Azure Cloud Support

Released: April 12, 2026

Controlinfra reaches full feature parity on Azure with AWS — 49 of 49 tracked items shipped.

New

  • Azure Resource Graph discovery. One-call inventory across all subscriptions in scope; returns a uniform shape (sku, kind, properties, identity, resourceGroup, tags) so per-service handlers aren't needed for every azurerm_* resource type.
  • Multi-subscription support. Configure multiple subscription IDs per org; scans fan out per subscription, results merge before drift evaluation.
  • NSG auto-revert. Newly opened Network Security Group rules with * / Internet / 0.0.0.0/0 sources are automatically reverted: the rule is patched in place if other valid sources remain, or deleted if the open source was its only source.
  • Activity Log attribution. Drift Watch events on Azure resources carry the actor resolved from the Activity Log: principal, console (portal) vs API method, source IP, timestamp.
  • Azure Monitor webhook alerts for guardrails — completes cross-cloud parity with AWS CloudWatch + GCP Cloud Monitoring.
  • OIDC federation for Azure. Workload Identity Federation lets self-hosted runners authenticate to Azure without long-lived secrets.
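
The patch-or-delete decision described in the NSG auto-revert item can be sketched as follows. This is an added example, not Controlinfra's code: the function names, the sample rules and the restriction to inbound Allow rules are assumptions, while `sourceAddressPrefix`, `sourceAddressPrefixes`, `direction` and `access` are the standard Azure security rule properties.

```python
# Added illustration; not Controlinfra's implementation.
OPEN_SOURCES = {"*", "internet", "0.0.0.0/0"}  # sources named in the release note

def rule_sources(props):
    """Collect sources from the singular and plural NSG rule fields."""
    sources = list(props.get("sourceAddressPrefixes") or [])
    if props.get("sourceAddressPrefix"):
        sources.append(props["sourceAddressPrefix"])
    return sources

def plan_revert(rule):
    """Return (action, patched_properties): action is none, patch or delete."""
    props = rule["properties"]
    # Assumption: only inbound Allow rules are treated as exposure.
    if props.get("direction") != "Inbound" or props.get("access") != "Allow":
        return "none", None
    sources = rule_sources(props)
    kept = [s for s in sources if s.strip().lower() not in OPEN_SOURCES]
    if len(kept) == len(sources):
        return "none", None      # no world-open source present
    if not kept:
        return "delete", None    # the open source was the only source
    patched = dict(props)
    # Write the survivors back in the field that matches their count.
    patched.pop("sourceAddressPrefix", None)
    patched["sourceAddressPrefixes"] = []
    if len(kept) == 1:
        patched["sourceAddressPrefix"] = kept[0]
    else:
        patched["sourceAddressPrefixes"] = kept
    return "patch", patched

def _rule(name, access="Allow", **src):
    return {"name": name, "properties": {"direction": "Inbound", "access": access, **src}}

# Constructed sample rules, not real resources.
SAMPLES = [
    _rule("ssh-open", sourceAddressPrefix="*"),
    _rule("rdp-mixed", sourceAddressPrefixes=["10.0.0.0/8", "Internet", "192.0.2.0/24"]),
    _rule("web-one-left", sourceAddressPrefixes=["0.0.0.0/0", "10.1.0.0/16"]),
    _rule("deny-all", access="Deny", sourceAddressPrefix="*"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        action, patched = plan_revert(r)
        print(r["name"], action, patched)
```

Removing only the open entry keeps legitimate sources such as a corporate CIDR working, which is why deletion is reserved for rules that would otherwise be left with no source at all.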

Improved

  • Runner state scan. Terraform state files in Azure Storage are discovered and parsed alongside S3 / GCS state.
  • Provider validation. Bulk-create and template-run paths now validate that azurerm_* resource types are correctly tagged with provider: 'azure'.
  • Drift Watch UI adds multi-cloud filter chips so users can scope by provider.
  • Demo data includes Azure resources for new-user onboarding.

Fixed

  • Validation config persistence under Azure flow.
  • Provider-agnostic error messages instead of "AWS"-prefixed strings when the failure happened on Azure.