# Microsoft Azure

Veza connects to Azure tenants using an App Registration granted read-only permissions for the Microsoft Graph API. You will need an app client ID, client secret, and the Azure tenant ID to enable the connection in Veza.

Adding an Azure tenant will parse all its services, including Azure AD as an Identity Provider (IdP), and [Microsoft SharePoint Online](/4yItIzMvkpAvMVFAamTf/integrations/integrations/sharepoint.md) as an additional data source.

See [Notes & Supported Entities](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure/azure-info.md) for more details and supported Microsoft services.

### Supported services

Veza extracts the following Azure services. Use the **Limit Services** option when configuring the integration to enable only the services needed — see [Limiting Extractions](/4yItIzMvkpAvMVFAamTf/integrations/configuration/limits.md#limit-services).

* **Azure AI Foundry**: Accounts, projects, agents, model deployments
* **Azure AI Services**: Accounts
* **Azure AKS**: Kubernetes clusters
* **Azure Blob Storage**: Containers, blobs, immutability policies
* **Azure Cosmos DB**: Accounts, databases, SQL roles
* **Azure Data Lake**: Filesystems, directories, ACL permissions
* **Azure Database**: MySQL, PostgreSQL, and MariaDB instances
* **Azure Databricks**: Workspaces
* **Azure Key Vault**: Keys, secrets, certificates
* **Azure PostgreSQL**: Flexible server instances
* **Azure Private Link**: Services, private endpoints
* **Azure SQL Server**: Servers, databases, failover groups
* **Azure Storage**: Storage accounts, file shares, access keys
* **Azure Virtual Machines**: VMs, virtual networks, security groups
* **Exchange Online**: Mailboxes, distribution groups, role groups
* **Microsoft Copilot Studio**: Bots, topics, AI models, actions
* **Microsoft Dynamics 365**: Environments, users, security roles
* **Microsoft Dynamics ERP**: Environments, users, security roles
* **Microsoft Intune**: Managed devices, roles
* **Microsoft Teams**: Teams, channels, users
* **SharePoint**: Sites, libraries, lists, folders

{% hint style="warning" %}
**Required steps**: Complete Steps 1, 2, 4, 5, and 8 to enable Azure AD/Entra ID discovery. Steps 3, 6, and 7 are optional enhancements for SharePoint, Azure subscriptions, and Key Vault.
{% endhint %}

### Integrating with Microsoft Azure

![Veza for Azure](/files/uWG1uOYLkOPvtX37e3M6)

To integrate with Microsoft Azure, you will need to create an App Registration with read-only permissions for the services to discover. You will enter the App Registration's credentials when adding the Veza integration:

#### 1. Register a new application for Veza

1. From your Azure tenant profile, navigate to **App Registrations** > *New Registration*
2. Name the new application (for example `Veza Integration`)
3. Select *Accounts in this organizational directory only (`tenantname` only - Single tenant)*, and click "Register" to save your changes.

For more information, see the [full instructions from Microsoft](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app).

#### 2. Grant permissions for the new app

1. With the new app registration selected, choose **Manage** > API Permissions and click "Add a Permission"
2. Choose *Microsoft Graph*, click "Application Permissions" and grant the [required permissions](#required-permissions) and [optional permissions](#optional-permissions) listed below.
3. **Optional for Lifecycle Management**: For Lifecycle Management support, additional permissions are required. See the [Azure Lifecycle Management](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure/provisioning.md#prerequisites) integration guide for the complete list of required permissions.
4. On the API permissions screen, click **Grant admin consent for** *tenantname* and confirm. Each application permission should then show *Granted for tenantname* in the **Status** column. Application permissions that have not received admin consent are not effective for the app-only (client credentials) connection Veza uses.

![Check that Admin Consent is granted](/files/MfHPbMx5zYc6TEAHAbpb)

> The delegated `User.Read` permission should be granted automatically. If it isn't present, add the permission from *Add a Permission* > *Microsoft Graph* > *Delegated Permissions*.

**Required permissions**

The following Microsoft Graph application permissions are required. Extraction will fail without them.

* **`AuditLog.Read.All`**: Reads `/reports/authenticationMethods/userRegistrationDetails`. Used to collect last sign-in dates and authentication method details for users.
* **`CustomSecAttributeAssignment.Read.All`**: Reads the `customSecurityAttributes` property on `/users/{id}`. Used to collect custom security attribute values assigned to users.
* **`DeviceManagementManagedDevices.Read.All`**: Reads `/deviceManagement/managedDevices`. Used to collect Intune-managed devices.
* **`DeviceManagementRBAC.Read.All`**: Reads `/deviceManagement/roleAssignments` and `/deviceManagement/roleDefinitions`. Used to collect Intune RBAC role assignments and role definitions.
* **`Directory.Read.All`**: Reads `/users`, `/groups`, `/directoryRoles`, `/roleDefinitions`, `/oauth2PermissionGrants`, and other directory endpoints. Provides read access to core directory objects including users, groups, roles, service principals, and organization data. Also provides the access described in [Permissions covered by Directory.Read.All](#permissions-covered-by-directoryreadall) below.
* **`IdentityRiskyUser.Read.All`**: Reads `/identityProtection/riskyUsers`. Used to collect user risk levels from Identity Protection.
* **`Reports.Read.All`**: Reads `/reports/getSharePointActivityUserDetail`. Used to collect SharePoint activity and usage reports.
* **`Sites.Read.All`**: Reads `/sites`, `/sites/getAllSites`, `/sites/root`, and `/sites/{id}/drives`. Used to collect SharePoint site properties, structure, and drive metadata.

**Optional permissions**

These permissions enable additional features. Extraction will succeed without them, but the corresponding entities will not be collected.

* **`InformationProtectionPolicy.Read.All`**: Reads `/beta/security/informationProtection/sensitivityLabels`. Used to collect sensitivity labels.
* **`Policy.Read.All`**: Reads `/identity/conditionalAccess/policies`. Used to collect [Conditional Access](https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview) policies for service principals.
* **`Policy.Read.AuthenticationMethod`**: Reads `/policies/authenticationMethodsPolicy`. Used to collect authentication method configuration.
* **`PrivilegedAccess.Read.AzureAD`**: Reads `/privilegedAccess/aadRoles`. Used to collect PIM eligible role assignments.
* **`RoleEligibilitySchedule.Read.Directory`**: Reads `/roleManagement/directory/roleEligibilitySchedules`. Used to collect PIM role eligibility schedules.
* **`SecurityEvents.Read.All`**: Reads `/security/secureScores`. Used to collect tenant secure scores.
* **`SharePointTenantSettings.Read.All`**: Reads `/admin/sharepoint/settings`. Used to collect SharePoint sharing capability settings.
* **`Sites.FullControl.All`**: Reads `/sites/{id}/permissions`. Used to collect SharePoint site permission assignments. Note that this is a full-control permission, not a read-only one: it lets the holder modify every site collection in the tenant, even though Veza only reads with it. Grant it only if you need site-level permission assignments, and treat the app's client secret as a tenant-wide SharePoint credential once it is granted.

**Permissions covered by `Directory.Read.All`**

The required `Directory.Read.All` permission already provides read access to the following APIs. **You do not need to grant these permissions separately.** They are listed here as granular replacements for organizations that need to remove `Directory.Read.All` in favor of least-privilege alternatives. Note that the last three entries (`User-Mail.ReadWrite.All`, `User-PasswordProfile.ReadWrite.All`, `User.EnableDisableAccount.All`) are write-capable permissions: granting them in place of `Directory.Read.All` widens the app's blast radius beyond read-only, so only use them if a narrower read permission does not expose the property you need.

* **`Application.Read.All`**: Reads `/applications` and `/servicePrincipals`. Used to collect app registrations and service principals.
* **`Device.Read.All`**: Reads `/devices`. Used to collect Entra ID device objects.
* **`Domain.Read.All`**: Reads `/domains`. Used to collect tenant domains.
* **`Group.Read.All`**: Reads `/groups`. Used to collect group properties and memberships.
* **`GroupMember.Read.All`**: Reads `/groups/{id}/members` and `/groups/{id}/owners`. Used to collect group membership and ownership details.
* **`Organization.Read.All`**: Reads `/organization`. Used to collect organization-level properties.
* **`RoleManagement.Read.All`**: Reads `/roleManagement/directory/roleAssignments` and `/roleManagement/directory/roleDefinitions`. Used to collect PIM role assignments and role definitions.
* **`User.Read.All`**: Reads `/users` and `/users/{id}`. Used to collect user profiles and properties.
* **`User-Mail.ReadWrite.All`**: Reads the `otherMails` property on `/users/{id}`. `Directory.Read.All` provides read access to this property. The write scope is not used.
* **`User-PasswordProfile.ReadWrite.All`**: Reads the `passwordProfile` property on `/users/{id}`. `Directory.Read.All` provides read access to this property. The write scope is not used.
* **`User.EnableDisableAccount.All`**: Reads the `accountEnabled` property on `/users/{id}`. `Directory.Read.All` provides read access to this property. The write scope is not used.

The required `Sites.Read.All` permission also provides access to:

* **`Files.Read.All`**: Reads `/drives/{id}/items`, `/drives/{id}/root`, and `/sites/{id}/drives`. Used to collect drive items and file metadata.

{% hint style="info" %}
Veza recommends `Directory.Read.All` because it provides the broadest compatibility. Organizations with strict permission policies can coordinate with Veza support to replace it with the granular permissions listed above.
{% endhint %}

#### 3. Enable SharePoint integration (optional)

{% hint style="info" %}
**Skip this step** if you don't need SharePoint. Continue to [Step 4](#4-generate-a-client-secret) to complete the required setup.
{% endhint %}

Additional API permissions are required if you plan to connect to SharePoint Online. To grant read-only access for Veza, choose *SharePoint* on the app registration "Add a Permission" screen, and grant the application permissions:

![Adding additional SharePoint permissions](/files/YHdPvPkhsVfxfbbdNOzL)

* `User.Read.All`
* `Sites.Read.All`

The app registration will also need the `Reports.Read.All` Microsoft Graph permission from the previous step.

For a complete overview and visual guide, see the official Azure documentation on [configuring client application access](https://docs.microsoft.com/azure/active-directory/develop/quickstart-configure-app-access-web-apis).

**Enable audit log parsing for activity-based extraction**

> Audit log extraction for SharePoint is provided as an Early Access feature. Please contact your support team to enable this configuration option.

When [audit log extraction](/4yItIzMvkpAvMVFAamTf/integrations/configuration.md#audit-log-extraction) is enabled for an Azure tenant, Veza will gather audit logs using the **Office 365 Management Activity API**, and only connect to SharePoint Online for a full update when changes occur.

Enabling activity-based scheduling should help reduce lag between extractions, reducing the total time required to ingest large SharePoint environments. Please see below for the requirements and optional steps to enable:

1. Auditing must be enabled in the [Microsoft Purview compliance portal](https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide#turn-on-auditing)
   1. Go to `https://purview.microsoft.com` and sign in. Click **Audit**.
   2. If auditing isn't enabled, a banner will prompt to **Start recording user and admin activity**.
   3. Click the banner to enable auditing, and wait for the changes to propagate.
   4. Alternatively, use [Exchange Online PowerShell](https://learn.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell) (after `Connect-ExchangeOnline`):
      1. `Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true`
2. The Enterprise App used by Veza must have `ActivityFeed.Read` permission on the Office 365 Management API:
   1. When adding permissions to [Enable SharePoint integration (optional)](#3-enable-sharepoint-integration-optional), add the additional permission for the app registration: **API permissions** → **Office 365 Management APIs** → **Application permissions** → `ActivityFeed.Read`
3. After you finish integrating the Azure tenant, enable audit log extraction under Veza **Configuration** → *Cloud Providers*. The audit log status column should update to show that extraction is *enabled*:

![enabling audit log extraction](/files/y9E7Jc5AkoFY5cpfkKSt)

#### 4. Generate a Client Secret

1. From **Certificates & Secrets**, click "New Client Secret", add a description, and select an expiration date. Click "Add" to generate the secret.
2. Copy the client secret `Value` immediately; it is displayed only once, and you will need it to configure the integration within Veza. If it is lost, create a new secret. Record the expiration date so the secret can be rotated in Azure and updated in Veza before it lapses and extraction stops.

![Mark down the client secret](/files/2FQ4PScJeKj7MNeqChkf)

#### 5. Get the Application and Directory unique identifier

1. Open the **Overview** screen for the new application. Copy the `Application (client) ID`.
2. Copy the value for `Directory (tenant) ID`. You will need both values when adding the provider to Veza.

![Retrieving Azure IDs](/files/coSlCXA4joYJ1kk140If)

#### 6. Assign the `Reader` role for the Veza app

For each Azure subscription to discover, you will need to add the new Veza app as a [Reader](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal). If you don't have any subscriptions (as will be the case if only integrating with Azure AD as an identity provider), this step is optional.

![Assigning the reader role](/files/-MdwtPSaPx7EUT_h47DV)

1. From the Azure **Subscription**, select *Access control (IAM)*
2. Click on "+ Add" -> "Add role assignment"
3. Select "Reader" as the role
4. Select "User, Group, or Service Principal" under *Assign Access To*
5. Select or search for the Veza app, and assign it the "Reader" role
6. (Optional) Assign the "Reader and Data Access" role to discover storage accounts and keys. Unlike plain Reader, this role includes the `Microsoft.Storage/storageAccounts/listKeys/action` permission, so the app can retrieve storage account access keys, which are full data-plane credentials for the account. Skip it if storage account metadata is all you need.
7. Save your changes

#### (Optional) Assign the Cosmos DB Account Reader role

To discover Azure CosmosDB resources, assign the `Cosmos DB Account Reader` role to the Veza app:

1. Navigate to your CosmosDB account in Azure Portal
2. Select *Access control (IAM)*
3. Click "+ Add" -> "Add role assignment"
4. Select "Cosmos DB Account Reader" as the role
5. Choose "User, Group, or Service Principal" under *Assign access to*
6. Search for and select the Veza app
7. Save the role assignment

This role provides the minimum required permissions to discover CosmosDB accounts, SQL role definitions, SQL role assignments, and databases. See [Azure CosmosDB Support](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure/azure-info.md#azure-cosmosdb-support) for more details.

#### 7. Add Key Vault Permissions (Optional)

To connect to Azure Key Vault, the Veza app needs list-only access to the vault's keys, secrets, and certificates. For vaults that use the **Vault access policy** permission model, a [Key Vault access policy](https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy) must grant the Veza app `List` permissions on Keys, Secrets, and Certificates; `List` returns identifiers and attributes only, not secret values or key material. For vaults that use the **Azure RBAC** permission model, access policies are not available: assign the built-in **Key Vault Reader** role to the Veza app on the vault instead, which provides the equivalent metadata-only read access. To create the access policy:

1. On the **Key Vaults** services page, choose the vault Veza will discover.
2. Select *Access policies.*
3. Click *+ Create*.
4. Select *List* under *Key Permissions*, *Secret permissions,* and *Certificate permissions.*
5. Click *Next*.
6. Search and select the Veza app as the *Authorized Application*.
7. Click *Next*, *Next*, and *Create* to save the policy.

![Key Vault permissions for the Veza enterprise app.](/files/NKUHwsWfFsUI6XEAV0OM)

{% hint style="info" %}
**Rotate Key (NHI)**: The `List` permission above is sufficient for Key Vault extraction. If you are using Veza's [Rotate Key](/4yItIzMvkpAvMVFAamTf/features/lifecycle-management/policies-workflows/actions/rotate-key.md) LCM action, the Veza app registration also needs the `rotate` operation on each target vault. For RBAC-model vaults (recommended), assign the **Key Vault Crypto Officer** role. For access-policy vaults, add **Rotate**, **Get Rotation Policy**, and **Set Rotation Policy** under Key Permissions.
{% endhint %}

#### 7.1 Enable Key Vault Audit Logging (Optional)

To enable audit logging for Azure Key Vault operations and track key/secret access patterns:

1. **Configure Key Vault Diagnostic Settings**:
   * In the Azure portal, navigate to your Key Vault
   * Select **Diagnostic settings** from the monitoring section
   * Click **+ Add diagnostic setting**
   * Provide a name for the diagnostic setting
2. **Select Log Categories**:
   * Enable **AuditEvent** - Key Vault audit events including key and secret access
   * Select **Send to Log Analytics workspace** as the destination
   * Choose or create a Log Analytics workspace
3. **Grant Log Analytics Permissions**:
   * Assign the **Log Analytics Reader** role to your Veza app registration on the Log Analytics workspace
   * Navigate to the Log Analytics workspace → **Access control (IAM)** → **Add role assignment**
   * Role: Select **Log Analytics Reader**
   * Assign access to: **User, group, or service principal**
   * Members: Search for and select your Veza app registration
   * Click **Review + assign**
4. **Configure the Veza Integration**:
   * When adding the Azure tenant to Veza (step 8), include the **Log Analytics Workspace ID**
   * The workspace ID can be found in the Azure portal under your Log Analytics workspace properties
   * Only one workspace ID can be specified per integration

When audit logging is enabled, Veza will extract key and secret access events from the `AzureDiagnostics` table and track rotation activities and timestamps for Access Monitoring dashboards and queries. For more information about Key Vault audit logs, see [Microsoft Learn: Key Vault audit logging](https://learn.microsoft.com/en-us/azure/key-vault/general/howto-logging).

{% hint style="warning" %}
Veza reads from the `AzureDiagnostics` table (legacy collection mode). When configuring Diagnostic Settings, select **Azure diagnostics** as the destination table — not **Resource specific**. If resource-specific mode is configured, logs are written to `AZKVAuditLogs` and Veza will not find them.
{% endhint %}

**Supported Key Vault Operations:**

* **Secret operations**: Get, Set, Update, Delete, Purge, Recover, Backup, Restore, GetDeleted, ListDeleted, NearExpiryEventGridNotification, ExpiredEventGridNotification, ResourceGet
* **Key operations**: Get, Set, Update, Delete, Purge, Recover, Backup, Restore, GetDeleted, ListDeleted, NearExpiryEventGridNotification, ExpiredEventGridNotification, ResourceGet
* **Vault operations**: Get (vault metadata)

> **Note**: Key Vault audit logging uses existing Azure app registration credentials to authenticate to the Log Analytics API. No additional Microsoft Graph API permissions are required beyond the **Log Analytics Reader** role on the workspace.
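
The two conditions above that silently break extraction (resource-specific mode writing to `AZKVAuditLogs`, and an unsupported operation never being counted) are easy to check before waiting for a Veza extraction. The following Python is an added example, not Veza's or Microsoft's code. It assumes two inputs: the diagnostic setting JSON as returned by `az monitor diagnostic-settings show --resource <vault-resource-id> --name <setting-name>`, and rows exported from the workspace with a query such as `AzureDiagnostics | where ResourceProvider == "MICROSOFT.KEYVAULT"` (for example via `az monitor log-analytics query`). The column names used (`OperationName`, `ResultType`, `CallerIPAddress`, `identity_claim_appid_g`) are those of the `AzureDiagnostics` Key Vault schema as I know it; verify them against your workspace. The setting and rows below are constructed sample data.

```python
"""Verify a Key Vault diagnostic setting and triage AzureDiagnostics rows.

Added example (not Veza's or Microsoft's code). Input shapes are assumptions:
  setting: JSON from `az monitor diagnostic-settings show`
  rows:    JSON rows exported from AzureDiagnostics (Key Vault schema)
"""
from collections import Counter, defaultdict

# Operation suffixes the guide lists as supported, keyed by the object type that
# prefixes OperationName in AzureDiagnostics (e.g. "SecretGet", "KeyPurge").
COMMON_OPS = {"Get", "Set", "Update", "Delete", "Purge", "Recover", "Backup", "Restore",
              "GetDeleted", "ListDeleted", "NearExpiryEventGridNotification",
              "ExpiredEventGridNotification", "ResourceGet"}
SUPPORTED = {"Secret": COMMON_OPS, "Key": COMMON_OPS, "Vault": {"Get"}}


def check_setting(setting: dict):
    """Return (ok, problems) for the three things extraction depends on."""
    problems = []
    audit_on = any(
        entry.get("enabled") and (entry.get("category") == "AuditEvent"
                                  or entry.get("categoryGroup") in ("audit", "allLogs"))
        for entry in setting.get("logs", []))
    if not audit_on:
        problems.append("AuditEvent log category is not enabled")
    if not setting.get("workspaceId"):
        problems.append("no Log Analytics workspace destination")
    # "Dedicated" is resource-specific mode: rows land in AZKVAuditLogs, which the
    # extractor does not read. Legacy mode is null or "AzureDiagnostics".
    if setting.get("logAnalyticsDestinationType") == "Dedicated":
        problems.append("resource-specific table selected; rows go to AZKVAuditLogs, not AzureDiagnostics")
    return not problems, problems


def split_operation(op: str):
    """'SecretGet' -> ('Secret', 'Get'); unknown prefixes fall into 'Other'."""
    for kind in ("Secret", "Key", "Certificate", "Vault"):
        if op.startswith(kind):
            return kind, op[len(kind):]
    return "Other", op


def triage(rows):
    """Count supported operations per object type, list what would be dropped,
    and surface failed access attempts per caller (app ID, else source IP)."""
    supported, unsupported, failures = Counter(), Counter(), defaultdict(Counter)
    for r in rows:
        if r.get("Category") != "AuditEvent" or r.get("ResourceType") != "VAULTS":
            continue  # other categories/resource types are never Key Vault audit rows
        kind, op = split_operation(r.get("OperationName", ""))
        if op in SUPPORTED.get(kind, ()):
            supported[(kind, op)] += 1
        else:
            unsupported[r.get("OperationName", "")] += 1
        if r.get("ResultType") != "Success":
            caller = r.get("identity_claim_appid_g") or r.get("CallerIPAddress") or "unknown"
            failures[caller][r.get("ResultType", "")] += 1
    return {"supported": dict(supported), "unsupported": dict(unsupported),
            "failures": {k: dict(v) for k, v in failures.items()}}


# ---- Constructed sample data -------------------------------------------------
SAMPLE_SETTING = {
    "workspaceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec"
                   "/providers/Microsoft.OperationalInsights/workspaces/law-example",
    "logAnalyticsDestinationType": "Dedicated",   # the mistake the guide warns about
    "logs": [{"category": "AuditEvent", "enabled": True}],
}

def _row(op, result="Success", appid="app-veza", ip="10.0.0.4", category="AuditEvent"):
    return {"Category": category, "ResourceType": "VAULTS", "OperationName": op,
            "ResultType": result, "identity_claim_appid_g": appid, "CallerIPAddress": ip}

SAMPLE_ROWS = [
    _row("SecretGet"), _row("SecretGet"), _row("KeyGet"), _row("VaultGet"),
    _row("KeySign"),                                            # not in the supported list
    _row("SecretGet", result="Forbidden", appid="app-unknown"),  # denied access attempt
    _row("SecretList", result="Unauthorized", appid=None, ip="203.0.113.9"),
    _row("SecretGet", category="AzurePolicyEvaluationDetails"),  # ignored: not an audit row
]

if __name__ == "__main__":
    print(check_setting(SAMPLE_SETTING))
    print(triage(SAMPLE_ROWS))
```

Run `check_setting` first; if it reports the `AZKVAuditLogs` problem, fix the diagnostic setting before looking at rows, because no query against `AzureDiagnostics` will return anything. The `failures` map is a useful by-product: callers repeatedly receiving `Forbidden` or `Unauthorized` on a vault are worth a look in their own right.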

#### 8. Add the Azure tenant to Veza

After completing the steps above, you can add the credentials and enable discovery by navigating to Veza **Integrations** > **Add Integration**. Choose **Azure** as the *Integration Type*.

| Field                          | Notes                                                                                                                  |
| ------------------------------ | ---------------------------------------------------------------------------------------------------------------------- |
| Insight Point                  | Leave default unless using an Insight Point                                                                            |
| Name                           | Friendly name for the account                                                                                          |
| Tenant ID                      | Azure tenant ID to discover                                                                                            |
| Application ID                 | App UUID                                                                                                               |
| Client Secret Value            | App client secret value                                                                                                |
| Auth Certificate               | Optional certificate for connecting to SharePoint                                                                      |
| Auth certificate password      | Password for SharePoint certificate (optional)                                                                         |
| Subscription ID Allow List     | Comma-separated list of subscription IDs; if present, discovery will be limited to the listed subscriptions (optional) |
| Subscription ID Deny List      | Comma-separated list of subscription IDs; if present, listed subscriptions will be excluded from discovery (optional)  |
| Limit Azure services extracted | Choose individual services to discover (See below)                                                                     |
| Domains                        | Comma-separated list of domains to discover, ignoring any others                                                       |
| Dynamics 365 CRM Environments  | Optional list of Dynamics 365 CRM environments to discover, e.g. `https://org50e57fbd.crm.dynamics.com`.               |
| Dynamics 365 ERP Environments  | Optional list of Dynamics 365 ERP environments to discover, e.g. `https://company.operations.dynamics.com`.            |
| Azure Gov Cloud                | Azure Government Cloud region where the tenant is located (currently supported: "None," "US").                         |
| Extract PIM Eligibility        | Optionally discover temporary role assumptions based on Privileged Identity Management scheduling rules.               |
| Log Analytics Workspace ID     | Optional. Single workspace ID for Key Vault audit log extraction.                                                      |

{% hint style="success" %}
Veza will gather metadata for all discovered Azure AD (Entra ID) domains for the tenant. Use the *Domains* list to only include the specified domains in the extraction.

<img src="/files/0Bp1mKQbcFiW2pG12AAK" alt="Configuring the domain list to include a single domain in extractions." data-size="original">
{% endhint %}

#### Limit Services

Additional options when adding or editing an integration enable [limits on the data sources and identities](/4yItIzMvkpAvMVFAamTf/integrations/configuration/limits.md) that are extracted. When configuring limited services, you can select specific Microsoft 365 services to enable, including:

* **Exchange Online** - Email permissions and distribution groups (see [Exchange Online setup](/4yItIzMvkpAvMVFAamTf/integrations/integrations/exchange-online.md))
* **SharePoint** - Document and site permissions
* **Teams** - Team channels and collaboration access
* **Intune** - Device management
* **Microsoft Copilot Studio** - AI bots and components in Power Platform Dataverse environments (see [Enable Microsoft Copilot Studio](#enable-microsoft-copilot-studio))
* And other Azure services (SQL Server, Azure VM, CosmosDB, etc.)

| Option                         | Details                                                                                                                                                                                                                                                                       |
| ------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Gather disabled users          | Whether to include disabled users                                                                                                                                                                                                                                             |
| Gather guest users             | Whether to parse identity metadata for Azure AD Guest users                                                                                                                                                                                                                   |
| Gather personal sites          | Whether to include personal SharePoint sites                                                                                                                                                                                                                                  |
| Gather Group Extra Information | Whether to collect additional group attributes (`allow_external_senders`, `hide_from_address_lists`, `hide_from_outlook_clients`). Requires separate API calls that significantly increase extraction time. Unchecking improves performance but loses these group attributes. |
| Gather Group Owner Details     | Whether to identify and collect group ownership information. Requires additional API calls that can delay extraction. Unchecking improves performance but loses group ownership visibility.                                                                                   |
| Data source allow/deny lists   | Indicate resources to ignore by name or `*`                                                                                                                                                                                                                                   |
| Custom Properties              | Indicate [custom security attributes](#custom-security-attributes) to gather                                                                                                                                                                                                  |

#### Azure Subscription Filtering

You can control which Azure subscriptions are discovered by configuring subscription allow and deny lists. This is particularly useful for focusing extraction on production or specific environment subscriptions, excluding test, development, or deprecated subscriptions, and improving extraction performance by reducing API calls.

**To configure subscription filtering:**

1. When adding or editing an Azure integration, navigate to the **Advanced Settings** section
2. Use the following fields:
   * **Subscription ID Allow List**: Comma-separated list of subscription IDs to include (if specified, only these subscriptions will be extracted)
   * **Subscription ID Deny List**: Comma-separated list of subscription IDs to exclude

**Examples:**

* To extract only production subscriptions: Add their IDs to the allow list
* To exclude dev/test subscriptions: Add their IDs to the deny list
* If both lists are provided, the allow list takes precedence

{% hint style="info" %}
Subscription filtering applies to all Azure services including RBAC, Storage, SQL, PostgreSQL, CosmosDB, Key Vault, AKS, and others. The filtering occurs at the subscription discovery level, ensuring consistent behavior across all extractors.
{% endhint %}
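A small model of the allow/deny semantics above, as an added example that is not Veza's code, is useful for checking a list before saving it and for spotting subscriptions the allow list names but the app cannot reach. `visible` stands for the subscriptions the Veza service principal can actually enumerate, i.e. those where it holds Reader from Step 6; obtaining it with `az account list --query "[].id" -o json` while signed in as the service principal is an assumption about tooling. The precedence rule implements my reading of "the allow list takes precedence": a non-empty allow list is applied and the deny list is ignored. The subscription IDs are constructed placeholders.

```python
"""Model the Subscription ID allow/deny list semantics.

Added example, not Veza's code. Precedence (allow wins, deny ignored when an
allow list is present) is my reading of the guide; adjust if yours differs.
"""
import re

GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def parse_id_list(text: str) -> set:
    """Split a comma-separated field, trimming whitespace and normalising case.

    A malformed entry is an error rather than a silent no-match: a typo in a
    deny list would otherwise quietly re-include the subscription it names."""
    ids = set()
    for raw in (text or "").split(","):
        item = raw.strip().lower()
        if not item:
            continue
        if not GUID.match(item):
            raise ValueError(f"not a subscription ID: {raw!r}")
        ids.add(item)
    return ids


def select_subscriptions(visible, allow_text="", deny_text=""):
    """Return (discovered, unreachable).

    unreachable = allow-listed IDs the app cannot see; in practice this means the
    Reader role assignment from Step 6 is missing on that subscription."""
    visible = {v.lower() for v in visible}
    allow, deny = parse_id_list(allow_text), parse_id_list(deny_text)
    if allow:                       # allow list present: it alone decides
        discovered = visible & allow
    else:                           # otherwise everything visible minus the deny list
        discovered = visible - deny
    return sorted(discovered), sorted(allow - visible)


# Constructed placeholder subscription IDs (not real subscriptions).
SAMPLE_VISIBLE = [
    "11111111-1111-4111-8111-111111111111",   # prod
    "22222222-2222-4222-8222-222222222222",   # dev
    "33333333-3333-4333-8333-333333333333",   # test
]

if __name__ == "__main__":
    print(select_subscriptions(SAMPLE_VISIBLE,
                               allow_text="11111111-1111-4111-8111-111111111111, "
                                          "44444444-4444-4444-8444-444444444444"))
```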

#### Troubleshooting

If the initial connection fails with the status "Insufficient privileges to complete the operation," validate that the correct [API Permissions](#2-grant-permissions-for-the-new-app) are granted, that they are granted with the type *application* and not *delegated*, and that admin consent has been granted for each of them (the **Status** column on the API permissions page shows *Granted*). The app-only (client credentials) flow Veza uses cannot exercise delegated permissions, so a delegated grant of the same name does not satisfy the requirement.
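
The permission lists in [Step 2](#2-grant-permissions-for-the-new-app) and the troubleshooting note above can be checked mechanically rather than by eye. The following Python is an added example, not Veza's or Microsoft's code. It works on three JSON documents; obtaining them with the Azure CLI as shown in the docstring is an assumption about tooling, and the checker only needs the parsed objects. Consented application permissions appear on the Veza service principal as `appRoleAssignments`, which carry role GUIDs rather than names, so names are resolved against the `appRoles` published by the Microsoft Graph service principal (well-known application ID `00000003-0000-0000-c000-000000000000`). Delegated grants live in `oauth2PermissionGrants` and are reported separately because they do not satisfy an app-only connection. All GUIDs and the sample data below are constructed placeholders.

```python
"""Check which Microsoft Graph application permissions the Veza app holds.

Added example; not Veza's or Microsoft's code. Inputs (CLI calls are one way
to obtain them, an assumption):
  graph_app_roles       az ad sp show --id 00000003-0000-0000-c000-000000000000 --query appRoles
  app_role_assignments  az rest --method get --query value --url
      https://graph.microsoft.com/v1.0/servicePrincipals/<veza-sp-object-id>/appRoleAssignments
  oauth2_grants         same URL with /oauth2PermissionGrants
"""
from dataclasses import dataclass

# Permission names from the Veza Azure integration guide.
REQUIRED = {
    "AuditLog.Read.All", "CustomSecAttributeAssignment.Read.All",
    "DeviceManagementManagedDevices.Read.All", "DeviceManagementRBAC.Read.All",
    "Directory.Read.All", "IdentityRiskyUser.Read.All", "Reports.Read.All",
    "Sites.Read.All",
}
OPTIONAL = {
    "InformationProtectionPolicy.Read.All", "Policy.Read.All",
    "Policy.Read.AuthenticationMethod", "PrivilegedAccess.Read.AzureAD",
    "RoleEligibilitySchedule.Read.Directory", "SecurityEvents.Read.All",
    "SharePointTenantSettings.Read.All", "Sites.FullControl.All",
}


@dataclass
class ConsentReport:
    granted: set            # Graph application permissions actually consented
    missing_required: set
    missing_optional: set
    delegated_only: set     # present only as a delegated scope: useless for app-only auth
    write_capable: set      # granted permissions that can change tenant state

    @property
    def ok(self) -> bool:
        return not self.missing_required


def check_consent(graph_app_roles, app_role_assignments, oauth2_grants,
                  graph_sp_object_id, required=REQUIRED, optional=OPTIONAL):
    """Resolve appRoleAssignments to permission names and diff them against the lists."""
    name_by_id = {r["id"]: r["value"] for r in graph_app_roles if r.get("value")}
    granted = set()
    for a in app_role_assignments:
        # Only roles assigned on the Microsoft Graph API count. SharePoint publishes
        # permissions with the same names (Sites.Read.All, User.Read.All) under its
        # own service principal; those never satisfy a Graph requirement.
        if a.get("resourceId") != graph_sp_object_id:
            continue
        name = name_by_id.get(a.get("appRoleId"))
        if name:
            granted.add(name)
    delegated = set()
    for g in oauth2_grants:
        delegated.update(g.get("scope", "").split())
    wanted = required | optional
    return ConsentReport(
        granted=granted,
        missing_required=required - granted,
        missing_optional=optional - granted,
        delegated_only=(wanted & delegated) - granted,
        write_capable={p for p in granted if "Write" in p or "FullControl" in p},
    )


# ---- Constructed sample data (placeholder GUIDs, not real Microsoft IDs) ------
GRAPH_SP_OBJECT_ID = "aaaaaaaa-0000-4000-8000-000000000001"
SHAREPOINT_SP_OBJECT_ID = "aaaaaaaa-0000-4000-8000-000000000002"
SAMPLE_GRAPH_APP_ROLES = [
    {"id": f"11111111-0000-4000-8000-{i:012d}", "value": name}
    for i, name in enumerate(sorted(REQUIRED | OPTIONAL), start=1)
]
ROLE_ID_BY_NAME = {r["value"]: r["id"] for r in SAMPLE_GRAPH_APP_ROLES}

# Everything required except AuditLog.Read.All, plus Sites.FullControl.All, plus a
# SharePoint-API Sites.Read.All (Step 3) that must not be mistaken for Graph's.
SAMPLE_ASSIGNMENTS = [
    {"resourceId": GRAPH_SP_OBJECT_ID, "appRoleId": ROLE_ID_BY_NAME[n]}
    for n in sorted((REQUIRED - {"AuditLog.Read.All"}) | {"Sites.FullControl.All"})
] + [{"resourceId": SHAREPOINT_SP_OBJECT_ID, "appRoleId": "22222222-0000-4000-8000-000000000001"}]

# AuditLog.Read.All was added under "Delegated permissions" by mistake.
SAMPLE_GRANTS = [{"consentType": "AllPrincipals", "scope": "User.Read AuditLog.Read.All"}]


def sample_report() -> ConsentReport:
    return check_consent(SAMPLE_GRAPH_APP_ROLES, SAMPLE_ASSIGNMENTS, SAMPLE_GRANTS,
                         GRAPH_SP_OBJECT_ID)


if __name__ == "__main__":
    rep = sample_report()
    print("missing required:", sorted(rep.missing_required))
    print("delegated only (wrong type):", sorted(rep.delegated_only))
    print("write-capable grants:", sorted(rep.write_capable))
```

`delegated_only` is the case the troubleshooting note describes: the permission name is on the app, but as a delegated scope, so the client credentials flow still fails with insufficient privileges. `write_capable` is there for the reviewer: anything it lists is a standing write capability held by a credential whose stated purpose is read-only collection.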

### Connecting to SharePoint

To connect to SharePoint Online, Veza requires an X.509 certificate for app-only authentication. You can generate the certificate directly in Veza or provide a `.PFX` file generated externally. You will also need to grant `User.Read.All` and `Sites.Read.All` permissions to the Veza app. See the [SharePoint setup instructions](/4yItIzMvkpAvMVFAamTf/integrations/integrations/sharepoint.md) for the full configuration steps.

### Custom Security Attributes

Veza can optionally gather and show [custom security attributes](https://learn.microsoft.com/azure/active-directory/fundamentals/custom-security-attributes-overview) on Azure AD objects. The custom properties to discover must be identified by name and type in the Azure tenant configuration.

> An Azure AD Premium P1 or P2 license is [required](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/custom-security-attributes-overview#license-requirements) to use Custom Attributes for Azure AD. The Enterprise Application used by Veza must have the `CustomSecAttributeAssignment.Read.All` Microsoft Graph permission.

To enable custom property extraction:

1. Add or edit a new Azure cloud provider configuration.
2. On the provider configuration modal, click *+ Add Custom Property*.
3. Provide the `type` and `name` of the custom property.
   1. For Azure AD, the name is the `attribute name` of the custom security attribute. The data type is a property of the custom security attribute (Boolean, Integer, or String).
   2. For example: (`EngineeringCertification`, `Boolean`), (`MarketingLevel`, `String`).
   3. If the custom properties are part of an [Attribute Set](https://learn.microsoft.com/en-us/graph/api/resources/attributeset?view=graph-rest-beta), include the attribute set name as a prefix, for example `<AttributeSetName>_<AttributeName>`.
4. *Save* the configuration. The custom attributes will be collected the next time the data source is parsed.
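
The `<AttributeSetName>_<AttributeName>` convention in step 3 lines up with how Microsoft Graph returns the property: `customSecurityAttributes` is an object keyed by attribute set, each holding the attributes assigned from that set, with `<name>@odata.type` annotations for values JSON cannot type on its own. The following Python is an added example, not Veza's or Microsoft's code, that flattens a user record fetched with `GET /users/{id}?$select=customSecurityAttributes` (the explicit `$select` is required; the property is not returned by default) into those names and checks a configured list of (name, type) pairs against it. The attribute set names `Engineering` and `Marketing`, the sample user and the configuration are constructed; the attribute names reuse the guide's own examples.

```python
"""Flatten Graph customSecurityAttributes into <Set>_<Attribute> names and
check Veza custom-property entries against them.

Added example; not Veza's or Microsoft's code. Sample data is constructed.
"""

# Graph's @odata.type annotations and Python types, mapped to the three type
# names the Veza configuration accepts. Anything else is passed through so the
# caller can flag it (collections, for instance, are not one of the three).
ODATA_TO_VEZA = {"Boolean": "Boolean", "Int32": "Integer", "Int64": "Integer", "String": "String"}


def veza_type_of(value, declared=None) -> str:
    if declared:                                   # e.g. "#Int32", "#Collection(String)"
        name = declared.lstrip("#")
        return ODATA_TO_VEZA.get(name, name)
    if isinstance(value, bool):                    # bool before int: bool subclasses int
        return "Boolean"
    if isinstance(value, int):
        return "Integer"
    if isinstance(value, str):
        return "String"
    if isinstance(value, list):
        return "Collection"
    return type(value).__name__


def flatten_custom_security_attributes(user: dict) -> dict:
    """Return {"<Set>_<Attribute>": (value, veza_type)} for one user object."""
    out = {}
    for set_name, attrs in (user.get("customSecurityAttributes") or {}).items():
        if set_name.startswith("@odata"):
            continue
        for key, value in attrs.items():
            if key.startswith("@odata") or "@odata.type" in key:
                continue                           # annotations, not attributes
            declared = attrs.get(f"{key}@odata.type")
            out[f"{set_name}_{key}"] = (value, veza_type_of(value, declared))
    return out


def check_config(config, flattened) -> list:
    """config: list of (name, type) as entered in Veza. Returns problems found."""
    problems = []
    for name, declared_type in config:
        if name not in flattened:
            if "_" not in name:
                problems.append(f"{name}: missing attribute-set prefix (expected <Set>_{name})")
            else:
                problems.append(f"{name}: not present on this user (unassigned, or wrong name)")
            continue
        actual = flattened[name][1]
        if actual != declared_type:
            problems.append(f"{name}: configured as {declared_type}, Graph returns {actual}")
    return problems


# ---- Constructed sample user, in the shape Graph returns ----------------------
SAMPLE_USER = {
    "id": "00000000-0000-4000-8000-00000000abcd",
    "customSecurityAttributes": {
        "Engineering": {
            "@odata.type": "#microsoft.graph.customSecurityAttributeValue",
            "EngineeringCertification": True,
            "NumberOfBadges@odata.type": "#Int32",
            "NumberOfBadges": 2,
            "Project@odata.type": "#Collection(String)",
            "Project": ["Baker", "Cascade"],
        },
        "Marketing": {
            "@odata.type": "#microsoft.graph.customSecurityAttributeValue",
            "MarketingLevel": "Senior",
        },
    },
}

# Constructed configuration with two mistakes: a missing prefix and a wrong type.
SAMPLE_CONFIG = [
    ("EngineeringCertification", "Boolean"),
    ("Marketing_MarketingLevel", "Integer"),
    ("Engineering_NumberOfBadges", "Integer"),
]

if __name__ == "__main__":
    flat = flatten_custom_security_attributes(SAMPLE_USER)
    for line in check_config(SAMPLE_CONFIG, flat):
        print(line)
```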

### Enable Privileged Identity Management (PIM)

Veza supports Azure Privileged Identity Management (PIM) for both roles and groups. For more information about PIM support, see the [Azure AD documentation](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure-ad.md#privileged-identity-management-pim).

To enable PIM extraction:

1. Ensure the required permissions are granted to the Veza app:
   * `RoleManagement.Read.All`
   * `PrivilegedAccess.Read.AzureAD`
   * `Group.Read.All`
2. When configuring the Azure integration, set the "Extract PIM Eligibility" option to "Yes"
3. Save the configuration. PIM assignments will be collected during the next extraction

### Enable Dynamics 365

The Microsoft Azure integration includes optional support for Microsoft Dynamics 365. This integration allows Veza to discover connections between Azure AD Users, Groups, and Service Principals, and the permissions they can assume within Dynamics 365 environments.

Veza supports both Dynamics 365 CRM and Dynamics 365 ERP environments:

* [**Dynamics 365 CRM**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure/dynamics-365-crm.md) - Customer relationship management environments (URLs such as `https://orgXXXXXXX.crm.dynamics.com`)
* [**Dynamics 365 ERP**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure/dynamics-365-erp.md) - Enterprise resource planning environments (URLs such as `https://xxx.operations.dynamics.com`)

For full setup instructions and supported entities, see the specific integration guides.

### Enable Microsoft Intune

The Microsoft Azure integration includes optional support for Intune, including Managed Devices and Role Definitions. Veza discovers and shows connections between Azure AD Users and Groups, and the Devices and Roles to which they are assigned in Intune.

In order to extract Intune, Veza requires the following Application Permissions for the Microsoft Graph API:

* `DeviceManagementManagedDevices.Read.All`
* `DeviceManagementRBAC.Read.All`

### Enable Exchange Online

The Microsoft Azure integration includes optional support for [Exchange Online](/4yItIzMvkpAvMVFAamTf/integrations/integrations/exchange-online.md), providing visibility into email and collaboration permissions. This integration discovers mailbox permissions, distribution groups, folder-level access controls, and delegation rights.

{% hint style="warning" %}
**Important:** Many organizations using Microsoft 365 require both Azure AD and Exchange Online visibility for complete access governance.
{% endhint %}

To enable Exchange Online:

1. **Add API Permission**: Grant `Office 365 Exchange Online` > `Exchange.ManageAsApp` permission to your Azure app registration
2. **Assign Role**: Add the Exchange Administrator role to your Azure app. This is a privileged directory role that allows the app to change mailbox and transport configuration tenant-wide, so protect the client secret accordingly and review the app's role assignments alongside those of human administrators.
3. **Enable Service**: In your Azure integration settings, go to **Limit Services** and select **Exchange Online**

For detailed setup instructions, see the [Exchange Online integration guide](/4yItIzMvkpAvMVFAamTf/integrations/integrations/exchange-online.md).

### Enable Microsoft Teams

To discover [Microsoft Teams](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure/azure-info.md#microsoft-teams) resources, including teams, channels, and relationships to external organization users, Veza requires the following additional Graph API application permissions:

* `Team.ReadBasic.All`
* `TeamMember.Read.All`
* `Channel.ReadBasic.All`
* `ChannelMember.Read.All`
* `User.Read.All`
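The three optional services above (Intune, Exchange Online, Teams) share the same failure modes in practice: the permission was added as a Delegated permission instead of an Application permission, or it was added but admin consent was never granted, so the app's service principal has no matching `appRoleAssignment`. The following script is an added example, not Veza's code, that audits an app registration for exactly those cases. It runs offline on constructed sample objects with placeholder IDs (they are not Microsoft's real permission IDs); the only real identifiers are the well-known `appId` values of Microsoft Graph and Office 365 Exchange Online. The object shapes mirror what the Graph API returns for an application (`requiredResourceAccess`), a resource service principal (`appRoles`, `oauth2PermissionScopes`) and the app's own service principal (`appRoleAssignments`).

```python
"""Audit an app registration's Graph / Exchange Online permissions for the optional
Veza services. Added example, not Veza's code; sample data below is constructed."""
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph, well-known appId
EXO_APP_ID = "00000002-0000-0ff1-ce00-000000000000"    # Office 365 Exchange Online, well-known appId

# Application permissions each optional service needs, as listed in the sections above.
REQUIRED = {
    "Microsoft Intune": {GRAPH_APP_ID: [
        "DeviceManagementManagedDevices.Read.All", "DeviceManagementRBAC.Read.All"]},
    "Exchange Online": {EXO_APP_ID: ["Exchange.ManageAsApp"]},
    "Microsoft Teams": {GRAPH_APP_ID: [
        "Team.ReadBasic.All", "TeamMember.Read.All", "Channel.ReadBasic.All",
        "ChannelMember.Read.All", "User.Read.All"]},
}


def index_resources(resource_sps):
    """Map resource appId -> (sp objectId, {roleId: name}, {scopeId: name})."""
    out = {}
    for sp in resource_sps:
        roles = {r["id"]: r["value"] for r in sp.get("appRoles", [])}             # application perms
        scopes = {s["id"]: s["value"] for s in sp.get("oauth2PermissionScopes", [])}  # delegated perms
        out[sp["appId"]] = (sp["id"], roles, scopes)
    return out


def audit(app, resource_sps, app_role_assignments):
    """Return {service: [finding, ...]}; an empty list means the service is fully provisioned.

    app                  -- the application object (uses requiredResourceAccess)
    resource_sps         -- servicePrincipal objects for Graph and Exchange Online
    app_role_assignments -- appRoleAssignments of the app's *own* service principal;
                            an entry exists only once an admin has granted consent
    """
    res = index_resources(resource_sps)
    consented = {(a["resourceId"], a["appRoleId"]) for a in app_role_assignments}
    requested = {}  # (resourceAppId, permissionId) -> "Role" (application) | "Scope" (delegated)
    for rra in app.get("requiredResourceAccess", []):
        for acc in rra.get("resourceAccess", []):
            requested[(rra["resourceAppId"], acc["id"])] = acc["type"]
    findings = {}
    for service, needs in REQUIRED.items():
        found = []
        for res_app_id, names in needs.items():
            if res_app_id not in res:
                found.append(f"resource {res_app_id} has no service principal in this tenant")
                continue
            sp_id, roles, scopes = res[res_app_id]
            for name in names:
                role_id = next((i for i, v in roles.items() if v == name), None)
                scope_id = next((i for i, v in scopes.items() if v == name), None)
                if role_id and requested.get((res_app_id, role_id)) == "Role":
                    if (sp_id, role_id) not in consented:
                        found.append(f"{name}: requested but admin consent not granted")
                elif scope_id and requested.get((res_app_id, scope_id)) == "Scope":
                    found.append(f"{name}: added as a Delegated permission; must be Application")
                else:
                    found.append(f"{name}: missing")
        findings[service] = found
    return findings


def sample_tenant():
    """Constructed sample objects with placeholder IDs (not real Microsoft permission IDs)."""
    graph_names = ("DeviceManagementManagedDevices.Read.All", "DeviceManagementRBAC.Read.All",
                   "Team.ReadBasic.All", "TeamMember.Read.All", "Channel.ReadBasic.All",
                   "ChannelMember.Read.All", "User.Read.All")
    graph_sp = {"id": "sp-graph", "appId": GRAPH_APP_ID,
                "appRoles": [{"id": f"role-{n}", "value": n} for n in graph_names],
                "oauth2PermissionScopes": [{"id": "scope-User.Read.All", "value": "User.Read.All"}]}
    exo_sp = {"id": "sp-exo", "appId": EXO_APP_ID,
              "appRoles": [{"id": "role-Exchange.ManageAsApp", "value": "Exchange.ManageAsApp"}]}
    app = {"requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
        {"id": f"role-{n}", "type": "Role"} for n in graph_names[:6]] + [
        {"id": "scope-User.Read.All", "type": "Scope"},  # mistake: delegated instead of application
    ]}]}
    # Admin consent granted for everything requested except ChannelMember.Read.All.
    consent = [{"resourceId": "sp-graph", "appRoleId": f"role-{n}"} for n in graph_names[:5]]
    return app, [graph_sp, exo_sp], consent


if __name__ == "__main__":
    print(json.dumps(audit(*sample_tenant()), indent=2))
```

To run it against a real tenant, feed it the output of `az ad app show --id <app-id>` (for `requiredResourceAccess`), `az ad sp show --id 00000003-0000-0000-c000-000000000000` and `az ad sp show --id 00000002-0000-0ff1-ce00-000000000000` (for the resource `appRoles`), and `az rest --method GET --url "https://graph.microsoft.com/v1.0/servicePrincipals/<veza-sp-object-id>/appRoleAssignments"` (for consent). Note that `Exchange.ManageAsApp` only shows up as present; whether the service principal also holds the Exchange Administrator directory role is a separate check.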

### Enable Azure AI Foundry

The Microsoft Azure integration includes optional support for [Azure AI Foundry](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure/azure-info.md#azure-ai-foundry), providing visibility into AI services, model deployments, agents, and their access patterns. This integration discovers AI infrastructure resources and maps permissions to show which identities can access, deploy, or manage AI models.

{% hint style="info" %}
Azure AI Foundry uses a two-tier permission model. The Veza service principal needs both control plane (ARM) permissions and data plane permissions to discover all resources. For detailed information about Azure AI Foundry RBAC, see [Role-based access control for Azure AI Foundry](https://learn.microsoft.com/en-us/azure/ai-foundry/concepts/rbac-azure-ai-foundry).
{% endhint %}

To enable Azure AI Foundry extraction:

1. **Assign Control Plane Role**: The standard `Reader` role assigned at the subscription level (from [Step 6](#6-assign-the-reader-role-for-the-veza-app)) provides the required control plane permissions:
   * `Microsoft.CognitiveServices/accounts/read`
   * `Microsoft.CognitiveServices/accounts/projects/read`
   * `Microsoft.CognitiveServices/accounts/deployments/read`
   * `Microsoft.CognitiveServices/accounts/raiPolicies/read`
   * `Microsoft.BotService/botServices/read`
2. **Assign Data Plane Role**: Assign the `Azure AI User` role to the Veza app at the AI Foundry account or subscription level. This is Microsoft's recommended least-privilege role for read access to AI Foundry resources. For instructions on assigning Azure roles, see [Assign Azure roles using the Azure portal](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal).

   This role provides the data plane permissions required to discover:

   * `Microsoft.CognitiveServices/accounts/AIServices/agents/read` - AI agents
   * `Microsoft.CognitiveServices/accounts/AIServices/vector_stores/read` - Vector stores
   * `Microsoft.CognitiveServices/accounts/AIServices/connections/read` - Connections
   * `Microsoft.CognitiveServices/accounts/AIServices/indexes/read` - Search indexes
3. **Enable Service**: When configuring the Azure integration, go to **Limit Services** and select **Azure AI Foundry**

See [Azure AI Foundry](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure/azure-info.md#azure-ai-foundry) for the complete list of supported entities and properties.
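Because the two tiers are evaluated separately (`Actions` for the control plane, `DataActions` for the data plane), a principal holding only `Reader` passes every control-plane check and fails every data-plane one. The script below is an added example, not Veza's code, that checks a set of assigned role definitions against the actions listed above using Azure RBAC's matching rules: a pattern's `*` spans any characters including `/`, matching is case-insensitive, and a role's `NotActions`/`NotDataActions` subtract only from that same role. The role definitions are constructed and abbreviated for the example: `Reader` is shown with its real `*/read` action and no data actions, the `Azure AI User` entry carries only the four data actions quoted above, and the custom role is invented to show exclusion. Scope is not modelled; the assignment must still be at the AI Foundry account, resource group or subscription that contains the resources.

```python
"""Check assigned Azure role definitions against the AI Foundry actions Veza needs.
Added example, not Veza's code; role definitions below are constructed/abbreviated."""
import fnmatch

CONTROL_PLANE_ACTIONS = [
    "Microsoft.CognitiveServices/accounts/read",
    "Microsoft.CognitiveServices/accounts/projects/read",
    "Microsoft.CognitiveServices/accounts/deployments/read",
    "Microsoft.CognitiveServices/accounts/raiPolicies/read",
    "Microsoft.BotService/botServices/read",
]
DATA_PLANE_ACTIONS = [
    "Microsoft.CognitiveServices/accounts/AIServices/agents/read",
    "Microsoft.CognitiveServices/accounts/AIServices/vector_stores/read",
    "Microsoft.CognitiveServices/accounts/AIServices/connections/read",
    "Microsoft.CognitiveServices/accounts/AIServices/indexes/read",
]


def _matches(action, patterns):
    """Azure-style match: case-insensitive; '*' spans any characters, '/' included."""
    a = action.lower()
    return any(fnmatch.fnmatchcase(a, p.lower()) for p in patterns)


def role_permits(role_def, action, data_plane):
    """True if some permission block of this role allows `action` and does not exclude it.
    Exclusions (NotActions / NotDataActions) apply within the role only, as in Azure RBAC."""
    allow, deny = ("dataActions", "notDataActions") if data_plane else ("actions", "notActions")
    return any(
        _matches(action, perm.get(allow, [])) and not _matches(action, perm.get(deny, []))
        for perm in role_def["permissions"]
    )


def missing_actions(role_defs):
    """Given the role definitions assigned to the principal, return
    (missing control-plane actions, missing data-plane actions)."""
    ctrl = [a for a in CONTROL_PLANE_ACTIONS if not any(role_permits(r, a, False) for r in role_defs)]
    data = [a for a in DATA_PLANE_ACTIONS if not any(role_permits(r, a, True) for r in role_defs)]
    return ctrl, data


# Constructed samples in the shape of `az role definition list` output (abbreviated).
READER = {"roleName": "Reader", "permissions": [
    {"actions": ["*/read"], "notActions": [], "dataActions": [], "notDataActions": []}]}
AI_USER_ABBREVIATED = {"roleName": "Azure AI User", "permissions": [
    {"actions": [], "notActions": [], "dataActions": list(DATA_PLANE_ACTIONS), "notDataActions": []}]}
CUSTOM_ROLE = {"roleName": "Constructed custom role", "permissions": [
    {"actions": [], "notActions": [],
     "dataActions": ["Microsoft.CognitiveServices/accounts/AIServices/*"],
     "notDataActions": ["Microsoft.CognitiveServices/accounts/AIServices/indexes/*"]}]}


if __name__ == "__main__":
    for label, roles in (("Reader only", [READER]),
                         ("Reader + Azure AI User", [READER, AI_USER_ABBREVIATED]),
                         ("Reader + custom role", [READER, CUSTOM_ROLE])):
        ctrl, data = missing_actions(roles)
        print(f"{label}: missing control plane={ctrl} data plane={data}")
```

With a real tenant, pull the assigned roles with `az role assignment list --assignee <app-id> --all` and each definition with `az role definition list --name <roleName>`, then pass the definitions to `missing_actions`.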

### Enable Microsoft Copilot Studio

The Microsoft Azure integration includes optional support for [Microsoft Copilot Studio](/4yItIzMvkpAvMVFAamTf/features/ai-agent-security/supported-entities.md#microsoft-copilot-studio), providing visibility into AI bots (Copilots) and their components within Power Platform Dataverse environments.

For full setup instructions — including required Graph and Dataverse permissions, Application User registration, and environment URL configuration — see [AI Agent Security: Microsoft Copilot Studio](/4yItIzMvkpAvMVFAamTf/features/ai-agent-security/configuration.md#microsoft-copilot-studio).

See [Supported Entities: Microsoft Copilot Studio](/4yItIzMvkpAvMVFAamTf/features/ai-agent-security/supported-entities.md#microsoft-copilot-studio) for the complete list of discovered entity types.

