Skip to content

Connect Azure

ScrinCloud supports Azure connections with Workload identity federation or an approved Service principal. The form also displays Managed identity for administrator review, but that method is not currently an execution-ready ScrinCloud runner path.

Typical time
20–30 minutes
You need
Entra, Azure RBAC, and ScrinCloud admin access
Next step
Test and activate
  1. Open Cloud Accounts and choose Connect Azure.
  2. Set Connection name, Environment, and the minimum Permission level.
  3. Choose Next: Provider access.

Azure 1 of 6 · Screenshot placeholder

Choose the Azure account boundary

Show Account details with a synthetic label, approved environment, and least-privilege Permission level.

Future capture briefDo not show a real tenant, subscription, management group, resource group, organization, or person.
  • Workload identity federation: preferred secret-free method. ScrinCloud exchanges its platform identity for a short-lived Azure token.
  • Service principal: uses an Entra application ID and client secret. The secret is submitted securely, never displayed again, and must have a future expiry.
  • Managed identity: visible for administrator review, but not an execution-ready ScrinCloud runner path. Do not select it for a workflow that needs live execution.

Azure 2 of 6 · Screenshot placeholder

Choose the Azure identity method

Show the Azure identity method selector and the current product notice for the chosen method.

Future capture briefCapture before entering identity values. Do not expose application IDs, tenant IDs, subscription IDs, or secrets.

For Workload identity federation:

  1. open the Azure setup guide;
  2. in Microsoft Entra, add a federated credential to the approved application;
  3. copy the exact Issuer URL, Subject, and Audience shown by the current ScrinCloud setup;
  4. assign scoped Azure RBAC at the approved subscription, resource group, or resource scope; and
  5. return to ScrinCloud.

Federation avoids storing an Azure client secret. Do not reuse the setup values for another application or organization.

Azure 3 of 6 · Screenshot placeholder

Configure the federated credential

Show the three setup-guide stages: Entra federated credential, scoped Azure RBAC, and return to ScrinCloud.

Future capture briefMask Issuer URL, Subject, application ID, tenant ID, subscription ID, and resource scope.

Step 4: Configure the Azure identity fields

Section titled “Step 4: Configure the Azure identity fields”

Enter the approved Client / application ID, Tenant ID, Subscription ID, and Resource scope.

For Service principal, also enter:

  • Client secret; and
  • Client secret expiry, using the exact future expiry from Entra.

The secret is cleared from the form after submission and is never shown again. Store and rotate it through your approved credential process.

Azure 4 of 6 · Screenshot placeholder

Enter the scoped Azure identity

Show the Azure identity fields with masked synthetic values and a subscription or resource-group scope.

Future capture briefNever capture a client secret. Mask application, tenant, subscription, credential expiry, and resource identifiers.
  1. add only approved Allowed regions;
  2. choose all supported services only when policy permits it, or select the required services;
  3. review the authentication method and resource scope; and
  4. choose Connect Azure.

Saving does not activate the connection.

Azure 5 of 6 · Screenshot placeholder

Review Azure access and scope

Show a narrow region and service scope beside the reviewed environment, permission level, and authentication method.

Future capture briefKeep decisions visible but mask every cloud identity and customer resource value.

Choose Test connection, then confirm:

  • the returned tenant, subscription, and application identity are expected;
  • required capability probes pass;
  • credential health is acceptable; and
  • the permission level matches the reviewed role.

Acknowledge the verified identity and choose Activate connection. For a service principal, use Rotate credential before the stored secret expires.

Azure 6 of 6 · Screenshot placeholder

Verify and activate Azure

Show a verified identity review, capability probes, acknowledgement, and activation control.

Future capture briefUse staged data and hide tenant, subscription, application, object, request, and credential identifiers.

The connection should show the intended authentication method and resource scope, Verified identity, healthy required probes, and Active status.

Federation issuer, subject, or audience mismatch

Section titled “Federation issuer, subject, or audience mismatch”

Compare the Entra federated credential with the values in the current setup guide. All three values must match exactly.

Authorization fails after identity succeeds

Section titled “Authorization fails after identity succeeds”

Review the exact Azure RBAC scope and failed action. Identity verification does not mean every requested capability is authorized.

Enter the current secret value and its future expiry. A secret value cannot be recovered from ScrinCloud; rotate it in Entra and ScrinCloud if necessary.

This method is not an execution-ready ScrinCloud runner path. Use an approved federated identity or service principal.

Next: Test and manage cloud accounts.