Configure your Service Principal to Monitor Subscriptions | Scribe

    Configure your Service Principal to Monitor Subscriptions

    • Andrew
      This is Part 1 of Step 3, Configure Permissions. At this point, you should have already set up your Service Principal and Client Secret. If you have not yet done that, go back and do Step 1 first.
      There are 5 important points to note about security with CloudMonitor:
      1. YOU choose which Subscriptions you would like CloudMonitor to monitor.
      2. If you have Management Groups set up, assigning access at the Management Group scope is much easier than doing it for each individual Subscription.
      3. CloudMonitor has READ-ONLY access and cannot update anything.
      4. CloudMonitor cannot read the data inside of Azure services, such as keys or database contents.
      5. You need to have the OWNER Role to be able to follow these steps.
      For each Azure Subscription that you want to monitor, add the CloudMonitor Service Principal that you selected during installation with the READER role at the Subscription scope. Start by selecting the Azure Subscription in the Azure portal:
      In this walkthrough we will use the Subscription "IE - MPN" as an example.
      Click on "Access control (IAM)" inside of the Subscription.
      Click "**+ Add**" to add a new Role/Scope.
      Note: If the "+ Add" button is greyed out, then the user you are logged in as does not have the OWNER Role and will be unable to proceed. Contact your IT department to find out who can do this step for you.
      Choose **"Add role assignment"**
      Select the **"Reader"** role. This only allows CloudMonitor to read service-plane metadata and costs, but not the contents inside of services such as database data and key vault keys.
      Click **"Next"**
      Choose **"User, group, or service principal"** and click **"Select members"**
      Type in the name of your **Service Principal** and select it from the drop down list. You can also search by the App Id (Client Id) of your service principal to ensure you have the right one.
      Note: In our walkthroughs we use the Service Principal named "CloudMonitor-SP".
      Click **"Select"**
      Click **"Next"**.
      Review the details and click **"Review + assign"**
      Note: CloudMonitor only has read-access to your Subscription and can in no way make any updates to your resources. You can also set IAM access at the Management Group level if this has been configured and you have many Subscriptions.
      The CloudMonitor Engine now has the access it needs to monitor this Subscription. Repeat this step for as many Subscriptions as you wish, or consider using a Management Group to allow all new Subscriptions to be monitored automatically.
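      The same Reader assignment can be scripted when you have many Subscriptions. The script below is an added example and is not part of the Scribe walkthrough or of CloudMonitor's own tooling. It assumes the Azure CLI (`az`) is installed and logged in as a user holding the OWNER Role on each Subscription; the service principal name defaults to "CloudMonitor-SP" from the walkthrough, and the Subscription IDs you pass in are placeholders. After each assignment it lists the roles the principal holds at that scope and warns if anything other than Reader is present, which is the least-privilege check a reviewer will ask for.

```shell
#!/usr/bin/env bash
# Added example (not from the Scribe guide or CloudMonitor): assign the Reader
# role to the CloudMonitor service principal at Subscription scope with the
# Azure CLI, then verify Reader is the only role it holds there.
# Assumptions: `az` is installed and logged in as an Owner of each Subscription;
# SP_NAME and the Subscription IDs given on the command line are placeholders.
set -eu

SP_NAME="${SP_NAME:-CloudMonitor-SP}"   # display name used in the walkthrough

# True when the argument is a GUID (Subscription IDs and App/Client IDs are GUIDs).
is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Build the RBAC scope string for a Subscription ID, refusing anything that is
# not a GUID so a typo cannot silently land the assignment on the wrong scope.
subscription_scope() {
  is_guid "$1" || { echo "invalid subscription id: $1" >&2; return 1; }
  printf '/subscriptions/%s\n' "$1"
}

# Resolve the service principal's object id, which is what RBAC needs.
# Accepts either the display name or the App (Client) Id, mirroring the two
# ways the guide suggests finding the principal in the portal.
# Note: recent Azure CLI versions expose the object id as `id`; very old
# versions used `objectId`.
lookup_sp_object_id() {
  if is_guid "$1"; then
    az ad sp show --id "$1" --query id -o tsv
  else
    az ad sp list --display-name "$1" --query '[0].id' -o tsv
  fi
}

# $1: newline-separated role definition names held at a scope.
# Succeeds only when the Reader role is the single role present.
roles_are_reader_only() {
  [ "$(printf '%s\n' "$1" | sed '/^$/d' | sort -u | tr '\n' ' ')" = "Reader " ]
}

main() {
  # Usage: SP_NAME=CloudMonitor-SP ./reader_assign.sh <subscriptionId> [...]
  sp_oid=$(lookup_sp_object_id "$SP_NAME")
  [ -n "$sp_oid" ] || { echo "service principal '$SP_NAME' not found" >&2; exit 1; }

  for sub in "$@"; do
    scope=$(subscription_scope "$sub") || exit 1

    # Passing the object id plus the principal type avoids a directory lookup
    # that could resolve an ambiguous name to the wrong identity.
    az role assignment create \
      --assignee-object-id "$sp_oid" \
      --assignee-principal-type ServicePrincipal \
      --role Reader \
      --scope "$scope" \
      --output none

    # Verify the principal holds nothing beyond Reader at this scope.
    roles=$(az role assignment list --assignee "$sp_oid" --scope "$scope" \
      --query '[].roleDefinitionName' -o tsv)
    if roles_are_reader_only "$roles"; then
      echo "OK   $scope: Reader only"
    else
      echo "WARN $scope: roles held = $(printf '%s' "$roles" | tr '\n' ',')" >&2
    fi
  done
}

# Only run the assignment flow when Subscription IDs are supplied.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

      Run it as `SP_NAME=CloudMonitor-SP ./reader_assign.sh <subscriptionId> ...`. To assign once at a Management Group instead, the scope string becomes `/providers/Microsoft.Management/managementGroups/<groupName>`; the verification step works the same way.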
      CloudMonitor requires certain Read permissions in order to monitor the status of your resources. If you elect not to grant these permissions, CloudMonitor will not be able to provide warnings on various critical issues, such as expired Service Principal secrets.
      Navigate to [Azure Active Directory > App Registrations](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps), and click your CloudMonitor Service Principal by name or ClientId under the "All applications" tab.
