To add an Azure subscription, you need permission to create service clients and assign roles.
Step 1
Skip to Step 5 if you came to this guide from the Connect Your Azure subscription
page.
Navigate to the ‘Account Manager’ tab.
Your Account Manager menu will look like the picture below if you don't have any accounts. Click on the 'Add new account' button.
If you already have some accounts, your Account Manager menu will appear as shown below. Click on the ‘Add environment’ button.
Step 2
Click on the ‘Azure (service principal)’ button.
Step 3
Select Single Subscription.
Step 4
You'll see the ‘Connect your Azure subscription’ page.
Step 5
In the first field, Account Name, you can either enter a specific name or leave it as the default ‘Azure,’ but it should not exceed 32 characters.
Step 6
Next, select the Access Type (the selected type will have a white point on a blue background):
Read-only: You can only view your resources and possible actions, without using the main functionality.
Read/write: You can use all the offered functions, such as converting to spot, scheduling resources, removing unused resources, and rightsizing your resources.
For this manual, we use Read/Write mode
Step 7
Then, select the Connection (the selected connection will have a white point on a blue background):
Automation: A shell script will automatically create a JSON key file.
Manual: You will need to create a new Service Principal manually and provide connection metadata.
Now, choose the Manual connection.
Step 8
Log in to the Microsoft Azure Portal.
Step 9
Go to Azure Active Directory. Copy the Tenant ID from the Basic information block on the Overview page.
Step 10
Select App registrations in the side menu on the Azure Active Directory page and create a new registration.
Keep the default account type and URL settings and click on the “Register” button. Copy the Application (client) Id as the Client ID from the application overview page.
Copy the Application (client) Id as the Client ID from the application overview page.
Step 11
On the app registration page, select Certificates & secrets in the side menu, then select the Client Secrets tab. Create a new secret with an arbitrary name (e.g., Uniskai Access Key) and at least a 180-day period.
Copy secret Value as Client Secret.
Copy secret Value as Client Secret.
Step 12
Create a role to allow API access. For read-write mode, perform these steps to create a role:
Go to the Management groups service, select the target subscription or management group
Choose Access control (IAM) in the side menu
Click on the plus button: Add → Add custom role
Give the name of the custom role (e.g., Uniskai Role). Note that it must be unique within your directory (tenant).
5. Go to the JSON tab and click on Edit in the top-right area; replace the permissions block with the following content:
"permissions": [
{
"actions": [
"*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachineScaleSets/start/action",
"Microsoft.Compute/virtualMachineScaleSets/deallocate/action",
"Microsoft.Compute/virtualMachineScaleSets/scale/action",
"Microsoft.Compute/virtualMachineScaleSets/write",
"Microsoft.Compute/virtualMachineScaleSets/delete",
"Microsoft.Compute/virtualMachines/delete",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.DBforPostgreSQL/flexibleServers/start/action",
"Microsoft.DBforPostgreSQL/flexibleServers/stop/action",
"Microsoft.DBforMySQL/flexibleServers/start/action",
"Microsoft.DBforMySQL/flexibleServers/stop/action",
"Microsoft.DBforMySQL/servers/start/action",
"Microsoft.DBforMySQL/servers/stop/action",
"Microsoft.DBforMariaDB/servers/start/action",
"Microsoft.DBforMariaDB/servers/stop/action",
"Microsoft.Compute/disks/delete",
"Microsoft.Compute/snapshots/delete",
"Microsoft.Compute/images/delete",
"Microsoft.Network/publicIPAddresses/delete",
"Microsoft.Resources/tags/read",
"Microsoft.Resources/tags/write",
"Microsoft.Web/serverfarms/delete",
"Microsoft.Web/serverfarms/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
6. Move on to the Review + create tab and click on Create.
Step 13
Assign role to the newly created client in the target subscription:
Go to the Subscriptions service, select the target subscription
Choose Access control (IAM) in the side menu
Click on the plus button: Add → Add role assignment
4. Select the role (the role created in the previous step) and click Next.
5. Choose to assign access to the User, group, or service principal. Search for the created client name and click Next → Review & Assign.
Step 14
Go to the Access control (IAM) section on the target subscription page and select the Role assignments tab. Search for the client assignment from step 8 and click on the client name.
Copy the Object ID from the client information page as the Principal ID.
Step 15
After you have completed steps 1-11, you should set up the export of your cost and usage data. You can do this by following the manual on the website, which contains all the necessary information, in the instructions it looks like this:
This is how the manual will appear:
To configure Cost Exports, log in to the Microsoft Azure Portal. Use this link to log in.
Configure cost data export:
Search and select Cost Exports to access cost data export settings.
Choose the main billing account scope for export by clicking the Scope button. You can also select only the subscription being connected to configure export.
Click on the Add button to open the Cost Explorer creation page.
Give a unique name to the cost export instance (e.g., billing-account-1-actual-costs)
Use default parameters for Metric (Actual cost), Export type (Daily export of month-to-date costs), and Start date (today).
Enable File Partitioning.
Configure storage account to store cost report files. You can select an existing storage account in the subscription being connected to Uniskai or create a new one by providing a unique name and location (ideally, close to Germany West Central).
Set any name for the container (e.g., cost-exports) and for the directory (e.g., actual) and click Create.
Launch cost export by clicking on the Run Now button.
Configure cost data storage account:
Go to the storage account configured as the reports' storage in the previous step. You can easily find it in the cost exports table.
Add a tag with the name uniskai-resource-usage and value billing-export.
Go to Access Control (IAM) and click on Add role assignment.
Select Storage Blob Data Reader role and click Next.
Select User, group, or service principal and choose Uniskai service principal (by default, Uniskai <subscription-id>-…).
Review and assign the role.
Optionally, allow access to credit and reservation transactions by assigning the Billing Reader role to the Uniskai service principal.
Go to the Billing access control page and click on the Add button.
Select Billing account reader
Search for the Uniskai app and click Add.
Review and assign the role.
Step 16
Go to the Uniskai page and check that all the required fields are filled in:
Check all the information and click the ‘Connect subscription’ button. The account was successfully connected; you can see the connected account on the Account Manager page: