Step 3: Configure your Service Principal to Monitor Subscriptions | Scribe

    Step 3: Configure your Service Principal to Monitor Subscriptions

    • Isagani Esteron |
    • 13 steps |
    • 35 seconds
      information ordinal icon
      At this point, you should have already set up your Service Principal and Client Secret. If you have not yet done that, go back and do Step 2 first.
      alert ordinal icon
      There are 5 important points to note about Security with CloudMonitor: 1. YOU choose which Subscriptions you would like CloudMonitor to monitor. 2. If you have Management Groups set up then this is much easier to use instead of individual Subscriptions. 3. CloudMonitor has READ-ONLY access and cannot update anything. 4. CloudMonitor cannot read the data inside of Azure services like keys or database contents. 5. You need to have the OWNER Role to be able to follow these steps.
      1
      For each Azure Subscription that you want to monitor, add the CloudMonitor Service Principal that you selected during installation as the READER role at the Subscription scope. Start by selecting the Azure Subscription in the Azure portal:
      information ordinal icon
      In this walkthrough we will use the Subscription "IE - MPN" as an example.
      2
      Click on "Access control (IAM)" inside of the Subscription.
      3
      Click "+ Add" to add a new Role/Scope.
      alert ordinal icon
      Note: If the “+ Add” button is greyed out then your logged in user does not have the OWNER Role and will be unable to proceed. Contact your IT department to find out who can do this step for you.
      4
      Choose "Add role assignment"
      5
      Select the "Reader" role. This only allows CloudMonitor to read service-plane meta data and costs, but not the contents inside of services such as database data and key vault keys.
      6
      Click "Next"
      7
      Choose "User, group, or service principal" and click "Select members"
      8
      Type in the name of your Service Principal and select it from the drop down list. You can also search by the App Id (Client Id) of your service principal to ensure you have the right one.
      information ordinal icon
      Note: In our walkthroughs we use the Service Principal named "CloudMonitor-SP”.
      9
      Click "Select"
      10
      Click "Next".
      11
      Review the details and click "Review + assign"
      alert ordinal icon
      Note: CloudMonitor only has read-access to your Subscription and can in no way make any updates to your resources. You can also set IAM access at the Management Group level if this has been configured and you have many Subscriptions.
      12
      The CloudMonitor Engine now has the access it needs to monitor this Subscription. Repeat this step for as many Subscriptions as you wish, or consider using a Management Group to allow all new Subscriptions to be monitored automatically.
      information ordinal icon
      Next Step: Create a Support Ticket on our Helpdesk and we'll configure your deployment and process the cost metadata. Once we have run our health checks on historic costs we'll supply you with the credentials to connect Power BI to the Engine that you have just installed. Click here to raise a ticket: [https://go.cloudmonitor.ai/helpdesk](https://go.cloudmonitor.ai/helpdesk)
      13
      Once you have your Credentials, please move on to Step 4. [https://helpdesk.cloudmonitor.ai/support/solutions/articles/51000304758-step-4-connect-the-powerbi-reporting-to-the-analytics-engine%E2%80%8B](https://helpdesk.cloudmonitor.ai/support/solutions/articles/51000304758-step-4-connect-the-powerbi-reporting-to-the-analytics-engine%E2%80%8B)