There are 3 important points to note about Security with CloudMonitor:
- You choose which Subscriptions you would like CloudMonitor to monitor
- CloudMonitor has READ-ONLY access and cannot update anything
- This flexible model is enforced with standard Azure RBAC IAM controls.
Note: For each Azure Subscription that you want to monitor, assign the Reader role at the Subscription scope to the CloudMonitor Service Principal that you selected during install.
At this point, you should have already set up your Service Principal and Client Secret. If you have not yet done that, you can follow this guide to creating a Service Principal and Client Secret.
You will also need to be logged in as someone with the Owner Role at the Subscription level for each Subscription that you want to monitor. This is because only an Owner can assign permissions.
Instructions for Configuring your Service Principal to Monitor Subscriptions
Step 1: Find the Azure Subscription that you want to monitor
Find the Azure Subscription that you want to monitor in CloudMonitor. You can do this from the Subscriptions list in the Azure Portal.
Step 2: Click on “Access Control (IAM)”
Go into the Subscription and click on “Access Control (IAM)” in the left menu, then click on “+ Add” to add a new Role to the Subscription scope.
Note: If the “+ Add” button is greyed out, your logged-in user does not have Owner access and will be unable to proceed. Contact your IT department to find out who can do this step for you.
Step 3: Select “Add role assignment” and select the “Reader” Role
Step 4: Type in the name of your Service Principal
Type in the name of your Service Principal (in our walkthroughs we always call it “CloudMonitor-SP”). This will allow you to click on the matching Service Principal.
Step 5: Save your settings
Click on “Save” to save the assignment.
You have completed this step and granted CloudMonitor the access it needs. It will now be able to perform analytics on your cost data. Repeat this step for as many Subscriptions as you wish.
Note: CloudMonitor only has read-access to your Subscription and can in no way make any updates to your resources. You can also set IAM access at the Management Group level if this has been configured and you have many Subscriptions.
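One way to check the result after repeating the steps for each Subscription, as an added example (not CloudMonitor's own code): this Python script audits the JSON printed by `az role assignment list --assignee <appId> --all -o json` and reports any assignment that is not Reader at an approved Subscription scope, plus approved Subscriptions that have no assignment yet. The subscription IDs, `rg-demo`, `mg-demo` and the sample rows are constructed for illustration.

```python
import re

# GUID of the built-in Reader role definition (identical in every Azure tenant).
READER_ROLE_GUID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
SUB_SCOPE = re.compile(r"^/subscriptions/([0-9a-f-]{36})$", re.IGNORECASE)

def audit(assignments, approved_subs):
    """Return (findings, missing) for one principal's role assignments.

    assignments: list of dicts as printed by `az role assignment list -o json`.
    approved_subs: subscription IDs you chose to let CloudMonitor monitor.
    """
    approved = {s.lower() for s in approved_subs}
    findings, covered = [], set()
    for a in assignments:
        role_guid = a["roleDefinitionId"].rsplit("/", 1)[-1].lower()
        scope = a["scope"]
        m = SUB_SCOPE.match(scope)
        if role_guid != READER_ROLE_GUID:
            # Anything other than Reader breaks the read-only guarantee.
            findings.append(("NOT_READ_ONLY", a.get("roleDefinitionName"), scope))
        elif m is None:
            # Reader, but not at Subscription scope (management group,
            # resource group or single resource): confirm it is intended.
            findings.append(("REVIEW_SCOPE", "Reader", scope))
        elif m.group(1).lower() not in approved:
            findings.append(("UNAPPROVED_SUBSCRIPTION", "Reader", scope))
        else:
            covered.add(m.group(1).lower())
    return findings, sorted(approved - covered)

def _row(role, guid, scope):
    # Helper that builds one constructed sample row (not real tenant data).
    rid = "/providers/Microsoft.Authorization/roleDefinitions/" + guid
    return {"roleDefinitionName": role, "roleDefinitionId": rid, "scope": scope}

SUB_A, SUB_B, SUB_C = ("1" * 8 + "-1111-1111-1111-" + "1" * 12,
                       "2" * 8 + "-2222-2222-2222-" + "2" * 12,
                       "3" * 8 + "-3333-3333-3333-" + "3" * 12)
APPROVED = [SUB_A, SUB_B]
SAMPLE = [
    _row("Reader", READER_ROLE_GUID, "/subscriptions/" + SUB_A),
    _row("Contributor", "b24988ac-6180-42a0-ab88-20f7382dd24c",
         "/subscriptions/" + SUB_A + "/resourceGroups/rg-demo"),
    _row("Reader", READER_ROLE_GUID, "/subscriptions/" + SUB_C),
    _row("Reader", READER_ROLE_GUID,
         "/providers/Microsoft.Management/managementGroups/mg-demo"),
]

if __name__ == "__main__":
    found, missing = audit(SAMPLE, APPROVED)
    for f in found:
        print(*f)
    print("approved but not yet assigned:", missing)
```

Because `--all` lists assignments under the currently selected subscription, run the `az` command once per Subscription and pass the combined rows to `audit`.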
What’s the Next Thing to do?
Now, you’re done installing the Power BI App, the CloudMonitor Analytics engine, and configuring your Service Principal to monitor the subscriptions you want.
You’re down to the final step, which is to connect Power BI to the CloudMonitor Analytics Engine.
Step 4: Connect the PowerBI Reporting to the Analytics Engine