Azure Management
Overview
The Microsoft Azure Management connector enables your Leena AI Agents to integrate with Azure Resource Manager (ARM), facilitating automated management of Azure role-based access control (RBAC) across your subscriptions.
Microsoft Azure Management (Azure Resource Manager) is the deployment and management layer of Azure that lets you manage resources and access at scale. The Azure Management connector allows Leena AI to list subscriptions, role definitions and role assignments, and grant or revoke a principal's access to a subscription — all through a service principal, without manual portal work.
API Details
Leena AI integrates with Microsoft Azure Management via REST APIs (Azure Resource Manager).
Documentation link: https://learn.microsoft.com/en-us/rest/api/azure/
Setup
The Azure Management connector uses OAuth 2.0 authentication with the client-credentials (service principal) grant type. A token is minted for the Azure Resource Manager scope (https://management.azure.com/.default) using a Microsoft Entra ID app registration's Tenant ID, Client ID and Client Secret.
Prerequisites
Before setting up the Azure Management connector, ensure you have:
- An Azure account with an active subscription
- Permission to register applications in Microsoft Entra ID
- Permission to assign roles on the target subscription(s) — the service principal must be granted an RBAC role such as User Access Administrator or Owner to manage role assignments (a Reader-level role is sufficient for the read-only actions)
- Access to your Leena AI workspace with connector management permissions
Get credentials
Here is how to create a Microsoft Entra ID app registration and client secret:
- Sign in to the Azure portal (https://portal.azure.com) as an administrator.
- Register an application:
- Search for and open Microsoft Entra ID
- Go to App registrations > + New registration
- Enter a Name for the application
- Select the supported account types
- Click Register
- Note the identifiers:
- On the app's Overview page, copy the Application (client) ID
- Copy the Directory (tenant) ID
- Create a client secret:
- Go to Certificates & secrets > Client secrets > + New client secret
- Add a description and choose an expiry
- Click Add, then copy the secret Value immediately (it is displayed only once — copy the value, not the secret ID)
- Grant the app RBAC access on the subscription:
- Go to Subscriptions and select the target subscription
- Open Access control (IAM) > + Add > Add role assignment
- Select a role (e.g. User Access Administrator or Owner to manage assignments; Reader for read-only usage)
- Assign access to the app registration's service principal (search by the application name)
- Review and assign
Add connection
Here is how to add a connection on Leena AI:
- Log in to your Leena AI workspace
- Navigate to Settings > Integrations
- Search for "Microsoft Azure Management" and select it from the list to add its new connector
- Start configuring the connector
- Auth Type: Select Service Principal (Client Secret)
- Tenant ID: Directory (tenant) ID of the Entra ID app registration
- Client ID: Application (client) ID of the Entra ID app registration
- Client Secret: The client secret value generated under the app registration
- ARM Base URL: Azure Resource Manager endpoint (Pre-filled with
https://management.azure.com; change only for sovereign clouds such as Azure Government or China) - ARM Scope: OAuth scope used to mint the ARM token (Pre-filled with
https://management.azure.com/.default) - Subscriptions API Version: Azure api-version for the Subscriptions endpoint (Pre-filled with
2025-03-01) - Authorization API Version: Azure api-version for role definitions and role assignments (Pre-filled with
2022-04-01) - Resource Graph Path: ARM path for the Azure Resource Graph query endpoint that backs the searchable dropdowns (Pre-filled with
providers/Microsoft.ResourceGraph/resources) - Resource Graph API Version: Azure api-version for the Resource Graph query endpoint (Pre-filled with
2022-10-01)
- Save the connector. Leena AI validates the credentials by making a lightweight call to the ARM endpoint; a successful test confirms the connection is working.
Actions
The following actions are supported for the Azure Management connector:
Subscriptions: List subscriptions
Lists Azure subscriptions accessible to the service principal. The Agent can leverage the skill (workflow), which has been designed to retrieve the subscriptions a connection can access — typically as the first step before listing roles or managing access.
Input Parameters
This action requires no input parameters.
