A Cloud Engineer in your pocket

Three agents. One conversation. Your entire Azure estate — monitored, secured, and codified.

Ask in plain English. The right specialist answers with a plan. You approve it — and the agent deploys using your own Azure credentials. Production-ready Bicep, security audits, and monitoring strategies — nothing touches your infrastructure until you say so.

Join the Waitlist →

⚡ Fast 🧠 Smart 🎯 Exacting 🔒 Secure

Azure Agent Trio — Session ● Connected

I need to set up monitoring for my production web apps — they keep going down and nobody notices

Routing to Azure Monitor Architect...

📊 Monitor Architect

✓ Authenticated via Azure session (tenant: contoso.com)

✓ Found 3 App Services in production resource group

✓ Analyzing response times, error rates, CPU, memory...

Here's my recommended monitoring strategy:

1. Response Time — dynamic threshold, p95 baseline 240ms
2. HTTP 5xx Spike — sustained > 2% for 5 min
3. CPU Pressure — sustained > 80% for 10 min
4. Health Probes — 3 consecutive non-200

📎 4 files saved to your session:

├── monitoring-strategy.md

├── alert-rules.bicep

├── action-group.bicep

└── deploy-monitoring.sh

How It Works

Talk to your infrastructure. It talks back.

A single chat interface with three specialist agents behind it. You describe what you need — the right expert responds with a plan. You approve it, and the agent executes using your Azure credentials. Only what you approve gets deployed.

Ask

Describe what you need in plain English — in the web chat or CLI

→

Route

The platform identifies the right specialist agent automatically

→

Analyze

The specialist connects to your Azure tenancy, researches best practices, and builds a plan

→

Approve & Deploy

Review the plan, approve what you want — the agent deploys using your auth context. Only what you approve, nothing more.

Export my entire prod resource group to Bicep

→

🏗️ Resource Builder — discovers 47 resources, maps dependencies, generates modular Bicep project, saves to session storage

Are any of my storage accounts publicly accessible?

→

🛡️ Security Architect — scans storage accounts, finds 2 with public blob access, generates remediation Bicep with rollback plan

My database is slow on Mondays — set up alerting

→

📊 Monitor Architect — analyzes DTU patterns, detects weekly spike, creates time-aware dynamic threshold alerts

Specialist Agents

Three experts. Zero context-switching.

Each agent is a deep specialist — trained on Microsoft's documentation, Azure Well-Architected Framework, and real-world infrastructure patterns.

🏗️

Azure Resource Builder

Infrastructure-as-Code Specialist

Create any Azure resource with an interactive wizard — VMs, AKS, Cosmos DB, Functions, and 40+ resource types
Export entire resource groups to modular, production-ready Bicep templates with dependency mapping
Generate Azure Landing Zones — hub-spoke, identity, governance — from a single conversation
What-if analysis, cost estimation, drift detection, and deployment previews

Try asking

Create a web app with SQL backend Export my prod RG to Bicep What would this cost? Show architecture diagram

40+ resource types · Bicep, ARM, Terraform export

📊

Azure Monitor Architect

Infrastructure Monitoring Specialist

Discover and inventory all Azure resources across subscriptions in seconds
Context-aware analysis — knows 90% CPU is catastrophic for web servers but normal for batch jobs
Generate intelligent alert rules that reduce alert fatigue by 70–90% through smart thresholds
Export monitoring configurations as Bicep templates — saved to your session, ready to deploy

Try asking

Set up monitoring for prod Why so many false alerts? Which resources have no monitoring? Alert my top 10 riskiest

First alert in < 10 min · 0% → 60%+ coverage in one session

🛡️

Azure Security Architect

Cloud Security & Compliance Specialist

Full security posture: identity, network, data, workloads, threats, governance, secrets — 8 domains
MITRE ATT&CK mapped attack path analysis with blast radius estimation
Compliance gap analysis — SOC 2, ISO 27001, NIST CSF, PCI DSS, HIPAA, and regional frameworks
Microsoft Defender integration — Secure Score, threat alerts, remediation with rollback plans

Try asking

Full security audit Am I SOC 2 compliant? Show attack paths Harden my storage accounts

Secure Score +10–20 pts/session · 8 security domains · 7 compliance frameworks

Session Storage

Real files. Not just chat responses.

Every agent generates deployable artifacts — Bicep templates, monitoring configs, security remediations, architecture diagrams — and saves them to cloud storage connected to your session.

📁 prod-monitoring-audit Feb 25, 2026

📊 monitoring/

alert-rules.bicep

12 KB✓ Validated

action-groups.bicep

3 KB✓ Validated

diagnostic-settings.bicep

8 KB✓ Validated

monitoring-strategy.md

5 KB

🛡️ security/

security-assessment.md

18 KB

remediation-plan.bicep

14 KB✓ Validated

nsg-hardening.bicep

6 KB✓ Validated

🏗️ infrastructure/

main.bicep

2 KB✓ Validated

appService.bicep

4 KB✓ Validated

sqlServer.bicep

6 KB✓ Validated

✓ Bicep Validated

Every generated template passes bicep linter before it reaches your session. No syntax errors, no missing parameters.

