Skip to main content
All CollectionsAdding an account to Uniskai
Adding Azure account with Read-only access with an Entire tenant using Manual connection
Adding Azure account with Read-only access with an Entire tenant using Manual connection

Learn how to add Azure Entire tenant read-only account using Manual connection

Updated over 2 months ago

You need permission to create service clients and assign roles to add an Azure subscription.

Step 1

Skip to Step 3 if you came to this guide from the Connect your Azure subscription

page.

Go to the "Account Manager" tab, pinned at the bottom of the left menu.

Your Account Manager menu will look like the picture below if you don't have any accounts. Click the ‘Add environment’ button.

If you already have some accounts, your Account Manager menu will display differently. Click the ‘Add environment’ button.

Choose Azure cloud service.

Select Entire tenant.

Step 2

You will be directed to the ‘Connect your Azure tenant’ page.

Step 3

In the first field, enter an Account name. You can use a specific name (up to 32 characters) or leave it as the default ‘AZURE.’

Step 4

Choose the Access type (The selected type will be marked with a white dot on a blue background):

  • Read/write: You will get full visibility of your cloud environment and optimization insights

  • Read-only: You will be able to actively save money and fix all issues

For this manual, we use Read-only mode

Step 5

Select the Connection type (The selected type will be marked with a white dot on a blue background):

  • Automatic: JSON key file will be automatically created by shell script

  • Manual: You will need to create a new Service Principal manually and provide connection metadata

Now, select the Manual connection.

Step 6

Step 7

Go to Azure Active Directory. Copy the Tenant ID from the Basic information block on the Overview page.

Step 8

Select App registrations in the side menu on the Azure Active Directory page and create a new registration.

Keep the default account type and URL settings and click on the “Register” button. Copy the Application (client) Id as the Client ID from the application overview page.

Copy the Application (client) Id as the Client ID from the application overview page.

Step 9

On the app registration page, select Certificates & secrets in the side menu, then select the Client Secrets tab. Create a new secret with an arbitrary name (e.g., Uniskai Access Key) and at least a 180-day period.

Copy secret Value as Client Secret.

Copy secret Value as Client Secret.

Step 10

Create a role to allow API access. For read-only mode, you can use the predefined Reader role and proceed to the next step (role assignment).

Step 11

Assign role to the newly created client in the target subscription:

  1. Go to the Subscriptions service, select the target subscription

  2. Choose Access control (IAM) in the side menu

  3. Click on the plus button: Add → Add role assignment

4. Select the role Reader and click Next.

5. Choose to assign access to the User, group, or service principal. Search for the created client name and click Next → Review & Assign.

Step 12

Go to the Access control (IAM) section on the target subscription page and select the Role assignments tab. Search for the client assignment from step 8 and click on the client name.

Copy the Object ID from the client information page as the Principal ID.

Step 13

After you have completed steps 1-13, you should set up the export of your cost and usage data. You can do this by following the manual on the website, which contains all the necessary information, in the instructions it looks like this:

This is how the manual will appear:

To configure Cost Exports, log in to the Microsoft Azure Portal. Use this link to log in.

Configure cost data export:

  1. Search and select Cost Exports to access cost data export settings.

  2. Choose the main billing account scope for export by clicking the Scope button. You can also select only the subscription being connected to configure export.

  3. Click on the Add button to open the Cost Explorer creation page.

  4. Give a unique name to the cost export instance (e.g., billing-account-1-actual-costs)

  5. Use default parameters for Metric (Actual cost), Export type (Daily export of month-to-date costs), and Start date (today).

  6. Enable File Partitioning.

  7. Configure storage account to store cost report files. You can select an existing storage account in the subscription being connected to Uniskai or create a new one by providing a unique name and location (ideally, close to Germany West Central).

  8. Set any name for the container (e.g., cost-exports) and for the directory (e.g., actual) and click Create.

  9. Launch cost export by clicking on the Run Now button.

Configure cost data storage account:

  1. Go to the storage account configured as the reports' storage in the previous step. You can easily find it in the cost exports table.

  2. Add a tag with the name uniskai-resource-usage and value billing-export.

  3. Go to Access Control (IAM) and click on Add role assignment.

  4. Select Storage Blob Data Reader role and click Next.

  5. Select User, group, or service principal and choose Uniskai service principal (by default, Uniskai <subscription-id>-…).

  6. Review and assign the role.

Optionally, allow access to credit and reservation transactions by assigning the Billing Reader role to the Uniskai service principal.

  1. Go to the Billing access control page and click on the Add button.

  2. Select Billing account reader

  3. Search for the Uniskai app and click Add.

  4. Review and assign the role.

Step 14

Go to the Uniskai page and check that all the required fields are filled in:

Check all the information and click the ‘Connect subscription’ button. The account was successfully connected; you can see the connected account on the Account Manager page:

Did this answer your question?