Configuring Storage for CloudMonitor to schedule Exports (For CSP Customers Only)

This scribe is only for CSP customers which install Cloudmonitor in different tenants.

Step 1

In Azure Portal, navigate to the Storage accounts - Microsoft Azure and click “Create”.

Step 1 screenshot

Step 2

Select a Resource Group in which to create the new Storage Account. We recommend setting up a new Resource Group.

If you are a NonCSP Customer, the chosen Subscription MUST be in the same Subscription as the CloudMonitor Engine.

If you are a CSP Customer, your Customer may choose any Subscription, the new Storage Account MUST be created in their tenancy.

Step 2 screenshot

Step 3

Name the Storage Account in accordance with your existing organisational tagging standards and naming conventions.

Step 3 screenshot

Step 4

To avoid paying egress fees select the same region that contains the CloudMonitor engine.

Step 4 screenshot

Step 5

Choose LRS for storage redundancy, then click “Advanced”.

Step 5 screenshot

Step 6

Make sure Hierarchical Namespace is unticked. then click “Review” and “Create”.

Step 6 screenshot

Step 7

You will receive a notification for when the Storage Account has been successfully deployed. Click “Go to resource” in preparation for the next section.

Step 7 screenshot

Step 8

Navigate to Subscriptions - Microsoft Azure and select the same Subscription the Storage Account will be located in.

Step 8 screenshot

Step 9

Click “Resource providers”.

Step 9 screenshot

Step 10

Filter by and select “Microsoft.CostManagementExports” and then click “Register”.

Step 10 screenshot

Step 11

You will receive a notification for successfully registering the Resource Provider.

Step 11 screenshot

Step 12

Navigate to the Storage Account Resource we just created.

Step 12 screenshot

Step 13

Navigate to Access Control (IAM) and click “Add > Add role assignment”.

Step 13 screenshot

Step 14

Under the Role tab, select “Storage Account Contributor” as the Role.

Step 14 screenshot

Step 15

Switch to the Members tab, and click “Select members”.

Step 15 screenshot

Step 16

Search and select your CloudMonitor Service Principal name.

Step 16 screenshot

Step 17

Switch to the Review + assign tab and “Review + assign”.

Step 17 screenshot

Step 18

You will receive a notification for successfully assigning the “Storage Account Contributor” role.

Step 18 screenshot

Step 19

Navigate to the Storage Account and Click “Configuration”

Step 19 screenshot

Step 20

Expand the drop down of “Permitted Scope for Copy Operation” and Click “From any storage account”

Step 20 screenshot

Step 21

Click “Save”.

Step 21 screenshot

Step 22

On the same Storage Account Resource, click “Shared access signature”.

Step 22 screenshot

Step 23

To ensure secure and minimal access configure the SAS with the following settings:

Under Allowed Services, check ‘Blob’ to restrict access to Blob storage only.
For Allowed Resource Types, select ‘Service’, ‘Container’ and ‘Object’ to permit operations at the service, container and blob level.
Choose Allowed Permissions ‘Read’, ‘Write’, ‘Delete’, ‘List’, and ‘Create’ to exclusively manage blob content within the container.
Do not enable any other services or permissions not specified here.

Apply these settings to provide CloudMonitor with the necessary permissions to manage blobs without overextending access rights.

Step 23 screenshot

Step 24

When setting the SAS expiration, it’s advised to choose a date two years from today to ensure continued access without frequent renewal.

Step 24 screenshot

Step 25

Click “Generate SAS and connection string”

Step 25 screenshot

Step 26

Find the Blob Service SAS URL located at the bottom of the page. Copy this URL and store it securely.
Also, copy the URL of this webpage. It contains the Storage Account Resource ID.
Finally, email the copied information to support@cloudmonitor.ai and confirm that you have completed this Helpdesk Article.

Step 26 screenshot