> ## Documentation Index
> Fetch the complete documentation index at: https://docs.endorlabs.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Keyless authentication for Azure

> Learn how to implement keyless authentication for Azure.

To enable keyless authentication in Azure, you need to configure your Azure virtual machine with a managed identity and create an authorization policy in Endor Labs.

Complete the following tasks to set up keyless authentication in Azure.

1. [Enable Azure Managed Identity for the virtual machine in the Azure Portal.](#enable-azure-managed-identity)
2. [Configure the Azure virtual machine.](#configure-the-azure-virtual-machine)
3. [Create an authorization policy in Endor Labs.](#create-an-authorization-policy-in-endor-labs)

## Enable Azure managed identity

You must enable Azure Managed Identity for your virtual machine from the Azure portal. For more information, refer to [Azure managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-configure-managed-identities?pivots=qs-configure-portal-windows-vm).

## Configure the Azure virtual machine

You need to configure the Azure virtual machine with endorctl and configure endorctl to use Azure Managed Identify.

### Verify the connection to the Azure virtual machine instance

Log in to your Azure virtual machine and run the following command.

```sh theme={null}
curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
```

The command returns the metadata details of the virtual machine instance in the raw json format.

### Download endorctl on the virtual machine instance

Download and install the latest version of endorctl in your virtual machine. See [endorctl](/developers-api/cli/install-and-configure) for the installation options available for endorctl.

The following example shows how you can download the endorctl binary directly.

```bash theme={null}

## Download the latest CLI for Windows AMD64
curl -O https://api.endorlabs.com/download/latest/endorctl_windows_amd64.exe
## Check the expected checksum of the binary file
curl https://api.endorlabs.com/sha/latest/endorctl_windows_amd64.exe
## Verify the expected checksum and the actual checksum of the binary match
certutil -hashfile .\endorctl_windows_amd64.exe SHA256
## Rename the binary file
ren endorctl_windows_amd64.exe endorctl.exe

```

### Set the environment variable

Set the environment variable `ENDOR_AZURE_CREDENTIALS_MANAGED_IDENTITY_ENABLE` to true in your virtual machine instance.

```sh theme={null}
export ENDOR_AZURE_CREDENTIALS_MANAGED_IDENTITY_ENABLE=true
```

Run the following command to check the status of the environment variable.

```sh theme={null}
echo $ENDOR_AZURE_CREDENTIALS_MANAGED_IDENTITY_ENABLE
```

If the variable is set, then the command returns `true`.

## Create an authorization policy in Endor Labs

Create an authorization policy for Azure in the Endor Labs user interface. See [set up authorization policy](/platform-administration/rbac/authorization-policies#set-up-authorization-policies) for more information on creation an authorization policy.

Choose the following parameters when you create the authorization policy.

* Select **Azure** as the **Identity Provider**.
* Select **Code Scanner** in **Permissions**.
* Enter values for the following claims:
  * Tenant ID: Identifies your Azure organization.
  * App ID: Identifies the application requesting access.
  * Object ID: Unique ID assigned to the virtual machine.
  * Subscriptions (optional): Azure subscriptions linked to the identity.
* Select **Add permission rule** to define granular permissions by specifying the resource kinds and allowed methods.

<img src="https://mintcdn.com/endorlabs-b4795f4f/Uc3T4mPoaFbRUPbf/images/setup-deployment/ci-cd/azure-auth-policy.webp?fit=max&auto=format&n=Uc3T4mPoaFbRUPbf&q=85&s=4d520bf1f90aa167abf3db00918c8f7f" alt="Azure authorization policy in Endor Labs" style={{width: '80%'}} width="928" height="1210" data-path="images/setup-deployment/ci-cd/azure-auth-policy.webp" />

### Test keyless authentication

Once the authorization policy is set up, you can test keyless authentication using endorctl.

For example, run the following command to fetch the number of projects in a namespace with keyless authentication set up.

```sh theme={null}
endorctl api list -r Project -n demo --enable-azure-managed-identity --count
```

The following example shows the response for the preceding command when keyless authentication is successful.

```json theme={null}
{
  "count_response": {
    "count": 3
  }
}
```

You’ve set up and configured keyless authentication. Now you can run a test scan to ensure you can successfully scan projects using keyless authentication with Azure.