Adding Azure account with Entire tenant using Manual connection

Learn how to add an Azure account with a manual connection

Updated over a week ago

You need permission to create service clients and assign roles to add an Azure subscription.

Step 1

Go to the "Account Manager" tab, pinned at the bottom of the left menu.

Your Account Manager menu will look like the picture below if you don't have any accounts. Click the ‘Add environment’ button.

If you already have some accounts, your Account Manager menu will display differently. Click the ‘Add environment’ button.

Choose Azure cloud service.

Select Entire tenant

Step 2

You will be directed to the ‘Connect your Azure tenant’ page.

Step 3

In the first field, enter an Account name. You can use a specific name (up to 32 characters) or leave it as the default ‘AZURE.’

Step 4

Choose the Access type (The selected type will be marked with a white dot on a blue background):

  • Read/write: You will get full visibility of your cloud environment and optimization insights

  • Read-only: You will be able to actively save money and fix all issues

Step 5

Select the Connection type (The selected type will be marked with a white dot on a blue background):

  • Automatic: JSON key file will be automatically created by shell script

  • Manual: You will need to create a new Service Principal manually and provide connection metadata

Step 6

Refer to our manual:

Click the ‘Read manual’ button in the ‘Azure project connection’ pop-up.

This is how the manual appears:

At this moment, we've picked the Manual connection. Otherwise, follow the manual steps.

Step 7

Step 8

Go to Azure Active Directory. Copy the Tenant ID from the Basic information block on the Overview page.

Step 9

Select App registrations in the side menu on the Azure Active Directory page and create a new registration.

Keep the default account type and URL settings and click the “Register” button. Copy the Application (client) ID as the Client ID from the application overview page.


Step 10

On the app registration page, select Certificates & secrets in the side menu, then select the Client secrets tab. Create a new secret with an arbitrary name (e.g., Uniskai Access Key) and a validity period of at least 180 days.

Copy secret Value as Client Secret.


Step 11

Create a role to allow API access. For read-only mode, you can use the predefined Reader role and proceed to the next step (role assignment). For read-write mode, perform these steps to create a role:

  1. Go to the Management groups service, select the target subscription or management group

  2. Choose Access control (IAM) in the side menu

  3. Click on the plus button: Add → Add custom role

  4. Give the name of the custom role (e.g., Uniskai Role). Note that it must be unique within your directory (tenant).

  5. Go to the JSON tab and click on Edit in the top-right area; replace the permissions block with the following content:

    "permissions": [
        {
            "actions": [
                "*/read",
                "Microsoft.Compute/virtualMachines/start/action",
                "Microsoft.Compute/virtualMachines/deallocate/action",
                "Microsoft.Compute/virtualMachineScaleSets/start/action",
                "Microsoft.Compute/virtualMachineScaleSets/deallocate/action",
                "Microsoft.Compute/virtualMachineScaleSets/scale/action",
                "Microsoft.Compute/virtualMachineScaleSets/write",
                "Microsoft.Compute/virtualMachineScaleSets/delete",
                "Microsoft.Compute/virtualMachines/delete",
                "Microsoft.Compute/virtualMachines/write",
                "Microsoft.DBforPostgreSQL/flexibleServers/start/action",
                "Microsoft.DBforPostgreSQL/flexibleServers/stop/action",
                "Microsoft.DBforMySQL/flexibleServers/start/action",
                "Microsoft.DBforMySQL/flexibleServers/stop/action",
                "Microsoft.DBforMySQL/servers/start/action",
                "Microsoft.DBforMySQL/servers/stop/action",
                "Microsoft.DBforMariaDB/servers/start/action",
                "Microsoft.DBforMariaDB/servers/stop/action",
                "Microsoft.Compute/disks/delete",
                "Microsoft.Compute/snapshots/delete",
                "Microsoft.Compute/images/delete",
                "Microsoft.Network/publicIPAddresses/delete",
                "Microsoft.Resources/tags/read",
                "Microsoft.Resources/tags/write",
                "Microsoft.Web/serverfarms/delete",
                "Microsoft.Web/serverfarms/write"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
        }
    ]

  6. Move on to the Review + create tab and click on Create.
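
Before assigning the custom role, it helps to see what it can change. The following is an added example, not part of the original article or Uniskai's tooling: it groups a role definition's actions by effect and flags wildcards beyond read and any data-plane access. The function name audit_role and the sample are assumptions; the sample is constructed in the shape of one element returned by az role definition list --name.

```python
import json

# Constructed sample shaped like one element of the output of
#   az role definition list --name "Uniskai Role"
# The last action and the dataAction are drift added for this demo, not from the page.
SAMPLE = json.loads("""
{"roleName": "Uniskai Role",
 "permissions": [{
   "actions": ["*/read",
               "Microsoft.Compute/virtualMachines/deallocate/action",
               "Microsoft.Compute/virtualMachines/delete",
               "Microsoft.Resources/tags/write",
               "Microsoft.Compute/*"],
   "notActions": [],
   "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
   "notDataActions": []}]}
""")


def audit_role(role):
    """Group a role's control-plane actions by effect and list what needs review."""
    report = {"read": [], "action": [], "write": [], "delete": [], "findings": []}
    for perm in role.get("permissions", []):
        for action in perm.get("actions", []):
            # The last path segment of an Azure action is its verb.
            verb = action.lower().rsplit("/", 1)[-1]
            if "*" in action and verb != "read":
                # "*/read" is what the page grants; any other wildcard is broader.
                report["findings"].append("wildcard beyond read: " + action)
            elif verb in report and verb != "findings":
                report[verb].append(action)
            else:
                report["findings"].append("unclassified: " + action)
        # The role on this page has an empty dataActions list.
        for data_action in perm.get("dataActions", []):
            report["findings"].append("data-plane access: " + data_action)
    return report


if __name__ == "__main__":
    for key, values in audit_role(SAMPLE).items():
        print(f"{key:8} {len(values):2}  {values}")
```

Run against the role exactly as listed in step 5, the findings list is empty and the delete and write groups show which resources the service principal can remove or modify.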

Step 12

Assign the role to the newly created client in the target subscription:

  1. Go to the Subscriptions service, select the target subscription

  2. Choose Access control (IAM) in the side menu

  3. Click on the plus button: Add → Add role assignment

  4. Select the role (Reader or the role created in the previous step) and click Next

  5. Choose to assign access to the User, group, or service principal. Search for the created client name and click Next → Review & Assign

Step 13

Go to the Access control (IAM) section on the target subscription page and select the Role assignments tab. Search for the client assignment from step 8 and click on the client name.

Copy the Object ID from the client information page as Principal ID.

Step 14

After you have completed steps 1-13, set up the export of your cost and usage data. You can do this by following the manual on the website, which contains all the necessary information. In the instructions it looks like this:

This is how the manual will appear:

To configure Cost Exports, log in to the Microsoft Azure Portal. Use this link to log in.

Configure cost data export:

  1. Search and select Cost Exports to access cost data export settings.

  2. Choose the main billing account scope for export by clicking the Scope button. You can also choose only the subscription being connected to configure export.

  3. Click the Add button to open the cost explorer creation page.

  4. Give a unique name to the cost export instance (e.g., billing-account-1-actual-costs)

  5. Use default parameters for Metric (Actual cost), Export type (Daily export of month-to-date costs), and Start date (today).

  6. Enable File Partitioning.

  7. Configure storage account to store cost report files. You can select an existing storage account in the subscription being connected to Uniskai or create a new one by providing a unique name and location (ideally, close to Germany West Central).

  8. Set any name for the container (e.g., cost-exports) and for the directory (e.g., actual) and click Create.

  9. Launch cost export by clicking on the Run Now button.

Configure cost data storage account:

  1. Go to the storage account configured as the reports storage in the previous step. You can easily find it in the cost exports table.

  2. Add a tag with the name uniskai-resource-usage and value billing-export.

  3. Go to Access Control (IAM) and click on Add role assignment.

  4. Select Storage Blob Data Reader role and click Next.

  5. Select User, group, or service principal and choose Uniskai service principal (by default, Uniskai <subscription-id>-…).

  6. Review and assign the role.

Optionally, allow access to credit and reservation transactions by assigning the Billing Reader role to the Uniskai service principal.

  1. Go to Billing access control page and click on the Add button.

  2. Select Billing account reader

  3. Search for Uniskai app and click Add.

  4. Review and assign the role.

Step 17

Go to the Uniskai page and check that all the required fields are filled in:

Check all the information and click the ‘Connect subscription’ button. Once the account is successfully connected, you can see it on the Account Manager page:
