# Setting up Azure Account Connections

Learn how to set up your credentials in Azure AD, so you can sync your Azure data via an Azure Cloud Account connection.

# 1. Register an Application in Microsoft Entra ID

Microsoft Entra ID Applications are identities that you create and control within your own Microsoft Entra ID tenant and can be granted privileges on the resources that you specify. These applications have their own login credentials and are intended to be used in code, such as in Cloud Ctrl.

Cloud Ctrl uses the Microsoft Entra ID Applications to connect to the Azure Resource Manager and gather metadata and metrics from your subscriptions.

For all these steps, Microsoft have published documentation covering the process in the Azure Portal. View the Microsoft Documentation.

# Collect the Tenant ID

  1. Log in to the Azure Management Portal using tenant admin credentials.
  2. From the search bar at the top of the screen, type 'Entra' and select Microsoft Entra ID.
  3. Select Properties from the list.
  4. From the properties screen, copy the Directory ID. This is your Tenant ID.

# Register a New Application

  1. Navigate to the Manage section of Microsoft Entra ID, then click App Registrations > New Registration.
    1. Enter a Name for your application.
    2. For Supported Account Types, leave the default.
    3. For User Redirect URI, leave the default.
    4. Click on Register.
  2. Copy the Application ID after successful registration. This is your Client ID.
  3. Generate the client secret
    1. Go to Manage > Certificates & secrets
    2. Under Client Secrets, click New client secret.
    3. Add a Description for the secret and select an expiration period.
    4. Click on Add.
    5. Copy down the Client Secret Value that is generated, as this cannot be displayed again. (Important!)

TIP

For the name, we suggest using “Cloud Ctrl” so it can easily be identified later when viewing through the portal.

There are two options when it comes to applying role authorisation to the application.

# 2. Create a role assignment against the Management Group

Go to the management groups blade in Azure portal which you can find here. Select the top level management group that you want to grant access to. Try to select the highest level management group you can so you don't have to do this over and over again.

After selecting the management group, go to the Access control (IAM) menu item and hit add.

Within this view configure a role assignment, with the following details:

  1. Role: Reader
  2. Members: Your app registration from earlier.

When you supply the credentials for this app registration later, it will give our application the ability to read information about the environment.

# 3. Create a role assignment for Savings Plans

Next up you'll need to create a role assignment against the entire Microsoft.Capacity namespace granting Savings Plan Reader to the app registration you've created.

To do that, head to the Savings Plan page which you can find here and hit the "Role Assignments" button at the top, above the table.

Then follow the same steps as before when assigning a role, but instead the configuration should be:

  1. Role: Savings Plan Reader
  2. Members: Your app registration from earlier.

You will need to do this once per tenant unfortunately as there is no equivalent permission at a management group level!

# 4. Create a role assignment for Reservations

Next up you'll need to create a role assignment against the entire Microsoft.Capacity namespace granting Reservations Reader to the app registration you've created.

To do that, head to the Reservations page which you can find here and hit the "Role Assignments" button at the top, above the table.

Then follow the same steps as before when assigning a role, but instead the configuration should be:

  1. Role: Reservations Reader
  2. Members: Your app registration from earlier.

You will need to do this once per tenant unfortunately as there is no equivalent permission at a management group level!
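Once sections 2 to 4 are done, it is worth confirming that the app registration holds exactly the three read-only roles and nothing broader. The following is an added example, not part of Cloud Ctrl's documentation or code: it audits role assignments exported as JSON, assuming the field names used by the Azure CLI's `az role assignment list` output (`principalId`, `roleDefinitionName`, `scope`). The principal ID, scopes and sample records are constructed placeholders.

```python
import json

# Roles this page assigns to the app registration (sections 2 to 4).
EXPECTED_ROLES = {"Reader", "Savings Plan Reader", "Reservations Reader"}
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Constructed placeholder: object ID of the app registration's service principal.
APP_PRINCIPAL_ID = "00000000-0000-0000-0000-000000000001"

# Constructed sample export; none of these IDs or scopes come from the page.
SAMPLE = json.dumps([
    {"principalId": APP_PRINCIPAL_ID, "roleDefinitionName": "Reader",
     "scope": MG_PREFIX + "example-root-mg"},
    {"principalId": APP_PRINCIPAL_ID, "roleDefinitionName": "Reservations Reader",
     "scope": "/providers/Microsoft.Capacity"},
    {"principalId": APP_PRINCIPAL_ID, "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-0000000000aa"},
    {"principalId": "00000000-0000-0000-0000-000000000002",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-0000000000aa"},
])


def audit_assignments(raw_json, principal_id):
    """Return (finding, role, scope) tuples for one principal's assignments."""
    held = {}
    for item in json.loads(raw_json):
        if item.get("principalId") != principal_id:
            continue  # assignment belongs to some other identity
        held.setdefault(item["roleDefinitionName"], []).append(item["scope"])

    findings = []
    # A role from the setup steps that was never assigned: data will be incomplete.
    for role in sorted(EXPECTED_ROLES - set(held)):
        findings.append(("missing", role, None))
    # Anything beyond the three reader roles exceeds what the connection needs.
    for role in sorted(set(held) - EXPECTED_ROLES):
        for scope in held[role]:
            findings.append(("unexpected", role, scope))
    # Section 2 places Reader on a management group; flag Reader anywhere else.
    for scope in held.get("Reader", []):
        if not scope.startswith(MG_PREFIX):
            findings.append(("reader-not-at-management-group", "Reader", scope))
    return findings


if __name__ == "__main__":
    for finding in audit_assignments(SAMPLE, APP_PRINCIPAL_ID):
        print(finding)
```

An empty result means the principal holds the three expected roles and no others; an `unexpected` finding such as Contributor should be removed before the client secret is handed to any third-party platform.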

# 5. Create a new Cloud Account in Cloud Ctrl

To start importing usage data for Microsoft Azure, you need to create an Azure Cloud Account.

  • To add a new cloud account go to Settings > Cloud Accounts > Create
  • The New Cloud Account window will appear, select Azure Account


You will be prompted for a name for the Cloud Account as well as the Tenant Id, Application / Client Id and the Application / Client Secret you got from the ARM Connection.

The name is an internal name used within the platform for you to be able to identify this connection among multiple connections, e.g. Azure MSDN, Azure PAYG, etc.

Once you submit, we get to work loading your data. Initially, as we load your account history, it may take up to 24 hrs for your usage in the portal to be loaded completely.