Prerequisites for configuring Azure instance

This section describes the prerequisites that you must perform before you configure an Azure instance with the KM.

Before configuring a policy to start monitoring your Azure environment, perform the following in your Azure portal. The values that you copy to a text file are required to configure an infrastructure policy to monitor your Azure portal.

Action

Details

Copy Tenant ID to a text file

  1. From Azure portal menu, click Azure Active Directory.
  2. From the Tenant information tile, copy the Tenant ID value.

Create an application

Create an application through which KM gets access to your Azure environment for monitoring. After creating the application, create a secret key for it. Copy the Application ID and Secret Key of the application that you created and save it to a text file.

After creating the application, assign the following API Permissions to the application:

  • Azure Service Management: Access Azure Service Management as organization users
  • Azure Active Directory Graph: Sign in and read user profile
  1. Go to App registrations > New registration.
  2. In the Name field, enter a name of the application.
    1. For example, BMCApplication.
  3. In the Supported account types field, ensure that Accounts in this organizational directory only option is selected.
  4. In the Redirect URI field, select Web and enter the redirect URL.
    For example, https://BMCApplication.
  5. Click Register.
  6. On the application details page that is shown, copy value of the Application (client) ID field.
  7. Go to Certificates & Secrets > Client secrets > New client secret.
  8. In the Description field, enter a key description.
  9. In the Expires field, select the duration of the key and click Add.
  10. In the Client secret section, copy the value of the client secret that you added.
  11. To assign API permissions
    1. Go to API permissions > Add a permission > Azure Service Management.
    2. Click Delegated permissions and select the Access Azure Service Management as organization users permission.
    3. Click Add permissions.
    4. Click Add a permission > Azure Active Directory Graph.
    5. Click Delegated permissions and select the Sign in and read user profile permission.
    6. Click Add permissions.

Assign a role to the username with which you want the KM to connect to your Azure environment

  1. Go to Home > Subscription.
  2. Click the subscription that you want to monitor.
  3. Click Access Control (IAM) > Add > Add Role Assignment.
  4. From the Role list, select Reader.
  5. In the Assign access to list, ensure that User, group, or service principal is selected.
  6. In the Select list, select the application that you created and click Save.
  7. To add permission for the Storage Account Contributor role, click Add > Add role assignment.
    You need to assign this permission only if you want to monitor virtual machines and storage account services.
  8. From the Role list, select Storage Account Contributor.
  9. In the Assign access to list, ensure that User, group, or service principal is selected.
  10. In the Select list, select the application that you created and click Save.




 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*