
# Set up a Microsoft Azure connector

> C1 provides identity governance and just-in-time provisioning for Azure. Integrate your Azure instance with C1 to run user access reviews (UARs), enable just-in-time access requests, and automatically provision and deprovision access.

## Capabilities

| Resource           | Sync                                                          | Provision                                                     |
| :----------------- | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Accounts           | <Icon icon="circle-info" />                                   |                                                               |
| Groups             | <Icon icon="circle-info" />                                   |                                                               |
| Managed identities | <Icon icon="circle-info" />                                   |                                                               |
| Azure roles        | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Resource groups    | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| Subscriptions      | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |

<Icon icon="circle-info" /> This connector pulls account, group, and managed identity information from the Entra ID connector. You'll configure this relationship when setting up the connector.

## Gather Azure credentials

Configuring the connector requires you to pass in credentials generated in Azure. Gather these credentials before you move on.

<Warning>
  A user with the **Global Administrator** permission in Azure must perform this task.
</Warning>

### Create a new Entra application

<Steps>
  <Step>
    In the Entra admin center, navigate to **App registrations**.
  </Step>

  <Step>
    Click **+ New registration**.
  </Step>

  <Step>
    Give the application a name, such as "C1", and select the supported account type relevant to your Entra installation. You do not need to set a redirect URL.
  </Step>

  <Step>
    Click **Register**.
  </Step>

  <Step>
    The new app is created. Carefully copy and save the **Application (client) ID** and the **Directory (tenant) ID** shown on the application summary page.
  </Step>

  <Step>
    Next, we'll generate a client secret for this app. Click **Certificates & secrets**.
  </Step>

  <Step>
    Click **+ New client secret**.
  </Step>

  <Step>
    Give the client secret a description and set its expiration.
  </Step>

  <Step>
    Click **Add**.
  </Step>

  <Step>
    The client secret is generated. Carefully copy and save the **Secret Value**.
  </Step>
</Steps>

### Assign Azure RBAC permissions to the application

Repeat this process for each subscription you want to sync to C1. Alternatively, grant the role assignment at a Management Group scope that encompasses all the desired subscriptions.

<Steps>
  <Step>
    In the Azure portal's search bar, type "Subscriptions" and select the relevant Azure subscription.
  </Step>

  <Step>
    In the left-hand menu of your subscription, select **Access control (IAM)**.
  </Step>

  <Step>
    Click **+ Add** > **Add role assignment**.
  </Step>

  <Step>
    On the **Role** tab, search for and select the **Reader** role.
    If you want to use the C1 connector to provision Azure roles, also grant the **User Access Administrator** role. Then, on the **Conditions** tab, select **Allow user to assign all roles**.
  </Step>

  <Step>
    Click **Next**.
  </Step>

  <Step>
    On the **Members** tab, ensure **User, group, or service principal** is selected for **Assign access to**.
  </Step>

  <Step>
    Click **+ Select members**.
  </Step>

  <Step>
    In the **Select members** pane, search for and select the name of your App Registration.
  </Step>

  <Step>
    Click **Select** at the bottom of the pane.
  </Step>

  <Step>
    Click **Review + assign** at the bottom.
    Allow time for the new role to propagate. Azure role assignments can take several minutes (typically five to 15, sometimes up to 30) to fully propagate.
  </Step>
</Steps>

**Done.** Next, move on to the connector configuration instructions.

## Configure the Azure connector

<Warning>
  To complete this task, you'll need:

  * The **Connector Administrator** or **Super Administrator** role in C1
  * Access to the set of Azure credentials generated by following the instructions above
</Warning>

<Tabs>
  <Tab title="Cloud-hosted">
    **Follow these instructions to use a built-in, no-code connector hosted by C1.**

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Azure** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Azure connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
        * Add the connector to a managed app (select from the list of existing managed apps)
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Paste the application (client) ID into the **Azure client ID** field.
      </Step>

      <Step>
        Paste the client secret into the **Azure client secret** field.
      </Step>

      <Step>
        Paste the directory (tenant) ID into the **Azure tenant ID** field.
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        Finally, tell the connector where to find the identities that will be used for this app in C1.

        1. In the **Shared identity source** area of the page, click **Edit**.
        2. Select your Entra connector.
        3. **Optional.** To limit the identities pulled from the selected connector to only those holding a particular entitlement, set that entitlement here.
        4. Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
      </Step>
    </Steps>

    **Done.** Your Azure connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    **Follow these instructions to use the Azure connector, hosted and run in your own environment.**

    When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.

    ### Resources

    * [Official download center](https://dist.conductorone.com/ConductorOne/baton-azure): For stable binaries (Windows/Linux/macOS) and container images.

    ### Step 1: Set up a new Azure connector

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Azure connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)

        * Add the connector to a managed app (select from the list of existing managed apps)

        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        In the **Settings** area of the page, click **Edit**.
      </Step>

      <Step>
        Click **Rotate** to generate a new Client ID and Secret.

        Carefully copy and save these credentials. We'll use them in Step 2.
      </Step>
    </Steps>

    ### Step 2: Create Kubernetes configuration files

    Create two Kubernetes manifest files for your Azure connector deployment:

    #### Secrets configuration

    ```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
    # baton-microsoft-azure-secrets.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: baton-microsoft-azure-secrets
    type: Opaque
    # stringData values must be YAML strings: quote true/false, or the API server rejects the manifest.
    stringData:
      # C1 credentials
      BATON_CLIENT_ID: <C1 client ID>
      BATON_CLIENT_SECRET: <C1 client secret>

      # Azure credentials
      BATON_ENTRA_CLIENT_ID: <Azure application (client) ID>
      BATON_ENTRA_CLIENT_SECRET: <Azure client secret>
      BATON_ENTRA_TENANT_ID: <Azure directory (tenant) ID>
      BATON_EXTERNAL_SYNC_MODE: "true"
      BATON_EXTERNAL_RESOURCE_C1Z: <The path to the c1z file to sync external Baton resources with>
      BATON_EXTERNAL_RESOURCE_ENTITLEMENT_ID_FILTER: <Optional. The entitlement that external users, groups must have access to sync external Baton resources>

      # Optional: include if you want C1 to provision access using this connector
      BATON_PROVISIONING: "true"
    ```

    See the connector's README or run `--help` to see all available configuration flags and environment variables.

    #### Deployment configuration

    ```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
    # baton-microsoft-azure.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: baton-microsoft-azure
      labels:
        app: baton-microsoft-azure
    spec:
      selector:
        matchLabels:
          app: baton-microsoft-azure
      template:
        metadata:
          labels:
            app: baton-microsoft-azure
            # Label values must be strings, so the boolean is quoted.
            baton: "true"
            baton-app: microsoft-azure
        spec:
          containers:
          - name: baton-microsoft-azure
            # A floating "latest" tag with IfNotPresent means nodes keep whatever image they
            # already have; pin a version tag if you need reproducible upgrades.
            image: ghcr.io/conductorone/baton-microsoft-azure:latest
            imagePullPolicy: IfNotPresent
            env:
            - name: BATON_HOST_ID
              value: baton-microsoft-azure
            envFrom:
            - secretRef:
                name: baton-microsoft-azure-secrets
    ```

    ### Step 3: Deploy the connector

    <Steps>
      <Step>
        Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
      </Step>

      <Step>
        Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Azure connector to. Azure data should be found on the **Entitlements** and **Accounts** tabs.
      </Step>
    </Steps>
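    A scripted version of this step, added here as an example rather than C1's or the connector's own tooling: it refuses to apply the Secret while `<...>` placeholders or bare `true` values remain (both are valid YAML, but the first only fails later at login to C1 or Azure and the second is rejected by the API server), then creates the namespace and applies both manifests from Step 2. `kubectl` being on `PATH` and the namespace name `c1-connectors` are assumptions.

    ```shell
    #!/bin/sh
    # Added example (not C1 or baton-azure tooling): pre-flight check the Secret manifest,
    # then create the namespace and apply both manifests from Step 2.
    # Assumptions: kubectl is on PATH and configured; the files use the names from Step 2;
    # NAMESPACE is a made-up default, override it for your cluster.
    NAMESPACE="${NAMESPACE:-c1-connectors}"

    # Return 0 when the Secret manifest is ready to apply, 1 otherwise (problems are printed).
    check_secret_manifest() {
      file="$1"
      status=0
      # 1. Unfilled <...> placeholders are valid YAML, so kubectl applies them as literal
      #    strings and the connector only fails later, at login to C1 or Azure.
      if grep -nE '^[[:space:]]*BATON_[A-Z_0-9]+:[[:space:]]*<' "$file"; then
        echo "unfilled placeholder(s) listed above in $file"; status=1
      fi
      # 2. stringData is a map of strings: a bare true/false is rejected by the API server.
      if grep -nE '^[[:space:]]*BATON_[A-Z_0-9]+:[[:space:]]*(true|false)[[:space:]]*$' "$file"; then
        echo "unquoted boolean(s) listed above in $file; write \"true\" instead"; status=1
      fi
      # 3. The keys the connector needs to upload to C1 and to authenticate to Azure.
      for key in BATON_CLIENT_ID BATON_CLIENT_SECRET \
                 BATON_ENTRA_CLIENT_ID BATON_ENTRA_CLIENT_SECRET BATON_ENTRA_TENANT_ID; do
        grep -qE "^[[:space:]]*$key:" "$file" || { echo "missing $key in $file"; status=1; }
      done
      return $status
    }

    # Step 3 as commands: namespace, secret, deployment, then wait and show the first log lines.
    deploy() {
      check_secret_manifest baton-microsoft-azure-secrets.yaml || return 1
      kubectl get namespace "$NAMESPACE" >/dev/null 2>&1 || kubectl create namespace "$NAMESPACE"
      kubectl apply -n "$NAMESPACE" -f baton-microsoft-azure-secrets.yaml
      kubectl apply -n "$NAMESPACE" -f baton-microsoft-azure.yaml
      kubectl rollout status -n "$NAMESPACE" deployment/baton-microsoft-azure --timeout=120s
      kubectl logs -n "$NAMESPACE" deployment/baton-microsoft-azure --tail=50
    }

    # Usage: sh deploy-azure-connector.sh check <secret-manifest>   or   sh deploy-azure-connector.sh deploy
    case "${1:-}" in
      check)  check_secret_manifest "$2" ;;
      deploy) deploy ;;
    esac
    ```

    Run the `check` form against your filled-in Secret file first; `deploy` runs the same check and stops before touching the cluster if it fails.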

    **Done.** Your Azure connector is now pulling access data into C1.
  </Tab>
</Tabs>
