---
title: Onboarding Azure accounts
description: When an Azure subscription is added to PingOne Privilege, its resources are automatically discovered and can be managed for just-in-time developer access.
component: privilege
page_id: privilege:configuration:cloud-accounts/azure
canonical_url: https://docs.pingidentity.com/privilege/configuration/cloud-accounts/azure.html
revdate: May 4, 2026
section_ids:
  step-1-create-the-connector-app-in-azure: "Step 1: Create the Connector App in Azure"
  step-2-assign-required-roles: "Step 2: Assign Required Roles"
  step-3-grant-api-permissions: "Step 3: Grant API Permissions"
  step-4-add-the-azure-account-to-pingone-privilege: "Step 4: Add the Azure Account to PingOne Privilege"
  validation: Validation
---

# Onboarding Azure accounts

Onboarding an Azure subscription allows PingOne Privilege to automatically discover its resources and manage them for just-in-time access. The process involves creating a connector application in Azure, assigning it the necessary permissions, and then adding the account to PingOne Privilege.

## Step 1: Create the Connector App in Azure

First, create an Azure App Registration to act as a service principal.

1. In the Azure Portal, go to **Azure Active Directory > App Registrations** and select **New registration**.

2. Name the application (e.g., `ProcyonConnectorApp`) and click **Register**.

3. From the application's **Overview** page, copy and save the **Application (client) ID** and the **Directory (tenant) ID**. You will need these later.

4. Go to **Certificates & secrets** and select **New client secret**.

5. Provide a description, set an expiration period, and click **Add**.

6. Immediately copy and save the secret's **Value**. This is the **App Key** you will need later.

   **Note:** The client secret value is only displayed once. If you lose it, you must create a new one.

## Step 2: Assign Required Roles

For each Azure subscription you intend to manage, you must assign the `ProcyonConnectorApp` several roles.

1. In the Azure portal, navigate to the target **Subscription** and select **Access control (IAM)**.

2. Select **Add > Add role assignment**.

3. On the **Role** tab, find and select the role. For privileged roles, you must first select the **Privileged administrator roles** tab.

4. On the **Members** tab, click **+ Select members**, search for your `ProcyonConnectorApp`, and select it.

5. Click **Review + assign** to complete the assignment.

6. Repeat this process to assign the following roles:

   * `Reader`

   * `User Access Administrator` (Privileged role)

   * `Azure Kubernetes Service Cluster Admin Role`

   * `Azure Kubernetes Service RBAC Cluster Admin`

## Step 3: Grant API Permissions

Next, grant the `ProcyonConnectorApp` the necessary Microsoft Graph API permissions.

1. In the Azure portal, go to **Azure Active Directory > App Registrations** and select your `ProcyonConnectorApp`.

2. In the sidebar, select **API permissions**.

3. Click **+ Add a permission**, select **Microsoft Graph**, and then choose **Application permissions**.

4. Search for and add the following permissions:

   ```text
   Application.ReadWrite.OwnedBy
   Directory.Read.All
   Domain.ReadWrite.All
   IdentityProvider.ReadWrite.All
   RoleManagement.ReadWrite.Directory
   User.ReadWrite.All
   ```

5. After adding the permissions, click **Grant admin consent for \<Your Directory>**.

6. Verify that all permissions have a green checkmark in the **Status** column.

## Step 4: Add the Azure Account to PingOne Privilege

Finally, use the credentials from the `ProcyonConnectorApp` to add the account to PingOne Privilege.

1. In the PingOne Privilege admin console, go to **Cloud > Clouds**.

2. Click **Add Account Wizard** and select the **Azure** icon.

3. Enter a **Name** and **Description** for the account. Click **Next**.

4. (Optional) Adjust the SAML and guest user settings if needed. Click **Next**.

5. Enter the **Tenant ID**, **App ID**, and **App Key** that you recorded earlier. Click **Next**.

6. Verify the details and click **Verify & Add Account**.

## Validation

After adding the account, go to the **Cloud > Clouds** page in the PingOne Privilege admin console. Your new Azure account should be listed with a "Verified" status. You can click on the account to see the discovered resources.
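As an added example (not part of the Ping Identity documentation or product), the following Python script validates the connector app from the Azure side: it compares the service principal's subscription-scope role assignments against the list in Step 2, reports missing and unexpected roles, and flags client secrets nearing expiry. It assumes the JSON shape of `az role assignment list --assignee <appId> --all -o json` and `az ad app credential list --id <appId> -o json`; the sample output, subscription ID and dates below are constructed placeholders.

```python
"""Post-onboarding checks for the PingOne Privilege Azure connector app:
missing or extra subscription roles, and client secrets nearing expiry."""
import json
from datetime import datetime, timedelta, timezone

# Subscription-scope roles the onboarding procedure (Step 2) assigns.
REQUIRED_ROLES = {
    "Reader",
    "User Access Administrator",
    "Azure Kubernetes Service Cluster Admin Role",
    "Azure Kubernetes Service RBAC Cluster Admin",
}

def check_role_assignments(assignments, subscription_id):
    """Return (missing, extra) role names at exactly the subscription scope."""
    scope = f"/subscriptions/{subscription_id}".lower()
    found = {a["roleDefinitionName"] for a in assignments
             if a["scope"].lower() == scope}
    return sorted(REQUIRED_ROLES - found), sorted(found - REQUIRED_ROLES)

def expiring_secrets(credentials, now, grace_days=30):
    """Return display names of secrets already expired or expiring within grace_days."""
    cutoff = now + timedelta(days=grace_days)
    # Graph returns ISO 8601 with a trailing 'Z'; fromisoformat needs an explicit offset.
    return [c["displayName"] for c in credentials
            if datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00")) <= cutoff]

# Constructed sample in the shape of `az role assignment list` output (placeholder subscription ID).
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_ASSIGNMENTS = json.loads(f"""[
 {{"roleDefinitionName": "Reader", "scope": "/subscriptions/{SUBSCRIPTION_ID}", "principalType": "ServicePrincipal"}},
 {{"roleDefinitionName": "User Access Administrator", "scope": "/subscriptions/{SUBSCRIPTION_ID}", "principalType": "ServicePrincipal"}},
 {{"roleDefinitionName": "Azure Kubernetes Service Cluster Admin Role", "scope": "/subscriptions/{SUBSCRIPTION_ID}", "principalType": "ServicePrincipal"}},
 {{"roleDefinitionName": "Owner", "scope": "/subscriptions/{SUBSCRIPTION_ID}", "principalType": "ServicePrincipal"}}
]""")

# Constructed sample in the shape of `az ad app credential list` output.
SAMPLE_CREDENTIALS = json.loads("""[
 {"displayName": "pingone-privilege", "endDateTime": "2026-06-01T00:00:00Z"},
 {"displayName": "rotation-2026", "endDateTime": "2027-05-01T00:00:00Z"}
]""")
AS_OF = datetime(2026, 5, 4, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible

if __name__ == "__main__":
    missing, extra = check_role_assignments(SAMPLE_ASSIGNMENTS, SUBSCRIPTION_ID)
    print("missing roles:", missing)    # ['Azure Kubernetes Service RBAC Cluster Admin']
    print("unexpected roles:", extra)   # ['Owner']
    print("secrets expiring within 30 days:", expiring_secrets(SAMPLE_CREDENTIALS, AS_OF))  # ['pingone-privilege']
```

An unexpected role such as `Owner` in the output means the connector holds more than the documented set and should be reviewed; a flagged secret means a new client secret must be created and re-entered as the **App Key** before the old one expires.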
