Configure your Service Principal to Monitor Subscriptions

Danger

This is Part 1 of the Step 3. Configure Permissions step. At this point, you should have already set up your Service Principal and Client Secret. If you have not yet done that, go back and do Step 1 first.

Tip

There are 5 important points to note about Security with CloudMonitor:

1. YOU choose which Subscriptions you would like CloudMonitor to monitor.
2. If you have Management Groups set up then this is much easier to use instead of individual Subscriptions.
3. CloudMonitor has READ-ONLY access and cannot update anything.
4. CloudMonitor cannot read the data inside of Azure services like keys or database contents.
5. You need to have the OWNER Role to be able to follow these steps.

Step 1

For each Azure Subscription that you want to monitor, add the CloudMonitor Service Principal that you selected during installation as the READER role at the Subscription scope. Start by selecting the Azure Subscription in the Azure portal:

Tip

In this walkthrough we will use the Subscription “IE - MPN” as an example.

Step 2

Click on “Access control (IAM)” inside of the Subscription.

Step 3

Click ”+ Add” to add a new Role/Scope.

Tip

Note: If the “+ Add” button is greyed out then your logged in user does not have the OWNER Role and will be unable to proceed. Contact your IT department to find out who can do this step for you.

Step 4

Choose “Add role assignment”

Step 5

Select the “Reader” role. This only allows CloudMonitor to read service-plane metadata and costs, but not the contents inside of services such as database data and key vault keys.

Step 6

Click “Next”

Step 7

Choose “User, group, or service principal” and click “Select members”

Step 8

Type in the name of your Service Principal and select it from the drop down list. You can also search by the App Id (Client Id) of your service principal to ensure you have the right one.

Tip

Note: In our walkthroughs we use the Service Principal named “CloudMonitor-SP”.

Step 9

Click “Select”

Step 10

Click “Next”.

Step 11

Review the details and click “Review + assign”

Tip

Note: CloudMonitor only has read-access to your Subscription and can in no way make any updates to your resources. You can also set IAM access at the Management Group level if this has been configured and you have many Subscriptions.

Step 12

The CloudMonitor Engine now has the access it needs to monitor this Subscription. Repeat this step for as many Subscriptions as you wish, or consider using a Management Group to allow all new Subscriptions to be monitored automatically.

Tip

CloudMonitor requires certain Read permissions in order to monitor the status of your resources.
If you elect not to grant these permissions, CloudMonitor will not be able to provide warnings on various critical issues, such as expired Service Principal secrets.

Step 13

Navigate toAzure Active Directory > App Registrations, and click your CloudMonitor Service Principal by name or ClientId under the “All applications” tab.

Step 14

On the side menu, under Manage, click “API permissions” and then click “Add a permission”.

Step 15

In the modal window that opens, click “Microsoft Graph”.

Step 16

Click “Application permissions” and search for [[Application.Read.All]] in the select permissions input field. Then add the read permission by clicking “Add permissions” below.

Step 17

Repeat the last step for the same Service Principal, adding these read permissions:
• [[AuditLog.Read.All]]
• [[Directory.Read.All]]

Step 18

Click “Grant admin consent for …”. This action requires a user with Admin rights.

Danger

Next Step: Configure Permissions Part 2: Allow CloudMonitor to access and view Billing Information : CloudMonitor Helpdesk