Azure plugin

Monitor your Azure environment, VMs, Functions, Cost and more.

Click the following link for additional content such as blogs, videos, use cases, and more:

Azure

Adding a data source

To add a data source click on the + next to Data Sources on the left-hand menu in SquaredUp. Search for the data source and click on it to open the Configure data source page.

Before you start

Prerequisites

  1. You will need the Application Administrator role assigned to your user (or another role such as Global Administrator that gives the correct access) in order to carry out these steps.
  2. Choose your authentication method:
  3. Configure permissions for data streams
    Many Azure data streams will only show data if your app registration has the required permissions to the data.
  4. Register Azure providers
    For data streams to show data the subscriptions monitored by the plugin must have their providers registered.

Configuring an app registration in Azure (explicit application credentials)

Configuring an app registration and entering explicit application credentialsis highly recommended, as this option gives greater granular control over which permissions the data source uses. To enforce a "least privilege" approach you can configure an application in Azure with only the Reader role assigned and that is restricted to certain areas of your tenant.

  1. In the Azure portal, navigate to App registrations and do one of the following:
    • If you don't have an app registration for SquaredUp, create a new one using the default options (no redirect URL is needed).
      1. Click New registration.
      2. Name:
        Enter a name for the app, for example, SquaredUp.
      3. Click Register.
    • If you already have an app registration configured for SquaredUp, select it from the list.
      Azure App registrations page
  2. Make a note of the Application (client) ID and the Directory (tenant) ID.
    Azure credentials to note
  3. Click Add a certificate or secret to open Certificates and secrets, then do the following:
    1. On the Client secrets tab, click New client secret.
    2. Enter a Description for the secret. For example, SquaredUp plugin.
    3. Select when the secret Expires.
    4. Click Add to create the secret and add it to the list.
    5. Make a note of the Value. For more information see Microsoft: Use the portal to create an Microsoft Entra application and service principal that can access resources.
      Client secret for app registration
  4. Navigate to the Subscription or Resource Group that you want to integrate and view in SquaredUp, and make a note of the ID.
    1. In Access control (IAM) click Add > Add role assignments and choose the Reader role.
    2. Search for the name of the app registration you created, select it and click Review + assign.
    3. Repeat these steps to integrate multiple subscriptions and resources groups.

Sign-in button

This authentication method is not ideal from a "least privilege" perspective, but can be useful when experimenting with the plugin in non-production environments.

For production environments, using App registration to authenticate with explicit application credentials is recommended.

Configuring permissions for data streams

In order to use many of the Azure data streams you must assign permissions via the app registration you created / edited when configuring explicit application details.

Do the following in the Azure portal, depending on which data streams you want access to:

  1. To use the Cost data streams:
    1. In Access control (IAM) click Add > Add role assignments and choose the Cost Management reader role.
    2. Search for the name of the app registration you created, select it and click Review + assign.
  2. To use the Billings data streams:
    1. Open Cost management + Billing and select the right scope from Billing scopes.
    2. In Access control (IAM) click Add and choose the Billing account reader role.

      If you don't see billing account reader or you cannot assign it to your application then see the Enterprise agreementoption when selecting a Billing Account Type, as this advises how to assign permissions via the Azure API.

    3. Search for the name of the app registration you created, select it and click Add.
  3. To use all the Savings plans and/or Reservations data streams:
    1. Open Savings plans or Reservations and select the plan you want.
    2. In Access control (IAM) click Add and choose the Billing account reader or Enrollment reader role.

      If you don't see billing account reader or you cannot assign it to your application then see the Enterprise agreementoption when selecting a Billing Account Type, as this advises how to assign permissions via the Azure API.

