Azure Management

Overview

The Microsoft Azure Management connector enables your Leena AI Agents to integrate with Azure Resource Manager (ARM), facilitating automated management of Azure role-based access control (RBAC) across your subscriptions.

Microsoft Azure Management (Azure Resource Manager) is the deployment and management layer of Azure that lets you manage resources and access at scale. The Azure Management connector allows Leena AI to list subscriptions, role definitions and role assignments, and grant or revoke a principal's access to a subscription — all through a service principal, without manual portal work.

API Details

Leena AI integrates with Microsoft Azure Management via REST APIs (Azure Resource Manager).

Documentation link: https://learn.microsoft.com/en-us/rest/api/azure/

Setup

The Azure Management connector uses OAuth 2.0 authentication with the client-credentials (service principal) grant type. A token is minted for the Azure Resource Manager scope (https://management.azure.com/.default) using a Microsoft Entra ID app registration's Tenant ID, Client ID and Client Secret.

Prerequisites

Before setting up the Azure Management connector, ensure you have:

  • An Azure account with an active subscription
  • Permission to register applications in Microsoft Entra ID
  • Permission to assign roles on the target subscription(s) — the service principal must be granted an RBAC role such as User Access Administrator or Owner to manage role assignments (a Reader-level role is sufficient for the read-only actions)
  • Access to your Leena AI workspace with connector management permissions

Get credentials

Here is how to create a Microsoft Entra ID app registration and client secret:

  1. Sign in to the Azure portal (https://portal.azure.com) as an administrator.
  2. Register an application:
    1. Search for and open Microsoft Entra ID
    2. Go to App registrations > + New registration
    3. Enter a Name for the application
    4. Select the supported account types
    5. Click Register
  3. Note the identifiers:
    1. On the app's Overview page, copy the Application (client) ID
    2. Copy the Directory (tenant) ID
  4. Create a client secret:
    1. Go to Certificates & secrets > Client secrets > + New client secret
    2. Add a description and choose an expiry
    3. Click Add, then copy the secret Value immediately (it is displayed only once — copy the value, not the secret ID)
  5. Grant the app RBAC access on the subscription:
    1. Go to Subscriptions and select the target subscription
    2. Open Access control (IAM) > + Add > Add role assignment
    3. Select a role (e.g. User Access Administrator or Owner to manage assignments; Reader for read-only usage)
    4. Assign access to the app registration's service principal (search by the application name)
    5. Review and assign

Add connection

Here is how to add a connection on Leena AI:

  1. Log in to your Leena AI workspace
  2. Navigate to Settings > Integrations
  3. Search for "Microsoft Azure Management" and select it from the list to add its new connector
  4. Start configuring the connector
    1. Auth Type: Select Service Principal (Client Secret)
    2. Tenant ID: Directory (tenant) ID of the Entra ID app registration
    3. Client ID: Application (client) ID of the Entra ID app registration
    4. Client Secret: The client secret value generated under the app registration
    5. ARM Base URL: Azure Resource Manager endpoint (Pre-filled with https://management.azure.com; change only for sovereign clouds such as Azure Government or China)
    6. ARM Scope: OAuth scope used to mint the ARM token (Pre-filled with https://management.azure.com/.default)
    7. Subscriptions API Version: Azure api-version for the Subscriptions endpoint (Pre-filled with 2025-03-01)
    8. Authorization API Version: Azure api-version for role definitions and role assignments (Pre-filled with 2022-04-01)
    9. Resource Graph Path: ARM path for the Azure Resource Graph query endpoint that backs the searchable dropdowns (Pre-filled with providers/Microsoft.ResourceGraph/resources)
    10. Resource Graph API Version: Azure api-version for the Resource Graph query endpoint (Pre-filled with 2022-10-01)
  5. Save the connector. Leena AI validates the credentials by making a lightweight call to the ARM endpoint; a successful test confirms the connection is working.

Actions

The following actions are supported for the Azure Management connector:

Subscriptions: List subscriptions

Lists Azure subscriptions accessible to the service principal. The Agent can leverage the skill (workflow), which has been designed to retrieve the subscriptions a connection can access — typically as the first step before listing roles or managing access.

Input Parameters

This action requires no input parameters.

