Setting up Azure Account Connections

Learn how to set up your credentials in Azure AD, so you can sync your Azure data to via an Azure Cloud Account connection.

• 1. Register an Application in Microsoft Entra ID
  • Collect the Tenant ID
  • Register a New Application
  • OPTION 1: Assignment of READER role to the application
  • OPTION 2: Assign custom role using Powershell
• 2. Assigning permissions for Reserved Instance information
  • Assign the Reservations Reader role at the tenant level
• 3. Create a new Cloud Account in Cloud Ctrl

1. Register an Application in Microsoft Entra ID

Microsoft Entra ID Applications are identities that you create and control within your own Microsoft Entra ID tenant and can be granted privileges on the resources that you specify. These applications have their own login credentials and are intended to be used in code, such as in Cloud Ctrl.

Cloud Ctrl uses the Microsoft Entra ID Applications to connect to the Azure Resource Manager and gather metadata and metrics from your subscriptions.

For all these steps, Microsoft have published documentation covering the process in the Azure Portal. View the Microsoft Documentation (opens new window)

Collect the Tenant ID

1. Log in to the Azure Management Portal (opens new window) using tenant admin credentials.
2. From the search bar at the top of the screen, type 'Entra' and select Microsoft Entra ID.
3. Select Properties from the list.
4. From the properties screen, copy the Directory ID. This is your Tenant ID.

Register a New Application

1. Navigate to the Manage section of Microsoft Entra ID, then click App Registrations > New Registration.
   1. Enter a Name for your application.
   2. For Support Account Types, leave the default.
   3. For User Redirect URI, leave the default.
   4. Click on Register.
2. Copy the Application ID after successful registration. This is your Client ID.
3. Generate the client secret
   1. Go to Manage > Certificates & secrets
   2. Under Client Secrets, click New client secret.
   3. Add a Description for the secret and select an expiration period.
   4. Click on Add.
   5. Copy down the Client Secret Value that is generated as this cannot be displayed again. (==Important!==)

TIP

For the name, we suggest using “Cloud Ctrl” so it can easily be identified later when viewing through the portal.

There are two options when it comes to applying role authorisation to the application.

OPTION 1: Assignment of READER role to the application

You can assign the built in READER role to the application for each subscription you want to connect to Cloud Ctrl. This option is the simpliest to perform when there are only a few subscriptions. If however, you have many subscriptions to assign, option 2 may be more suitable. Option 2 also limits the READER permissions to just those needed by Cloud Ctrl.

Follow the Microsoft documentation (opens new window) to assign the standard READER role or a custom role to each subscription.

OPTION 2: Assign custom role using Powershell

Learn how to use PowerShell in Azure's Cloud Portal to assign a custom role to a registered application for all Subscriptions in Azure.

Information

The custom role contains explicit read only permissions required by the application.

Details of the custom role can be viewed in the role template here (opens new window).

Pre-requisites

• An Admin account in Azure with access to the PowerShell portal.
• An existing Microsoft Entra ID Application in Azure.
• At least one active Azure subscription.

Run the Script in Powershell

1. Log in to your Azure portal. In the top navigation bar, click Cloud Shell.
2. In the Cloud Shell window, select PowerShell.
3. Download the role assigment script from here (opens new window).
4. Upload the script file to the Azure Cloud Shell

5. From the Cloud Shell prompt enter the ./ and the uploaded file name to execute the script.

./assign-role-to-application.ps1

6. The script will then promt you for some information:

   • The Name you gave to the Microsoft Entra ID application (created in an earlier step) that you want to assign the role to.
   • The Azure location / region where the role template will store deployment data, this has little impact on the execution, we recommend choosing a region where you have resources already deployed.
     • some example options are: (australiaeast, centralus, southeastasia, japaneast, canadacentral, uksouth)
   • The Role Name for the new custom role; use something that can easily identify the roles pupose i.e. Cloud Ctrl Read Only

7. The script will then execute and assign the new role to the Application principle in all subscriptions visible to the current powershell user. If you experience any errors during execution please contact our support team.

2. Assigning permissions for Reserved Instance information

To collect information about reserved instances, for the inventory and prorating cost informtaion you will need to grant some additional permissions to the Microsoft Entra ID application, this time at a tenant level.

When you buy an Azure reservation, access is restricted to the user who bought it (e.g. user-adm@IT.on.microsoft.com) and the account administrator.'

Assign the Reservations Reader role at the tenant level

Assigning the reservation reader role at the tenant level automatically grants read access to all reservations in the Microsoft Entra ID tenant (directory). When you grant access at the tenant level, you do not need to grant access to new reservations as they are acquired, nor do you need to provide access to each subscription individually.

Using the Powershell script below you can add a Reservations reader role to the Microsoft Entra ID Application service principal you have created for your Azure ARM Connection.

This can be run in the Azure Portal using the Cloud Shell (opens new window)

#Import required resources
Import-Module Az.Accounts
Import-Module Az.Resources

# Connect to Microsoft Entra ID
Connect-AzAccount -Tenant <Tenant ID> -UseDeviceAuthentication

# Get the Service Principal ID for your Microsoft Entra ID App Registration
$ServicePrincipalId = (Get-AzADServicePrincipal -DisplayName <AD Application Registration Display Name> -First 1).Id

# Assign the Reservation Reader role to the Application Service Principal
New-AzRoleAssignment -Scope "/providers/Microsoft.Capacity" -PrincipalId $ServicePrincipalId -RoleDefinitionName "Reservations Reader"

Refer to the Microsoft Official Azure documentation (opens new window) for details.

3. Create a new Cloud Account in Cloud Ctrl

To start importing usage data for Microsoft Azure, you need to create an Azure Cloud Account.

• To add a new cloud account go to Settings > Cloud Accounts > Create
• The New Cloud Account window will appear, select Azure Account

You will be prompted for a name for the Cloud Account as well as the Tenant Id, Application / Client Id and the Application / Client Secret you got from the ARM Connection.

The name is an internal name used within the platform for you to be able to identify this connection among multiple connections, e.g. Azure MSDN, Azure PAYG, etc.

Once you submit we get to work loading your data, initially as we load you account history it may take upto 24hrs for your usage in the portal to be loaded completely.