    3. Search for the name of the app registration you created, select it and click Select, then Review + assign.
  4. To use the Entra Application Health and Entra Application Credentials data streams you must configure your app registration to access to your Microsoft Graph APIs:
    1. Navigate to API permissions > Add a permission.
    2. Select Microsoft Graph from the Microsoft APIs section.
    3. Select Application permissions.
    4. Add one of the following permissions:
      • Directory.Read.All
      • Application.Read.All
    5. Click Add permissions.
    6. Admin consent is required for these permissions to become active. Click Grant admin consent for <your organization> .

Configuring the data source

  1. Display name:
    Enter a name for your data source. This helps you to identify this data source in the list of your data sources.

  2. Agent group :
    Select the Agent Group that contains the agent(s) you want to use.

  3. Authentication:
    • App registration (Explicit application credentials):
      This is the recommended authentication method, allowing you to assign granular permissions when configuring explicit application credentials. You must enter the following for the app registration you configured in Azure:
      • Directory (tenant) ID
      • Application (client) ID
      • Client secret
    • Sign-in button :
      Allows the Azure data source instance to access Azure from the perspective of a given user account, with limited granular control over the permissions the data source runs with.

      After clicking the Sign in with Microsoft button you can choose to login as either an administrator or a non-administrator of the target tenant (see Microsoft: Manage consent to applications and evaluate consent requests).

      As an administrator you can either consent for just yourself or for everyone in the organization by clicking 'Consent of behalf of your organization', see User and admin consent in Microsoft Entra ID

      The Azure data source will then use this administrator's credentials. With this in mind you may choose to Restrict access to this data source.

      At the Approval required prompt you must enter justification for requesting access and request approval. In SquaredUp you will see an 'access_denied - (cancel)' message until an administrator approves your request.

      An administrator of the target tenant can respond to the consent request in the Azure portal > Enterprise applications > Admin consent requests see Microsoft: Review admin consent requests.

      After consent has been granted the non-administrator must return to the Azure data source configuration and click the Sign-in with Microsoft button again. This time after signing in the message Logged in as <username> will be shown.

      The Azure data source will then use this non-administrator's credentials.

  4. Subscription IDs:
    Do the following depending on your chosen Authentication method:
    • Sign-in button: By default (when no Subscription ID is specified), objects are indexed from all the subscription IDs you have access to. Optionally, enter specific Subscription IDs to import so that only those specified objects are indexed.
    • App registration: Enter the Subscription IDs to import. At least one Subscription ID or one Management group ID is needed, but you do not need to enter both a Subscription and a Management group.
  5. Management Group IDs:
    Do the following depending on your Authentication method:
    • Sign-in button: By default (when no Management Group ID is specified), objects are indexed from all the Management Group IDs you have access to. Optionally, enter specific Management Group IDs to import so that only those specified objects are indexed.
    • App registration: Enter the Management Group IDs to import. At least one Subscription ID or one Management group ID is needed, but you do not need to enter both a Subscription and a Management group.
  6. Billing Account Type:
    Select the billing account type of your Azure instance. Choose from:
    • Microsoft Customer Agreement/Microsoft Partner Agreement/Microsoft Online Services Program: The default option. This is automated and requires no further configuration beyond granting permission to read the billing account.
    • Enterprise Agreement: This option requires you to specify a Billing Account ID and one or more Enrollment Account IDs.

      When using an Enterprise Agreement, you must use the Azure REST API to assign Enrollment Reader to an Azure Service Principal (SPN) OR use the Sign-in button authentication button and authenticate with an account that has been granted Enrollment Reader.

      As there is no user interface to assign this role to an SPN, it must be performed via the API, as described here. You can easily make requests to the Azure API using the Azure CLI.
  7. Import Entra Applications:
    Select to import your Entra enterprise applications and app registrations. This gives you access to the the Entra Application Health and Entra Application Credentials data streams but requires additional permissions. See step 4 of configuring permissions for data streams.

  8. Restrict access to this data source:
    Optionally, enable this toggle if you only want certain users/groups to have access to the data source, or those with the permission to link it to new workspaces. See data source access control for more information.

