer, Application Gateway, Firewall), and security (Key Vault, Defender for Cloud). Entra ID itself is a directory rather than an Azure resource; an Azure RBAC role grants no Microsoft Graph permissions, so the setup above does not by itself expose directory objects such as users, groups or other app registrations.

Verifying Your Connection

After setup, return to Integrations > Azure in Draftt. Each connected subscription or management group shows a status:
  • Healthy - All required access is in place. Draftt is collecting data as expected.
  • Unhealthy - Something is wrong with the App Registration or its role assignments. Check whether the client secret has expired and whether the Reader role assignment is still present at the connected scope.

Troubleshooting

Authentication fails: Verify the client ID, tenant ID, and client secret are correct, and that the tenant ID belongs to the tenant where the App Registration lives. Confirm the client secret has not expired; an expired secret is the most common cause, and the fix is a new secret in Certificates & secrets followed by updating the value in Draftt.

Status shows unhealthy: Check that the Reader role is assigned at the correct scope (the subscription or management group you connected) and that nobody has removed the assignment. Verify the App Registration and its service principal still exist and have not been deleted.

Missing Key Vault resources: The Reader role covers the vault as a resource but not its data plane. Assign the Key Vault Reader role for vaults using the Azure RBAC permission model, or configure an access policy with List permission on individual vaults that use the legacy Access Policy model.

Missing resources in inventory: New connections may take one scan cycle to fully populate. Confirm the Reader role is assigned at a scope that contains the resources you expect to see; a subscription-scoped assignment does not cover sibling subscriptions under the same management group.
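The checks behind an Unhealthy status, run from the Azure CLI. This is an added example, not Draftt's own diagnostics: it assumes `az` is logged in to the same tenant and takes the client ID and the full scope path as arguments; `has_role`, `secret_expired` and `draftt_diagnose` are this example's own names.

```shell
#!/bin/sh
# Added example, not part of Draftt. Reproduces the troubleshooting checks
# above from the command line. Assumes `az login` in the tenant that holds the
# app registration. Function names are this example's own.
set -eu

# Is the wanted role name present in a newline-separated list of role names?
has_role() {
  roles="$1"; want="$2"
  printf '%s\n' "$roles" | grep -Fxq -- "$want"
}

# Has an ISO-8601 endDateTime (e.g. 2026-03-01T00:00:00Z) passed the given
# YYYY-MM-DD date (default: today, UTC)? The date prefixes compare correctly as
# strings, so no date arithmetic is needed; a secret ending today still counts
# as valid.
secret_expired() {
  end="$(printf '%s' "$1" | cut -c1-10)"
  today="${2:-$(date -u +%Y-%m-%d)}"
  expr "$end" \< "$today" >/dev/null
}

# Usage: draftt_diagnose <client-id> <scope-path>
# Scope path is /subscriptions/<id> or
# /providers/Microsoft.Management/managementGroups/<id>.
draftt_diagnose() {
  app_id="$1"; scope="$2"; status=0

  # "Verify the App Registration exists and has not been deleted."
  if ! az ad app show --id "$app_id" >/dev/null 2>&1; then
    echo "FAIL app registration $app_id not found in this tenant"; return 1
  fi
  echo "ok   app registration exists"

  # "Confirm the client secret has not expired." One endDateTime per secret.
  ends="$(az ad app credential list --id "$app_id" --query '[].endDateTime' -o tsv)"
  [ -n "$ends" ] || { echo "FAIL no client secret on the app"; status=1; }
  for end in $ends; do
    if secret_expired "$end"; then
      echo "FAIL client secret expired on $end"; status=1
    else
      echo "ok   client secret valid until $end"
    fi
  done

  # "Check that the Reader role is assigned at the correct scope." Assignments
  # inherited from a parent management group count, hence --include-inherited.
  roles="$(az role assignment list --assignee "$app_id" --scope "$scope" \
             --include-inherited --query '[].roleDefinitionName' -o tsv)"
  if has_role "$roles" Reader; then
    echo "ok   Reader assigned at $scope"
  else
    echo "FAIL Reader not assigned at $scope"; status=1
  fi

  # Key Vault Reader is optional, but when present it is ignored by vaults on
  # the legacy access-policy model; list those in the current subscription.
  if has_role "$roles" 'Key Vault Reader'; then
    echo "ok   Key Vault Reader assigned at $scope"
    az keyvault list --query '[?properties.enableRbacAuthorization==`false`].name' -o tsv |
      sed 's/^/warn vault uses access policies, RBAC role has no effect: /'
  else
    echo "info Key Vault Reader not assigned (optional)"
  fi
  return "$status"
}

# Runs only when given arguments, e.g.
#   sh draftt-diagnose.sh <client-id> /subscriptions/00000000-0000-0000-0000-000000000000
[ "$#" -eq 0 ] || draftt_diagnose "$@"
```

A non-zero exit means at least one FAIL line was printed, so the script can sit in a scheduled job that warns you before the Draftt dashboard does.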