Setting up Azure Account

Depending on the type, you can configure Tanzu CloudHealth to populate complete cost and usage information for your Microsoft Azure account.

Enterprise Agreement Azure Account

  1. Register Tanzu CloudHealth App with Service Principal
  2. Assign an Enrollment Reader Role to the Service Principal
  3. Add Reader Role for Subscriptions
  4. Connect Service Principal in Tanzu CloudHealth
  5. Get Commitment Start Date and Commitment Amount
  6. Connect Enrollment in Tanzu CloudHealth
  7. Assign Reader Role to Azure Reservation Orders
  8. Assign Reader Role to Azure Savings Plan
  9. Configure Application Permission for Azure AD User Collection (optional)

For detailed instructions, refer to the Configuring an Enterprise Agreement Azure Account section below.

Pay-as-you-go Azure Account

  1. Register Tanzu CloudHealth with Service Principal
  2. Add Reader role for Subscriptions
  3. Connect Service Principal
  4. Assign a Reader Role to Azure Reservation Orders
  5. Configure Application Permission for Azure AD User Collection

For detailed instructions, refer to the Configuring a Pay-as-you-go Azure Account section below.

Microsoft Customer Agreement

  1. Register Tanzu CloudHealth with Service Principal
  2. Add Reader Role for Subscriptions
  3. Add Service Principal as the Billing Account Reader
  4. Connect Service Principal
  5. Assign a Reader Role to Azure Reservation Orders
  6. Configure Application Permission for Azure AD User Collection

For detailed instructions, refer to the Configuring Microsoft Customer Agreement section below.

Roles and Permissions for Azure

Assigning the required Azure IAM permissions to your custom role is essential to

  • Implement actions from the policy- From the left menu, go to Setup > Governance > Policy. When creating or updating a policy, select the required policy action from the dropdown.
  • Implement bulk actions on assets- From the left menu, go to Assets > Azure, and select the required asset. On the asset report page, select the resources. From the Bulk Actions dropdown, select the required action for the selected resources.
  • Implement custom action on an asset- From the left menu, go to Assets > Azure, and select the required asset. On the asset report page, move the horizontal scroll bar to the right end to view the Actions column. Select the required action from the Actions dropdown.

You can use an existing custom role and add permissions to it, or if you want, you can create a new custom role. For steps on how to create a custom role, see Azure custom roles.

You must have Owner or User Access Administrator access to create or assign roles.

Required Azure IAM Permissions

For Azure Managed Disks

Field Description
Required IAM Permissions Microsoft.Compute/disks/delete - Delete a managed disk.
Tanzu CloudHealth reports associated with the resource Azure Disk Assets report
Collection Frequency Every 15 min

For Azure Snapshots

Field Description
Required IAM Permissions Microsoft.Compute/snapshots/delete - Delete a snapshot.
Microsoft.Compute/snapshots/write - Take Snapshot of your Azure Disk.
Tanzu CloudHealth reports associated with the resource Azure Snapshot Assets report
Collection Frequency Every 15 min

Note When you create a snapshot, you automatically create a snapshot name off the disk name. The format of new Snapshot name would be - disk_name-snapshot-UUID.

For Azure IP Addresses

Field Description
Required IAM Permissions Microsoft.Network/publicIPAddresses/delete - Delete a public IP address
Tanzu CloudHealth reports associated with the resource Azure IP Address Assets report
Collection Frequency Every 15 min

Configuring an Enterprise Agreement Azure Account

Complete the following steps to configure your Enterprise Agreement (EA) Azure account with VMware Tanzu CloudHealth.

Step 1 - Register Tanzu CloudHealth App with Service Principal

Prerequisite: You must have global administrator privileges to register an App. While the connection between Tanzu CloudHealth and Azure is read-only, a global administrator must register the App to ensure that there are no errors.

  1. In the Azure Portal, select Azure Active Directory from the left menu.
  2. From the left menu, select App Registrations tile and then click New App Registration.
  3. Fill out the following fields in the form and then click Create:
    • Name: Enter the name of the service principal
    • Supported Account Types: Select Accounts in this organizational directory only.
    • Redirect URI: Select Web from the dropdown and enter https://apps.cloudhealthtech.com

  4. Open the Application Registration you just created.

    • Copy the Display Name into the text document.
    • Copy the Application ID into the text document. Due to a rare issue in the Azure Portal, creating a new app registration might fail to create a new service principal as expected. If this occurs, click the Create Service Principal link in App Registrations > Overview.