↻ Session Persistence

Your session storage persists across conversations. Come back tomorrow — your artifacts are still there.

↗ Export Anywhere

Download as zip, push to a Git repo, or generate a deployment script that runs everything in order with proper dependency sequencing.

Knowledge Base

Built on Microsoft's own foundations

📖

Microsoft Learn Integration

Every recommendation is researched in real-time against Microsoft's official documentation. Azure Well-Architected Framework, CIS Benchmarks, Microsoft Cloud Security Benchmarks — not hallucinated, sourced.

⚙️

Bicep & ARM Native

Infrastructure output is genuine Azure Bicep — the same language Microsoft uses internally. Templates follow Azure naming conventions, include security baselines by default, and pass bicep linter validation.

🔎

Azure Resource Graph

Cross-subscription queries at the speed of Azure's own resource index. The agents don't crawl your resources one-by-one — they query the Resource Graph for instant, complete discovery across your entire estate.

Security Architecture

Security isn't a feature. It's the architecture.

Your credentials never touch our agents. Authentication flows through Microsoft's own identity stack — the same stack that protects Azure itself.

🌐 Web Chat Path

Browser → Azure AD Login → OAuth Token → Azure MCP → Agent
(your tenant) (session-scoped) (your resources)

⌨️ CLI / Terminal Path

az login → Existing Session → Azure MCP → Agent
(or Managed Identity) (your resources)

🔑 No stored credentials

Agents authenticate via Azure MCP server or your existing az login — no API keys, no secrets in config files, no tokens stored on our side

⏱️ Session-scoped access

Each chat session gets a scoped OAuth token. When the session ends, the token is revoked

👁️ You approve, it deploys

Agents propose a plan with what-if preview. You approve exactly what you want. The agent deploys using your auth context — only approved changes, nothing else.

↩️ Rollback plans included

Every remediation comes with undo steps documented before you approve

🧠 Context-aware risk scoring

Not checkbox compliance — understands a public blob might be intentional for static websites

🛡️ Defense in depth

8 security domains: identity, network, data, workloads, threats, governance, infrastructure, secrets

📋 Compliance-ready

SOC 2, ISO 27001, NIST CSF, PCI DSS, HIPAA, NZ ISM, Australian Essential Eight

🔒 Secure by default

Generated templates ship with encryption, TLS 1.2+, private endpoints, and diagnostics enabled

📁 Artifacts in your storage

Generated Bicep files are saved to session-connected cloud storage under your control — not ours

✓ Linted before delivery

Every template passes Bicep linter validation before it reaches your session. No broken IaC, ever.

Get Started

Two ways in. Same specialist agents.

Sign in with Azure AD

Your tenancy is connected automatically via OAuth. No API keys, no config files.

Ask anything about your Azure infrastructure

You: "I want to audit my production subscription for security gaps and set up monitoring for anything critical"

🛡️ Security Architect: Scanning your subscription...

✓ Found 312 resources across 47 resource groups

✓ Identified 23 security findings (5 critical, 8 high, 10 medium)

📎 Saved: security-assessment.md, remediation.bicep

📊 Monitor Architect: Analyzing unmonitored critical resources...

✓ Found 14 resources with no alerting

✓ Generated monitoring for top 10 by risk score

📎 Saved: alert-rules.bicep, diagnostic-settings.bicep

Review, download, or deploy

All artifacts are in your session storage. Nothing touches your infrastructure without your approval.

Prerequisites: An Azure account with Azure AD credentials. That's it.

# 1. Install the Azure Agents MCP server
npm install -g azure-agent-trio

# 2. Add to your Claude Code config
claude mcp add azure-agents -- npx azure-agent-trio

# 3. Authenticate (uses your existing az login)
> connect
✓ Authenticated via Azure MCP (tenant: contoso.com)

# 4. Run a quick-wins audit across all three agents
> quick-wins
📊 Monitoring: 10 alert rules generated for critical resources
🛡️ Security: 5 high-severity findings with remediation plans
🏗️ Builder: 3 Bicep modules exported for uncodified resources

# 5. Review and apply (nothing happens without your approval)
> apply-monitoring
Preview: 10 metric alerts will be created... [Approve? y/n]

Prerequisites: Node.js 18+, Azure CLI installed (az login completed), and Claude Code. The Azure MCP server or Azure CLI handles all authentication.

Architecture

Under the hood

Interface

🌐 Web Chat UI

Interface

⌨️ CLI / Terminal

↓ ↓

Intelligence

🧠 Intelligent Agent Router

Understands intent → routes to specialist

↓ ↓ ↓

Agent

🏗️ Resource Builder

Agent

📊 Monitor Architect

Agent

🛡️ Security Architect

↓ ↓ ↓

Auth + APIs

Azure MCP

Research

MS Learn MCP

Output

Session Storage

↓

Your Infrastructure

Azure Tenancy

Resource Graph · Monitor · ARM · Defender · Sentinel · Entra ID