1. Kion Success Center
  2. Accessing Cloud Accounts
  3. Cloud Access Roles

Accessing Azure Subscriptions/Resource Groups with a Cloud Access Role in Kion

Follow

Last updated

If you have been assigned a Cloud Access Role in Kion that provides access to an Microsoft Azure subscription or resource group, you must link your Azure (Microsoft Entra ID) account to your Kion user account before you can federate into Azure.

This is a one-time setup per Azure tenant. After linking, you can access Azure from Kion using your assigned Cloud Access Roles.

Prerequisites

  • You can successfully log in to Kion
  • You have been assigned at least one Cloud Access Role for Azure
  • You have valid credentials in the Microsoft Entra ID tenant associated with the subscription or resource group

Tip: Your organization may use different identity providers to authenticate into Kion (e.g., Entra ID, Okta, Active Directory). The Azure linking step only applies when you access Azure through Kion.

Step 1: Log in to Kion

  1. Log in to Kion using your organization’s configured identity provider.

Step 2: Start Cloud Access to Azure

The first time you attempt to use an Azure Cloud Access Role, Kion will prompt you to link your Azure account.

  1. In Kion, locate a Cloud Access dropdown. These are available in multiple locations, such as:
    • An Account record
    • The Quick Cloud Access dashboard card
    • A Project
    • Any page where Cloud Access Roles are available
  2. Open the Cloud Access dropdown.
  3. Select the Azure subscription or resource group you want to access.
  4. Select the Cloud Access Role you want to use.

Note: If this is your first time accessing Azure through Kion for the selected tenant, you will be prompted to link your Azure (Entra ID) account.

Step 3: Link your Azure (Entra ID) account

  1. In the dialog that appears, click Link to Azure User Account.
  2. You will be redirected to Microsoft Entra ID to authenticate.

Important: You must sign in to the correct Entra ID tenant that the selected Azure subscription or resource group belongs to.

 

Step 4: Authenticate in Entra ID

  1. Sign in using the Entra ID credentials for the tenant associated with the subscription or resource group.
  2. Complete any required MFA or conditional access prompts.
  3. After a successful sign-in, you will be redirected back to Kion.

You should see a confirmation message indicating your account has been successfully linked.

 

Step 5: Federate into Azure

Once your account is linked:

  1. Open the Cloud Access dropdown again.
  2. Select the same subscription or resource group and the desired Cloud Access Role.
  3. Kion will federate you into the Azure Portal with the permissions defined by that role.

View and manage linked Azure accounts

You can view or manage your linked Azure accounts at any time:

  1. In Kion, click your initials in the top-right corner.
  2. Select My User Settings.
  3. Open Linked Azure Accounts.

From here, you can:

  • View which Entra ID accounts are linked to which Azure tenants
  • Unlink Azure accounts if needed

Troubleshooting

User is prompted to link again

  • Linking is required once per Azure tenant. If you access resources across multiple tenants, you may need to link more than one account.
  • Verify you authenticated to the correct tenant during the linking flow.

Access fails after linking

  • Confirm you selected the intended Cloud Access Role.
  • Confirm the role grants access to the expected subscription/resource group.
  • Sign out and sign back in to Kion and retry Cloud Access.

I have multiple Azure tenants

  • You can link multiple Entra ID accounts and view them under My User Settings > Linked Azure Accounts.

Tip: If you are unsure which tenant to use, check with your administrator or cloud team. The tenant you sign into must match the tenant that owns the subscription/resource group you selected in Kion.

 

Related to