> ## Documentation Index > Fetch the complete documentation index at: https://docs.envzero.com/llms.txt > Use this file to discover all available pages before exploring further. # Configure an Azure Cloud Account > Connect an Azure subscription to env zero Cloud Compass by exporting activity logs to Log Analytics and granting OIDC permissions with Log Analytics Reader. ## Configure a Cloud Account Cloud Account configuration wizard for Azure showing the initial setup form

Cloud Account configuration wizard for Azure showing the initial setup form

## Requirements ### Export Activity Logs to an Azure Log Activity Workspace * Open the Azure Console and login to the relevant tenant * Go to the *Activity Log* service * Follow [Azure official procedure](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell#send-to-log-analytics-workspace) to send the activity logs to a Log Analytics Workspace * env zero reads and uses the *Administrative* logs only: Azure Diagnostic settings with Administrative log category selected for export to Log Analytics Workspace

Azure Diagnostic settings with Administrative log category selected for export to Log Analytics Workspace

### Grant permissions to env zero via OIDC * Open the Azure Console and login to the relevant tenant * Go to the *Microsoft Entra ID* service * Follow [this procedure](/guides/integrations/oidc-integrations/oidc-with-azure/#azure-ad-app--federated-credential) to configure a proper *App registration* * After the App registration is created, Go to the *Log Analytics Workspaces* service * Select the relevant Log Analytics Workspace, and select *Access Control (IAM)* from the left pane menu Azure Log Analytics Workspace Access Control (IAM) pane for assigning the Log Analytics Reader role

Azure Log Analytics Workspace Access Control (IAM) pane for assigning the Log Analytics Reader role

* Click *+ Add* and select *Add role assignment* * Add the **Log Analytics Reader** permission to the relevant App registration To enrich the data and provide better insights into the account, the **Application.Read.All** permission is required. This permission enables the app to retrieve Azure AD application details, helping map app IDs to human-readable names for better account understanding. #### Adding the Permission in Azure Portal 1. Go to **Azure Active Directory** in the Azure portal. 2. Select your app under **App registrations**. 3. Navigate to **API permissions**, click **Add a permission**, select **Microsoft Graph**, choose **Application permissions**, and add **Application.Read.All**. 4. Click **Grant admin consent for \** under **Configured permissions**. You must have a role like Global Administrator to perform this action. #### Adding the Permission with Azure CLI You can also use the Azure CLI for this: 1. Add the permission: ```bash theme={null} az ad app permission add --id --api 00000003-0000-0000-c000-000000000000 --api-permissions 311a71cc-e848-46a1-bdf8-97ff7156d8e6=Role ``` 2. Grant admin consent: ```bash theme={null} az ad app permission grant --id --api 00000003-0000-0000-c000-000000000000 ``` ## Next steps * [Configure an AWS Cloud Account](/guides/cloud-compass/cloud-compass/configure-cloud-accounts) - Connect your AWS account to Cloud Compass. * [Configure a GCP Cloud Account](/guides/cloud-compass/cloud-compass/configure-a-gcp-cloud-account) - Connect a GCP project to Cloud Compass. * [Link Environments to Cloud Compass](/guides/cloud-compass/cloud-compass/linking-environments-to-cloud-compass-resources) - Map environments to discovered cloud resources.