Azure (Public)


Morpheus offers a complete Integration with Microsoft Azure including the following:

  • Virtual Machine Sync, Create, Delete, Manage, RBAC, Tenant Permissions, Policies

  • Resource Group Sync, Create, Delete, RBAC, Tenant Permissions

  • Network Sync, Create, Delete, RBAC, Tenant Permissions

  • Subnet Sync, Create, Delete, RBAC, Tenant Permissions

  • Security Group Sync, Create, Delete, Tenant Permissions

  • Security Group Rule Sync, Create, Delete, Tenant Permissions

  • ARM Blueprints, Spec Templates, Deployment Logs Sync, Git/GitHub Integration

  • MSSQL Service Sync, Create, Delete, Manage, RBAC, Tenant Permissions

  • AKS Sync, Sync, Create, Delete, Manage, RBAC, Tenant Permissions

  • Backup Create, Delete, Manage, RBAC, Policies

  • Storage Sync, Create, Delete, Manage, Browse, RBAC, Tenant Permissions, Policies

  • Marketplace Sync

  • Private Image Sync & Upload

  • Azure Marketplace Custom Library Item Support

  • Remote Console (SSH & RDP)

  • Lifecycle Management

  • Availability Set Support

  • Scale Set Sync, Create, Assign, Manage, Delete

  • Azure Load Balancer Create, Assign, Manage, Delete, RBAC, Tenant Permissions

  • Docker (VM) Cluster Sync, Create, Delete, Manage, RBAC, Tenant Permissions

  • Kubernetes (VM) Cluster Sync, Create, Delete, Manage, RBAC, Tenant Permissions

  • Service Plan Sync, Tenant Permissions, RBAC

  • Pricing Sync RBAC, Tenant Permissions, Markup

  • Costing Sync, Reporting, Invoicing

  • Reservations Sync, Guidance Recommendations

  • Azure Stack Support

  • Tag Bi-Directional Sync, Creation, Deletion Policy Enforcement

  • Cost Estimator

  • Azure US Gov Support

  • Azure China Support

  • Azure Germany Support

  • CSP Account Support


Morpheus Azure Integration requires Owner or Contributor access to subscription via App Registration. Adding an Azure Cloud or Clouds to Morpheus will require the following:

  • Azure Subscription ID

  • Directory (tenant) ID

  • Application (client) ID

  • Application (client) Secret

  • Application (client) must be Owner or Contributor of Subscription

CSP Accounts require the additional following input:

  • CSP Directory (tenant) ID

  • CSP Application (client) ID

  • CSP Application (client) SECRET (Web App Key)

The Morpheus appliance requires outbound HTTPS (443) access to the Azure endpoints. Depending on the type of cloud you choose when adding Azure, ensure the proper endpoints are allowed:

Global Azure Cloud
US Gov Cloud
Germany Cloud
China Cloud

Credentials & Permissions

Morpheus authenticates with Azure via an App Registration with an Owner or Contributor Role on a Subscription. Use the steps below to create and collect the required credentials and assign the required permissions to integrate Azure with Morpheus.


Using an App Registration (service principal) that has selective resource permissions and is not an Owner or Contributor of the Subscription is not supported and will cause failures/issues. Please confirm the App Registration you use to integrate Azure with Morpheus has Owner or Contributor permissions on the specified Subscription before contacting support.

Create an App Registration

If you do not have an existing Azure Active Directory App Registration, or you wish to use an new one for Morpheus, you will need to create one.


If you can’t find sections of the Azure portal discussed in this integration guide, such as App Registrations or Subscriptions, you may be able to find them under the “Favorites” section within the main hamburger menu, at the “All Resources” page from within the main hamburger menu, or by using the global search bar.

  1. Log into the Azure web console

  2. Select “App Registrations”, you may have to go to the “All Services” page to find it

  3. Click “+ New registration”

  4. Next, give app a name, specify which accounts may access this API, specify Web for the Redirect URI type and enter any url for the Sign-on URL:

  5. Click Register and your new App Registration will be created.

Now that we have (or already had) our App Registration, we will gather the credentials required for the Morpheus Azure integration.

Copy Directory (tenant) and Application (client) IDs

The App Registration Directory (tenant) and Application (client) ID are required for the Morpheus Azure integration. Both can be found in the overview section of the App Registration.

  1. Go to the Overview section of your App Registration

  2. Copy the Directory (tenant) ID

  3. Store/Paste for use as the Tenant ID when Adding your Azure cloud in Morpheus

  4. Copy the Application (client) ID

  5. Store/Paste for use as the Client ID when Adding your Azure cloud in Morpheus

Generate a Client Secret

While still in your App Registration:

  1. Select Certificates & secrets in the Manage Section

  2. Select + New client secret

  3. The “Add a client secret” modal will come up

  4. Add a description to help identify the secret in the future

  5. Select a duration

  6. Select Add

  7. Copy the newly generated Client Secret Value. It is important to copy the Client Secret Value now as it will not be displayed/available


    Copy the key value before continuing as it will not be displayed/available again.