    Azure Service Principal bug

  5. Go to Certificates & Secrets in the left menu. Click New Client Secret.

    • Add a key description. Make sure there are no spaces.
    • Select a duration. It is recommended that you set the expiration to at least one year.
  6. Click Save. A value is generated.
  7. Copy the key description and value into the text document.
  8. Close the App Registration blade and return to the Active Directory menu.
  9. Under the Manage header, select Properties.
  10. Locate the directory ID. Select the Copy icon to copy the ID and then paste it into the text document.
  11. Repeat steps 1-10 for each directory you manage.

Checkpoint: At this point, you have this information in the text document.

  • Display Name
  • Application ID
  • Key Description
  • Key Value
  • Directory ID/Tenant ID

Step 2 - Assign an Enrollment Reader Role to the Service Principal

You can only create or update this billing role using the API.

  1. Use your account credentials as an Enterprise Admin to sign in to the tenant with the enrollment access that you want to assign.
  2. Provide the following parameters as a part of the API request. For help locating these values, see Find your SPN and tenant ID.
    • Object ID
    • Azure Tenant ID
    • BillingAccountID
    • Role definition (already pre-filled with correct role ID).

Example:

{
  "properties": {
    "principalId": "REPLACE WITH OBJECT ID",
    "principalTenantId": "REPLACE WITH TENANT ID",
    "roleDefinitionId": "/providers/Microsoft.Billing/billingAccounts/REPLACE WITH BillingAccountID/billingRoleDefinitions/24f8edb6-1668-4659-b5e2-40bb5f3a7d7e"
  }
}
  1. Locate the enrollment ID of your active EA and the billing account name.
    • The enrollment ID can be found in the EA and Azure portal.
    • The billing account name is the same as the billingAccountID that you used in the API parameters.
  2. Generate the GUID billingRoleAssignmentName. Generate a GUID using the New-Guid PowerShell command. You can also use the Online GUID / UUID Generator website to generate a unique GUID. Note down the GUID for later use.
  3. Use the Role Assignments - Put - REST API (Azure Billing) command to update the role assignments.
  4. Repeat the previous steps for other Service Principles.

Mapping Multiple Enrollments to the Same Service Principal

If you have multiple enrollments mapped to the same service principles, you will need to run the Role Assignments - Put - REST API (Azure Billing) command for each enrollment.

  1. Open the Role Assignments - Put REST API article, and click Try it.
  2. Sign in to the tenant as an Enterprise Admin with the enrollment access.

  3. Provide the following parameters as a part of the API request.

    • Object ID
    • Azure Tenant ID
    • Enrollment Id
    • Role definition (already pre-filled with correct role ID)

    For help on locating these values, see Find your SPN and tenant ID.

    Example:

    {
“properties”: {
“principalId”: “SPN ID OR OBJECT ID”,
“principalTenantId”: “ADtenant ID OR Azure Tenant ID”,
“roleDefinitionId”: “/providers/Microsoft.Billing/billingAccounts/EnrollmentID/billingRoleDefinitions/24f8edb6-1668-4659-b5e2-40bb5f3a7d7e”
}
}
    • Change the EnrollmentID parameter in the request Body.
    • Generate a new GUID using the New-Guid PowerShell command.

  4. Click Run.

  5. Repeat the previous steps for each enrollment.

Configuring GovCloud Subscriptions

When configuring the Service Principals with the enrollmentReader permission, change the API endpoint URL in the Role Assignments - Put API from https://management.azure.com to https://management.usgovcloudapi.net to grant the SPN the new permission.

Step 3 - Add Reader Role for Subscriptions

For help assigning roles in Azure, see Assign Azure Roles using the Azure Portal.

When assigning the role, make the following selections:

  • Role: Reader
  • Members: Select the Service Principal created in Step 1.

Repeat this step for each subscription.

Add Permissions to Access Key Vault (Optional)

With the additional get and list permissions, Tanzu CloudHealth gets access to keys and secrets for each key vault under each subscription. Providing this access offers the following benefits:

  • Visibility: Get all keys & secret details under each key vault in Asset reports.
  • Policies: Create policies on keys and secrets and get notified if any key/secret doesn’t have an expiry date set.
  • Perspectives: Since Key Vault Keys & Secrets are taggable assets, you can create perspective groups based on tags.

