
Entra ID App Registration for Azure

Step-by-step guide to creating an Entra ID App Registration for Aiyoda's Azure discovery capabilities.

v3.5 · Updated 2026
ℹ️ What is this for? To discover Azure data in Aiyoda, you need to register an application in Microsoft Entra ID (formerly Azure Active Directory) and grant it Azure permissions at the tenant level. This gives Aiyoda read-only access to your Azure tenant data without using a user account or password.
6 steps to complete · ~15 minutes to complete · Read-only permissions required
Prerequisites
✅ What You Need Before Starting
Step-by-Step App Registration
Step 1: Navigate to App Registrations

Open the Azure Portal and go to Microsoft Entra ID.

  a. Sign in to portal.azure.com with your admin account.
  b. In the search bar at the top, type "Microsoft Entra ID" and select it.
  c. In the left sidebar, click "App registrations" under the Manage section.
  d. Click the "+ New registration" button at the top of the page.

Step 2: Register the Application

Fill in the app details and create the registration.

  a. Name: enter a meaningful name, e.g. "Aiyoda-Discovery".
  b. Supported account types: select "Accounts in this organizational directory only (Single tenant)".
  c. Redirect URI: leave this blank. Aiyoda uses the client credentials flow, so no user redirect is needed.
  d. Click the "Register" button to create the app.

💡 After registering, you will land on the app's Overview page. Copy and save the Application (client) ID and the Directory (tenant) ID; you will need both for the Aiyoda configuration.
Step 3: Create a Client Secret

Generate the credentials Aiyoda will authenticate with.

  a. In the left sidebar, click "Certificates & secrets" under Manage.
  b. Click "+ New client secret".
  c. Description: enter "Aiyoda Secret" (or similar).
  d. Expires: select an appropriate expiry period; 12 months is recommended.
  e. Click "Add". Immediately copy the secret Value shown, as it will be hidden after you leave this page.

⚠️ Important: Copy the secret Value immediately. Once you navigate away from this page, the full value is hidden and you will need to create a new secret.
Step 4: Assign Reader & Cost Management Reader Roles

Grant subscription-level read access via Management Groups.

  a. In the Azure Portal search bar, type "Management Groups" and select it.
  b. Select "Tenant Root Group" (or the root group of your tenant).
  c. Click "Access Control (IAM)" in the left sidebar, then click "+ Add" → "Add role assignment".
  d. Search for the role, select it, then click "Next". Under Members click "+ Select members", search for your app registration by name (e.g. "Aiyoda-Discovery"), select it, then click "Review + assign".
  e. Repeat for both roles in the table below.

  Role                   | Type     | Purpose
  -----------------------|----------|-----------------------------------------------
  Reader                 | Built-in | Read all Azure resources across subscriptions
  Cost Management Reader | Built-in | Read cost and usage data across subscriptions

💡 Scope matters: Assigning at the Tenant Root Group level automatically applies to all child management groups and subscriptions, so you only need to do this once.
Step 5: Assign Reservations Reader Role

Grant access to Reserved Instance data — this must be done via the Reservations blade, not Management Groups.

Why a separate step? Reserved Instances sit under Microsoft.Capacity — a tenant-level provider scope that is not covered by Management Group IAM. The Reservations Reader role must be assigned directly inside the Reservations blade.

  a. In the Azure Portal search bar, type "Reservations" and select it.
  b. Click on any reservation in the list to open it.
  c. In the left sidebar, click "Access Control (IAM)".
  d. Click "+ Add" → "Add role assignment".
  e. Search for "Reservations Reader", select it, then click "Next".
  f. Under Members click "+ Select members", search for your app registration (e.g. "Aiyoda-Discovery"), select it, then click "Review + assign".
  g. Repeat for each reservation order if you need to grant per-order access, or use the PowerShell method below to assign it at the full capacity scope in one step.

Alternative: Assign via PowerShell (covers all reservations at once)

  # Get the service principal Object ID for your app registration
  $sp = Get-AzADServicePrincipal -ApplicationId "<your-app-client-id>"

  # Assign Reservations Reader at the full Microsoft.Capacity scope
  New-AzRoleAssignment `
      -ObjectId $sp.Id `
      -RoleDefinitionName "Reservations Reader" `
      -Scope "/providers/Microsoft.Capacity"
⚠️ Propagation delay: Role assignments can take up to 5 minutes to propagate. If you still receive a 403 error after assigning the role, wait a few minutes and retry the collection.
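Before moving on to Step 6, it is worth confirming that the three role assignments from Steps 4 and 5 actually exist and that the secret from Step 3 is not about to expire. The following PowerShell check is an added example, not part of the Aiyoda guide; it assumes the Az.Accounts and Az.Resources modules, an existing Connect-AzAccount session with rights to read role assignments, and that Get-AzADAppCredential exposes an EndDateTime property (Az.Resources 5 or later).

```powershell
# Added example, not from the Aiyoda guide: verify the RBAC setup from Steps 4 and 5
# and the client secret lifetime from Step 3 for one app registration.
# Assumes Az.Accounts + Az.Resources are installed and Connect-AzAccount has been run.
param(
    [Parameter(Mandatory)] [string] $AppClientId   # Application (client) ID from the app Overview page
)

$sp = Get-AzADServicePrincipal -ApplicationId $AppClientId
if (-not $sp) { throw "No service principal found for application $AppClientId" }

# Step 4 scope: the Tenant Root Group, whose management group ID is the tenant ID
$tenantId      = (Get-AzContext).Tenant.Id
$rootScope     = "/providers/Microsoft.Management/managementGroups/$tenantId"
# Step 5 scope: the reservations provider, as used by the PowerShell alternative
$capacityScope = "/providers/Microsoft.Capacity"

$expected = @(
    @{ Role = "Reader";                 Scope = $rootScope },
    @{ Role = "Cost Management Reader"; Scope = $rootScope },
    @{ Role = "Reservations Reader";    Scope = $capacityScope }
)

$missing = 0
foreach ($e in $expected) {
    # Filter on Scope as well, so an assignment inherited from elsewhere is not mistaken for a direct one
    $found = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $e.Scope |
        Where-Object { $_.RoleDefinitionName -eq $e.Role -and $_.Scope -eq $e.Scope }
    if ($found) { Write-Host "OK       $($e.Role) at $($e.Scope)" }
    else        { Write-Host "MISSING  $($e.Role) at $($e.Scope)"; $missing++ }
}

# Step 3: flag secrets that have expired or expire within 30 days (EndDateTime property assumed; Az.Resources 5+)
foreach ($cred in Get-AzADAppCredential -ApplicationId $AppClientId) {
    $daysLeft = [int]($cred.EndDateTime - (Get-Date)).TotalDays
    if ($daysLeft -lt 0)      { Write-Host "EXPIRED  secret $($cred.KeyId) expired $(-$daysLeft) day(s) ago" }
    elseif ($daysLeft -le 30) { Write-Host "WARNING  secret $($cred.KeyId) expires in $daysLeft day(s)" }
    else                      { Write-Host "OK       secret $($cred.KeyId) valid for $daysLeft more day(s)" }
}

if ($missing -gt 0) {
    Write-Warning "$missing role assignment(s) missing; re-run Step 4 or Step 5 and allow ~5 minutes to propagate."
}
```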
Step 6: Configure Aiyoda with Your App Details

Enter the details into the Aiyoda portal.

In the Aiyoda portal, navigate to the Horizon Azure API configuration and enter the following values collected from the previous steps:

  Tenant ID     : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx   // From App Overview → Directory (tenant) ID
  Client ID     : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx   // From App Overview → Application (client) ID
  Client Secret : your-secret-value-here                 // From Certificates & secrets → Value

  a. Log in to the Aiyoda Portal and navigate to Horizon → Azure Api.
  b. Paste your Tenant ID, Client ID, and Client Secret into the respective fields.
  c. Click "Test Connection" to verify that Aiyoda can authenticate successfully.
  d. Once the connection test passes, you can run an Azure Discovery.

✅ Success indicator: After a successful connection test you are now ready to scan your Azure environment.
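If "Test Connection" fails, it helps to reproduce outside the portal what such a test has to do: obtain a token with the client credentials flow (the flow named in Step 2c) and read through Azure Resource Manager with it. The script below is an added example and not Aiyoda's own code; it uses only Invoke-RestMethod, and the two ARM api-version values are assumed to be current.

```powershell
# Added example, not Aiyoda's own code: reproduce a "Test Connection" by obtaining a token
# with the client credentials flow and reading through Azure Resource Manager (ARM) with it.
# Uses only Invoke-RestMethod; no Az modules are required.
param(
    [Parameter(Mandatory)] [string] $TenantId,      # Directory (tenant) ID
    [Parameter(Mandatory)] [string] $ClientId,      # Application (client) ID
    [Parameter(Mandatory)] [string] $ClientSecret   # Secret Value; read it from a vault, never hard-code it
)

# 1. Client credentials grant on the tenant-specific v2.0 token endpoint.
#    The .default scope requests an ARM token; no user and no redirect URI are involved (Step 2c).
try {
    $token = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -ContentType "application/x-www-form-urlencoded" `
        -Body @{
            grant_type    = "client_credentials"
            client_id     = $ClientId
            client_secret = $ClientSecret
            scope         = "https://management.azure.com/.default"
        }
} catch {
    # A failure here is an identity problem (wrong tenant/client ID, expired secret), not an RBAC one
    throw "Token request failed: $($_.Exception.Message)"
}
$headers = @{ Authorization = "Bearer $($token.access_token)" }

# 2. Read-only calls that exercise the roles from Steps 4 and 5 (api-version values assumed current).
$checks = @(
    @{ Name = "Reader";              Uri = "https://management.azure.com/subscriptions?api-version=2020-01-01" },
    @{ Name = "Reservations Reader"; Uri = "https://management.azure.com/providers/Microsoft.Capacity/reservationOrders?api-version=2022-11-01" }
)
foreach ($c in $checks) {
    try {
        $r = Invoke-RestMethod -Method Get -Uri $c.Uri -Headers $headers
        if ($r.value.Count -eq 0) {
            # ARM often answers a list the caller has no role for with an empty result rather than 403
            Write-Host "WARN $($c.Name): token accepted but nothing visible; role probably not assigned yet"
        } else {
            Write-Host "OK   $($c.Name): $($r.value.Count) item(s) visible"
        }
    } catch {
        $code = [int]$_.Exception.Response.StatusCode
        $hint = switch ($code) {
            401     { "token rejected by ARM; check the tenant ID and that the secret is current" }
            403     { "authenticated but no role at this scope; re-check Step 4 / Step 5 and allow ~5 minutes to propagate" }
            default { "unexpected HTTP status $code" }
        }
        Write-Host "FAIL $($c.Name): $hint"
    }
}
```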
Security Best Practices
Keeping Your App Secure
  • Rotate secrets regularly — Set calendar reminders before expiry (12 months recommended)
  • Limit permissions — Only grant the permissions listed above, nothing more
  • Store secrets securely — Never store the client secret in plain text or source control
  • Monitor sign-ins — Review the app's sign-in logs in Entra ID periodically
  • Dedicated app — Use a dedicated registration for Aiyoda only
Troubleshooting Common Issues
  • 401 Unauthorized — Check that admin consent was granted for all permissions
  • 403 Forbidden on Reservations — Reservations Reader must be assigned via the Reservations blade IAM, not Management Groups (see Step 5)
  • 403 Forbidden on other resources — Check Reader / Cost Management Reader are assigned at Tenant Root Group level (Step 4)
  • Secret expired — Create a new client secret and update Aiyoda config
  • Invalid tenant — Verify the Tenant ID matches your M365 directory
  • Consent not granted — Global Admin must approve permissions in Entra ID