Our application needs Reader permissions to be able to analyze users' usage and supply recommendations to optimize user costs. In this article, we explain how to configure user subscriptions to provide the permissions we need. Note that you need admin rights to the EA to perform the steps described.
Steps required on the Azure portal
- Go to the Azure Portal: https://portal.azure.com/
- Access the Azure Active Directory service.
- In the top bar, click the + icon and select App registration.
- In the Name field, add the app name (we recommend using Cost-App). In addition, in the Supported account types section, make sure you select the Accounts in this organizational directory only option.
- Click Register to create the app. After registering your new app, save the Directory ID and Application ID.
- Next, you need to create a client secret for your app. Go to Certificates & secrets and then click New client secret to create a new secret code.
- Enter a description for this secret code, and in the Expires section, select 18 months. Then click Add.
- Copy the Value of the client secret now (you won't be able to see it again).
- Navigate to Subscriptions.
- Click Access control (IAM) and select Add role assignment.
- In the Add a role assignment dialog, click Role to add a new role.
- In the Role field, add Monitoring Reader and click Next.
- Click the Members tab, then +Select Members and on the right side select the application name added in Step 4 (Cost-App).
- Repeat the previous two steps to add the Storage Blob Data Reader role (if you're using billing export integration).
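
Once the roles are assigned, you can check that the app holds only the roles from the steps above, at subscription scope. The following is an added example, not part of the original article or the product: it assumes you export the app's assignments with the Azure CLI (`az role assignment list --assignee <Application ID> --all -o json`), and the sample data, subscription IDs and the `audit` function are constructed for illustration.

```python
import json

# Roles the steps above assign; the second only applies with billing export.
REQUIRED = {"Monitoring Reader"}
OPTIONAL = {"Storage Blob Data Reader"}

# Constructed sample shaped like the output of
# `az role assignment list --assignee <Application ID> --all -o json`.
SUB_A = "00000000-0000-0000-0000-000000000001"  # placeholder subscription IDs
SUB_B = "00000000-0000-0000-0000-000000000002"
SAMPLE = json.dumps([
    {"roleDefinitionName": "Monitoring Reader", "scope": f"/subscriptions/{SUB_A}"},
    {"roleDefinitionName": "Storage Blob Data Reader", "scope": f"/subscriptions/{SUB_A}"},
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB_B}"},
    {"roleDefinitionName": "Monitoring Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/example-mg"},
])


def audit(assignments_json, subscriptions):
    """Return sorted findings for the app's role assignments.

    subscriptions: IDs where the app is expected to hold the roles.
    """
    findings = []
    granted = {s.lower(): set() for s in subscriptions}
    for a in json.loads(assignments_json):
        role, scope = a["roleDefinitionName"], a["scope"]
        parts = scope.strip("/").split("/")
        in_sub = len(parts) >= 2 and parts[0].lower() == "subscriptions"
        if role not in REQUIRED | OPTIONAL:
            findings.append(f"unexpected role '{role}' at {scope}")
        elif not in_sub:
            findings.append(f"'{role}' granted outside a subscription at {scope}")
        elif parts[1].lower() not in granted:
            findings.append(f"'{role}' on unlisted subscription {parts[1]}")
        elif len(parts) == 2:  # only subscription-level grants count
            granted[parts[1].lower()].add(role)
    for sub, roles in granted.items():
        for role in sorted(REQUIRED - roles):
            findings.append(f"missing '{role}' on subscription {sub}")
    return sorted(findings)


if __name__ == "__main__":
    for line in audit(SAMPLE, [SUB_A, SUB_B]):
        print(line)
```

An empty result means every listed subscription has Monitoring Reader and nothing beyond the two read-only roles is assigned to the app.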