Use the following steps to grant additional permissions to the service principal:

  1. Log in to the Azure Portal, and click the Cloud Shell icon on the top navigation bar.
  2. Enter the following PowerShell script for every active Service Principal that you have added in Tanzu CloudHealth. 
    $subs = Get-AzureRmSubscription
$client_id = 'Application id of service principal'
foreach ($sub in $subs) {Set-AzureRmContext -SubscriptionId $sub.SubscriptionId
$key_vaults = Get-AzureRmKeyVault
foreach ($key_vault in $key_vaults) {Set-AzureRmKeyVaultAccessPolicy -VaultName $key_vault.VaultName -ServicePrincipalName $client_id -PermissionsToKeys get,list -PermissionsToSecrets get,list } }

Get the Application id of the service principal from Tanzu CloudHealth. Go to Setup > Accounts > Azure Service Principal.

The script accesses current key vaults and grant permission to the service principal to retrieve and display key vault keys and secrets.

For a newly-added key vault, you need to separately grant permission to the service principal to retrieve and display keys. You can either run the above PowerShell script or manually add the service principal using following steps:

  1. In the Azure Portal, go to the newly added key vault.
  2. From the Settings menu, navigate to Access Policies, and click Add Access Policy.
  3. Select get, list permissions from the__ Key permissions__ and Secret permissions dropdown.
  4. Select Service principal.
  5. Click Add.

Step 4 - Connect Service Principal in Tanzu CloudHealth

Connect the Service Principal that you configured in the Azure portal to Tanzu CloudHealth.

  1. Log in to the Tanzu CloudHealth platform. Navigate to select Setup > Accounts > Azure Service Principal. Then click New Service Principal.
  2. Select Global Azure from the Account Type dropdown.
  3. Copy the information from the text document into corresponding fields in the setup form. Make sure there are no spaces.
  4. Optionally, select the Security Asset Collection dropdown if you want to disable asset collection on certain assets for security reasons. Tanzu CloudHealth recommends enabling asset collection for all assets and does not store sensitive data. Disabled assets are marked as inactive in Tanzu CloudHealth and cannot be used in policies.
  5. Click Save Service Principal.

Step 5 - Get Commitment Start Date and Commitment Amount

Get the date when you Enterprise Agreement starts and how much money you have committed to the agreement.

  1. Log in to the Azure portal.
  2. Navigate to Cost Management + Billing, and select your Enterprise Agreement billing account.
  3. From the left pane, select Credits + Commitments, then select the Microsoft Azure Consumption Commitment (MACC) tab.
  4. Copy the commitment Start Date and Commitment Amount into a text document.

Step 6 - Connect Enrollment in Tanzu CloudHealth

  1. Navigate to Setup > Accounts > Azure Enrollment.
  2. Click Add Enrollment.
  3. Enter the Enrollment ID and give your enrollment a friendly name (e.g., Company EA).
  4. Select the required Service Principal from the dropdown.
  5. In the Commitment section, select the Commitment Term.
  6. Optionally, provide Commitment Amount and Commitment Start Date.
  7. Click Save Enrollment.

Note - The API Access Key is not required to connect the enrollment.

Step 7 - Assign a Reader Role to Azure Reservation Orders

Assign a reader role to Azure reservation orders to enable Azure data in Tanzu CloudHealth reports. To allow Tanzu CloudHealth reader-only access to your reservations, you must assign a reader role to all your reservation orders. Failure to do so will prevent your Azure reports from working correctly.

  1. Log in to the Azure Portal and go to Azure Active Directory > App Registrations.
  2. Copy the display name of the application you registered for Tanzu CloudHealth and paste it in a Text file (such as NotePad or TextEdit).
  3. Log in to Tanzu CloudHealth. Go to Assets > Azure and select Reservation Orders from the Other section.
  4. For the first reservation order in the table, select the Azure Portal icon to open that reservation order in the Azure Portal.
  5. Go to Access Control (IAM) and click Add.
  6. Fill out the fields as follows:
    • Select Reader from the Role dropdown menu.
    • In the Select field, copy and paste the service principal display name from step 2 that is associated with the reservation order and select the user returned by the search.
  7. Click Save.
  8. Repeat steps 4-7 for each reservation order.