Response

The action returns a list of subscriptions, each containing:

  • Subscription ID
  • Display name
  • State
  • Tenant ID

Roles: List role definitions

Lists role definitions available in a subscription. The Agent can leverage the skill (workflow), which has been designed to look up the roles (built-in or custom) that can be assigned within a subscription. Here are some common use cases:

  • Find a role ID: Look up the role definition ID for a role such as Reader or Contributor before granting access
  • Audit custom roles: List custom roles defined in a subscription
  • Filter built-in roles: Retrieve only built-in roles

Input Parameters

Here are the input parameters required to set up this action:

Mandatory

NameDescription
SubscriptionThe subscription to list role definitions from

Optional

NameDescription
Filter (OData)Optional OData $filter to narrow the role definitions — e.g. type eq 'BuiltInRole' or roleName eq 'Reader'

Here is a sample JSON input:

{
  "subscriptionId": "00000000-0000-0000-0000-000000000000",
  "filter": "type eq 'BuiltInRole'"
}

Response

The action returns a list of role definitions, each containing:

  • Role definition ID
  • Role name
  • Type (BuiltInRole or CustomRole)
  • Description
  • Permissions (allowed and denied actions)

Roles: List role assignments

Lists role assignments in a subscription. The Agent can leverage the skill (workflow), which has been designed to review who has access to a subscription and with which roles. Here are some common use cases:

  • Access review: List all role assignments on a subscription
  • Per-principal audit: Find the roles assigned to a specific user, group or service principal
  • Direct vs inherited: Distinguish direct assignments from group-inherited access

Input Parameters

Here are the input parameters required to set up this action:

Mandatory

NameDescription
SubscriptionThe subscription to list role assignments from

Optional

NameDescription
Filter byHow to narrow the results, options:
All assignments
At this subscription only
For a specific principal (direct)
For a principal (incl. group-inherited)
Custom (raw $filter)
PrincipalThe principal to filter assignments by (shown when Filter by is set to a principal option)
Raw filter (OData)A raw Azure OData $filter for aggregate/combined filters — e.g. atScope() and assignedTo('{objectId}') (used only when Filter by is Custom)

Here is a sample JSON input:

{
  "subscriptionId": "00000000-0000-0000-0000-000000000000",
  "filterType": "assignedTo",
  "principalId": "11111111-1111-1111-1111-111111111111"
}

Response

The action returns a list of role assignments, each containing:

  • Role assignment ID
  • Principal ID
  • Role definition ID
  • Scope

Access: Grant role to principal

Assigns a role to a principal on a subscription. The Agent can leverage the skill (workflow), which has been designed to grant a user, group or service principal access to a subscription with a chosen role, once the user provides the required details. Here are some common use cases:

  • Onboard access: Grant a new team member the Reader or Contributor role on a subscription
  • Elevate access: Assign an owner or administrator role to a principal
  • Automated provisioning: Grant access as part of an access-request workflow

Input Parameters

Here are the input parameters required to set up this action:

Mandatory

NameDescription
SubscriptionThe subscription on which the role will be granted
RoleThe role to assign (accepts a role definition GUID or a fully-qualified role definition ID)
Principal (object ID)The object ID of the user, group or service principal to grant the role to

Here is a sample JSON input:

{
  "subscriptionId": "00000000-0000-0000-0000-000000000000",
  "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "principalId": "11111111-1111-1111-1111-111111111111"
}

Response

Upon successful assignment, the action returns the created role assignment details including:

  • Role assignment ID
  • Principal ID
  • Role definition ID
  • Scope

Access: Revoke role from principal

Removes a role assignment from a subscription. The Agent can leverage the skill (workflow), which has been designed to revoke a principal's existing access, once the user specifies the role assignment to remove. Here are some common use cases:

  • Offboard access: Remove a departing team member's access from a subscription
  • Reduce standing access: Revoke elevated roles that are no longer needed
  • Automated deprovisioning: Remove access as part of an access-revocation workflow

Input Parameters

Here are the input parameters required to set up this action:

Mandatory

NameDescription
SubscriptionThe subscription containing the role assignment
Role assignmentThe existing role assignment to revoke

Here is a sample JSON input:

{
  "subscriptionId": "00000000-0000-0000-0000-000000000000",
  "roleAssignmentId": "22222222-2222-2222-2222-222222222222"
}

Response

Upon successful removal, the action returns confirmation of the revoked role assignment, including:

  • Role assignment ID
  • Principal ID
  • Role definition ID
  • Scope


Did this page help you?