
Integrations

Connect Microsoft Azure

Dun connects to Azure with a single Microsoft sign-in — no service principal to create, no secrets to paste. One authorization powers Container Apps, Container Registry, Monitor, Key Vault, Redis, Front Door, Postgres, and Azure DNS. You grant access per product, and every change Dun makes is gated behind your approval in chat.

Note

You sign in with Microsoft and approve access — Dun never sees a password, client secret, or any token to copy. Dun requests ARM (control-plane) access only and stores the authorization encrypted. You can revoke it at any time from your Microsoft account.

Before you start

You’ll need a Microsoft account that can sign in to the Azure subscription you want Dun to manage, with at least the Reader role on that subscription. Reader is the minimum Dun needs to connect and verify access; write access for individual products is granted separately (see the access table below). The whole flow takes under a minute — no portal setup, no command line.

Connect in one sign-in

There’s nothing to set up in the Azure portal first — Dun walks you straight through Microsoft’s sign-in.

1. Open the Azure connector

In Dun, go to Integrations → browse to Microsoft Azure and click Connect with Microsoft Azure.

2. Sign in with Microsoft

You’ll be redirected to Microsoft. Sign in with an account that has at least Reader on the subscription you want Dun to manage.

3. Approve the access

Microsoft shows you exactly what Dun is asking for — ARM (management.azure.com) control-plane access. Approve it, and you’re sent back to Dun, connected.

4. Choose your products

Toggle on the products you want Dun to manage and the permissions within each. Dun only acts on what you turn on, and every write still waits for your approval in chat.

What access each product needs

Because you connect by signing in, Dun acts with your account’s Azure permissions. Reader covers everything Dun reads — health, logs, metrics, DNS records. For products that change things, your account needs the matching write role — scoped to a resource group, never your whole subscription. You only need this for the products you actually turn on.

| Product | Read (covered by Reader) | Write role your account needs when enabled |
| --- | --- | --- |
| Container Apps | Reader | Contributor on the resource group — redeploy / scale |
| Container Registry | Reader / AcrPull | Contributor — prune tags |
| Monitor | Monitoring Reader + Log Analytics Reader | — read-only |
| Key Vault | Key Vault Secrets User | Key Vault Secrets Officer — set / rotate |
| Redis Cache | Reader | Contributor — flush (non-prod guard) |
| Front Door | Reader | — read-only |
| PostgreSQL | Reader | — inspect-only |
| Azure DNS | Reader | DNS Zone Contributor — record CRUD, scoped to the zone |

Least privilege by default

Hold write roles on a dedicated resource group rather than the whole subscription, so the blast radius stays small. Read-only products (Monitor, Front Door, Postgres) never need anything beyond Reader.
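One way to check the connecting account against the access table and the resource-group scoping advice above, as an added example that is not Dun's own code. It assumes role assignments exported as JSON in the shape of `az role assignment list --all` output (`principalName`, `roleDefinitionName`, `scope`); the function names, the account and the sample data are constructed for illustration.

```python
import re

# Write roles taken from the access table above, keyed by product.
WRITE_ROLES = {
    "Container Apps": "Contributor",
    "Container Registry": "Contributor",
    "Key Vault": "Key Vault Secrets Officer",
    "Redis Cache": "Contributor",
    "Azure DNS": "DNS Zone Contributor",
}
RG_OR_NARROWER = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+", re.I)

def is_narrow(scope):
    """True when an ARM scope is a resource group or something inside one."""
    return bool(RG_OR_NARROWER.match(scope))

def audit(assignments, principal, enabled_products):
    """Compare one principal's assignments with the products enabled in Dun."""
    mine = [a for a in assignments
            if a["principalName"].lower() == principal.lower()]
    needed = {WRITE_ROLES[p] for p in enabled_products if p in WRITE_ROLES}
    write_roles = set(WRITE_ROLES.values())
    findings = []
    for a in mine:
        role, scope = a["roleDefinitionName"], a["scope"]
        if role not in write_roles:
            continue  # Reader and other read roles are not part of this check
        if not is_narrow(scope):
            # Held at subscription, management group or root scope.
            findings.append(("too-broad", role, scope))
        elif role not in needed:
            # Write role for a product that is not turned on.
            findings.append(("unused-write-role", role, scope))
    held = {a["roleDefinitionName"] for a in mine}
    findings += [("missing", role, None) for role in sorted(needed - held)]
    return findings

# Constructed sample data (placeholder subscription ID and account).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ZONE = SUB + "/resourceGroups/rg-dun/providers/Microsoft.Network/dnszones/example.com"
SAMPLE = [
    {"principalName": "ops@example.com", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "ops@example.com", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "ops@example.com", "roleDefinitionName": "DNS Zone Contributor", "scope": ZONE},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, "ops@example.com", ["Container Apps", "Key Vault"]):
        print(finding)
```

Because Dun acts with the signed-in account's permissions, a `too-broad` finding marks access Dun would inherit beyond the dedicated resource group.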

How Dun keeps it safe

Every mutating action — a redeploy, a scale, a secret rotation, a DNS change — surfaces a plan in chat first. Dun never touches your Azure resources until you approve it.

Note

There are no credentials for you to manage. Dun holds an OAuth authorization (stored encrypted), scoped to ARM control-plane access — you can revoke it any time from your Microsoft account, and Dun loses access immediately.