Step 8 - Assign a Reader Role to Azure Savings Plans

  1. Log in to the Azure Portal and go to Azure Active Directory > App Registrations.
  2. Copy the display name of the application you registered for Tanzu CloudHealth and paste it in a Text file (such as NotePad or TextEdit).
  3. Log in to the Tanzu CloudHealth platform. Go to Assets > Azure and select Savings Plans from the Other section.
  4. In the Savings Plan table, click the Go to Azure Portal icon to open the savings plan in the Azure portal.
  5. From the left pane, go to Access Control (IAM) and click Add role assignment.
  6. Fill out the fields as follows:
    • Select Reader from the Role dropdown menu.
    • In the Select field, copy and paste the service principal display name from step 2 that is associated with the savings plan and select the user returned by the search.
  7. Click Save.
  8. Repeat steps 4-7 for each Savings Plan.

Step 9 - Configure Application Permission for Azure AD User Collection (Optional)

Tanzu CloudHealth supports Azure AD User collection through Azure Service Principal. To collect the Azure AD objects, you need to add an additional Graph API permission to the Service Principal.

  1. Log in to the Azure Portal, go to Azure Active Directory > App Registrations, and select the Tanzu CloudHealth app.
  2. Click API permissions > Add a permission.
  3. Select Microsoft Graph and click Application permissions.
  4. Under Select Permissions, expand Users, and select User.Read.All permission.

  5. Click Add Permissions.

    Grant Admin Consent

Once you add the required permissions, click Grant admin consent for Default Directory to allow an admin to grant admin consent to the configured permissions.

Admin Consent Granted

Configuring a Pay-as-you-go Azure Account

Complete the following steps to configure your Pay-As-You-Go (PAYG) Azure account with Tanzu CloudHealth .

Step 1 - Register Tanzu CloudHealth App with Service Principal

Create a Tanzu CloudHealth App in the Azure portal and register it with a Service Principal Repeat this process for each directory you manage.

Prerequisite You must have global administrator privileges to register an App. While the connection between Tanzu CloudHealth and Azure is read-only, a global administrator must register the App to ensure that there are no errors.

  1. Open a text editor (such as NotePad or TextEdit) so that you can store specific parameters of the service principal that you need to provide in Tanzu CloudHealth.
  2. Log in to the Azure Portal.
  3. From the left menu, select Azure Active Directory. If a menu entry for Azure Active Directory does not exist, search for it.
  4. Select the App Registrations tile and then click New Registration from the top of the page.
  5. Fill out the following fields in the form and then click Create:
    • Name: Enter the name of the service principal
    • Supported Account Types: Select Accounts in this organizational directory only.
    • Redirect URI: Select Web from the dropdown and enter https://apps.cloudhealthtech.com Due to a a rare issue in the Azure Portal, creating a new app registration might fail to create a new service principal as expected. If this occurs, click the Create Service Principal link in App Registrations > Overview.
  6. Open the Application Registration you just created.
    • Copy the Display Name into the text document.
    • Copy the Application ID into the text document.
  7. Go to Certificates & Secrets in the left menu. Click New Client Secret.
    • Add a key description. Make sure there are no spaces.
    • Select a duration. It is recommended that you set the expiration to at least one year.
  8. Click Save. A value is generated.
  9. Copy the key description and value into the text document.
  10. Close the App Registration blade and return to the Active Directory menu.
  11. Under the Manage header, select Properties.
  12. Locate the directory ID. Select the Copy icon to copy the ID and then paste it into the text document.

Checkpoint: At this point, you have this information in the text document.

  • Display Name
  • Application ID
  • Key Description
  • Key Value
  • Directory ID/Tenant ID

Step 2 - Add Reader Role for Subscriptions

Assign a Reader role for subscriptions that are managed in the directory.

For help assigning roles in Azure, see Assign Azure Roles using the Azure Portal.

When assigning the role, make the following selections:

  • Role: Reader
  • Members: Select the Service Principal created in Step 1.

Note - Repeat this step for each subscription.

Add Permissions to Access Key Vault (Optional)

With the additional get and list permissions, Tanzu CloudHealth gets access to keys and secrets for each key vault under each subscription. Providing this access offers the following benefits:

  • Visibility: Get all keys & secret details under each key vault in Asset reports.
  • Policies: Create policies on keys and secrets and get notified if any key/secret doesn’t have an expiry date set.
  • Perspectives: Since Key Vault Keys & Secrets are taggable assets, you can create perspective groups based on tags.