  9. Click Test and add to validate the data source configuration. SquaredUp will now attempt to connect to SquaredUp using the provided authentication method.

    • Testing passed – a success message will be displayed and then the configuration will be saved.
    • Testing passed with warnings – warnings will be listed and potential fixes suggested. You can still use the data source with warnings. Select Save with warnings if you believe that you can still use the data source as required with the warnings listed. Alternatively, address the issues listed and then select Rerun tests to validate the data source configuration again. If the validation now passes, click Save.
    • Testing Failed – errors will be listed and potential fixes suggested. You cannot use the data source with errors. You are able to select Save with errors if you believe that a system outside of SquaredUp is causing the error that you need to fix. Alternatively, address the issues listed and then select Rerun tests to validate the data source configuration again. If the validation now passes, click Save.

    You can edit data source configurations at any time from Settings > Data Sources.

Registering Azure providers

For your data streams to load correctly you must ensure that the subscriptions monitored by the Azure plugin have their providers registered. If a call is made to a subscription which does not have a required provider registered, it will return a 409 Conflict error.

Refer to the Azure documentation for detailed information on registering providers in Azure.

The Azure plugin makes calls to the following providers:

  • providers/Microsoft.Billing
  • providers/Microsoft.BillingBenefits
  • providers/Microsoft.Capacity
  • providers/Microsoft.Consumption
  • providers/Microsoft.CostManagement
  • providers/Microsoft.Insights
  • providers/microsoft.management
  • providers/Microsoft.OperationalInsights
  • providers/Microsoft.ResourceGraph
  • providers/Microsoft.ResourceHealth
  • providers/microsoft.securityinsights

Testing and troubleshooting

When the data source is added or edited, SquaredUp validates your selected authentication method to ensure that you have access.

Any errors or warnings will point you towards what needs changing. If you need any assistance please contact our support team in-app or via SquaredUp Support

Error
What to do
Failed to acquire access token, check app registration.
In Azure check the Directory (tenant) ID, Application (client) ID, and Client secret.
At least one subscription or management group must be configured.
Enter a Management Group ID, or a Subscription ID.
The following subscriptions are not recognized...
At least one Subscription ID or one Management group ID is needed, but you do not need to enter both a Subscription and a Management group. Try removing the Subscription ID, having just one Management Group ID, scroll down and click Rerun tests.
The following management groups are not recognized...
At least one Subscription ID or one Management group ID is needed, but you do not need to enter both a Subscription and a Management group. Try having just one or the other, scroll down and click Rerun tests.
Successfully queried for billing accounts, but received no values. To access billing information, make sure you have at least one billing account with billing reader permissions.
You will not be able to view billing information, but other data streams should show data. If you want to view billing information check that the app registration has the Billing account reader role.

Next steps

Getting started with Azure dashboards

The installed dashboards are a great place to start, you can also edit or clone tiles to add to your own dashboards.

See Getting started with Azure dashboards and Getting started with Azure cost dashboards

Data streams

You can use these data streams to create new tiles to show data, or if there are preconfigured dashboards installed you can copy or edit those.

Data streams standardize data from all the different shapes and formats your tools use into a straightforward tabular format.

While creating a tile you can tweak data streams by grouping or aggregating specific columns.

Depending on the kind of data, SquaredUp will automatically suggest how to visualize the result, for example as a table or line graph.

Data streams can be either global or scoped:

  • Global data streams are unscoped and return information of a general nature (e.g. "Get the current number of unused hosts").
  • A scoped data stream gets information relevant to the specific set objects supplied in the tile scope (e.g. "Get the current session count for these hosts").

See Data Streams for more information.

The following data streams are installed with this plugin.

To help improve efficiency and reduce API calls for Azure cost data streams, a 24-hour cache is maintained since cost data doesn’t typically change within the same day.

