Step 3: Configure your Service Principal to Monitor Subscriptions

Modified on Sun, 17 Jul 2022 at 10:29 PM

There are 3 important points to note about Security with CloudMonitor: 


  • You choose which Subscriptions you would like CloudMonitor to monitor
  • CloudMonitor has READ-ONLY access and cannot update anything
  • This flexible model is enforced with standard Azure RBAC IAM controls.


Note: For each Azure Subscription that you want to monitor, add the CloudMonitor ServicePrincipal that you selected during install as the READER role at the Subscription scope. 


At this point, you should have already set up your Service Principal and Client Secret. If you have not yet done that, you can follow this guide in creating a Service Principal and Client Secret.


You will also need to be logged in as someone with the Owner Role at the Subscription level for each Subscription that you want to monitor. This is because only an Owner can assign permissions. 

Instructions in Configuring your Service Principal to Monitor Subscriptions

Step 1: Find the Azure Subscription that you want to monitor


Find the Azure Subscription that you want to monitor in CloudMonitor. You can do this from the Subscriptions list in the Azure Portal, for example: 


Step 2: Click on “Access Control (IAM)”


Go into the Subscription and click on “Access Control (IAM)” in the left menu, then click on “+ Add” to add a new Role to the Subscription scope. 



Note: If the “+ Add” button is greyed out then your logged in user does not have the Owner access and will be unable to proceed. Contact your IT department to find out who can do this step for you.

Step 3: Select “Add role assignment” and select the “Reader” Role


Step 4: Type in the name of your Service Principal


Type in the name of your Service Principal (In our walkthroughs we always call it “CloudMonitor-SP”. This will allow you to click on the matching Service Principal 

Step 5: Save your settings


Click on “Save” to save the assignment 


You have completed this step and granted CloudMonitor the access it needs. It will now be able to perform analytics on your cost data. Repeat this step for as many Subscriptions as you wish. 


Note: CloudMonitor only has read-access to your Subscription and can in no way make any updates to your resources. You can also set IAM access at the Management Group level if this has been configured and you have many Subscriptions. 

What’s the Next Thing to do?


Now, you’re done installing the Power BI App, the CloudMonitor Analytics engine, and configuring your Service Principal to monitor the subscriptions you want. 


You’re down to the final step, which is to connect Power BI to the CloudMonitor Analytics Engine. 


Step 4: Connect the PowerBI Reporting to the Analytics Engine 

Related Articles


Instructions for Installing CloudMonitor

Step 1: Download the CloudMonitor App into Power BI

Step 2: Download the CloudMonitor Analytics Engine in Azure

Step 3: Configure your Service Principal to Monitor Subscriptions

Step 4: Connect the PowerBI Reporting to the Analytics Engine


Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us how can we improve this article!

Select atleast one of the reasons

Feedback sent

We apprciate your effort and will try to fix the article