Use the following steps to grant additional permissions to the service principal:

  1. Log in to the Azure Portal, and click the Cloud Shell icon on the top navigation bar.
  2. Enter the following PowerShell script for every active Service Principal that you have added in Tanzu CloudHealth. 
    $subs = Get-AzureRmSubscription
$client_id = 'Application id of service principal'
foreach ($sub in $subs) {Set-AzureRmContext -SubscriptionId $sub.SubscriptionId
$key_vaults = Get-AzureRmKeyVault
foreach ($key_vault in $key_vaults) {Set-AzureRmKeyVaultAccessPolicy -VaultName $key_vault.VaultName -ServicePrincipalName $client_id -PermissionsToKeys get,list -PermissionsToSecrets get,list } }

Get the Application id of the service principal from Tanzu CloudHealth. Go to Setup > Accounts > Azure Service Principal.

The script accesses current key vaults and grant permission to the service principal to retrieve and display key vault keys and secrets.

For a newly-added key vault, you need to separately grant permission to the service principal to retrieve and display keys. You can either run the above PowerShell script or manually add the service principal using following steps:

  1. In the Azure Portal, go to the newly added key vault.
  2. From the Settings menu, navigate to Access Policies, and click Add Access Policy.
  3. Select get, list permissions from the__ Key permissions__ and Secret permissions dropdown.
  4. Select Service principal.
  5. Click Add.

Step 3 - Connect Service Principal in Tanzu CloudHealth

Connect the Service Principal that you configured in the Azure portal to Tanzu CloudHealth.

  1. In the Tanzu CloudHealth platform, navigate to select Setup > Accounts > Azure Service Principal. Then click New Service Principal.
  2. Select Global Azure from the Account Type dropdown.
  3. Copy the information from the text document into corresponding fields in the setup form. Make sure there are no spaces.
  4. Optionally, select the Security Asset Collection dropdown if you want to disable asset collection on certain assets for security reasons. Tanzu CloudHealth recommends enabling asset collection for all assets and does not store sensitive data.

    Disabled assets are marked as inactive in Tanzu CloudHealth and cannot be used in policies.

  5. Click Save Service Principal.

Step 4 - Assign a Reader Role to Azure Reservation Orders

Assign a reader role to Azure reservation orders to enable Azure data in Tanzu CloudHealth reports. To allow Tanzu CloudHealth reader-only access to your reservations, you must assign a reader role to all your reservation orders. Failure to do so will prevent your Azure reports from working correctly.

  1. Log in to the Azure Portal and go to Azure Active Directory > App Registrations.
  2. Copy the display name of the application you registered for Tanzu CloudHealth and paste it in a Text file (such as NotePad or TextEdit).
  3. Log in to Tanzu CloudHealth. Go to Assets > Azure and select Reservation Orders from the Other section.
  4. For the first reservation order in the table, select the Azure Portal icon to open that reservation order in the Azure Portal.
  5. Go to Access Control (IAM) and click Add.
  6. Fill out the fields as follows:
    • Select Reader from the Role dropdown menu.
    • In the Select field, copy and paste the service principal display name from step 2 that is associated with the reservation order and select the user returned by the search.
  7. Click Save.
  8. Repeat steps 4-7 for each reservation order.

Step 5 - Assign a Reader Role to Azure Savings Plans

  1. Log in to the Azure Portal and go to Azure Active Directory > App Registrations.
  2. Copy the display name of the application you registered for Tanzu CloudHealth and paste it in a Text file (such as NotePad or TextEdit).
  3. Log in to the Tanzu CloudHealth platform. Go to Assets > Azure and select Savings Plans from the Other section.
  4. In the Savings Plan table, click the Go to Azure Portal icon to open the savings plan in the Azure portal.
  5. From the left pane, go to Access Control (IAM) and click Add role assignment.
  6. Fill out the fields as follows:
    • Select Reader from the Role dropdown menu.
    • In the Select field, copy and paste the service principal display name from step 2 that is associated with the savings plan and select the user returned by the search.
  7. Click Save.
  8. Repeat steps 4-7 for each Savings Plan.

Step 6 - Configure Application Permission for Azure AD User Collection (Optional)

Tanzu CloudHealth supports Azure AD User collection through Azure Service Principal. To collect the Azure AD objects, you need to add an additional Graph API permission to the Service Principal.

