> For the complete documentation index, see [llms.txt](https://docs.cortex.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.cortex.io/ingesting-data-into-cortex/integrations/azureresources.md).

# Azure Resources

{% hint style="info" %}
Cortex connects to many third-party vendors whose system interfaces frequently change. As a result, integration behavior or configuration steps may shift without notice. If you encounter unexpected issues, check with your system administrator or refer to the vendor's documentation for the most current information. Additionally, integration sync times vary and are subject to scheduling overrides and timing variance.
{% endhint %}

[Azure Resources](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview) provides on-demand cloud computing platforms and APIs. Cortex uses the Azure Resource API to pull in resource details and import entities such as SQL servers, virtual machines, virtual networks, load balancers, and others.

Integrating Azure Resources with Cortex allows you to:

* [Automatically import entities](#enable-automatic-discovery-of-azure-resource-entities) and track ownership of entities
* Create [Scorecards](#scorecards-and-cql) to drive alignment and track progress on projects involving resources from Azure

{% hint style="info" %}
Cortex conducts a background sync of Azure Resources every day at 00:00 a.m. UTC and an ownership sync every day at 6 a.m. UTC.
{% endhint %}

## How to configure Azure Resources with Cortex

### Prerequisites

Before getting started, you will need the following information. These can be found in the **Enterprise applications** section of Azure:

* Azure tenant ID
* Azure client ID and [client secret](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app#add-credentials)
* Azure subscription ID
  * Ensure that the service principal for the subscription ID has a [Reader role](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#assign-a-role-to-the-application).

### Configure the integration in Cortex

1. In Cortex, navigate to the [Azure Resources settings page](https://app.getcortexapp.com/admin/integrations/azureresources).
   * Click **Integrations** from the main nav. Search for and select **Azure Resources**.
2. Click **Add configuration**.
3. Configure the Azure Resources integration form:
   * **Account alias**: Enter your Azure account alias. Account aliases are used to tie service registrations to different configuration accounts.
   * **Azure tenant ID**: Enter your Azure tenant ID.
   * **Client ID** and **Client secret**: Enter your Azure client ID and secret.
   * **Subscription ID**: Enter your Azure subscription ID.
4. Click **Save**.
   * You will be redirected to the Azure Resources Settings page in Cortex, where you can optionally choose to include only specified Azure resource types for this integration. You can also enable [automatic import](#enable-automatic-discovery-of-azure-resource-entities) for any discovered entities of known types.

After saving your configuration, you are redirected to the integration settings page in Cortex. In the upper right corner of the page, click **Test configuration** to ensure Azure Resources was configured properly.

## How to connect Cortex Entities to Azure Resources

{% hint style="info" %}
For Azure Resources, Cortex replaces non-alphanumeric characters in entity names with a space. For example, `resource_1` would become `resource 1`.

For the [Cortex tag](/ingesting-data-into-cortex/entities-overview/entities.md#cortex-tag), Cortex replaces non-alphanumeric characters with `-` and lowercases the letters. If multiple special characters appear together in a tag, Cortex replaces the group of characters with only one `-`. For example, `mY_e%ntity#$_tag` would become `my-e-ntity-tag`.
{% endhint %}

### Enable automatic discovery of Azure Resource entities

You can configure automatic import from Azure:

1. In Cortex, navigate to the [Entities Settings page](https://app.getcortexapp.com/admin/settings/entities).
2. Next to **Auto import from AWS, Azure, and/or Google Cloud**, click the toggle to enable the import.\\

   <figure><img src="/files/p4fNmdV0qFSbUMX1YwGD" alt=""><figcaption></figcaption></figure>

### Discover ownership for Azure Resources

Cortex can automatically discover ownership for your Azure resources. To configure this:

* Make sure that your Azure resources have a tag matching the `x-cortex-tag` of the corresponding Cortex team
* Enable the “Sync ownership from Azure” toggle in the [Azure Resources Settings page](https://app.getcortexapp.com/admin/settings/azureresources) in Cortex.
  * By default, Cortex looks for the `owner` tag. You can also customize the tag key name on the Settings page.

Cortex syncs ownership from Azure Resources every day at 6 a.m. UTC.

### Define a dependency

Cortex automatically discovers dependencies between your services and resources by scanning for resources with specific Azure Resources tags. By default, a service will have dependencies on any Cortex resource that has a corresponding Azure Resources resource with Azure Resources tag key = "service" and tag value = the service's Cortex tag.

On the [Azure Resources settings page](https://app.getcortexapp.com/admin/settings/azureresources), you can customize the tag key names for dependencies.

