Azure setup.
Axiom's Azure connector is live for scan + topology mapping. Reasoning + execution roll out in Q2 2026. This page documents, honestly, what works today and what's coming.
Honest state — Azure is expanding
Q2 2026: Full 12-step reasoning loop, execution plans, Terraform export, approval workflow, rollback orchestration — the same surface AWS has today.
Subscribe at /contact for the early-access invitation.
01
What works today
The Azure connector covers:
- Service Principal onboarding — federated identity (workload identity federation) preferred; client secret supported as fallback
- Subscription + resource-group scanning — scoped by your role assignment
- Virtual Machines — VM size, OS, disk attachments, NIC config, availability sets
- Storage Accounts — blob containers, tier, encryption settings, network rules
- Networking — VNets, subnets, NSGs, NSG rules, public IPs, load balancers
- IAM — role assignments, custom roles, Azure AD identities used for RBAC
- Topology mapping — Azure resources appear in /dashboard/topology alongside AWS/GCP
- Basic drift detection — out-of-band changes flagged in the activity feed
02 · Onboarding
Onboarding (preview path)
Onboarding is preview-only — the wizard exists; reasoning + execution arrive later. Today you can:
- Register an Application in your Azure AD tenant
- Create a Service Principal for that Application
- Assign the Reader built-in role at subscription or resource-group scope
- Configure federated identity credentials pointing at Axiom's issuer (no client secret to share)
- Paste the Tenant ID + Subscription ID + Application ID into the Axiom onboarding wizard
See the onboarding wizard for the exact values to copy.
03 · Permissions
Expected permissions
Scan role (today):
- Reader built-in role at subscription scope (or resource-group scope for tighter isolation)
- Custom role for Cost Management read access (we provide the exact role definition during onboarding)
Execution role (Q2 2026):
- Separate custom role with the smallest possible Modify/Delete actions per opt-in action class
- Approval-gated assumption — same model as AWS
Full permissions model at /docs/permissions-model.
04 · Roadmap
Q2 2026 roadmap
- April 2026 — Signal engine for Azure (cost waste, security exposure, drift signals)
- May 2026 — Reasoning loop adapted for Azure resource model
- June 2026 — Execution planning + Bicep / Terraform generation for Azure
- Late Q2 2026 — Approval workflow + rollback orchestration parity with AWS
Roadmap visible at /dashboard/workflows as the reasoning loop ships.
05
Security model
Same constraints as AWS:
- Federated identity preferred — no client secret stored on Axiom's side
- Read-only by default
- Subscription/resource-group scoping enforced at the role assignment level
- Revocable instantly by removing the role assignment or disabling the Service Principal
- All assume / scan events captured in Azure Activity Log on your side
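One way to check the read-only and scoping constraints from your side, as an added example that is not Axiom's code: it audits role assignments in the JSON shape printed by `az role assignment list --assignee <application-id> --all -o json`. The sample data, IDs and function names are constructed for illustration; the Cost Management custom role name is not given on this page, so add the name you receive during onboarding to `allowed_roles`.

```python
# Constructed sample in the shape of `az role assignment list -o json` output.
# The subscription ID, resource group and management group are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SAMPLE = [
    {"roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/prod-rg"},
    {"roleDefinitionName": "Contributor", "scope": SUB},
    {"roleDefinitionName": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/root-mg"},
]


def within(scope, allowed):
    """True if scope equals allowed or is nested beneath it.

    Azure resource IDs are case-insensitive, so compare in lower case.
    """
    s, a = scope.rstrip("/").lower(), allowed.rstrip("/").lower()
    return s == a or s.startswith(a + "/")


def audit(assignments, allowed_scopes, allowed_roles=("Reader",)):
    """Return findings for assignments that break the read-only, scoped model."""
    findings = []
    for item in assignments:
        role = item.get("roleDefinitionName")
        scope = item.get("scope", "")
        if role not in allowed_roles:
            # Anything beyond the expected scan roles grants more than read access.
            findings.append(("unexpected-role", role, scope))
        if not any(within(scope, ok) for ok in allowed_scopes):
            # Broader than intended (subscription, management group, root)
            # or in a place the connector was never meant to see.
            findings.append(("scope-outside-allowed", role, scope))
    return findings


if __name__ == "__main__":
    # Expect the connector to be limited to one resource group.
    for finding in audit(SAMPLE, [SUB + "/resourceGroups/prod-rg"]):
        print(*finding, sep="\t")
```

An empty result means every assignment held by the Service Principal matches the scan role at the scope you chose.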
Trust questions
Is Azure fully live?
Scan + topology + basic drift are live today. Reasoning + execution + approval ship Q2 2026.
Why connect now if reasoning isn't live?
Topology mapping + drift detection are immediately useful for multi-cloud teams. You'll be ready when reasoning ships.
Is the Azure connection safe?
Yes — read-only Reader role at the scope you choose. Federated identity over client secrets where possible.
What does Axiom store?
Resource metadata and topology graph. Never blob contents, never database row data, never secrets.
Can I revoke?
Yes — remove the role assignment or disable the Service Principal. Axiom loses access immediately.
How do I get early access to Q2 features?
Subscribe at /contact?topic=azure-preview. We invite teams in waves as each capability ships.