  8. Store/Paste for use as the Client Secret when Adding your Azure cloud in Morpheus

You now have 3 of the 4 credentials required for Morpheus Azure cloud integration. The last credential required is the Azure Subscription ID.

Subscription ID

To get the Azure Subscription ID:

  1. Navigate to the main Subscriptions section. One way is to search for “Subscriptions” and select Subscriptions in the search results

  2. In the main “Subscriptions” section, copy the Subscription ID

  3. Store/Paste for use as the Subscription ID when Adding your Azure cloud in Morpheus

Make App Registration owner or contributor of Subscription

The App Registration created/used needs to be an owner of the Azure Subscription used for the Morpheus cloud integration. If lesser permissions are given or permissions are assigned at individual resource levels, Morpheus will not be able to properly inventory/sync, create and/or remove resources.

  1. In the main Subscriptions section, click on the name of the Subscription

  2. With the Subscription detail open, select “Access Control (IAM)”

  3. Click “+ ADD” and then click “Add role assignment” from the pop-out menu

  4. Click on the tab for “Privileged administrator roles”

  5. Select Owner or Contributor and click “Next”

  6. Add Members to the Role Assignment by clicking “+ Select members”

  7. Select the App Registration from the search results and click Select

  8. Click “Review + Assign”

Add an Azure Cloud Integration

To add a new Azure Cloud integration into Morpheus using the credentials created/collected from the previous section, perform the following:

  1. In Morpheus, navigate to Infrastructure > Clouds and select + ADD

  2. Select “AZURE (PUBLIC)” from the Cloud Types list and click NEXT

  3. Populate the Following

    Cloud Configuration


    Name of the Cloud in Morpheus


    Unique code used for api/cli, automation and policies.


    Description field for adding notes on the cloud, such as location.


    For setting cloud permissions in a multi-tenant environment. Not applicable in single tenant environments.


    If Visibility is set to Private, select the Tenant the Cloud resources will assigned to.


    When disabled, automatic Cloud sync is paused and the Cloud will not be selectable for provisioning.


    When enabled, Morpheus will maintain the expected power state of managed VMs. Morpheus will power on any managed VMs in the Cloud that have been shut down for unknown reasons (not powered off by Morpheus) to ensure availability of services.


    When “AUTOMATICALLY POWER ON VMS” is enabled, the power state of managed VMs should be maintained in Morpheus. This setting is not applicable to discovered/unmanaged resources.


    • Global (Azure Cloud)

    • US Gov (Azure US Government)

    • German (Azure German Cloud)

    • China (Azure China Cloud)


    The target Azure Subscription ID obtained from the previous section


    The Directory (tenant) ID obtained from the previous section


    If available, select a pre-stored Client ID and Client Secret set. Alternatively, select “Local Credentials” to enter the Client ID and Client Secret without storing them for later access. “client id and secret” under the “New Credentials” heading can also be selected so your Client ID and Client Secret will stored for later use in either the Morpheus credential store or in an integrated third party secret store


    The Application (client) ID obtained from the previous section


    The Application (client) Secret obtained from the previous section


    Once valid credentials are populate above and Morpheus is able to successfully authenticate with Azure, the available locations/regions will populate.


    Scope the Cloud to either “All” regions or a selected Azure region

    • Select “All” to scope the Cloud to all available Resource Groups in the specified location/region.

    • Select a single Resource Group to limit Morpheus resource creation, selection and discovery to just this Resource Group.


    Check to enable discovery/inventory of existing VM’s in the scoped Region and Resource Group(s)


    Standard, EA or CSP


    For CSP Accounts, also enter CSP TENANT ID, CSP CLIENT ID and CSP CLIENT SECRET in the Advanced Options section. In order to enable cost sync for CSP accounts, the “CSP CUSTOMER” checkbox must be marked and “COSTING” should be set to “Costing” rather than “Costing and Reservations”.

    For the CSP Client Secret, enter the Web App Key rather than the Native App Key. This should be accessed from the Microsoft Partner Center rather than the Azure web console. If this is not, Plans may sync but Price Sets and Prices would not.


    Advanced Options


    Specify a default domain for instances provisioned to this Cloud.


    Only affects Docker Provisioning. Specifies the priority with which an instance will scale into the cloud. A lower priority number means this cloud integration will take scale precedence over other cloud integrations in the group.


    Alternate Appliance url for scenarios when the default Appliance URL (configured in admin > settings) is not reachable or resolvable for Instances provisioned in this cloud. The Appliance URL is used for Agent install and reporting.


    Configures the time zone on provisioned VM’s if necessary.


