What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

How do I obtain credentials and create custom roles for the Microsoft Azure sensors?

Votes:

3

I want to set up Microsoft Azure sensors. For these sensors to work, I have to define credentials for Microsoft Azure in my PRTG installation and create Azure custom roles with the required permissions.

Where do I find these credentials? How do I create the custom roles I need and where do I find the required permissions?

azure azure-ad credentials custom-role microsoft permissions prtg

Created on Sep 25, 2020 6:11:47 AM by Maike Guba [Paessler Support] (2,404) 2 1

Last change on Jun 9, 2023 8:43:48 AM by Yasodhara Das [Paessler Support]



5 Replies

Accepted Answer

Votes:

2

This article applies as of PRTG 22

Credentials for Microsoft Entra ID related to the Microsoft Azure sensors

Before you can set up Microsoft Azure sensors, you need to define credentials for Microsoft Azure in settings that are higher in the object hierarchy, for example, in the settings of the parent device.

The credentials you need are the Tenant ID, the Client ID, the Client Secret, and the Subscription ID. You obtain all of these credentials in the Microsoft Azure Portal or in the Microsoft Entra admin center.

Log in to the Microsoft Azure Portal or the Microsoft Entra admin center and follow the next steps:

  • Step 1: Get the client ID and the tenant ID
  • Step 2: Get the client secret
  • Step 3: Get the subscription ID

Step 1: Get the client ID and the tenant ID

You can use either the Azure Portal or the Microsoft Entra admin portal. The only difference is how you navigate to App registrations:

Using the Azure Portal: Open Microsoft Entra ID in the Microsoft Azure Portal and go to the App registrations tab.

Using the Microsoft Entra admin center: Go to the App registrations tab under Applications.

  1. Click New registration to open the Register an application dialog.
    App Registrations Tab
    Click to enlarge. .
    • Enter a display name, for example, Microsoft Azure PRTG.
    • Leave all other settings as they are.
    • Enter the redirect URI where the authorization server sends you after the registration and authorization of the app. This is required for most authentication scenarios and can be specific for your setup. Note that there are specific rules for the redirect URI.
      Enter https://login.windows.net if you have no specific redirect URI.
  2. Click Register to register the new application. The Overview tab of the newly registered application opens.
    New application
    Click to enlarge.
    • Copy the Application (client) ID and the Directory (tenant) ID. These are the client ID and the tenant ID that you need to enter in PRTG.

Step 2: Get the client secret

Take the following steps to create an application password, also known as client secret.

  1. Go to the Certificates & secrets tab.
    Certificates & secrets
    Click to enlarge.
  2. Click New client secret to open the Add a client secret dialog.
    New secret
    Click to enlarge.
    • Enter a Description, for example, Microsoft 365 Client Secret.
    • Select a period after which the client secret expires.
    • Click Add to create and display the new client secret for your application.
      Secret display
      Click to enlarge.
  3. Copy the client secret to enter it in PRTG.
    Note: Make sure that you directly copy the client secret after you created it. If you leave the page, the client secret is not shown anymore. You have to create a new client secret.

Step 3: Get the subscription ID

Take the following steps to find your Azure subscription ID.

  1. Navigate to Subscriptions in the Microsoft Azure Portal.
    Navigate
    Click to enlarge.
  2. Find the Subscription ID for your subscription here:
    Find ID
    Click to enlarge.

Roles and permissions for the Microsoft Azure sensors

The Microsoft Azure sensors need sufficient rights to query the respective data. You need to create Azure custom roles with the required permissions in the Azure Management Portal and assign these roles to your newly created application.

Prerequisites

Before you can create a custom role, you need to create a .json file that includes the required permissions for the sensor that you want to add. You can find the JSON for each Microsoft Azure sensor at the end of this article. Save the .json file to your system.

Log in to the Microsoft Azure Portal under https://portal.azure.com and follow

  • Step 1: Create a custom role
  • Step 2: Assign a role

Step 1: Create a custom role

  1. Navigate to Subscriptions in the Microsoft Azure Portal.
  2. Select the subscription for which you want to create the custom role.
  3. Go to the Access control (IAM) tab.
    Access control
    Click to enlarge.
  4. Select the Roles tab.
  5. Click Add and select Add custom role from the dropdown menu.
    Custom role
    Click to enlarge.

    The Create a custom role dialog opens.

    Role basics
    Click to enlarge.
    • Enter a Custom role name to identify the role, for example, PRTG Microsoft Azure SQL Database Sensor.
    • Optionally, enter a Description.
    • For Baseline permissions, select Start from JSON and browse for the JSON file that you created earlier.
    • Click Next.
    • On the Assignable scopes tab, you can see the ID of the subscription for which you want to add a custom role. If you want to add the custom roles to other subscriptions, too, click Add assignable scopes and follow the steps there.
      Assignable scopes
      Click to enlarge.
    • Click Next.
    • On the JSON tab, you can see the custom role in JSON format that you uploaded.
      Dialog JSON
      Click to enlarge.
    • Click Review + create to review your settings.
    • After review, click Create to create the custom role.

