# Azure

By integrating Shisho Cloud with Azure, you can run security scans on your Entra ID tenant and Azure subscriptions.
This integration can be done in the following five steps:

1. Create an App Registration in your Entra ID that Shisho Cloud can use.
2. Add API permissions.
3. Create a related Federated Credential.
4. Grant the registered App Registration permissions for your Azure subscriptions.
5. Register the created App Registration and other information in Shisho Cloud.

:::info
Shisho Cloud does not use static keys for Azure applications.
Instead, it uses Federated Credentials to access Azure while issuing short-lived credentials as needed.
:::

## Create an App Registration

Follow the steps below.

1. Open [Microsoft Entra ID in the Azure portal](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps).
2. Click _App registrations_.
3. Click _New registration_.
4. Enter any application name (e.g., `shisho-cloud`).
5. Under _Supported account types_, select _Accounts in this organizational directory only_.
6. Click _Register_.

## API Permissions

Follow the steps below.

1. On the page of the application you created, click _API permissions_.
2. Click _Add a permission_ and add the following permissions.
   - Permission type: Application permissions
   - API: Microsoft Graph, with these permissions
     - `Directory.Read.All`
     - `Group.Read.All`
     - `Policy.Read.All`
     - `User.Read.All`
3. Click _Grant admin consent for (your tenant name)_ to consent, as an administrator, to the application using these permissions.
4. Verify that the status of each permission above is _Granted_.

## Create a Federated Credential

Follow the steps below.

1. On the page of the application you created, click _Certificates & secrets_.
2. Click _Federated credentials_.
3. Click _Add credential_.
4. For _Federated credential scenario_, select _Other issuer_.
5. Create credentials as follows.
   - Issuer: `https://tokens.cloud.shisho.dev`
   - Type: _Explicit subject identifier_
   - Value: `job:<Shisho Cloud Organization Name>:default` (e.g. `job:your-organization-id:default`)
   - Name: Any (e.g., `shisho-cloud`)
   - Description: Any
6. Select the created credential.
7. Click _Add credential_.

## Grant Permissions to Subscriptions

Assign the following roles to each subscription you want to scan with Shisho Cloud, as well as to the resource groups and management groups that contain them.

- Reader
- Security Reader

For the assignment procedure, see the [Azure official documentation](https://learn.microsoft.com/ja-jp/azure/role-based-access-control/role-assignments-portal).

Shisho Cloud retrieves and evaluates configuration data for all subscriptions that it can access through the application.
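The four Azure-side steps above, driven from the Azure CLI instead of the portal, plus a final read-back of what was created so the result can be reviewed before registering it in Shisho Cloud. This is an added example, not Shisho Cloud's own tooling. It assumes an `az` session signed in as a user who may create app registrations, grant admin consent and assign roles; that the federated credential's audience is the portal default `api://AzureADTokenExchange` (the page does not state an audience); and placeholder values for the organization name and subscription IDs, supplied through environment variables.

```shell
# Added example: Azure CLI equivalent of the portal steps (not Shisho Cloud's own code).
set -eu

GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"  # well-known Microsoft Graph resource app ID
ISSUER="https://tokens.cloud.shisho.dev"
AUDIENCE="api://AzureADTokenExchange"                # portal default; assumption, the page does not state it

# Explicit subject identifier. Entra matches it exactly, so the
# organization name must be spelled exactly as Shisho Cloud shows it.
subject_for_org() {
  printf 'job:%s:default' "$1"
}

# Parameters document consumed by `az ad app federated-credential create`.
fic_params_json() {
  org="$1"; name="$2"
  printf '{"name": "%s", "issuer": "%s", "subject": "%s", "description": "Shisho Cloud scanner", "audiences": ["%s"]}\n' \
    "$name" "$ISSUER" "$(subject_for_org "$org")" "$AUDIENCE"
}

# Step 1: single-tenant app registration; prints the application (client) ID.
create_app() {
  az ad app create --display-name "$1" --sign-in-audience AzureADMyOrg --query appId -o tsv
}

# The service principal is what receives role assignments and consent grants.
ensure_service_principal() {
  az ad sp show --id "$1" --query id -o tsv 2>/dev/null \
    || az ad sp create --id "$1" --query id -o tsv
}

# Step 2: add the four Graph application permissions (looked up by name rather
# than hard-coded GUIDs) and grant tenant-wide admin consent.
add_graph_permissions() {
  app_id="$1"
  for perm in Directory.Read.All Group.Read.All Policy.Read.All User.Read.All; do
    role_id=$(az ad sp show --id "$GRAPH_APP_ID" --query "appRoles[?value=='$perm'].id" -o tsv)
    az ad app permission add --id "$app_id" --api "$GRAPH_APP_ID" --api-permissions "$role_id=Role"
  done
  az ad app permission admin-consent --id "$app_id"
}

# Step 3: federated credential for the Shisho Cloud issuer, no client secret involved.
add_federated_credential() {
  app_id="$1"; org="$2"
  tmp=$(mktemp)
  fic_params_json "$org" shisho-cloud > "$tmp"
  az ad app federated-credential create --id "$app_id" --parameters "$tmp"
  rm -f "$tmp"
}

# Step 4: Reader and Security Reader on every subscription passed as an argument.
assign_subscription_roles() {
  sp_id="$1"; shift
  for sub in "$@"; do
    for role in "Reader" "Security Reader"; do
      az role assignment create --assignee-object-id "$sp_id" \
        --assignee-principal-type ServicePrincipal --role "$role" --scope "/subscriptions/$sub"
    done
  done
}

# Read back the result: federated credentials, granted app roles, role assignments.
verify() {
  app_id="$1"; sp_id="$2"
  az ad app federated-credential list --id "$app_id" \
    --query "[].{name:name,issuer:issuer,subject:subject}" -o table
  az rest --method GET --url "https://graph.microsoft.com/v1.0/servicePrincipals/$sp_id/appRoleAssignments" \
    --query "value[].{resource:resourceDisplayName,appRoleId:appRoleId}" -o table
  az role assignment list --assignee "$app_id" --all \
    --query "[].{role:roleDefinitionName,scope:scope}" -o table
}

# Runs only when invoked as `... sh setup.sh apply` with the placeholders set, e.g.
#   SHISHO_ORG=your-organization-id SUBSCRIPTIONS="SUB_ID_1 SUB_ID_2" sh setup.sh apply
if [ "${1:-}" = "apply" ]; then
  app_id=$(create_app shisho-cloud)
  sp_id=$(ensure_service_principal "$app_id")
  add_graph_permissions "$app_id"
  add_federated_credential "$app_id" "$SHISHO_ORG"
  assign_subscription_roles "$sp_id" $SUBSCRIPTIONS
  verify "$app_id" "$sp_id"
fi
```

The `verify` output is the set of facts a reviewer wants to confirm before step 5: the subject is exactly `job:<org>:default` for the `https://tokens.cloud.shisho.dev` issuer, the Graph app roles appear as assignments on the service principal (which is what _Granted_ means in the portal), and only Reader and Security Reader are assigned on the intended scopes.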

## Register the Integration

In Shisho Cloud, open the _Gear icon :gear: > Integrations_ screen, click _Settings_ on the _Azure_ card, and enter the information as instructed on the screen.

The information you need is displayed on the page of the application you created.
![](/docs/_md-assets/5de8916091-integration-info.png)
