No agents to install. No infrastructure to manage. Connect your Azure environment and get your first infrastructure compliance scan in under 5 minutes.
Guardia AI scans your Azure resource plane: ML workspaces, Cognitive Services accounts, Container registries, RBAC assignments, diagnostic settings, and policy assignments. It needs a read-only service principal with the four roles below. It cannot modify, delete, or deploy anything in your environment.
Go to portal.azure.com → Microsoft Entra ID → App registrations → New registration. Name it guardia-ai-reader and save. Copy the Application (client) ID and Directory (tenant) ID. Then go to Certificates & secrets → New client secret and copy the value.
Next, for each Azure subscription you want to scan: go to the subscription → Access control (IAM) → Add role assignment and assign these four roles to guardia-ai-reader:
| Role | Why Guardia AI needs it |
|---|---|
| Reader | Read Azure resources (ML workspaces, Cognitive Services, Container registries, etc.) |
| Security Reader | Read Microsoft Defender for Cloud findings and recommendations |
| Monitoring Reader | Read diagnostic settings and audit logs on resources |
| Resource Policy Reader | Read Azure Policy assignments governing your infrastructure |
Open Cloud Shell in the Azure Portal (the >_ icon) and run:
az ad sp create-for-rbac \
--name "guardia-ai-reader" \
--role "Reader" \
--scopes /subscriptions/<YOUR_SUB_ID> \
--sdk-auth
Then add the remaining three roles manually via the Portal or CLI. Save the JSON output; you'll need clientId, clientSecret, tenantId, and subscriptionId.
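A least-privilege check for the service principal created above, added here as an example (not Guardia's code): it reads role-assignment JSON and reports which of the four roles are missing per subscription and any assignment beyond them. The subscription IDs and sample data are constructed, and the input is assumed to have the shape of `az role assignment list --assignee <clientId> --all -o json`.

```python
import json

# The four read-only roles the page lists, expected at subscription scope.
EXPECTED = {"Reader", "Security Reader", "Monitoring Reader", "Resource Policy Reader"}

SUB_A = "00000000-0000-0000-0000-00000000000a"  # constructed placeholder IDs
SUB_B = "00000000-0000-0000-0000-00000000000b"

# Constructed sample, shaped like the JSON from
# `az role assignment list --assignee <clientId> --all -o json` (fields trimmed).
SAMPLE = json.dumps(
    [{"roleDefinitionName": r, "scope": f"/subscriptions/{SUB_A}"} for r in sorted(EXPECTED)]
    + [
        {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB_B}"},
        {"roleDefinitionName": "Security Reader", "scope": f"/subscriptions/{SUB_B}"},
        {"roleDefinitionName": "Contributor",
         "scope": f"/subscriptions/{SUB_B}/resourceGroups/rg-ml"},
    ]
)


def audit(assignments_json, subscriptions):
    """Return roles missing per subscription and any assignment beyond the four."""
    scopes = {f"/subscriptions/{s.lower()}": s for s in subscriptions}
    granted = {s: set() for s in subscriptions}
    unexpected = []
    for a in json.loads(assignments_json):
        role, scope = a["roleDefinitionName"], a["scope"]
        sub = scopes.get(scope.rstrip("/").lower())
        if sub is not None and role in EXPECTED:
            granted[sub].add(role)
        else:
            # Any other role, or a scope other than a scanned subscription.
            unexpected.append((role, scope))
    missing = {s: sorted(EXPECTED - g) for s, g in granted.items() if EXPECTED - g}
    return {"missing": missing, "unexpected": unexpected}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE, [SUB_A, SUB_B]), indent=2))
```

An empty `missing` and an empty `unexpected` mean the principal holds exactly the four read-only roles on every scanned subscription.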
After purchasing on Azure Marketplace, you were redirected to our landing page at app.trustguardia.com/landing. Fill in the form with the values from Step 1:
On success, you receive your Guardia AI API key, which looks like gai-xxxxxxxxxxxx. Save it somewhere secure. It authenticates all API calls and portal access.
Guardia AI scans your Azure resource plane against the selected regulatory frameworks, checking for missing governance tags, insecure configurations, RBAC over-permissions, missing diagnostic logging, and more. Each finding maps to a specific control and includes a plain-language explanation and (on Enterprise) an IaC remediation script.
curl -X POST https://app.trustguardia.com/scan \
-H "X-API-Key: gai-YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"frameworks": ["iso42001", "sr11_7", "eu_ai_act"],
"subscription_ids": ["YOUR_AZURE_SUBSCRIPTION_ID"]
}'
See the full control reference: all 100+ controls mapped to articles and severity levels.
On Professional and Enterprise plans, Guardia AI automatically re-scans your Azure subscriptions on a recurring schedule. Every scan produces a full compliance report and checks for posture drift. If your score drops more than 5 points or new critical findings appear, you receive an immediate Drift Alert by email from support@trustguardia.com.
| Plan | Auto-Governance Cadence |
|---|---|
| Free Trial / Starter | Manual on-demand only |
| Professional | Bi-weekly automated scans |
| Enterprise | Daily automated scans |
Configure it in the portal under the Governance tab: select your subscriptions, set a notification email, and save. Guardia handles the rest.
Every infrastructure scan report is AES-256-GCM encrypted at rest before it is written to the database, on every plan, including Free Trial. Guardia uses a Platform-Managed Key (PMK) stored in our Azure Key Vault by default. No plaintext report data is ever stored.
| Plan | Encryption | Key Control |
|---|---|---|
| Free Trial | AES-256-GCM (PMK) | Guardia-managed key |
| Starter | AES-256-GCM (PMK) | Guardia-managed key |
| Professional | AES-256-GCM (PMK or CMK) | Your Azure Key Vault (optional) |
| Enterprise | AES-256-GCM (PMK or CMK) | Your Azure Key Vault (optional) |
On Professional and Enterprise plans you can upgrade to Customer-Managed Keys (CMK / BYOK): store your AES-256 encryption secret in your own Azure Key Vault. Guardia reads the secret at scan time to encrypt reports and at read time to decrypt them. If you revoke SP access, Guardia cannot read new reports, giving you full sovereignty over your data.
Enabling CMK: Go to My Portal → Security & Encryption → Customer-Managed Keys, paste your Key Vault URL and secret name, then click Enable CMK. Guardia tests connectivity before saving; the request is rejected if the vault is unreachable. On success, you receive a confirmation email and the key version fingerprint is stored for silent-rotation detection.
Key rotation: When you rotate your secret in Azure Key Vault, Guardia automatically detects the new version during its daily health check and updates the stored fingerprint. You will receive a rotation-detected email as an audit record. For immediate confirmation, use the Refresh Key Version button in the portal or call PATCH /tenant/cmk/rotate-verify. Old key versions must remain active in Key Vault until all reports referencing them have been re-encrypted or archived.
Switching back to PMK: Clicking Remove CMK triggers a two-step confirmation: a link is emailed to the account owner and expires in 30 minutes. The switch only completes when that link is clicked. Historical CMK-encrypted reports remain bound to your Key Vault key; do not delete or disable that secret.
Key version fingerprinting: Guardia stores the exact Azure Key Vault secret version ID when CMK is configured. This detects silent key replacement: if you recreate a Key Vault with the same name but new key material, the fingerprint mismatch triggers a warning and blocks scanning until the new key is explicitly verified.
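The rotation and fingerprinting behaviour described in the two paragraphs above, sketched as an added example (not Guardia's implementation). It assumes a rotation is told apart from a replacement by whether the stored version ID is still listed in the vault; the vault name, secret name and version IDs are constructed.

```python
from urllib.parse import urlparse

# Constructed identifiers in the Key Vault form
# https://<vault>.vault.azure.net/secrets/<name>/<version>
BASE = "https://example-kv.vault.azure.net/secrets/guardia-report-key"
V1 = BASE + "/11111111111111111111111111111111"
V2 = BASE + "/22222222222222222222222222222222"
V3 = BASE + "/33333333333333333333333333333333"


def parse_secret_id(secret_id):
    """Split a versioned secret identifier into (vault host, secret name, version)."""
    u = urlparse(secret_id)
    parts = u.path.strip("/").split("/")
    if u.scheme != "https" or not u.hostname or len(parts) != 3 or parts[0] != "secrets":
        raise ValueError(f"not a versioned secret identifier: {secret_id!r}")
    return u.hostname.lower(), parts[1], parts[2]


def classify(stored_id, current_id, versions_in_vault):
    """Compare the stored fingerprint with what the vault reports now.

    unchanged: the current version is the stored one.
    rotated:   a newer current version, and the stored version is still listed.
    replaced:  the stored version is gone (assumed sign of a recreated vault),
               or the vault or secret name differs; scanning should be blocked.
    """
    s_host, s_name, s_ver = parse_secret_id(stored_id)
    c_host, c_name, c_ver = parse_secret_id(current_id)
    if (s_host, s_name) != (c_host, c_name):
        return "replaced"
    if s_ver == c_ver:
        return "unchanged"
    listed = {parse_secret_id(v)[2] for v in versions_in_vault}
    return "rotated" if s_ver in listed else "replaced"


if __name__ == "__main__":
    print(classify(V1, V1, [V1]))      # same version as the fingerprint
    print(classify(V1, V2, [V1, V2]))  # new version added next to the old one
    print(classify(V1, V3, [V3]))      # old version no longer exists
```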
All automated governance reports, drift alerts, and scan summaries are emailed from support@trustguardia.com. Add this address to your allowlist to ensure delivery.