With the Azure Resource Manager (RM) integration, you can collect evidence of your Azure configurations directly from your cloud infrastructure. This integration supports two collection methods — Terraform and Script Runner — so you can choose the approach that best fits what you're trying to collect. Both methods use the same authentication setup and support automated collection.
Types of evidence you might collect
There are a lot of different types of evidence you can collect from Azure Resource Manager (AzureRM), including:
Storage Blob data
Subscription information
Azure database information
Data about Azure VPN gateways
Data about an Azure Firewall
The Terraform method gives you the broadest flexibility, limited only by the data sources supported by Terraform's AzureRM provider. The Script Runner method makes it easy to collect common evidence types without writing any code.
Important note: You do not need to use Terraform in your tech stack in order to use this integration.
Setting up the integration
To configure this integration, you (or someone in your organization) will need access and permissions to configure a new Azure Service Principal.
Get started by navigating to the Integration Manager in Strike Graph and opening the Azure Resource Manager integration. Note: if you do not see this integration listed, it may not be available for your organization or role yet; reach out to customer success to inquire.
Click the "+ Connect" button to begin configuring a new connection.
Setting up your Azure Service Principal
We authenticate to Azure Resource Manager using a Service Principal with a Client Secret. A service principal is a security identity used to access specific Azure data sources — think of it as a login identity (similar to a username/password) that has access to resources in a particular Azure tenant. Roles can be assigned to a service principal, such as "Reader" access to a specific Azure subscription or management group.
Each service principal has a Client ID (appID), Client Secret (password), and Tenant ID. For more information about service principals, see Microsoft's documentation.
In your Azure Portal, configure a new service principal that Strike Graph can use to read data from your Azure environments. Alternatively, you can create a service principal using the Azure CLI. Instructions for either approach can be found here.
For proper security, only assign the "Reader" role to your service principal — that is all Strike Graph requires for evidence collection. More information about Azure roles can be found here.
Subscription vs. Management Group scope
When assigning the Reader role to your service principal, you have two options:
Subscription-level scope (default): Assign Reader to a specific subscription. This is the most common approach when collecting evidence from a single Azure subscription.
Management Group-level scope: If your organization uses Azure Management Groups, you can assign the Reader role at the Management Group level instead. This gives your service principal read access to all subscriptions within that group without needing separate credentials per subscription. To do this, navigate to your Management Group in the Azure Portal, go to Access control (IAM), and add your service principal as a Reader.
Note that Strike Graph integrations are keyed on a unique combination of client_id, tenant_id, and subscription_id, so you will configure one connection per subscription you intend to collect evidence from, even if your service principal has management group-level access.
Entering your credentials in Strike Graph
Back in the Strike Graph interface, enter your service principal credentials into the matching fields:
Display Name: a descriptive label to help identify this connection from other Azure integrations that may be configured
Azure Subscription ID: the subscription_id to which you gave your service principal "Reader" access
Azure Tenant ID: your service principal tenant
Azure Client ID: your service principal appId
Azure Client Secret: your service principal password
Click "Save" to finalize the configuration.
You can configure as many connections as needed to manage different subscriptions or permission scopes. Everyone with access to your GRC organization will be able to use any configured connections during evidence collection.
Collecting evidence
Once your integration is configured, navigate to the evidence item you want to collect for and click Attach Directly or Automated Collection. Select your Terraform & Scripts - Azure Resource Manager integration from the list of available integrations.
The evidence collection form has two tabs: Terraform and Scripts. Choose the method that works best for your needs.
Using Script Runner
The Scripts tab lets you collect evidence using Strike Graph's library of pre-built compliance collection scripts. No code required — just search, preview, and run.
Select the Scripts tab.
Use the search box to find a relevant script. The search is pre-populated with your evidence item's name as a starting point, but you can adjust as needed.
Browse the results. Each script card displays the script name, category, a short description, and the Azure services it targets.
Optionally, click Preview on any script card to review its full details and source code before running it.
Click Run to execute the collection.
Strike Graph will run the script and attach the results to your evidence item. A loading indicator will appear while the script runs — this may take a moment to complete.
Once finished, the modal will close and the collected data will appear as an attachment.
Using Terraform Data Blocks
The Terraform tab lets you write your own HCL data blocks to collect from specific AzureRM data sources. This approach gives you the most flexibility and is well suited for evidence types that aren't covered by the available scripts.
Terraform integrations use "data blocks" to define what data to collect. More information about data blocks and local values can be found on the Terraform overview page. A full list of supported data sources is available at the bottom of this page and on the Terraform AzureRM provider page.
Step 1: Define the data block. Data blocks follow a typical pattern:
data_source — defines which AzureRM resource to read from. Supports any resource with a data source available from Terraform's AzureRM provider (see the list below).
temp_name — a temporary name you define to refer to this data block during execution. It's used in the output filename, so choose something recognizable. Names are limited to alphanumeric characters and do not allow spaces.
query constraints / arguments — many data sources require specific arguments (like the name of the resource you're reading from), or allow you to constrain results with filter queries. These are written as key/value pairs. Refer to the specific data source requirements in the Terraform AzureRM provider documentation.
Step 2: Define the local values for the execution. This follows a typical pattern derived from the data block: data.data_source.temp_name (sometimes followed by a key, like "metadata").
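As an added illustration (not taken from Strike Graph's documentation or script library), this is what Steps 1 and 2 look like together for a single storage account. The temp_name storageEvidence and the names prodevidencest and rg-prod are constructed placeholders; min_tls_version is an attribute exposed by the azurerm_storage_account data source.

```hcl
# Step 1: the data block.
#   data_source = azurerm_storage_account (a data source in the AzureRM provider)
#   temp_name   = storageEvidence (alphanumeric, no spaces; it becomes part of
#                 the output filename)
#   arguments   = the two arguments this data source requires
data "azurerm_storage_account" "storageEvidence" {
  name                = "prodevidencest"   # constructed placeholder
  resource_group_name = "rg-prod"          # constructed placeholder
}

# Step 2: the local values, derived from the data block as
# data.<data_source>.<temp_name>, optionally followed by a key.
locals {
  # The whole object: every attribute the Reader role can see on this account.
  storage_account = data.azurerm_storage_account.storageEvidence

  # The same reference followed by a key, pulling out one setting an auditor
  # typically asks about: the minimum TLS version the account accepts.
  storage_min_tls = data.azurerm_storage_account.storageEvidence.min_tls_version
}
```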
Click "Attach" to run the collection. This may take a few minutes as we set up the data pipeline. Once finished, the modal will close and the collected data will appear as an attachment on your evidence item.
Advanced Mode for Terraform Data Blocks
The Terraform tab offers two input modes: Basic and Advanced. You can toggle between them at the top of the form.
Basic mode uses a structured form where you fill in individual fields for the data_source, temp_name, query constraints, and local values. This is the recommended starting point as it guides you through the correct data block structure and validates your inputs as you go.
Advanced mode replaces the structured form with a single freeform code editor, letting you write complete HCL configurations directly. This is useful when you need to define multiple data blocks in one collection, chain data sources together, or work with more complex query constraints than the basic form supports. Advanced mode validates that your configuration only uses data blocks — resource, provider, module, and terraform blocks are not permitted.
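An added example of an Advanced mode configuration (not code from Strike Graph) that goes beyond the single-block pattern by chaining two data sources: the database is looked up through the server's id rather than a hard-coded resource id. It matches the kind of request shown for Security Assistant below (encryption settings for Azure SQL). The temp_names sqlServer and sqlDb and the names sql-prod-evidence, rg-prod and appdb are constructed placeholders; it assumes a locals block is accepted alongside data blocks, as it is in Basic mode, and attribute names follow the provider documentation for these data sources.

```hcl
# Advanced mode: only data (and locals) blocks. No resource, provider,
# module or terraform blocks, which the form rejects.

# First data block: the logical SQL server.
data "azurerm_mssql_server" "sqlServer" {
  name                = "sql-prod-evidence"   # constructed placeholder
  resource_group_name = "rg-prod"             # constructed placeholder
}

# Second data block, chained to the first: server_id comes from the
# first block's output, so nothing is retyped by hand.
data "azurerm_mssql_database" "sqlDb" {
  name      = "appdb"                          # constructed placeholder
  server_id = data.azurerm_mssql_server.sqlServer.id
}

locals {
  # Server-level posture attributes an auditor will want to see.
  sql_server_min_tls        = data.azurerm_mssql_server.sqlServer.minimum_tls_version
  sql_server_public_network = data.azurerm_mssql_server.sqlServer.public_network_access_enabled

  # The full database object, including its encryption-related attributes.
  sql_database = data.azurerm_mssql_database.sqlDb
}
```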
If Security Assistant (described below) generates code for you, it will automatically switch the form to Advanced mode and populate the editor with the result.
Using Security Assistant to generate Terraform code
If you're not sure which data source to use or how to structure your data block, Security Assistant can generate the Terraform configuration for you based on a plain-language description of what you want to collect.
To use it, click the "Use Security Assistant" button near the top of the Terraform tab. A prompt area will appear — describe the evidence you want to collect in plain language. For example:
"Database encryption settings for our Azure SQL servers"
Click Send. Security Assistant will think through the request and generate the appropriate Terraform data blocks for your Azure environment. Once complete, the form will automatically switch to Advanced mode with the generated code populated and ready to run. You can review the code before attaching, and use the Resubmit button to refine it further if needed.
Security Assistant is available as part of select plans. If you don't see the "Use Security Assistant" button in the Terraform tab, reach out to your Customer Success Manager to inquire about access.
Using Automated Collection
It is highly recommended that you configure your evidence with automated collection. With Automated Collection, Strike Graph can recollect evidence attachments from Azure Resource Manager a few days before expiration, keeping your evidence in an audit-ready state without manual intervention.
Automated Collection works with both the Scripts and Terraform collection methods. To configure it, follow the collection steps above after clicking the "Automated Collection" button on the evidence item's detail page. Additional information about Automated Collection is available here.
Removing the integration
You can remove the integration at any time. Removing an integration does not delete any files that were previously attached using it, but it will disrupt automated collection.
To remove:
Go to the Integration Manager and click on the Terraform & Scripts - Azure Resource Manager card to access your integration configurations.
Click the "Deactivate" button next to your configuration.
Note: You may have access to remove integrations for other users on your team.
If you are fully removing access between Strike Graph and your Azure system, you may also wish to delete the service principal from the Azure Portal. Before deleting, verify that you are not using it for other purposes.
Troubleshooting
For additional Terraform troubleshooting tips, click here.
Errors when setting up an integration
If you receive an error while setting up an integration, check for a specific error message at the top of the form. If one or more of your service principal fields are invalid, the message will indicate which field(s) to check. If you have multiple invalid fields, the error will update with each one as you correct and resubmit.
General formatting errors
If you receive a generic error like "Something went wrong" during evidence collection, it may be a formatting issue. Check that your temp_name is formatted correctly (no spaces, only alphanumeric characters) and that there are no unexpected characters in the data block or local values.
Check permissions
If you receive a permissions error, ensure that your service principal has been granted the "Reader" role for the subscription or management group you are trying to collect from.
Confirm the data_source requirements
Check that the resource you defined in the data_source is available from the AzureRM Terraform provider, and ensure you have included any required query constraints or arguments.
Confirm the local values
Confirm that the local values are formatted correctly. Typically, the local value should start with "data" and include the data_source and temp_name. Check that these values are consistent between the data block and local values.
Script Runner errors
If a script fails to execute, an error message will appear in the Scripts tab. Verify that your integration credentials are still valid and that your service principal has the appropriate Reader permissions for the resources the script is targeting. If the issue persists, contact our support team through the in-app messenger and include the name of the script to help with troubleshooting.
The long list of supported Azure Resource Manager data sources
The following list is a snapshot of supported data sources from the AzureRM Terraform provider. For up-to-date support and specific data source requirements, visit the Terraform documentation.
AAD B2C
azurerm_aadb2c_directory
API Management
azurerm_api_management
azurerm_api_management_api
azurerm_api_management_api_version_set
azurerm_api_management_gateway
azurerm_api_management_group
azurerm_api_management_product
azurerm_api_management_user
Active Directory Domain Services
azurerm_active_directory_domain_service
Advisor
azurerm_advisor_recommendations
App Configuration
azurerm_app_configuration
azurerm_app_configuration_key
azurerm_app_configuration_keys
App Service (Web Apps)
azurerm_app_service
azurerm_app_service_certificate
azurerm_app_service_certificate_order
azurerm_app_service_environment
azurerm_app_service_environment_v3
azurerm_app_service_plan
azurerm_function_app
azurerm_function_app_host_keys
azurerm_linux_function_app
azurerm_linux_web_app
azurerm_service_plan
azurerm_source_control_token
azurerm_windows_function_app
azurerm_windows_web_app
Application Insights
azurerm_application_insights
Attestation
azurerm_attestation
Authorization
azurerm_role_definition
azurerm_user_assigned_identity
Automation
azurerm_automation_account
azurerm_automation_variable_bool
azurerm_automation_variable_datetime
azurerm_automation_variable_int
azurerm_automation_variable_string
Base
azurerm_client_config
azurerm_extended_locations
azurerm_resource_group
azurerm_resources
azurerm_subscription
azurerm_subscriptions
Batch
azurerm_batch_account
azurerm_batch_application
azurerm_batch_certificate
azurerm_batch_pool
Billing
azurerm_billing_enrollment_account_scope
azurerm_billing_mca_account_scope
azurerm_billing_mpa_account_scope
Blueprints
azurerm_blueprint_definition
azurerm_blueprint_published_version
CDN
azurerm_cdn_frontdoor_endpoint
azurerm_cdn_frontdoor_origin_group
azurerm_cdn_frontdoor_profile
azurerm_cdn_frontdoor_rule_set
azurerm_cdn_profile
Cognitive Services
azurerm_cognitive_account
Compute
azurerm_availability_set
azurerm_dedicated_host
azurerm_dedicated_host_group
azurerm_disk_access
azurerm_disk_encryption_set
azurerm_image
azurerm_images
azurerm_managed_disk
azurerm_platform_image
azurerm_proximity_placement_group
azurerm_shared_image
azurerm_shared_image_gallery
azurerm_shared_image_version
azurerm_shared_image_versions
azurerm_snapshot
azurerm_ssh_public_key
azurerm_virtual_machine
azurerm_virtual_machine_scale_set
Confidential Ledger
azurerm_confidential_ledger
Connections
azurerm_managed_api
Consumption
azurerm_consumption_budget_resource_group
azurerm_consumption_budget_subscription
Container
azurerm_container_group
azurerm_container_registry
azurerm_container_registry_scope_map
azurerm_container_registry_token
azurerm_kubernetes_cluster
azurerm_kubernetes_cluster_node_pool
azurerm_kubernetes_service_versions
CosmosDB (DocumentDB)
azurerm_cosmosdb_account
azurerm_cosmosdb_mongo_database
azurerm_cosmosdb_restorable_database_accounts
DNS
azurerm_dns_a_record
azurerm_dns_aaaa_record
azurerm_dns_caa_record
azurerm_dns_cname_record
azurerm_dns_mx_record
azurerm_dns_ns_record
azurerm_dns_ptr_record
azurerm_dns_soa_record
azurerm_dns_srv_record
azurerm_dns_txt_record
azurerm_dns_zone
Data Explorer
azurerm_kusto_cluster
azurerm_kusto_database
Data Factory
azurerm_data_factory
Data Share
azurerm_data_share
azurerm_data_share_account
azurerm_data_share_dataset_blob_storage
azurerm_data_share_dataset_data_lake_gen2
azurerm_data_share_dataset_kusto_cluster
azurerm_data_share_dataset_kusto_database
DataProtection
azurerm_data_protection_backup_vault
Database
azurerm_mariadb_server
azurerm_mssql_database
azurerm_mssql_elasticpool
azurerm_mssql_managed_instance
azurerm_mssql_server
azurerm_mysql_flexible_server
azurerm_mysql_server
azurerm_postgresql_flexible_server
azurerm_postgresql_server
azurerm_sql_database
azurerm_sql_managed_instance
azurerm_sql_server
Database Migration
azurerm_database_migration_project
azurerm_database_migration_service
Databricks
azurerm_databricks_workspace
azurerm_databricks_workspace_private_endpoint_connection
Dev Test
azurerm_dev_test_lab
azurerm_dev_test_virtual_network
Digital Twins
azurerm_digital_twins_instance
Elastic
azurerm_elastic_cloud_elasticsearch
HDInsight
azurerm_hdinsight_cluster
Healthcare
azurerm_healthcare_dicom
azurerm_healthcare_fhir_service
azurerm_healthcare_medtech_service
azurerm_healthcare_service
azurerm_healthcare_workspace
IoT Hub
azurerm_iothub
azurerm_iothub_dps
azurerm_iothub_dps_shared_access_policy
azurerm_iothub_shared_access_policy
Key Vault
azurerm_key_vault
azurerm_key_vault_access_policy
azurerm_key_vault_certificate
azurerm_key_vault_certificate_data
azurerm_key_vault_certificate_issuer
azurerm_key_vault_encrypted_value
azurerm_key_vault_key
azurerm_key_vault_managed_hardware_security_module
azurerm_key_vault_secret
azurerm_key_vault_secrets
Load Balancer
azurerm_lb
azurerm_lb_backend_address_pool
azurerm_lb_rule
Log Analytics
azurerm_log_analytics_workspace
Logic App
azurerm_logic_app_integration_account
azurerm_logic_app_standard
azurerm_logic_app_workflow
Machine Learning
azurerm_machine_learning_workspace
Maintenance
azurerm_maintenance_configuration
azurerm_public_maintenance_configurations
Managed Applications
azurerm_managed_application_definition
Management
azurerm_management_group
Maps
azurerm_maps_account
Messaging
azurerm_eventgrid_domain
azurerm_eventgrid_domain_topic
azurerm_eventgrid_system_topic
azurerm_eventgrid_topic
azurerm_eventhub
azurerm_eventhub_authorization_rule
azurerm_eventhub_cluster
azurerm_eventhub_consumer_group
azurerm_eventhub_namespace
azurerm_eventhub_namespace_authorization_rule
azurerm_notification_hub
azurerm_notification_hub_namespace
azurerm_servicebus_namespace
azurerm_servicebus_namespace_authorization_rule
azurerm_servicebus_queue
azurerm_servicebus_queue_authorization_rule
azurerm_servicebus_subscription
azurerm_servicebus_topic
azurerm_servicebus_topic_authorization_rule
azurerm_signalr_service
Mixed Reality
azurerm_spatial_anchors_account
Monitor
azurerm_monitor_action_group
azurerm_monitor_data_collection_endpoint
azurerm_monitor_diagnostic_categories
azurerm_monitor_log_profile
azurerm_monitor_scheduled_query_rules_alert
azurerm_monitor_scheduled_query_rules_log
NetApp
azurerm_netapp_account
azurerm_netapp_pool
azurerm_netapp_snapshot
azurerm_netapp_snapshot_policy
azurerm_netapp_volume
Network
azurerm_application_gateway
azurerm_application_security_group
azurerm_express_route_circuit
azurerm_firewall
azurerm_firewall_policy
azurerm_ip_group
azurerm_local_network_gateway
azurerm_nat_gateway
azurerm_network_ddos_protection_plan
azurerm_network_interface
azurerm_network_security_group
azurerm_network_service_tags
azurerm_network_watcher
azurerm_private_endpoint_connection
azurerm_private_link_service
azurerm_private_link_service_endpoint_connections
azurerm_public_ip
azurerm_public_ip_prefix
azurerm_public_ips
azurerm_route_filter
azurerm_route_table
azurerm_subnet
azurerm_traffic_manager_geographical_location
azurerm_traffic_manager_profile
azurerm_virtual_hub
azurerm_virtual_network
azurerm_virtual_network_gateway
azurerm_virtual_network_gateway_connection
azurerm_virtual_wan
azurerm_vpn_gateway
azurerm_web_application_firewall_policy
Policy
azurerm_policy_assignment
azurerm_policy_definition
azurerm_policy_set_definition
azurerm_policy_virtual_machine_configuration_assignment
Portal
azurerm_portal_dashboard
Private DNS
azurerm_private_dns_a_record
azurerm_private_dns_aaaa_record
azurerm_private_dns_cname_record
azurerm_private_dns_mx_record
azurerm_private_dns_ptr_record
azurerm_private_dns_soa_record
azurerm_private_dns_srv_record
azurerm_private_dns_txt_record
azurerm_private_dns_zone
Recovery Services
azurerm_backup_policy_file_share
azurerm_backup_policy_vm
azurerm_recovery_services_vault
azurerm_site_recovery_fabric
azurerm_site_recovery_protection_container
azurerm_site_recovery_replication_policy
Redis
azurerm_redis_cache
Redis Enterprise
azurerm_redis_enterprise_database
Search
azurerm_search_service
Sentinel
azurerm_sentinel_alert_rule
azurerm_sentinel_alert_rule_template
Spring Cloud
azurerm_spring_cloud_app
azurerm_spring_cloud_service
Storage
azurerm_storage_account
azurerm_storage_account_blob_container_sas
azurerm_storage_account_sas
azurerm_storage_blob
azurerm_storage_container
azurerm_storage_encryption_scope
azurerm_storage_management_policy
azurerm_storage_share
azurerm_storage_sync
azurerm_storage_sync_group
azurerm_storage_table_entity
Stream Analytics
azurerm_stream_analytics_job
Synapse
azurerm_synapse_workspace
Template
azurerm_management_group_template_deployment
azurerm_resource_group_template_deployment
azurerm_subscription_template_deployment
azurerm_template_spec_version
azurerm_tenant_template_deployment
VMware (AVS)
azurerm_vmware_private_cloud
Web PubSub
azurerm_web_pubsub
azurerm_web_pubsub_private_link_resource