# Enhanced data connection

To collect additional information about your Azure consumption and costs, Cloud Ctrl requires additional permissions to access the Azure Resource Manager (ARM) APIs. To provide this access securely, you need to create and configure a Microsoft Entra ID application and grant it permissions in your Azure tenant.

Microsoft Entra ID applications are identities that you create and control within your own Microsoft Entra ID tenant and that can be granted privileges on only the resources you specify. These applications have their own credentials (a client secret or certificate), separate from any user's sign-in, and are intended for use by software such as Cloud Ctrl.

# Creating the Microsoft Entra ID Application

TIP

If you have already created a Microsoft Entra ID application for collecting usage data, you may only need to update the roles assigned to that application.

The steps to set this up can be found in the following article:

Connect to Azure Resource Manager

# Assigning permissions for Recommendations

If you have already granted the built-in Reader role on the subscription, there is nothing more you need to do.

If you created a custom role as explained in the article linked above, you will need to add the following actions to it:

```
Microsoft.Insights/MetricDefinitions/Read
Microsoft.Insights/Metrics/Read
```
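The following PowerShell script is an added example, not part of the original page or of Cloud Ctrl's own tooling. It shows how to add the two Microsoft.Insights read actions to an existing custom role without disturbing the actions it already grants. The role name "Cloud Ctrl Reader" is an assumption; replace it with the name you chose when you created the custom role. Run it in Azure Cloud Shell or after `Connect-AzAccount` in a session with permission to update role definitions.

```powershell
# Added example (not from the original page): extend an existing custom role with
# the two Microsoft.Insights read actions needed for Recommendations.
Import-Module Az.Resources

$RoleName = "Cloud Ctrl Reader"   # assumed name of your custom role; change to match yours
$RequiredActions = @(
    "Microsoft.Insights/MetricDefinitions/Read",
    "Microsoft.Insights/Metrics/Read"
)

$Role = Get-AzRoleDefinition -Name $RoleName
if (-not $Role) {
    throw "Custom role '$RoleName' not found. Check the name and that you are connected to the correct tenant."
}

# Set-AzRoleDefinition replaces the whole definition, so only append what is missing
# rather than rebuilding the Actions list from scratch.
$Missing = @($RequiredActions | Where-Object { $Role.Actions -notcontains $_ })
if ($Missing.Count -eq 0) {
    Write-Host "Role '$RoleName' already grants the metric read actions; nothing to do."
} else {
    foreach ($Action in $Missing) { $Role.Actions.Add($Action) }
    Set-AzRoleDefinition -Role $Role | Out-Null
    Write-Host "Added to '$RoleName': $($Missing -join ', ')"
}

# Confirm the actions now present in the role
(Get-AzRoleDefinition -Name $RoleName).Actions
```

Existing assignments of the custom role pick up the new actions automatically; no assignment needs to be recreated. Both actions are read-only, so the application still cannot modify any resource.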

# Assigning permissions for Reserved Instance information

To collect information about reserved instances for the inventory and pro rata cost reporting, you will need to grant an additional role to the Microsoft Entra ID application, this time at the tenant level.

When you buy an Azure reservation, access to it is restricted to the user who bought it (e.g. user-adm@IT.on.microsoft.com) and the account administrator.

# Assign the Reservations Reader role at the tenant level

Assigning the Reservations Reader role at the tenant level automatically grants read access to all reservations in the Microsoft Entra ID tenant (directory). When you grant access at the tenant level, you do not need to grant access to new reservations as they are acquired, nor do you need to grant access on each subscription individually. The role is read-only: it lets the application list reservations and their utilisation, but not purchase, exchange or cancel them.

Using the PowerShell script below, you can assign the Reservations Reader role to the service principal of the Microsoft Entra ID application you created for your Azure ARM connection.

This can be run in the Azure Portal using Cloud Shell.

```powershell
# Import required modules (already available in Azure Cloud Shell)
Import-Module Az.Accounts
Import-Module Az.Resources

# Connect to the Microsoft Entra ID tenant; replace <Tenant ID> with your tenant's ID
Connect-AzAccount -Tenant "<Tenant ID>" -UseDeviceAuthentication

# Look up the service principal of your Microsoft Entra ID app registration by its display name
$ServicePrincipalId = (Get-AzADServicePrincipal -DisplayName "<AD Application Registration Display Name>" -First 1).Id
if (-not $ServicePrincipalId) {
    throw "Service principal not found. Check the display name and that you are connected to the correct tenant."
}

# Assign the Reservations Reader role to the service principal at the tenant level.
# The scope /providers/Microsoft.Capacity covers every reservation in the tenant.
New-AzRoleAssignment -Scope "/providers/Microsoft.Capacity" -ObjectId $ServicePrincipalId -RoleDefinitionName "Reservations Reader"
```
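The following PowerShell script is an added example, not part of the original page or of Cloud Ctrl's own tooling. After running the assignment script above, it confirms that the Reservations Reader assignment exists at exactly the tenant-level scope and then lists every other role the application holds, flagging any write-capable built-in role. It assumes you are still signed in with `Connect-AzAccount` and that `$ServicePrincipalId` holds the application's service principal object ID from the previous script.

```powershell
# Added example (not from the original page): verify the Reservations Reader
# assignment and audit the application's other role assignments for least privilege.
Import-Module Az.Resources

$Scope = "/providers/Microsoft.Capacity"

# 1. The Reservations Reader assignment must exist at exactly the tenant-level scope.
#    Get-AzRoleAssignment -Scope also returns assignments inherited from parent scopes,
#    so filter on the exact scope string.
$ReservationsReader = Get-AzRoleAssignment -ObjectId $ServicePrincipalId -Scope $Scope -RoleDefinitionName "Reservations Reader" |
    Where-Object { $_.Scope -eq $Scope }
if (-not $ReservationsReader) {
    throw "No 'Reservations Reader' assignment found at $Scope for principal $ServicePrincipalId"
}
Write-Host "Reservations Reader confirmed at $Scope"

# 2. List everything else the principal holds and flag roles that allow writes or
#    changes to access. A data-collection identity should carry only read roles.
$WriteCapableRoles = @("Owner", "Contributor", "User Access Administrator")
$AllAssignments = Get-AzRoleAssignment -ObjectId $ServicePrincipalId
$AllAssignments | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

$Excess = @($AllAssignments | Where-Object { $WriteCapableRoles -contains $_.RoleDefinitionName })
if ($Excess.Count -gt 0) {
    Write-Warning "Application holds write-capable roles; a collection identity should be read-only:"
    $Excess | ForEach-Object { Write-Warning "  $($_.RoleDefinitionName) at $($_.Scope)" }
} else {
    Write-Host "No write-capable built-in roles assigned to the application."
}
```

If the first check fails immediately after running the assignment script, wait a minute and retry; role assignments can take a short time to propagate before they are visible.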

Refer to the official Microsoft Azure documentation for details.