Alerts

Get a list of alerts for an item or set of items

Parameters
Availability

Get the availability status of an item or set of items

Availability History

Get the availability history of an item or set of items

Parameters
Average CPU Percentage

Average CPU percentage

Budget

Get the current state of a budget or list of budgets

Budget Overview

Get the current state of any budget applied to the scope

Cost

Group cost by dimension and/or filter by resource type

Parameters
Cost (By Tag)

Group cost by tag

Parameters
Cost (Invoice Details)

Invoice style cost

Parameters
Cost (Location)

Location cost by day

Parameters
Cost (Service)

Service cost

Parameters
Cost Alerts

Lists all cost management alerts triggered within a subscription or resource group.

Cost with forecast

Actual and forecast cost by day

Cost with forecast (accumulated)

Accumulated actual and forecast cost by day

Data Explorer KQL Query

Connect to an Azure Data Explorer cluster and database to retrieve data using a custom KQL query

Parameters
DataFactory Integration Runtime Health

Gets Integration Runtime health

DataFactory Integration Runtime Metrics

Gets Integration Runtime Metrics. Only available for Self Hosted Integration RunTimes.

Entra Application Credentials

Lists all credentials associated with one or more Entra Applications

Entra Application Health

Gets the health state of Entra Applications based on credential expiry

Guest VM Metrics

Guest-level metrics require the Azure Diagnostics agent to be enabled on the VM

Parameters
Invoice History

Gets a historical invoice summary

Invoice Payment History

Gets a historical summary of invoice payments

IO Bytes Read

IO bytes read

IO Bytes Written

IO bytes written

IO Requests Count

IO requests count

Log Analytics KQL Query

Runs a KQL query on Log Analytics workspaces

Parameters
Log Analytics KQL Query (object-aware)

Runs a KQL log query, using a specific scope and optional mustache replacement

Parameters
Metrics

Retrieves any metric from Azure Monitor, using a specific scope

Parameters
Overall Web Test Availability
Policy Assignment Compliance

Get the compliance state of each Azure Policy Assignment scoped to subscriptions or resource groups

Reservation Cost Details

Gets cost details for a Reservation from its underlying Reservation Order

Reservation Normalized Hours History

Gets a historical summary of utilization in normalized hours. Utilization data may be delayed by up to 24 hours. The data displayed for the last day may be inaccurate.

Reservation Percent Utilization History

Gets a historical summary of reservation percentage utilization. Utilization data may be delayed by up to 24 hours. The data displayed for the last day may be inaccurate.

Reservation Recommendations

Get Reservation Recommendations for the scope

Parameters
Reservation Transactions

Gets Reservation transactions for a billing scope

Resource Compliance

Get the compliance state of Azure Resources

Parameters
Resource Graph KQL Query

Runs a KQL query on the Azure Resource Graph

Parameters
Resource Graph KQL Query (object-aware)

Runs a KQL resource graph query, using a specific scope and optional mustache replacement

Parameters
Savings Plan Percent Utilization History

Gets a historical summary of savings plan percentage utilization. Utilization data may be delayed by up to 24 hours. The data displayed for the last day may be inaccurate.

Savings Plan Recommendations

Get Savings Plan Recommendations for the scope

Parameters
Sentinel Alerts

Get a list of Microsoft Sentinel alerts

Sentinel Incidents

Get a list of Microsoft Sentinel incidents

Service Health Advisories

Retrieves active Azure service health advisories using Azure Resource Graph

Storage Space Reserved

Storage space reserved

Storage Space Used

Storage space used

Subscription Charges

Get the state of charges on a subscription or list of subscriptions

Subscription Charges Overview

Get the state of charges on any subscription in scope

Time Since Last Web Test Outage
Top Longest Web Test Outages
Total Web Test Down Time

Total web test down time

Total Web Test Outages
Transactions

Gets transactions for a billing scope

Utilization Summary

Gets the current utilization summary of the item.

Virtual Core Count

Virtual core count

Web Test Overview

Was this article helpful?

Have more questions or facing an issue?
Submit a ticket