Step 2: Assign a role

After you created a custom role, this role needs to be assigned to your newly created application. Take the following steps:

  1. Back on the Access control (IAM) tab, select Role assignments.
    Role assignments
    Click to enlarge.
  2. Click Add and select Add role assignment from the dropdown menu.
    Add role
    Click to enlarge.

    The Add role assignment dialog opens.

    Assignment dialog
    Click to enlarge.
    • Select the Role that you created earlier.
    • Leave the Assign access to setting as it is.
    • Under Select, choose the new application that you created and registered earlier (see section Step 1: Get the client ID and the tenant ID), for example, Microsoft Azure PRTG.
    • Click Save.

      You have successfully created and assigned a custom role.
      Successful
      Click to enlarge.

JSON for custom roles for the Microsoft Azure sensors

Microsoft Azure Virtual Machine sensor

Here you can find the JSON with the required permissions for the Microsoft Azure Virtual Machine sensor:

{
    "properties": {
        "roleName": "PRTG Microsoft Azure Virtual Machine Sensor",
        "description": "This role has the required permissions to use the Microsoft Azure Virtual Machine sensor of PRTG.",
        "assignableScopes": [

        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Network/publicIPAddresses/read",
                    "Microsoft.Network/virtualNetworks/read",
                    "Microsoft.Network/loadBalancers/read",
                    "Microsoft.Network/networkInterfaces/read",
                    "Microsoft.Compute/virtualMachines/*/read",
                    "Microsoft.Insights/Metrics/providers/Metrics/Read",
                    "Microsoft.Insights/Metrics/Microsoft.Insights/Read",
                    "Microsoft.Insights/Metrics/Read",
                    "Microsoft.Insights/Metricnamespaces/Read",
                    "Microsoft.Insights/MetricDefinitions/providers/Microsoft.Insights/Read",
                    "Microsoft.Insights/Components/providers/Microsoft.Insights/MetricDefinitions/Read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}



Microsoft Azure Subscription Cost sensor

Here you can find the JSON with the required permissions for the Microsoft Azure Subscription Cost sensor:

{
    "properties": {
        "roleName": "PRTG Microsoft Azure Subscription Cost Sensor",
        "description": "This role has the required permissions to use the Microsoft Azure Subscription Cost sensor of PRTG.",
        "assignableScopes": [

        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Consumption/*/read",
                    "Microsoft.Consumption/*/action",
                    "Microsoft.CostManagement/query/read",
                    "Microsoft.Billing/*/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}



Microsoft Azure SQL Database sensor

Here you can find the JSON with the required permissions for the Microsoft Azure SQL Database sensor:

{
    "properties": {
        "roleName": "PRTG Microsoft Azure SQL Database Sensor",
        "description": "This role has the required permissions to use the Microsoft Azure SQL Database sensor of PRTG.",
        "assignableScopes": [

        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Sql/servers/*/read",
                    "Microsoft.Insights/Metrics/providers/Metrics/Read",
                    "Microsoft.Insights/Metrics/Microsoft.Insights/Read",
                    "Microsoft.Insights/Metrics/Read",
                    "Microsoft.Insights/Metricnamespaces/Read",
                    "Microsoft.Insights/MetricDefinitions/providers/Microsoft.Insights/Read",
                    "Microsoft.Insights/Components/providers/Microsoft.Insights/MetricDefinitions/Read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}



Microsoft Azure Storage Account sensor

Here you can find the JSON with the required permissions for the Microsoft Azure Storage Account sensor:

{
    "properties": {
        "roleName": "PRTG Microsoft Azure Storage Account Sensor",
        "description": "This role has the required permissions to use the Microsoft Azure Storage Account sensor of PRTG.",
        "assignableScopes": [

        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Insights/Metrics/Read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Created on Oct 9, 2020 6:01:49 AM by Maike Guba [Paessler Support] (2,404) 2 1

Last change on Nov 15, 2023 10:20:09 AM by Jacqueline Conforti [Paessler Support]



Votes:

0

Hey Guys,

in my Company we have the Microsoft 365 Business Premium license for our Users. Through this license we also have the Azure AD Premium P1 License (the Azure AD Premium P1 is not a standalone license in our case, its linked to the M365 license).

I've already managed to create an registered Application and gather Tenant ID, Client ID and Client Secret. But now it fails with the Subscription ID. If i navigate to our Subscriptions in the Azure Portal it says that I dont have any....

What can I do?

Created on Sep 10, 2021 8:31:04 AM



Votes:

0

Hi,

In that case you'll need to contact Microsoft and open a ticket with them to see why your subscription is not showing up. Do you have anything if you go to portal.azure.com and then type Subscriptions in the search bar?

Regards,

Miguel Aikens

Created on Sep 10, 2021 11:27:15 PM by Miguel Aikens [Paessler Technical Support]



Votes:

0

Hi, For PRTG on premise and Azure to have a connection, which ports must be enabled in the local firewall?

Created on Jul 21, 2022 2:47:28 PM



Votes:

0

Hello Julio,

Thanks for contacting us.

All requests should be using HTTPS.

Hope this helps.

Regards,

Miguel Aikens

Created on Jul 22, 2022 5:49:18 PM by Miguel Aikens [Paessler Technical Support]




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.