  1. Log in to the Azure Portal, go to Azure Active Directory > App Registrations, and select the Tanzu CloudHealth app.
  2. Click API permissions > Add a permission.
  3. Select Microsoft Graph and click Application permissions.
  4. Under Select Permissions, expand Users, and select User.Read.All permission.
  5. Click Add Permissions.

Once you add the required permissions, click Grant admin consent for Default Directory to allow an admin to grant admin consent to the configured permissions.

Configuring Microsoft Customer Agreement

Complete the following steps to configure Microsoft Customer Agreement with the Tanzu CloudHealth Platform.

Step 1 - Register Tanzu CloudHealth App with Service Principal

Create a Tanzu CloudHealth App in the Azure portal and register it with a Service Principal

Repeat this process for each directory you manage.

Prerequisite
You must have global administrator privileges to register an App. While the connection between Tanzu CloudHealth and Azure is read-only, a global administrator must register the App to ensure that there are no errors.

  1. Open a text editor (such as NotePad or TextEdit) so that you can store specific parameters of the service principal that you need to provide in the Tanzu CloudHealth platform.
  2. Log in to the Azure Portal.
  3. From the left menu, select Azure Active Directory.

    If a menu entry for Azure Active Directory does not exist, search for it.

  4. Select the App Registrations tile and then click New Registration from the top of the page.
  5. Fill out the following fields in the form and then click Create:
    • Name: Enter the name of the service principal
    • Supported Account Types: Select Accounts in this organizational directory only.
    • Redirect URI: Select Web from the dropdown and enter https://apps.cloudhealthtech.com

    Due to a a rare issue in the Azure Portal, creating a new app registration might fail to create a new service principal as expected. If this occurs, click the Create Service Principal link in App Registrations > Overview.

  6. Open the Application Registration you just created.
    • Copy the Display Name into the text document.
    • Copy the Application ID into the text document.
  7. Go to Certificates & Secrets in the left menu. Click New Client Secret.
    • Add a key description. Make sure there are no spaces.
    • Select a duration. It is recommended that you set the expiration to at least one year.
  8. Click Save. A value is generated.
  9. Copy the key description and value into the text document.
  10. Close the App Registration blade and return to the Active Directory menu.
  11. Under the Manage header, select Properties.
  12. Locate the directory ID. Select the Copy icon to copy the ID and then paste it into the text document.

Checkpoint: At this point, you have this information in the text document.

  • Display Name
  • Application ID
  • Key Description
  • Key Value
  • Directory ID/Tenant ID

Step 2 - Add Reader Role for Subscriptions

Assign a Reader role for subscriptions that are managed in the directory.

For help assigning roles in Azure, see Assign Azure Roles using the Azure Portal.

When assigning the role, make the following selections:

  • Role: Reader
  • Members: Select the Service Principal created in Step 1.

Repeat this step for each subscription.

Add Permissions to Access Key Vault (Optional)

With the additional get and list permissions, Tanzu CloudHealth gets access to keys and secrets for each key vault under each subscription. Providing this access offers the following benefits:

  • Visibility: Get all keys & secret details under each key vault in Asset reports.
  • Policies: Create policies on keys and secrets and get notified if any key/secret doesn’t have an expiry date set.
  • Perspectives: Since Key Vault Keys & Secrets are taggable assets, you can create perspective groups based on tags.

Use the following steps to grant additional permissions to the service principal:

  1. Log in to the Azure Portal, and click the Cloud Shell icon on the top navigation bar.
  2. Enter the following PowerShell script for every active Service Principal that you have added in the Tanzu CloudHealth platform. 
    $subs = Get-AzureRmSubscription
$client_id = 'Application id of service principal'
foreach ($sub in $subs) {Set-AzureRmContext -SubscriptionId $sub.SubscriptionId
$key_vaults = Get-AzureRmKeyVault
foreach ($key_vault in $key_vaults) {Set-AzureRmKeyVaultAccessPolicy -VaultName $key_vault.VaultName -ServicePrincipalName $client_id -PermissionsToKeys get,list -PermissionsToSecrets get,list } }

Note - Get the Application id of the service principal from the Tanzu CloudHealth platform. Go to Setup > Accounts > Azure Service Principal.

The script accesses current key vaults and grant permission to the service principal to retrieve and display key vault keys and secrets.

