Azure Integration
Connect OpsCompanion to your Azure subscriptions using Azure Lighthouse delegation or service principal authentication.
Connect your Azure subscriptions to OpsCompanion for infrastructure monitoring and observability.
- Deploy delegation template for simplified access
- Deploy service principal with Terraform module
Setup Methods
OpsCompanion supports multiple ways to connect your Azure subscription:
Azure Lighthouse (Recommended)
Azure Lighthouse provides delegated access without creating credentials in your tenant. This is the simplest and most secure method.
Benefits:
- One-click deployment via Azure Portal
- No credentials to manage in your tenant
- Instant revocation capability
- Full transparency (ARM template review)
Terraform
Automate service principal creation using Infrastructure as Code.
Bash Script
Single-command setup using Azure CLI.
What OpsCompanion Discovers
Compute
- Virtual machines and their configuration
- VM scale sets
- Azure Kubernetes Service (AKS) clusters
- App Services and Function Apps
Storage
- Storage accounts and their configuration
- Managed disks
Databases
- SQL databases and servers
- Cosmos DB accounts
- Azure Database for PostgreSQL/MySQL
Networking
- Virtual networks and subnets
- Network security groups
- Load balancers
- Application gateways
Monitoring
- Azure Monitor metrics
- Log Analytics workspaces
- Application Insights
- Activity logs
How Azure Integration Works
With Lighthouse (Recommended)
- You deploy an ARM template that creates a delegation
- The delegation grants OpsCompanion's service principal read-only access
- You provide your subscription ID to OpsCompanion
- OpsCompanion uses its own credentials to access your delegated subscription
Key advantage: No credentials created or stored in your tenant.
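The "full transparency (ARM template review)" benefit only pays off if someone actually reviews the template before deploying it. The checker below is an added example, not OpsCompanion's template or tooling: it parses a Lighthouse `Microsoft.ManagedServices/registrationDefinitions` resource, resolves an `authorizations` array supplied through a parameter default, and reports any authorization that is not the built-in Reader role or that carries `delegatedRoleDefinitionIds` (which would let the provider assign roles to others). The two templates, the tenant and principal IDs, and the display name are constructed placeholders; the role definition GUIDs are Azure's well-known built-in role IDs.

```python
"""Review a Lighthouse delegation template for read-only scope before deploying it.

Added example, not OpsCompanion's own template or tooling. The templates,
tenant ID, principal ID and display name below are constructed placeholders.
"""
import json
import re

# Azure built-in role definition IDs (well-known constants, not page-specific).
READER_ROLE_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
CONTRIBUTOR_ROLE_ID = "b24988ac-6180-42a0-ab88-20f7382dd24c"
KNOWN_ROLES = {
    READER_ROLE_ID: "Reader",
    CONTRIBUTOR_ROLE_ID: "Contributor",
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}

# Matches an ARM parameter reference such as "[parameters('authorizations')]".
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def _resolve(value, template):
    """Resolve a parameter reference to its defaultValue.
    Returns None when the value is only supplied at deployment time."""
    if isinstance(value, str):
        match = PARAM_REF.match(value.strip())
        if match:
            params = template.get("parameters", {})
            return params.get(match.group(1), {}).get("defaultValue")
    return value


def review_delegation(template_json, allowed_roles=(READER_ROLE_ID,)):
    """Return a list of findings; an empty list means every delegated
    authorization uses an allowed (read-only) role and cannot assign roles."""
    template = json.loads(template_json)
    findings = []
    definitions = [
        r for r in template.get("resources", [])
        if r.get("type", "").lower() == "microsoft.managedservices/registrationdefinitions"
    ]
    if not definitions:
        findings.append("no Microsoft.ManagedServices/registrationDefinitions resource in template")
    for res in definitions:
        props = res.get("properties", {})
        authorizations = _resolve(props.get("authorizations"), template)
        if authorizations is None:
            findings.append("authorizations are supplied at deploy time; review the parameter file too")
            continue
        for auth in authorizations:
            who = auth.get("principalIdDisplayName") or auth.get("principalId", "<unknown principal>")
            role = auth.get("roleDefinitionId", "").lower()
            if role not in allowed_roles:
                findings.append(f"{who}: role {KNOWN_ROLES.get(role, role)} is not read-only")
            if auth.get("delegatedRoleDefinitionIds"):
                findings.append(f"{who}: may assign roles to other principals (delegatedRoleDefinitionIds)")
    return findings


def _constructed_template(role_id):
    """Build a constructed sample delegation template granting one role."""
    return json.dumps({
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "authorizations": {
                "type": "array",
                "defaultValue": [{
                    "principalId": "22222222-2222-2222-2222-222222222222",  # placeholder
                    "principalIdDisplayName": "OpsCompanion monitoring (placeholder)",
                    "roleDefinitionId": role_id,
                }],
            }
        },
        "resources": [{
            "type": "Microsoft.ManagedServices/registrationDefinitions",
            "apiVersion": "2019-09-01",
            "name": "00000000-0000-0000-0000-000000000001",  # placeholder
            "properties": {
                "registrationDefinitionName": "OpsCompanion read-only monitoring",
                "managedByTenantId": "11111111-1111-1111-1111-111111111111",  # placeholder
                "authorizations": "[parameters('authorizations')]",
            },
        }],
    })


READ_ONLY_TEMPLATE = _constructed_template(READER_ROLE_ID)
OVERPRIVILEGED_TEMPLATE = _constructed_template(CONTRIBUTOR_ROLE_ID)

if __name__ == "__main__":
    for label, tpl in (("read-only", READ_ONLY_TEMPLATE), ("overprivileged", OVERPRIVILEGED_TEMPLATE)):
        print(label, review_delegation(tpl) or "OK: Reader only")
```

Run it against the template you downloaded from the portal instead of the constructed samples; a template whose `authorizations` arrive only through a parameter file is reported as such so the parameter file gets the same review.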
With Service Principal (Terraform/Bash)
- You create a service principal with Reader role in your tenant
- You provide the client credentials to OpsCompanion
- OpsCompanion authenticates using those credentials
- No user credentials required
What OpsCompanion Can Access
With Reader permissions, OpsCompanion can view:
- Resource metadata and configuration
- Azure Monitor metrics and logs
- Activity logs
- Cost and billing data
- Resource topology and dependencies
What OpsCompanion Cannot Access
The Reader role explicitly cannot:
- Read secret values from Key Vault
- Access storage account keys or connection strings
- View file contents or database data
- Create, update, or delete resources
- Modify RBAC assignments or policies
- Change billing settings or payment methods
- Start/stop VMs or execute operations
Security and Compliance
Read-Only Access
All setup methods grant Reader permissions only, following the principle of least privilege:
- Cannot modify your infrastructure
- Cannot access secrets or keys
- Cannot change permissions
- All actions logged in Azure Activity Logs
Audit Trail
All OpsCompanion actions are logged in your Azure Activity Log:
```bash
# View OpsCompanion activity
az monitor activity-log list \
  --caller <service-principal-id> \
  --max-events 50 \
  --output table
```
Compliance
- ✓ SOC 2 compliant
- ✓ ISO 27001 compliant
- ✓ GDPR compliant
- ✓ HIPAA eligible (when Azure subscription is HIPAA-compliant)
Constraints
- Reader role permissions only: No write access to resources
- Subscription-scoped: Access limited to subscriptions you explicitly grant
- No secret access: Cannot read Key Vault secrets, storage keys, or connection strings
- Read-only operations: Cannot create, update, delete, or execute actions on resources
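The constraints above are exactly what the Activity Log lets you verify after the fact: every event attributed to the OpsCompanion principal should be a read operation, and nothing should touch keys or secrets. The script below is an added example, not OpsCompanion's own tooling. It takes the JSON that `az monitor activity-log list --output json` produces (the `caller`, `operationName.value` and `status.value` fields), classifies each action as read, write or sensitive, and returns the events that fall outside read-only. The records and the caller ID are constructed placeholders.

```python
"""Verify that a delegated principal only performed read operations.

Added example, not OpsCompanion's own tooling. The input shape mirrors
`az monitor activity-log list --output json`; the records and the caller
ID below are constructed placeholders.
"""
import json
from collections import Counter

# Placeholder for the OpsCompanion service principal as it appears in `caller`.
OPSCOMPANION_CALLER = "33333333-3333-3333-3333-333333333333"

# Actions that return key or secret material. Reader cannot perform them,
# so even a failed attempt is worth a look.
SENSITIVE_MARKERS = ("/listkeys/", "/listconnectionstrings/", "/secrets/")

# Constructed sample output (four events by the delegated principal, one by an admin).
SAMPLE_ACTIVITY_LOG_JSON = json.dumps([
    {"caller": OPSCOMPANION_CALLER, "eventTimestamp": "2024-05-01T10:00:00Z",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/read"},
     "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/sub-placeholder/rg1/vm1"},
    {"caller": OPSCOMPANION_CALLER, "eventTimestamp": "2024-05-01T10:00:05Z",
     "operationName": {"value": "Microsoft.Insights/metrics/read"},
     "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/sub-placeholder/rg1/vm1"},
    {"caller": OPSCOMPANION_CALLER, "eventTimestamp": "2024-05-01T10:01:00Z",
     "operationName": {"value": "Microsoft.Storage/storageAccounts/listKeys/action"},
     "status": {"value": "Failed"}, "resourceId": "/subscriptions/sub-placeholder/rg1/storage1"},
    {"caller": "admin@example.com", "eventTimestamp": "2024-05-01T10:02:00Z",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
     "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/sub-placeholder/rg1/vm1"},
    {"caller": OPSCOMPANION_CALLER, "eventTimestamp": "2024-05-01T10:03:00Z",
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/write"},
     "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/sub-placeholder/rg1/nsg1"},
])


def load_records(json_text):
    """Parse the CLI's JSON output into a list of event dicts."""
    return json.loads(json_text)


def classify_action(action):
    """Classify an ARM operation name: 'read', 'write' or 'sensitive'."""
    a = action.lower() + "/"
    if any(marker in a for marker in SENSITIVE_MARKERS):
        return "sensitive"
    if a.endswith("/read/"):
        return "read"
    return "write"


def audit_caller(records, caller):
    """Return per-class counts for `caller` plus every event that was not a read."""
    counts = Counter()
    flagged = []
    for rec in records:
        if rec.get("caller", "").lower() != caller.lower():
            continue
        action = rec.get("operationName", {}).get("value", "")
        kind = classify_action(action)
        counts[kind] += 1
        if kind != "read":
            flagged.append({
                "time": rec.get("eventTimestamp"),
                "action": action,
                "kind": kind,
                "status": rec.get("status", {}).get("value"),
                "resource": rec.get("resourceId"),
            })
    return {"counts": dict(counts), "flagged": flagged}


if __name__ == "__main__":
    result = audit_caller(load_records(SAMPLE_ACTIVITY_LOG_JSON), OPSCOMPANION_CALLER)
    print(result["counts"])
    for event in result["flagged"]:
        print(f"{event['time']} {event['kind']:9} {event['status']:9} {event['action']}")
```

With real data, pipe `az monitor activity-log list --caller <service-principal-id> --output json` into `load_records`. A `Failed` sensitive event shows the Reader role doing its job (the request was denied); a `Succeeded` write or sensitive event means the principal holds more than Reader somewhere and the role assignments need review.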
Getting Started
Choose your preferred setup method:
- Azure Lighthouse - Recommended for all users
- Terraform - For Infrastructure as Code users
- Bash Script - For quick CLI-based setup