For more information on defining dependencies, please see the [Dependencies documentation](/ingesting-data-into-cortex/entities-overview/entities/adding-entities/dependencies.md).

### Import entities from Azure Resources

See the [Create services documentation](/ingesting-data-into-cortex/entities-overview/entities/adding-entities/add-services.md#creating-services) for instructions on importing entities.

### Editing the entity descriptor

You can associate a Cortex entity with one or more Azure Resources entities. Cortex will display those Azure Resources entities' metadata on the Cortex entity page.

When the entity is connected to Azure, the entity YAML will look like the following:

```yaml
x-cortex-azure:
  ids:
  - id: /subscriptions/1fbb2da1-2ce7-45e4-b85f-676ab8e685b9/resourceGroups/GROUP1/providers/Microsoft.Compute/disks/vm1_disk1_3d9f85717666435e9e87e4883d31a7e9
    alias: my-default-alias # alias is optional and only relevant if you have opted into multi account support
  - id: /subscriptions/1fbb2da1-2ce8-45e4-b85f-676ab8e685b0/resourceGroups/GROUP2/providers/Microsoft.Compute/disks/vm1_disk1_3d9f85717666435e9e87e4883d31a7e0
    alias: my-other-alias # alias is optional and only relevant if you have opted into multi account support
```

## Using the Azure Resources integrations

### Scorecards and CQL

With the Azure Resources integration, you can create Scorecard rules and write CQL queries based on Azure Resources details.

See more examples in the [CQL Explorer](https://app.getcortexapp.com/admin/cql-explorer) in Cortex.

<details>

<summary>Get Azure Resource details for entity</summary>

Get Azure Resource details for an entity.

**Definition:** `azureResource.details(): Object`

**Examples**

In a Scorecard, you can write a rule to make sure an entity has Azure Resource details:

```
azureResource.details() != null
```

Make sure an entity has an environment tag:

```
azureResource.details().resources.filter((resource) => jq(resource, ".metadata.\"environment\"") != null).length > 0
```

Make sure an entity has a health check:

```
jq(azureResource.details(), ".resources[].metadata.siteConfig.healthCheckPath") != null
```

Make sure an entity has a tag with a certain key and value:

```
azureResource.details().resources.filter((resource) => resource.tags.get("tag-key") == "tag-value").length > 0
```

</details>

<details>

<summary>Availability zones</summary>

Availability zone data (VM Scale Sets, Redis, Application Gateways) is a first-class `.zones` field, sourced directly from Azure Resource Graph.

If you have existing "Resource Redundancy" rules for these resource types, update them to reference `.zones` instead of deriving zone data from the ARM export template.

**Example**

```
azureResource.details().resources.filter((resource) => resource.zones != null && resource.zones.length > 0).length > 0
```

</details>

<details>

<summary>App Service health-check path and minimum TLS version</summary>

Cortex reads App Service configuration data, including `healthCheckPath` and minimum TLS version.

Existing "Health Check" and App Service Scorecard rules will continue to work as-is, no Scorecard rule changes needed.

**Example**

```
azureResource.details().resources.filter((resource) => resource.zones != null && resource.zones.length > 0).length > 0
```

</details>

### View integration logs <a href="#still-need-help" id="still-need-help"></a>

{% hint style="info" %}
This feature is available in Cortex cloud.
{% endhint %}

While viewing an integration's settings page, select the **Logs** tab to view error logs from the last 7 days. You can filter the logs list by configuration and by operation (for example, you could filter to view errors surfaced only via Scorecards).

<div align="left" data-with-frame="true"><figure><img src="/files/x8JmoPqXZTJ7YHeFJpOA" alt="The &#x27;Logs&#x27; tab on an integration&#x27;s settings page shows error information over the past 7 days."><figcaption></figcaption></figure></div>

Click into a row to get more information, including time stamp, status code, full error, and request path.

## Troubleshooting and FAQ

**Why is the Azure resource type `microsoft-resources-subscriptions-resourcegroups` not pulling in Azure Resource details?**

Cortex pulls from the Azure Resource API, but not from the Azure Resource Group API. If you would like to submit a feature request for support of Azure Resource Groups, please contact our customer engineering team.

**Why is ARM template data sometimes missing or stale?**

Cortex uses the Azure ARM export template endpoint to ingest resource data for some resource types. This endpoint has known reliability limitations [acknowledged in Microsoft's documentation](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/export-template-portal#limitations), which can cause intermittent failures that result in missing or outdated data.

Cortex is actively migrating away from ARM template-based ingestion toward Azure Resource Graph and the resource metadata endpoint. In the interim, if you see empty or stale data for a resource, this is likely caused by an ARM export failure on the Microsoft side.
