Set up Microsoft Azure Connector

  • Latest Dynatrace
  • How-to guide
  • Published Dec 01, 2025

You'll learn how to set up a Microsoft Azure Connector by:

  • Configuring an app registration.
  • Setting up a Microsoft Azure connection.
  • Adding a host to the allowlist.
  • Granting permissions to Workflows.

After completing this setup, you can start using all the Microsoft Azure Connector actions in your workflow.

Prerequisites

  • Permissions in Azure Portal to create an app registration and assign its required permissions.

  • The user needs the Dynatrace default policy AppEngine - Admin to install the Microsoft Azure Connector, add a connection, add a New host pattern in External requests, and authenticate with Azure. In detail, the following permissions are needed:

    ALLOW app-engine:apps:install;
    ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:hyperscaler-authentication.azure.connection";
    ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:dt-javascript-runtime.allowed-outbound-connections";
    ALLOW hyperscaler-authentication:azure:authenticate;

To use the Microsoft Azure Connector securely, follow our recommendations in Security best practices for Microsoft Azure Connector.

Setup steps

1. Create a Microsoft Azure connection

To create a Microsoft Azure connection to authenticate with Azure in Dynatrace:

  1. Go to Settings and select Connections > Microsoft Azure.
  2. Select Add Connection. A modal containing the form for creating the connection will open inside the Set up connection tab.

2. Select the connection consumer

The Microsoft Azure Connector lets you create connections for two types of consumers:

  • Workflows for automation: Workflows consumes the connection in the context of workflow actions.

  • OpenPipeline for log forwarding: OpenPipeline allows log forwarding via IAM cross-account role-based authentication.

    Select one of the options.

3. Enter the connection details

Provide the connection details:

  1. In Name, enter a unique name that identifies the connection. The Connection ID, Directory (tenant) ID, and Application (client) ID fields are present, but their values are not yet visible. They become visible after the connection is generated.

  2. Select Create.

    A Connection ID is created. The Connection ID is visible in the Set up connection tab within the Connection ID text field. You'll need the Connection ID to configure the federated credentials for an app registration.

  3. Copy the Connection ID and use it in the trust policy as shown in Configure Federated Identity.

4. Microsoft Azure: Create a new app registration

  1. Go to the Microsoft Azure Portal.
  2. Search for App registrations.
  3. Select the New registration option.
  4. In the Name field, enter a unique name that identifies the app registration. You'll use this name later for your connection.
  5. In the Supported account types field, choose Single tenant.
  6. Select Register.

5. Microsoft Azure: Configure Federated Identity

  1. Inside the Microsoft Azure Portal, go to Certificates & secrets for the created app registration.
  2. Go to the Federated credentials tab.
  3. Select Add credential.
  4. In Federated credential scenario, choose Other issuer.
  5. In the Configure your account section:
    1. In the Issuer field, enter https://token.dynatrace.com.
    2. In Type, choose the Explicit subject identifier option.
  6. In Value, enter dt:connection-id/<Connection ID>, where <Connection ID> is the Connection ID from the Enter the connection details step.
  7. In the Credentials details section:
    1. In the Name field, enter a unique name that identifies the federated identity.
    2. In the Description field, enter a description.
    3. In Audience, depending on the consumer you chose in the Select the connection consumer step, enter one of the following:
      • <tenant-domain>/app-id/dynatrace.microsoft.azure.connector
      • <tenant-domain>/svc-id/com.dynatrace.openpipeline

      For example, for tenant abc12345 and consumer Workflows for automation, the audience would be abc12345.apps.dynatrace.com/app-id/dynatrace.microsoft.azure.connector.
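The federated credential from this step can be checked before it is trusted. The following is an added example, not Dynatrace or Microsoft code: it builds the expected issuer, subject and audience from the values above and audits a credential against them. It assumes the credential is available as a dictionary using the field names of the Microsoft Graph federatedIdentityCredential resource (name, issuer, subject, audiences); the function names and the sample connection ID are hypothetical.

```python
# Added example; function names are hypothetical and sample values are constructed.
ISSUER = "https://token.dynatrace.com"
AUDIENCE_SUFFIX = {
    "workflows": "/app-id/dynatrace.microsoft.azure.connector",
    "openpipeline": "/svc-id/com.dynatrace.openpipeline",
}

def expected_credential(name, connection_id, tenant_domain, consumer):
    """Build the credential this guide describes, in federatedIdentityCredential shape."""
    return {
        "name": name,
        "issuer": ISSUER,
        "subject": f"dt:connection-id/{connection_id}",
        "audiences": [tenant_domain + AUDIENCE_SUFFIX[consumer]],
    }

def audit_credential(cred, connection_id, tenant_domain, consumer):
    """Return a list of findings; an empty list means the credential matches the guide."""
    want = expected_credential(cred.get("name"), connection_id, tenant_domain, consumer)
    findings = []
    # Exact string comparison: a trailing slash or different case is a different issuer.
    if cred.get("issuer") != want["issuer"]:
        findings.append(f"issuer is {cred.get('issuer')!r}, expected {want['issuer']!r}")
    subject = cred.get("subject", "")
    if "<" in subject or ">" in subject:
        findings.append("subject still contains the <Connection ID> placeholder")
    elif subject != want["subject"]:
        findings.append("subject does not name this connection ID")
    audiences = cred.get("audiences", [])
    if audiences != want["audiences"]:
        other = sorted(set(AUDIENCE_SUFFIX) - {consumer})[0]
        if audiences == [tenant_domain + AUDIENCE_SUFFIX[other]]:
            findings.append(f"audience is for the {other} consumer, not {consumer}")
        else:
            findings.append(f"audiences are {audiences!r}, expected {want['audiences']!r}")
    return findings

# Constructed sample values (the connection ID is a placeholder, not a real format).
CONN = "00000000-aaaa-bbbb-cccc-000000000000"
TENANT = "abc12345.apps.dynatrace.com"
GOOD = expected_credential("dynatrace-workflows", CONN, TENANT, "workflows")
BAD = {"name": "dynatrace-workflows", "issuer": ISSUER + "/",
       "subject": "dt:connection-id/<Connection ID>",
       "audiences": [TENANT + AUDIENCE_SUFFIX["openpipeline"]]}

if __name__ == "__main__":
    for label, cred in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_credential(cred, CONN, TENANT, "workflows") or "matches the guide")
```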

6. Dynatrace: Add a new host pattern in External requests

In Dynatrace, you can add a new host pattern in External requests.

External requests enable outbound network connections from your Dynatrace environment to external services. They allow you to control access to public endpoints from the AppEngine with app functions and functions in Dashboards, Notebooks, and Automations.

  1. Go to Settings > General > External requests.

  2. Select New host pattern.

  3. Add the domain names.

  4. Select Add.

This way you can granularly control the web services your functions can connect to.

You need to add the management.azure.com domain name. Optionally, if the Storage actions are used, add *.blob.core.windows.net to the allowed host patterns.

For more information, see Add a host to the allowlist.

7. Grant permissions to Workflows

Workflows require some permissions to run actions on your behalf.

To fine-tune permissions granted to Workflows:

  1. Go to Workflows and select Settings > Authorization settings.

  2. Select the following permissions besides the general Workflows permission.

    • hyperscaler-authentication:azure:authenticate
    • settings:objects:read

    For more on general Workflows user permissions, see User permissions for workflows.
