Getting Started
Connect your Azure and Microsoft 365 tenant and run your first PAA assessment.
Getting started with PAA takes minutes. You connect your environment with read-only access, validate the connection, and run your first scan. There is nothing to deploy into your tenant.
Before you begin
You will need:
- An Azure tenant with one or more subscriptions, and/or a Microsoft 365 tenant — PAA can assess either or both.
- Someone with permission to create app registrations and grant admin consent (Global Administrator or Application Administrator), and Owner or User Access Administrator on the subscriptions you want assessed.
PAA connects with least-privilege, read-only access authenticated by a self-rotating certificate. The only credential you ever paste is a short-lived bootstrap secret, which PAA replaces with a certificate on first connect and then discards.
Step 1 — Create the service principals
PAA needs one Azure service principal and one Microsoft 365 (Graph) app registration. You have two options:
- Automated (recommended) — run the onboarding script provided with your account. It creates both principals, assigns the correct read-only roles (Reader, Security Reader, and Cost Management Reader on each subscription), grants the required Microsoft Graph permissions, and writes the credentials to a local file ready to paste in. See the script’s README for usage.
- Manual — create the principals yourself and grant the permissions listed in Permissions overview, with the per-surface detail in Azure permissions and Microsoft 365 permissions.
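As an added example, not PAA's own onboarding script, here is the manual route for the Azure side in Azure PowerShell: it creates the app registration and service principal, assigns the three read-only roles on every subscription to be assessed, and mints a short-lived bootstrap secret for Step 2. The display name, the 7-day secret lifetime and the retry loop are assumptions; the Microsoft 365 (Graph) app registration and its admin consent are left to the Microsoft 365 permissions page.

```powershell
# Added example, not PAA's onboarding script. Assumes Az.Accounts and Az.Resources
# are installed and the caller holds Application Administrator plus Owner or
# User Access Administrator on each subscription listed.
param(
    [Parameter(Mandatory)] [string]   $TenantId,
    [Parameter(Mandatory)] [string[]] $SubscriptionIds,
    [string] $DisplayName = 'PAA-Assessment-Reader'   # hypothetical name
)

Connect-AzAccount -TenantId $TenantId | Out-Null

# 1. App registration and its service principal (no credential yet).
$app = New-AzADApplication -DisplayName $DisplayName
$sp  = New-AzADServicePrincipal -ApplicationId $app.AppId

# 2. Least-privilege, read-only roles on every subscription to be assessed.
#    Directory replication can lag behind creation, so retry on PrincipalNotFound;
#    an assignment that already exists is treated as done.
$roles = 'Reader', 'Security Reader', 'Cost Management Reader'
foreach ($sub in $SubscriptionIds) {
    $scope = "/subscriptions/$sub"
    foreach ($role in $roles) {
        for ($attempt = 1; $attempt -le 6; $attempt++) {
            try {
                New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $role `
                    -Scope $scope -ErrorAction Stop | Out-Null
                break
            } catch {
                $msg = $_.Exception.Message
                if ($msg -match 'RoleAssignmentExists') { break }
                if ($msg -notmatch 'PrincipalNotFound' -or $attempt -eq 6) { throw }
                Start-Sleep -Seconds (5 * $attempt)
            }
        }
    }
}

# 3. Short-lived bootstrap secret. PAA replaces it with a self-rotating
#    certificate on first Validate, so a 7-day lifetime (assumed) is ample.
$cred = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddDays(7)

# 4. The values Step 2 asks you to paste under Settings > Integrations > Azure.
[pscustomobject]@{
    TenantId        = $TenantId
    ClientId        = $app.AppId
    ClientSecret    = $cred.SecretText
    SubscriptionIds = ($SubscriptionIds -join ',')
}
```

Run it once per tenant, paste the output into PAA and validate promptly so the bootstrap secret is retired before it expires.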
Step 2 — Connect PAA
- In PAA, go to Settings > Integrations.
- Under Azure, paste the client ID, client secret, tenant ID, and subscription IDs.
- Under Microsoft 365, paste the client ID, client secret, and tenant ID.
- Click Validate next to each connection. On first validation PAA provisions a self-rotating certificate for the principal and stops using the bootstrap secret.
If admin consent could not be granted automatically during setup, PAA will tell you which permissions still need consent and link you to the portal.
Step 3 — Optional connections
- Power BI / Microsoft Fabric checks — grant the Microsoft 365 app Tenant.Read.All in the Power BI admin portal (these checks are skipped if it is absent).
- Log Analytics — add a workspace ID to include log-based signals.
- Defender CSPM — connect a dedicated principal for deeper Defender for Cloud posture data.
Step 4 — Run your first assessment
From the assessments page, start a scan against your connected Azure subscriptions and/or Microsoft 365 tenant. The first run establishes your baseline; subsequent runs (manual or scheduled) track how your posture changes and resolve findings automatically once they are fixed.
Step 5 — Review what PAA found
- Findings — issues by severity, mapped to Well-Architected pillars and the compliance frameworks they affect.
- Compliance — per-framework coverage on the Coverage tab, with evidence reuse across frameworks.
- Exceptions — accept or waive a risk through the approver-gated, time-limited Control Exception Register.
- Reports — export branded PDF and PowerPoint deliverables, or an AI executive summary.
Next steps
- Set up scheduled scans so assessments run automatically.
- Review the FAQ for common questions, or contact us if you would like a walkthrough.