    Used for differentiating pricing among multiple datacenters. Leave blank unless prices are properly configured.


    Unmanaged or select a Network Integration (NSX, ACI etc)


    On or Off. Enable to managed Host and VM firewall/IP Table rules (linux only)


    Security Server setting is for Security Service Integrations such as ACI


    Select Internal (Morpheus) or an existing Trust Provider Integration


    Single Disk, LVM or Clustered


    Select a backup provider. Depending on the Cloud type and any currently-configured backup plugins you may select Internal Backups (Morpheus) or another configured backup solution


    Sets the default Replication Provider for the Cloud. Select an existing Replication Provider Integration


    Enable Guidance recommendations on cloud resources.


    Enable for Morpheus to sync Costing data from the Cloud provider, when available. For on-prem Clouds, enabling costing activates a costing service designed to mirror the live costing experience of public clouds, including invoicing with line items and real-time cost data (Operations > Costing > Invoices). If your organization utilizes reserved instances and you want to pull in related pricing data, some Cloud integrations include the option to select Costing and Reservations. If this is not relevant, select Costing to save money on additional calls to the Cloud provider’s costing API.


    Records for instances provisioned in this cloud will be added to selected DNS integration.


    Services for instances provisioned in this cloud will be added to selected Service Registry integration.


    Select a Chef, Ansible or Puppet integration to be used with this Cloud.


    Select CMDB Integration to automatically update selected CMDB.


    When checked, any automatically discovered (unmanaged) servers onboarded into Morpheus from this Cloud will also have CMDB records created for them.


    Select an existing Change Management Integration to set on the Cloud. ex: Cherwell

    • SSH / WINRM: Morpheus will use SSH or WINRM for Agent install.

    • Cloud Init / Unattend (when available): (DEFAULT) Morpheus will utilize Cloud-Init or Cloudbase-Init for agent install when provisioning images with Cloud-Init/Cloudbase-Init installed. Morpheus will fall back on SSH or WINRM if cloud-init is not installed on the provisioned image. Morpheus will also add Agent installation to Windows unattend.xml data when performing Guest Customizations or utilizing syspreped images.


    Set a proxy for outbound communication from the Morpheus Appliance to the Cloud endpoints. Proxies can be added in the Infrastructure > Networks > Proxies tab.


    Enable to have Agent Installation on by default for all provisioning into this Cloud. Disable for Agent Installation to be off by default for all provisioning into this Cloud.


    When integrating a Cloud, it will appear by default throughout the UI with its standard logo (VMware logo for VMware Clouds, etc.). If desired, you may upload a custom logo that should appear instead. This might be useful for MSPs which might not want to reveal the Cloud type underlying its services. A dark mode version of the logo may also be uploaded if the standard logo doesn’t look right against the Morpheus dark mode theme. Checking USE DEFAULT CLOUD LOGOS allows the user to return to the standard logo for the Cloud type without deleting the custom uploaded logo.


    Inventory options allow you to set a default active or inactive state for certain discovered resources. The list of available resources to configure will vary based on the Cloud type and its supported resources. By default, all possible resources for the Cloud type will be discovered in an active state. Uncheck the box for some or all resources to discover them in an inactive state. The list of potential resources that may appear include:

    • Service Plans

    • Resource Pools

    • Networks

    • Security Groups

    • Datastores

    • Folders

    Provisioning Command


    Set a proxy for inbound communication from Instances to the Morpheus Appliance. Proxies can be added in the Infrastructure > Networks > Proxies tab.

    Bypass Proxy for Appliance URL

    Enable to bypass proxy settings (if added) for Morpheus Agent communication to the Appliance URL.


    Include a list of IP addresses or name servers to exclude from proxy traversal


    Add cloud-init user data. Morpheus 4.1.0 and earlier assumes bash syntax. Morpheus 4.1.1 and later supports all User Data formats. Refer to for more information.


    Standard, CSP, or Azure Plan

    Example configurations but choose what is applicable to the tenant:

    Example Azure Costing Configurations

    Account Type

    Azure Costing Mode


    Standard (Pay as you go)


    EA (Enterprise Agreement)


    CSP (Cloud Solution Provider)


    CSP Tenant, ID, Client ID, and Client Secret required

    CSP (Cloud Solution Provider)

    Azure Plan (Microsoft Customer Agreement)

    CSP Tenant, ID, Client ID, and Client Secret required on the primary cloud

  4. Once done configuring the Cloud, select NEXT. NOTE all specified values except the Subscription ID can be changes after the Cloud is created.

  5. Next select an existing Group to add the Azure Cloud to, or create a new Group, then select NEXT

  6. Review the configuration and then select COMPLETE


Your new Azure Cloud integration will be created and begin to sync.


The initial sync of an Azure Cloud can take some time due to Marketplace data sync.