Response
The action returns a list of subscriptions, each containing:
- Subscription ID
- Display name
- State
- Tenant ID
Roles: List role definitions
Lists role definitions available in a subscription. The Agent can leverage the skill (workflow), which has been designed to look up the roles (built-in or custom) that can be assigned within a subscription. Here are some common use cases:
- Find a role ID: Look up the role definition ID for a role such as Reader or Contributor before granting access
- Audit custom roles: List custom roles defined in a subscription
- Filter built-in roles: Retrieve only built-in roles
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| Subscription | The subscription to list role definitions from |
Optional
| Name | Description |
|---|---|
| Filter (OData) | Optional OData $filter to narrow the role definitions — e.g. type eq 'BuiltInRole' or roleName eq 'Reader' |
Here is a sample JSON input:
{
"subscriptionId": "00000000-0000-0000-0000-000000000000",
"filter": "type eq 'BuiltInRole'"
}Response
The action returns a list of role definitions, each containing:
- Role definition ID
- Role name
- Type (BuiltInRole or CustomRole)
- Description
- Permissions (allowed and denied actions)
Roles: List role assignments
Lists role assignments in a subscription. The Agent can leverage the skill (workflow), which has been designed to review who has access to a subscription and with which roles. Here are some common use cases:
- Access review: List all role assignments on a subscription
- Per-principal audit: Find the roles assigned to a specific user, group or service principal
- Direct vs inherited: Distinguish direct assignments from group-inherited access
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| Subscription | The subscription to list role assignments from |
Optional
| Name | Description |
|---|---|
| Filter by | How to narrow the results, options: • All assignments • At this subscription only • For a specific principal (direct) • For a principal (incl. group-inherited) • Custom (raw $filter) |
| Principal | The principal to filter assignments by (shown when Filter by is set to a principal option) |
| Raw filter (OData) | A raw Azure OData $filter for aggregate/combined filters — e.g. atScope() and assignedTo('{objectId}') (used only when Filter by is Custom) |
Here is a sample JSON input:
{
"subscriptionId": "00000000-0000-0000-0000-000000000000",
"filterType": "assignedTo",
"principalId": "11111111-1111-1111-1111-111111111111"
}Response
The action returns a list of role assignments, each containing:
- Role assignment ID
- Principal ID
- Role definition ID
- Scope
Access: Grant role to principal
Assigns a role to a principal on a subscription. The Agent can leverage the skill (workflow), which has been designed to grant a user, group or service principal access to a subscription with a chosen role, once the user provides the required details. Here are some common use cases:
- Onboard access: Grant a new team member the Reader or Contributor role on a subscription
- Elevate access: Assign an owner or administrator role to a principal
- Automated provisioning: Grant access as part of an access-request workflow
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| Subscription | The subscription on which the role will be granted |
| Role | The role to assign (accepts a role definition GUID or a fully-qualified role definition ID) |
| Principal (object ID) | The object ID of the user, group or service principal to grant the role to |
Here is a sample JSON input:
{
"subscriptionId": "00000000-0000-0000-0000-000000000000",
"roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
"principalId": "11111111-1111-1111-1111-111111111111"
}Response
Upon successful assignment, the action returns the created role assignment details including:
- Role assignment ID
- Principal ID
- Role definition ID
- Scope
Access: Revoke role from principal
Removes a role assignment from a subscription. The Agent can leverage the skill (workflow), which has been designed to revoke a principal's existing access, once the user specifies the role assignment to remove. Here are some common use cases:
- Offboard access: Remove a departing team member's access from a subscription
- Reduce standing access: Revoke elevated roles that are no longer needed
- Automated deprovisioning: Remove access as part of an access-revocation workflow
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| Subscription | The subscription containing the role assignment |
| Role assignment | The existing role assignment to revoke |
Here is a sample JSON input:
{
"subscriptionId": "00000000-0000-0000-0000-000000000000",
"roleAssignmentId": "22222222-2222-2222-2222-222222222222"
}Response
Upon successful removal, the action returns confirmation of the revoked role assignment, including:
- Role assignment ID
- Principal ID
- Role definition ID
- Scope
Updated about 12 hours ago