For a newly-added key vault, you need to separately grant permission to the service principal to retrieve and display keys. You can either run the above PowerShell script or manually add the service principal using following steps:

  1. In the Azure Portal, go to the newly added key vault.
  2. From the Settings menu, navigate to Access Policies, and click Add Access Policy.
  3. Select get, list permissions from the__ Key permissions__ and Secret permissions dropdown.
  4. Select Service principal.
  5. Click Add.

Step 3 - Add Service Principal as the Billing Account Reader

Assign the service principal as the billing account reader for the billing account.

Note - Repeat these steps for each billing account. To switch your scope to a different billing account, see Switch Billing Scope in the Azure Portal.

  1. Log in to the Azure Portal.
  2. From the left navigation, click All services, scroll down to General section, and click Cost Management + Billing. Or, type Cost Management + Billing in the search bar and press Enter.
  3. On the Cost Management page, from the left menu, select Access Control (IAM).
  4. Select +Add to add a new permission.
  5. Fill out the Add Permission form as follows and click Save:
    • Select Billing Account Reader from the Role dropdown.
    • Enter the name of the service principal in the Select field.

Step 4 - Connect Service Principal in Tanzu CloudHealth

Connect the Service Principal that you configured in the Azure portal to the Tanzu CloudHealth Platform.

  1. Log in to the Tanzu CloudHealth platform. From the left menu, select Setup > Accounts > Azure Service Principal. Then click New Service Principal.
  2. Select Global Azure from the Account Type dropdown.
  3. Copy the information from the text document into corresponding fields in the setup form. Make sure there are no spaces.
  4. Optionally, select the Security Asset Collection dropdown if you want to disable asset collection on certain assets for security reasons. Tanzu CloudHealth recommends enabling asset collection for all assets and does not store sensitive data.

    Disabled assets are marked as inactive in Tanzu CloudHealth and cannot be used in policies.

  5. Click Save Service Principal.

Step 5 - Assign a Reader Role to Azure Savings Plans

  1. Log in to the Azure Portal and go to Azure Active Directory > App Registrations.
  2. Copy the display name of the application you registered for Tanzu CloudHealth and paste it in a Text file (such as NotePad or TextEdit).
  3. Log in to the Tanzu CloudHealth platform. Go to Assets > Azure and select Savings Plans from the Other section.
  4. In the Savings Plan table, click the Go to Azure Portal icon to open the savings plan in the Azure portal.
  5. From the left pane, go to Access Control (IAM) and click Add role assignment.
  6. Fill out the fields as follows:
    • Select Reader from the Role dropdown menu.
    • In the Select field, copy and paste the service principal display name from step 2 that is associated with the savings plan and select the user returned by the search.
  7. Click Save.
  8. Repeat steps 4-7 for each Savings Plan.

Step 6 - Assign a Reader Role to Azure Reservation Orders

To allow Tanzu CloudHealth reader-only access to your reservations, you must assign a reader role to all your reservation orders. Failure to do so will prevent your Azure reports from working correctly.

  1. Log in to the Azure Portal and go to Azure Active Directory > App Registrations.
  2. Copy the display name of the application you registered for Tanzu CloudHealth and paste it in a Text file (such as NotePad or TextEdit).
  3. Log in to the Tanzu CloudHealth Platform. Go to Assets > Azure and select Reservation Orders from the Other section.
  4. For the first reservation order in the table, select the Azure Portal icon to open that reservation order in the Azure Portal.
  5. Go to Access Control (IAM) and click Add.
  6. Fill out the fields as follows:
    • Select Reader from the Role dropdown menu.
    • In the Select field, copy and paste the service principal display name from step 2 that is associated with the reservation order and select the user returned by the search.
  7. Click Save.
  8. Repeat steps 4-7 for each reservation order.

Step 7 - Configure Application Permission for Azure AD User Collection (Optional)

The Tanzu CloudHealth platform supports Azure AD User collection through Azure Service Principal. To collect the Azure AD objects, you need to add an additional Graph API permission to the Service Principal.

  1. Log in to the Azure Portal, go to Azure Active Directory > App Registrations, and select the app.
  2. Click API permissions > Add a permission.
  3. Select Microsoft Graph and click Application permissions.
  4. Under Select Permissions, expand Users, and select User.Read.All permission.
  5. Click Add Permissions.

Once you add the required permissions, click Grant admin consent for Default Directory to allow an admin to grant admin consent to the configured permissions.

check-circle-line exclamation-circle-line close-line
Scroll to top icon