This section describes the prerequisites that you must complete before you configure an Azure instance with the KM.
Before configuring a policy to start monitoring your Azure environment, perform the following in your Azure portal. The values that you copy to a text file are required to configure an infrastructure policy to monitor your Azure portal.
The following video (3:23) provides the steps that you must perform before configuring a policy to monitor your Azure environment.
From the Azure portal menu, click Azure Active Directory.
From the Tenant information tile, copy the Tenant ID value.
Create an application
Create an application through which the KM gets access to your Azure environment for monitoring. After creating the application, create a secret key for it. Copy the Application ID and Secret Key of the application that you created and save them to a text file.
After creating the application, assign the following API Permissions to the application: Azure Service Management: Access Azure Service Management as organization users.
Go to App registrations > New registration.
In the Name field, enter a name for the application.
For example, BMCApplication.
In the Supported account types field, ensure that the Accounts in this organizational directory only option is selected.
In the Redirect URI field, select Web and enter the redirect URL. For example, https://BMCApplication.
Click Register.
On the application details page that is shown, copy the value of the Application (client) ID field.
Select your client application and click API permissions > Add a permission. Add the following permissions:
| API / Permission name | Type | Description |
| --- | --- | --- |
| Azure Service Management | Delegated | To access Azure Service Management as organization users |
| Azure storage (user_impersonation) | Delegated | To access Azure storage |
| Microsoft Graph (User.Read) | Delegated | To sign in and read user profile |
To configure a certificate, perform one of the following actions:
Add new client secret
Go to Certificates & Secrets > Client secrets > New client secret.
In the Description field, enter a key description.
In the Expires field, select the duration of the key and click Add.
In the Client secrets section, copy the value of the client secret that you added.
Select the file you want to upload. It must be one of the following file types: .cer, .pem, .crt.
Select Add. Copy the value of the certificate thumbprint.
Assign a role to the username with which you want the KM to connect to your Azure environment
Go to Home > Subscription.
Click the subscription that you want to monitor.
Click Access Control (IAM) > Add > Add Role Assignment.
From the Role list, select Monitoring Reader.
In the Assign access to list, ensure that User, group, or service principal is selected.
In the Select list, select the application that you created and click Save.
Click Access Control (IAM) > Add > Add Role Assignment.
From the Role list, select Reader.
In the Assign access to list, ensure that User, group, or service principal is selected.
In the Select list, select the application that you created and click Save.
To add permission for the Storage Account Contributor role, click Add > Add role assignment. You need to assign this permission only if you want to monitor virtual machines and storage account services.
From the Role list, select Storage Account Contributor.
In the Assign access to list, ensure that User, group, or service principal is selected.
In the Select list, select the application that you created and click Save.
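To confirm that the application holds only the roles this procedure assigns, the following added example (not part of the original page or of the product) audits role-assignment JSON in the shape returned by `az role assignment list --assignee <application-id> --all -o json`. The function name, sample data, and all-zero subscription ID are constructed for illustration.

```python
import json

# Roles this page assigns to the monitoring application.
REQUIRED_ROLES = {"Monitoring Reader", "Reader"}
# Needed only when virtual machines and storage account services are monitored.
OPTIONAL_ROLES = {"Storage Account Contributor"}

SUB = "00000000-0000-0000-0000-000000000000"  # placeholder subscription ID

# Constructed sample; only the two fields the audit reads are included.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "Monitoring Reader", "scope": f"/subscriptions/{SUB}"},
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB}"},
    {"roleDefinitionName": "Storage Account Contributor",
     "scope": f"/subscriptions/{SUB}"},
    {"roleDefinitionName": "Contributor", "scope": "/"},
])


def audit_assignments(raw_json, subscription_id, monitors_storage):
    """Return sorted findings for the application's role assignments."""
    expected_scope = f"/subscriptions/{subscription_id}".lower()
    allowed = REQUIRED_ROLES | (OPTIONAL_ROLES if monitors_storage else set())
    findings, granted = [], set()
    for item in json.loads(raw_json):
        role, scope = item["roleDefinitionName"], item["scope"]
        if role not in allowed:
            # Anything beyond the roles listed on this page is excess privilege.
            findings.append(f"unexpected role: {role} at {scope}")
        elif scope.lower() == expected_scope:
            granted.add(role)
        else:
            # The procedure assigns roles on the monitored subscription itself.
            findings.append(f"wrong scope: {role} at {scope}")
    for role in REQUIRED_ROLES - granted:
        findings.append(f"missing role: {role}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_assignments(SAMPLE_ASSIGNMENTS, SUB, monitors_storage=False):
        print(finding)
```

Run it with `monitors_storage=True` only when virtual machines and storage account services are in scope, so that a leftover Storage Account Contributor assignment is reported otherwise.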