ClarioSec
Integration

Azure IAM

Discover role assignments across management groups → subscriptions → resource groups → resources, custom/built-in roles, service principals & app registrations, PIM eligibility/activations, and effective permissions at execution time. Govern non-human identities and stop risky actions before impact.
Overview
What the connector discovers
  • Hierarchy & Scopes

    Management groups, subscriptions, resource groups and resources; scope-normalized view of assignments and inheritance.


  • Role Definitions (built-in & custom)

    Role definition permissions, assignable scopes and changes over time to surface privilege creep and custom-role sprawl.


  • Role Assignments & Deny Assignments

    Assignments at all scopes (including inherited) and deny assignments that restrict otherwise allowed actions.


  • Service Principals & App Registrations

    Enterprise apps, app registrations, owners, credential expiry (secrets/certs) and application permissions to Azure resources & Graph.


  • PIM (Privileged Identity Management)

    Eligible vs active assignments, activation history, approval flow and justifications for privileged roles.


  • Effective Permissions

    Identity → role(s) → scope → resource → allowed actions, correlated to activity logs at time-of-execution.
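The "Effective Permissions" walk above (identity → role(s) → scope → resource → allowed actions) is easy to get wrong by hand because Azure inherits assignments down the scope tree and lets deny assignments override an allow. The following is an added example, not ClarioSec's code: it evaluates a request the way Azure RBAC does (deny first, then any allow from the resource scope or an ancestor, else no access) and returns the narrative for the decision. Every identity, scope, role definition and assignment in it is constructed sample data; the custom role is invented, and the scope tree is a hand-built map because management groups are not string prefixes of subscriptions. It also flags assignments at management-group or subscription scope whose role can write role assignments, which is the high-scope pattern called out under "Common risks caught".

```python
"""Scope-aware effective-permission evaluation for Azure RBAC.

Added illustration, not ClarioSec's code. All identities, scopes, role
definitions and assignments below are constructed sample data.
"""
import re
from dataclasses import dataclass, field

# Constructed scope tree: child scope -> parent scope. Management groups are not
# string prefixes of subscriptions, so inheritance needs an explicit map.
SCOPE_PARENT = {
    "/subscriptions/sub-prod": "/providers/Microsoft.Management/managementGroups/mg-root",
    "/subscriptions/sub-dev": "/providers/Microsoft.Management/managementGroups/mg-root",
    "/subscriptions/sub-prod/resourceGroups/rg-app": "/subscriptions/sub-prod",
    "/subscriptions/sub-prod/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app":
        "/subscriptions/sub-prod/resourceGroups/rg-app",
}
KV = "/subscriptions/sub-prod/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app"

@dataclass
class RoleDefinition:
    name: str
    actions: list                      # wildcard patterns such as "*/read"
    not_actions: list = field(default_factory=list)

@dataclass
class RoleAssignment:
    principal: str
    role: str
    scope: str

@dataclass
class DenyAssignment:
    principals: list
    scope: str
    actions: list
    not_actions: list = field(default_factory=list)

def scope_chain(scope):
    """Resource scope first, then every ancestor up to the root management group."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = SCOPE_PARENT.get(scope)
    return chain

def matches(pattern, action):
    """Azure-style wildcard match: '*' spans any number of segments, case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None

def grants(actions, not_actions, action):
    """Effective grant of a definition is its actions minus its notActions."""
    return any(matches(p, action) for p in actions) and not any(matches(p, action) for p in not_actions)

def effective_permission(principal, action, scope, roles, assignments, denies):
    """Return (effect, narrative). A matching deny wins; otherwise the first
    assignment in the scope chain whose role grants the action allows it."""
    chain = scope_chain(scope)
    for d in denies:
        if principal in d.principals and d.scope in chain and grants(d.actions, d.not_actions, action):
            return "deny", f"deny assignment at {d.scope} blocks {action}"
    for a in assignments:
        if a.principal == principal and a.scope in chain:
            r = roles[a.role]
            if grants(r.actions, r.not_actions, action):
                return "allow", f"role '{r.name}' assigned at {a.scope} grants {action}"
    return "no-access", f"no assignment in the scope chain grants {action}"

def is_high_scope(scope):
    """Management-group or subscription scope (everything below inherits it)."""
    return (scope.startswith("/providers/Microsoft.Management/managementGroups/")
            or re.fullmatch(r"/subscriptions/[^/]+", scope) is not None)

def risky_high_scope_assignments(roles, assignments):
    """High-scope assignments whose role can write role assignments, i.e. can
    extend its own or others' privilege across everything beneath that scope."""
    escalation = "Microsoft.Authorization/roleAssignments/write"
    return [a for a in assignments if is_high_scope(a.scope)
            and grants(roles[a.role].actions, roles[a.role].not_actions, escalation)]

# Constructed sample data. Reader and Owner mirror the built-in shapes; the
# custom role is invented for the example.
ROLES = {
    "Reader": RoleDefinition("Reader", ["*/read"]),
    "Owner": RoleDefinition("Owner", ["*"]),
    "Custom Secrets Operator": RoleDefinition(
        "Custom Secrets Operator", ["Microsoft.KeyVault/vaults/*"], ["Microsoft.KeyVault/vaults/delete"]),
}
ASSIGNMENTS = [
    RoleAssignment("sp-backup", "Reader", "/providers/Microsoft.Management/managementGroups/mg-root"),
    RoleAssignment("sp-backup", "Custom Secrets Operator", "/subscriptions/sub-prod/resourceGroups/rg-app"),
    RoleAssignment("sp-ci", "Owner", "/subscriptions/sub-prod"),
]
DENIES = [
    DenyAssignment(["sp-backup"], "/subscriptions/sub-prod/resourceGroups/rg-app",
                   ["Microsoft.KeyVault/vaults/accessPolicies/write"]),
]

if __name__ == "__main__":
    for principal, action in [("sp-backup", "Microsoft.KeyVault/vaults/read"),
                              ("sp-backup", "Microsoft.KeyVault/vaults/delete"),
                              ("sp-backup", "Microsoft.KeyVault/vaults/accessPolicies/write"),
                              ("sp-ci", "Microsoft.KeyVault/vaults/accessPolicies/write")]:
        print(principal, action, effective_permission(principal, action, KV, ROLES, ASSIGNMENTS, DENIES))
    print("high-scope escalation-capable:", risky_high_scope_assignments(ROLES, ASSIGNMENTS))
```

The narrative string is what an audit trail needs: which rule (role or deny assignment) at which scope produced the effect. In the sample, `sp-backup` can read the vault through Reader inherited from the management group, cannot delete it because the custom role's notActions carve that out, and is blocked from writing access policies by the deny assignment even though the custom role would otherwise allow it.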

Why it matters

Azure IAM spans multiple scopes and PIM workflows. ClarioSec turns this complexity into **runtime governance**: drift-aware scoring, pre-execution controls, and audit-grade narratives.

  • Least-privilege & custom-role hygiene
  • Scope-aware risk
  • Pre-execution controls
  • Explainable decisions
Drift-aware risk scoring

Baselines per role/identity; peer groups by team; detection of privilege creep, custom-role expansion, risky assignments at high scopes and anomalous sequences in Activity Logs.

Pre-execution enforcement

Allow / Alert / Block / Approve with governed overrides. Actionable minimization (role/scope changes) and credential rotation for expiring app secrets/certs.

Audit-grade narratives

Every decision returns a narrative linking **rule → reason → proof → control map** (SOC 2, GDPR, ISO/IEC 27001 & 42001, AI Act), including before/after permissions and owner context.

Setup
Connect Azure IAM

Use an **App Registration** with the minimum read roles/permissions; ClarioSec calls Azure Resource Manager (ARM), Microsoft Graph and PIM endpoints as needed.

  • 1) Create an App Registration

    Azure Portal → Entra ID → App registrations → New registration. Record Application (client) ID and Directory (tenant) ID.

  • 2) Client secret or certificate

    Certificates & secrets → New client secret (or upload certificate). Store the value securely (shown once for secrets).

  • 3) Assign least-privilege roles

    At management group/subscription: Reader; at Graph: Directory.Read.All, AppRoleAssignment.Read.All, RoleManagement.Read.Directory. Add PIM read access if applicable.

  • 4) Grant admin consent

    Grant consent for Graph permissions and confirm ARM access at the targeted scopes.

  • 5) Add credentials in ClarioSec

    Open the Azure IAM connector and paste Tenant ID, Client ID, Client Secret/Certificate (stored per tenant).

Data collected

High-value signals pulled via ARM, Microsoft Graph, and (optional) PIM:

  • Management groups, subscriptions, resource groups, resources (hierarchy & metadata)
  • Role definitions (built-in/custom) & changes; Deny Assignments
  • Role assignments incl. inheritance; effective permissions per identity & scope
  • Service principals & app registrations, owners, secrets/certs (expiry)
  • PIM eligibility/activations & approvals (if enabled)
  • Key Vault RBAC (via ARM) and data-plane role hints (optional)

Endpoint family: Azure Resource Manager, Microsoft Graph, Privileged Identity Management (read).

Common risks caught
  • Over-privileged custom roles & high-scope assignments

    Wide permissions bound at management group/subscription scopes; missing deny assignments.

  • Stale app credentials & owner gaps

    Secrets/certs nearing expiry without rotation; app registrations with no accountable owner.

  • PIM misuse or bypass

    Privileged roles active without justification or activated too broadly for routine tasks.

  • Key Vault exposure patterns

    RBAC drifts allowing broad secret access across teams or automation paths.
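Three of the risks above ("Stale app credentials & owner gaps" and "PIM misuse or bypass") reduce to checks over data the connector already collects. The block below is an added example, not ClarioSec's code: it runs those checks over constructed records shaped like Microsoft Graph objects (`/applications` entries with `passwordCredentials[]` and `keyCredentials[]` carrying `endDateTime`, with the `owners` relationship merged in as a list) and over simplified PIM self-activation records with an `action`, a `justification` and an assumed `hours` field standing in for the activation duration. All names, ids, dates and thresholds are made up; the reference time is pinned so the run is reproducible.

```python
"""Stale-credential, owner-gap and PIM-justification checks.

Added illustration, not ClarioSec's code. Records are constructed in the shape
of Microsoft Graph application objects plus simplified PIM activation requests.
"""
from datetime import datetime, timezone

# Fixed reference time so the sample run is reproducible.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

APPS = [  # constructed sample app registrations
    {"displayName": "backup-agent", "appId": "00000000-0000-0000-0000-000000000001",
     "owners": ["alice@example.com"],
     "passwordCredentials": [{"displayName": "ci-secret", "endDateTime": "2025-06-10T00:00:00Z"}],
     "keyCredentials": []},
    {"displayName": "legacy-sync", "appId": "00000000-0000-0000-0000-000000000002",
     "owners": [],
     "passwordCredentials": [{"displayName": "old-secret", "endDateTime": "2025-03-01T00:00:00Z"}],
     "keyCredentials": [{"displayName": "sync-cert", "endDateTime": "2026-01-01T00:00:00Z"}]},
    {"displayName": "reporting", "appId": "00000000-0000-0000-0000-000000000003",
     "owners": ["bob@example.com"],
     "passwordCredentials": [{"displayName": "report-secret", "endDateTime": "2026-06-01T00:00:00Z"}],
     "keyCredentials": []},
]

PIM_ACTIVATIONS = [  # constructed, simplified PIM self-activation requests
    {"principal": "carol@example.com", "role": "Owner", "action": "selfActivate",
     "justification": "INC-2041: rotate storage keys", "hours": 2},
    {"principal": "sp-ci", "role": "Owner", "action": "selfActivate",
     "justification": "", "hours": 8},
]

def parse_graph_time(value):
    """Graph returns ISO-8601 UTC timestamps ending in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def credential_findings(app, now=NOW, warn_days=30):
    """Expired secrets/certs and those inside the rotation window."""
    out = []
    for kind, key in (("secret", "passwordCredentials"), ("certificate", "keyCredentials")):
        for cred in app.get(key, []):
            days_left = (parse_graph_time(cred["endDateTime"]) - now).days
            if days_left < 0:
                out.append({"app": app["displayName"], "finding": "expired-" + kind,
                            "credential": cred["displayName"], "days": days_left})
            elif days_left <= warn_days:
                out.append({"app": app["displayName"], "finding": "expiring-" + kind,
                            "credential": cred["displayName"], "days": days_left})
    return out

def owner_findings(app):
    """An app registration with no owner has nobody accountable for rotation."""
    if app.get("owners"):
        return []
    return [{"app": app["displayName"], "finding": "no-owner", "credential": None, "days": None}]

def pim_findings(activations, max_hours=4):
    """Self-activations with an empty justification or an over-long window."""
    out = []
    for act in activations:
        if act["action"] != "selfActivate":
            continue
        if not act["justification"].strip():
            out.append({"principal": act["principal"], "role": act["role"], "finding": "no-justification"})
        if act["hours"] > max_hours:
            out.append({"principal": act["principal"], "role": act["role"], "finding": "over-long-activation"})
    return out

def assess(apps=APPS, activations=PIM_ACTIVATIONS, now=NOW):
    """Combined report for a tenant snapshot."""
    findings = []
    for app in apps:
        findings.extend(credential_findings(app, now))
        findings.extend(owner_findings(app))
    findings.extend(pim_findings(activations))
    return findings

if __name__ == "__main__":
    for finding in assess():
        print(finding)
```

Against the sample data the report lists one secret expiring in 9 days, one already expired by 92 days on an app with no owner, and one PIM self-activation that has neither a justification nor a reasonable duration. The expiry window and maximum activation length are the two knobs an operator would tune per tenant.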

Governance outcomes
  • Prioritized role/scope minimization with deny-assignment guidance
  • Automatic credential rotation & owner attestations
  • Just-in-time approvals for sensitive role activations
  • Audit-grade narratives mapped to SOC 2 / GDPR / ISO / AI Act
Ready to govern Azure IAM agents at runtime?

Move from IAM posture to provable behavior — identity → permission → action → narrative.

ClarioSec

Runtime governance for SaaS & AI agents. Discover non-human identities, score drift, enforce policies, and generate audit-grade explanations.


© 2025 ClarioSec. All rights reserved.