Configuring Azure integration
The Microsoft Azure integration enables Tidal Control to automatically execute compliance tests on your Azure environment and Entra ID configuration.
Requirements:
- Super User role in Tidal Control
- Entra ID app registration rights
- Azure subscription access for role assignments
Required permissions
The Azure integration uses two distinct permission sets — one for Entra ID (Azure AD) and one for Azure resources. All access is read-only — Tidal Control never writes, modifies, or deletes anything in your Azure environment.
Microsoft Graph API permissions
These permissions give Tidal read access to your Entra ID configuration:
| Permission(s) | Why we need it |
|---|---|
| User.Read.All, Directory.Read.All | We check for stale user accounts and pending forced password changes. |
| Policy.Read.All, Organization.Read.All | We verify conditional access policies — such as MFA enforcement for administrators and access restrictions to the Entra admin portal. |
| Device.Read.All, DeviceManagementManagedDevices.Read.All | We verify Intune MDM enrollment, device encryption status, and whether devices have synced recently. |
| Group.Read.All, GroupMember.Read.All, Application.Read.All | We resolve group memberships used in conditional access policies and verify application registrations. |
Reader role on Azure subscriptions
The Reader role gives Tidal read access to your Azure resource configurations:
| Resource type | Why we need access |
|---|---|
| Virtual machines | We verify auto-patching configuration, Trusted Launch (Secure Boot), and disk encryption at rest. |
| Storage accounts | We check for public blob access, HTTPS enforcement, soft delete and retention policies, and encryption at rest. |
| Key Vault | We verify that key vaults do not have public network access enabled. |
| AKS (Kubernetes) | We check whether Kubernetes API servers are publicly accessible and whether automatic upgrade channels are configured. |
| PostgreSQL Flexible Server | We verify public network access, backup retention, maintenance window, TLS settings, and encryption at rest. |
Configuration methods
App integration (recommended)
Benefits of app integration:
- Faster and simpler - Fewer manual steps and configuration
- Less error-prone - Automatic permissions setup
- No credential management - Tidal manages authentication automatically
Setup process:
- Go to Settings → Integrations in Tidal Control
- Click Microsoft Azure tile
- Select "App integration (recommended)"
- Click "Click here to begin"
- Log in via Azure portal when redirected
- Review permissions and click "Accept"
Service Principal
When to use service principal:
- Full control over app registration and permissions required
- Organisation security policy doesn't allow external app integrations
- Custom credential management desired
Service principal disadvantages:
- More configuration steps and higher chance of errors
- Manual credential management (expiration tracking)
- Risk of incomplete permissions causing test failures
Service principal configuration:
The goal of these steps is to create a service principal in Azure and collect the required values to enter into Tidal later. Note the following values during configuration:
- Tenant ID
- Client ID
- Client Secret
- Integration name
Azure app registration:
- Go to Azure portal → Entra ID → App registrations
- Click "New registration"
- Name: Tidal Control - Integration
- Account types: Single tenant
- Note Application (client) ID (save for Tidal configuration)
- Note Directory (tenant) ID (save for Tidal configuration)
Generate client secret:
- Go to "Certificates & secrets"
- Click "New client secret"
- Description: Tidal Control - Integration
- Expires: 12 months
- Click "Add"
- Note secret value immediately (no longer visible after leaving page)
Important: Note all values (Tenant ID, Client ID, Secret) in a secure location. You'll need these for Tidal configuration and the client secret cannot be retrieved later.
Configure API permissions:
- Go to "API permissions" → "Add a permission"
- Select Microsoft Graph → Application permissions
- Add all of the following permissions: Directory.Read.All, User.Read.All, Device.Read.All, Application.Read.All, DeviceManagementManagedDevices.Read.All, GroupMember.Read.All, Group.Read.All, Organization.Read.All, Policy.Read.All
- Click "Grant admin consent" for your tenant
Complete integration in Tidal:
- Go to Settings → Integrations → Microsoft Azure
- Select "Service Principal"
- Fill in noted values:
- Name: Recognisable name for the integration
- Tenant ID: Directory (tenant) ID from Azure
- Client ID: Application (client) ID from Azure
- Client Secret: The created client secret
Azure subscription access
Assign Reader role per subscription:
For each Azure subscription you want to monitor:
- Azure portal → Subscriptions → [Select subscription]
- Access control (IAM) → Add role assignment
- Select "Reader" role
- Search for your Tidal integration (name you used in step 1)
- Select integration and click "Assign"
Reader role: Gives Tidal read-only access to resource configuration for compliance monitoring and grants no write permissions. It is sufficient for all Azure tests.
Integration verification in Tidal
Check successful configuration:
- Settings → Integrations shows "Connected" status for Azure
- Test refresh delivers results without (authentication) errors
Troubleshooting issues:
- Verify all credentials are correctly entered
- Check admin consent has been granted for API permissions
- Confirm Reader role is assigned to relevant subscriptions
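The two most common causes of failed tests with the service principal method are missing or unconsented Graph permissions and an expired client secret. The following added example (not Tidal's or Microsoft's code) checks both from data in the shape Microsoft Graph returns; the service principal IDs, app-role GUIDs and secret dates below are constructed placeholders, and in a real check they come from `GET /servicePrincipals/{id}/appRoleAssignments`, the Microsoft Graph service principal's `appRoles`, and the app registration's `passwordCredentials`.

```python
from datetime import datetime, timezone

# The nine Microsoft Graph application permissions listed on this page.
REQUIRED_GRAPH_PERMISSIONS = frozenset({
    "Directory.Read.All", "User.Read.All", "Device.Read.All",
    "Application.Read.All", "DeviceManagementManagedDevices.Read.All",
    "GroupMember.Read.All", "Group.Read.All", "Organization.Read.All",
    "Policy.Read.All",
})

def missing_permissions(graph_app_roles, assignments, graph_sp_id):
    """Return required permissions that have no admin-consented grant.

    graph_app_roles: the 'appRoles' of the Microsoft Graph service principal
    (each with 'id' and 'value'). assignments: the integration service
    principal's 'appRoleAssignments' (each with 'appRoleId', 'resourceId').
    An appRoleAssignment row only exists once admin consent was granted, so
    this also catches "permission added but consent never clicked".
    """
    role_value_by_id = {r["id"]: r["value"] for r in graph_app_roles}
    granted = {
        role_value_by_id[a["appRoleId"]]
        for a in assignments
        if a["resourceId"] == graph_sp_id and a["appRoleId"] in role_value_by_id
    }
    return sorted(REQUIRED_GRAPH_PERMISSIONS - granted)

def secret_days_remaining(password_credentials, now=None):
    """Days until the soonest-expiring client secret; None if there is none.
    Graph may return 7 fractional-second digits, so parse only to seconds."""
    now = now or datetime.now(timezone.utc)
    ends = [datetime.strptime(c["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
            .replace(tzinfo=timezone.utc) for c in password_credentials]
    return min((e - now).days for e in ends) if ends else None

# --- constructed sample data (placeholders, not real tenant values) ---
GRAPH_SP_ID = "11111111-1111-1111-1111-111111111111"
GRAPH_APP_ROLES = [{"id": f"role-{i:02d}", "value": v}
                   for i, v in enumerate(sorted(REQUIRED_GRAPH_PERMISSIONS))]
# Everything granted except Policy.Read.All, plus a grant on an unrelated resource.
ASSIGNMENTS = [{"appRoleId": r["id"], "resourceId": GRAPH_SP_ID}
               for r in GRAPH_APP_ROLES if r["value"] != "Policy.Read.All"]
ASSIGNMENTS.append({"appRoleId": "role-00", "resourceId": "other-sp"})
SECRETS = [{"endDateTime": "2025-01-20T00:00:00.1234567Z"}]
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("missing:", missing_permissions(GRAPH_APP_ROLES, ASSIGNMENTS, GRAPH_SP_ID))
    print("secret days left:", secret_days_remaining(SECRETS, NOW))
```

A non-empty `missing` list means the corresponding tests will fail until the permission is added and admin consent is granted again; a small day count means the secret should be rotated and re-entered in Tidal before it expires.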
Still having trouble?
Send an email to support@tidalcontrol.com, and we'll get in touch as soon as possible.
Gathering support info: Note which browser you're using, exact error messages, which steps you've already tried, and screenshots of the problem. This significantly speeds up the solution.