ops0 connects to Azure using subscription-level access through a service principal. After connecting, you can run discovery and deployment workflows against the selected subscription.

1. Go to Settings > Integrations > Add Integration.
2. Choose Azure from the provider list.
3. Provide the subscription, tenant, client, and secret values.
4. Click Connect to verify the integration.

| Field | Required | Description |
|---|---|---|
| Name | Yes | Integration name |
| Subscription ID | Yes | Azure subscription |
| Tenant ID | Yes | Microsoft Entra tenant ID |
| Client ID | Yes | App registration client ID |
| Client Secret | Yes | Secret for the app registration |

Use the Azure CLI to create a service principal with a role assignment scoped to the subscription:

```bash
az ad sp create-for-rbac \
  --name "ops0-integration" \
  --role Contributor \
  --scopes /subscriptions/YOUR_SUBSCRIPTION_ID
```

Copy the output values into the integration form in brew.ops0.ai.

| Scope | Description |
|---|---|
| Subscription | Manage or discover resources across the selected subscription |
| Role Assignment | Controls whether ops0 can read only or also deploy changes |

Use the smallest possible role and scope. If discovery is the only goal, don't give the integration full Contributor access.

By default, the integration operates against a single subscription. To span multiple subscriptions via a management group, configure the scope:

| Scope | Description |
|---|---|
| Subscription | Access a single Azure subscription (default) |
| Management Group | Access all subscriptions under a management group |
| Selected Subscriptions | Access specific subscriptions you list |

| Field | When Required | Description |
|---|---|---|
| Management Group ID | Management Group scope | The management group ID |
| Included Subscriptions | Optional | Limit to specific subscription IDs |
| Excluded Subscriptions | Optional | Skip specific subscription IDs |

For Management Group scope, the service principal needs the Reader role assigned at the management group level (not just subscription level):

```bash
az role assignment create \
  --assignee YOUR_CLIENT_ID \
  --role Reader \
  --scope /providers/Microsoft.Management/managementGroups/YOUR_MG_ID
```

Also grant `Microsoft.Management/managementGroups/read` permission so ops0 can enumerate subscriptions under the management group.

- Check that the tenant ID, client ID, and secret all belong to the same app registration.
- Make sure the service principal has access to the target subscription.
- Review the assigned Azure role and scope for the service principal.
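
One way to carry out the role and scope review, and to check the "smallest possible role and scope" advice above, is to classify each assignment the service principal holds. This is an added example, not ops0's own tooling; the function names, the `REVIEW`/`OK` verdicts, and the sample assignments are assumptions made for illustration, and only three built-in write-capable roles are checked.

```bash
#!/usr/bin/env bash
# Added example: audit role assignments held by the integration's service principal.
# Live input (one "role<TAB>scope" line per assignment):
#   az role assignment list --assignee YOUR_CLIENT_ID --all \
#     --query "[].[roleDefinitionName, scope]" -o tsv | audit_assignments

TAB=$(printf '\t')

# Classify an ARM scope string by breadth (case-insensitive match).
scope_level() {
  s=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$s" in
    /) echo root ;;
    /providers/microsoft.management/managementgroups/*) echo management-group ;;
    /subscriptions/*/resourcegroups/*/providers/*) echo resource ;;
    /subscriptions/*/resourcegroups/*) echo resource-group ;;
    /subscriptions/*) echo subscription ;;
    *) echo unknown ;;
  esac
}

# Emit "<verdict><TAB><role><TAB><level><TAB><scope>" per assignment.
# REVIEW = write-capable built-in role at subscription scope or wider.
# Assumption: only these three built-in roles are checked; custom roles are not evaluated.
audit_assignments() {
  while IFS="$TAB" read -r role scope; do
    [ -n "$role" ] || continue
    level=$(scope_level "$scope")
    verdict=OK
    case "$role" in
      Owner|Contributor|"User Access Administrator")
        case "$level" in
          root|management-group|subscription) verdict=REVIEW ;;
        esac ;;
    esac
    printf '%s\t%s\t%s\t%s\n' "$verdict" "$role" "$level" "$scope"
  done
}

# Constructed sample assignments (placeholder IDs, not real output).
sample_assignments() {
  printf 'Contributor\t/subscriptions/00000000-0000-0000-0000-000000000000\n'
  printf 'Reader\t/providers/Microsoft.Management/managementGroups/example-mg\n'
  printf 'Contributor\t/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg\n'
}

sample_assignments | audit_assignments
```

A `REVIEW` line on a discovery-only integration means the assignment is broader than the Reader access that discovery needs.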