Skip to main content

Overview

This guide walks you through creating a Microsoft Entra service principal to enable the Antimetal integration for Azure. Once connected, Antimetal can investigate incidents across App Service, Azure SQL (Database, Elastic Pool, and Managed Instance), Storage, Service Bus, Function Apps, AKS, Container Apps, Cosmos DB, MySQL, PostgreSQL, Redis, Event Hubs, Data Explorer, and Application Insights. It queries Log Analytics (KQL), Azure Monitor metrics, Resource Health, and the Activity Log to correlate symptoms with configuration changes and deployment events.

Set up in Antimetal

Go to the Azure integration setup in the Antimetal dashboard.

Prerequisites

  • An Azure subscription you want to monitor
  • Permission to register applications in Microsoft Entra ID
  • Permission to assign roles on the target subscription (Owner or User Access Administrator)

Setup

1

Register an application in Entra ID

  1. Go to the Azure Portal
  2. Navigate to Microsoft Entra ID > App registrations
  3. Click + New registration
  4. Fill in:
    • Name: antimetal-monitoring
    • Supported account types: Accounts in this organizational directory only
  5. Click Register
  6. On the overview page, copy the Application (client) ID and Directory (tenant) ID
2

Create a client secret

  1. In the app registration, go to Certificates & secrets
  2. Click + New client secret, set a description and expiration
  3. Click Add
  4. Copy the secret Value immediately
The secret value is only shown once. Copy it before leaving the page.
3

Assign the Reader role on your subscription

For each subscription you want to monitor:
  1. Navigate to Subscriptions and open the target subscription
  2. Go to Access control (IAM)
  3. Click + Add > Add role assignment
  4. Select the Reader role, then click Next
  5. Under Members, select User, group, or service principal, click + Select members
  6. Search for antimetal-monitoring, select it, click Select
  7. Click Review + assign, then Review + assign again to confirm
  8. Copy the Subscription ID from the subscription overview

Configure the Antimetal integration

  1. Navigate to the Antimetal Azure integration page
  2. Paste the Tenant ID, Client ID, Client Secret, and (optional) default Subscription ID
  3. Click Connect

Permissions and Access

Antimetal uses a read-only service principal scoped to the subscriptions you select. No write, delete, or configuration changes are performed in your Azure environment.
RoleScopeAccess
ReaderSelected subscriptionsStandard Azure built-in role. Grants */read across the subscription — view all resources and their configuration, but no data-plane access (no Key Vault secrets, no Storage blob contents, no database rows) and no mutations.
Antimetal uses this access to list resources, read configuration and deployment state, query Azure Monitor metrics and Log Analytics (KQL), and read the Activity Log. Queries against databases (SQL, Cosmos, MySQL, PostgreSQL, Data Explorer) and Storage blob contents are only available if you separately grant the corresponding data-plane roles — Reader alone does not enable them.
If a Log Analytics workspace uses workspace-level access control mode (default for workspaces created before March 2019), additionally assign the Log Analytics Reader role at the workspace level. Workspaces created after March 2019 default to resource-context mode and do not require this.
Credentials are stored encrypted and rotated per your Entra app’s secret expiration policy. Revoke access at any time by deleting the antimetal-monitoring app registration or removing its role assignments.