What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general. You are invited to get involved by asking and answering questions!

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
300.000 administrators have chosen PRTG to monitor their network. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

How do I obtain credentials and create custom roles for the Microsoft Azure sensors?

Votes:

1

Your Vote:

Up

Down

I want to set up Microsoft Azure sensors. For these sensors to work, I have to define credentials for Microsoft Azure in my PRTG installation and create Azure custom roles with the required permissions.

Where do I find these credentials? How do I create the custom roles I need and where do I find the required permissions?

azure azure-ad credentials custom-role microsoft permissions prtg

Created on Sep 25, 2020 6:11:47 AM by  Maike Guba [Paessler Support]

Last change on Oct 20, 2020 10:45:12 AM by  Maike Guba [Paessler Support]



1 Reply

Accepted Answer

Votes:

0

Your Vote:

Up

Down

This article applies as of PRTG 20

Credentials for Azure AD related to the Microsoft Azure sensors

Before you can set up Microsoft Azure sensors, you need to define credentials for Microsoft Azure in settings that are higher in the object hierarchy, for example, in the settings of the parent device.

The credentials you need are the Tenant ID, the Client ID, the Client Secret, and the Subscription ID. You obtain all of these credentials in your Microsoft Azure Portal.

Log in to the Microsoft Azure Portal under https://portal.azure.com and follow

  • Step 1: Get the client ID and the tenant ID
  • Step 2: Get the client secret
  • Step 3: Get the subscription ID

Step 1: Get the client ID and the tenant ID

Take the following steps to register your application with Azure AD to be assigned a client ID.

  1. Go to the App registrations tab.
    App Registrations Tab
    Click to enlarge.
  2. Click New registration to open the Register an application dialog.
    Register Application Dialog
    Click to enlarge.
    • Enter a display name, for example, Microsoft Azure PRTG.
    • Leave all other settings as they are.
    • Enter the redirect URI where the authorization server sends you after the registration and authorization of the app. This is required for most authentication scenarios and can be specific for your setup. Note that there are specific rules for the redirect URI.
      Enter https://login.windows.net if you have no specific redirect URI.
    • Click Register to register the new application. The Overview tab of the newly registered application opens.
      New Application Overview Tab
      Click to enlarge.
    • Copy the Application (client) ID and the Directory (tenant) ID. These are the client ID and the tenant ID that you need to enter in PRTG.

Step 2: Get the client secret

Take the following steps to create an application password, also known as client secret.

  1. Go to the Certificates & secrets tab.
    Certificates & Secrets Tab
    Click to enlarge.
  2. Click New client secret to open the Add a client secret dialog.
    New Client Secret Dialog
    Click to enlarge.
    • Enter a Description, for example, Microsoft 365 Client Secret.
    • Select a period after which the client secret expires.
    • Click Add to create and display the new client secret for your application.
      New Client Secret Display
      Click to enlarge.
  3. Copy the client secret to enter it in PRTG.
    Note: Make sure that you directly copy the client secret after you created it. If you leave the page, the client secret is not shown anymore. You have to create a new client secret.

Step 3: Get the subscription ID

Take the following steps to find your Azure subscription ID.

  1. Navigate to Subscriptions in the Microsoft Azure Portal.
    Navigate to Subscriptions
    Click to enlarge.
  2. Find the Subscription ID for your subscription here:
    Find Subscription ID
    Click to enlarge.

Roles and permissions for the Microsoft Azure sensors

The Microsoft Azure sensors need sufficient rights to query the respective data. You need to create Azure custom roles with the required permissions in the Azure Management Portal and assign these roles to your newly created application.

Prerequisites

Before you can create a custom role, you need to create a JSON file that includes the required permissions for the sensor that you want to add. You can find the JSON for each Microsoft Azure sensor at the end of this article. Save the JSON file to your system.

Log in to the Microsoft Azure Portal under https://portal.azure.com and follow

  • Step 1: Create a custom role
  • Step 2: Assign a role

Step 1: Create a custom role

  1. Navigate to Subscriptions in the Microsoft Azure Portal.
  2. Select the subscription for which you want to create the custom role.
  3. Go to the Access control (IAM) tab.
    Access Control Tab
    Click to enlarge.
  4. Select the Roles tab.
  5. Click Add and select Add custom role from the dropdown menu.
    Add Custom Role Menu
    Click to enlarge.

    The Create a custom role dialog opens.

    Add Custom Role Dialog Basics
    Click to enlarge.
    • Enter a meaningful Custom role name, for example, PRTG Microsoft Azure SQL Database Sensor.
    • Optionally, enter a Description.
    • For Baseline permissions, select Start from JSON and browse for the JSON file that you created earlier.
    • Click Next.
    • On the Assignable scopes tab, you can see the ID of the subscription for which you want to add a custom role. If you want to add the custom roles to other subscriptions, too, click Add assignable scopes and follow the steps there.
      Add Custom Role Dialog Assignable Scopes
      Click to enlarge.
    • Click Next.
    • On the JSON tab, you can see the custom role in JSON format that you uploaded.
      Add Custom Role Dialog JSON
      Click to enlarge.
    • Click Review + create to review your settings.
    • After review, click Create to create the custom role.

Step 2: Assign a role

After you created a custom role, this role needs to be assigned to your newly created application. Take the following steps:

  1. Back on the Access control (IAM) tab, select Role assignments.
    Role Assignments Tab
    Click to enlarge.
  2. Click Add and select Add role assignment from the dropdown menu.
    Add Role Assignment Menu
    Click to enlarge.

    The Add role assignment dialog opens.

    Add Role Assignment Dialog
    Click to enlarge.
    • Select the Role that you created earlier.
    • Leave the Assign access to setting as it is.
    • Under Select, choose the new application that you created and registered earlier (see section Step 1: Get the client ID and the tenant ID), for example, Microsoft Azure PRTG.
    • Click Save.

      You have successfully created and assigned a custom role.
      Successfully Assigned Role
      Click to enlarge.

JSON for custom roles for the Microsoft Azure sensors

Microsoft Azure Virtual Machine sensor

Here you can find the JSON with the required permissions for the Microsoft Azure Virtual Machine sensor:

{
    "properties": {
        "roleName": "PRTG Microsoft Azure Virtual Machine Sensor",
        "description": "This role has the required permissions to use the Microsoft Azure Virtual Machine sensor of PRTG.",
        "assignableScopes": [

        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Network/publicIPAddresses/read",
                    "Microsoft.Network/virtualNetworks/read",
                    "Microsoft.Network/loadBalancers/read",
                    "Microsoft.Network/networkInterfaces/read",
                    "Microsoft.Compute/virtualMachines/*/read",
                    "Microsoft.Insights/Metrics/providers/Metrics/Read",
                    "Microsoft.Insights/Metrics/Microsoft.Insights/Read",
                    "Microsoft.Insights/Metrics/Read",
                    "Microsoft.Insights/Metricnamespaces/Read",
                    "Microsoft.Insights/MetricDefinitions/providers/Microsoft.Insights/Read",
                    "Microsoft.Insights/Components/providers/Microsoft.Insights/MetricDefinitions/Read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}



Microsoft Azure Subscription Cost sensor

Here you can find the JSON with the required permissions for the Microsoft Azure Subscription Cost sensor:

{
    "properties": {
        "roleName": "PRTG Microsoft Azure Subscription Cost Sensor",
        "description": "This role has the required permissions to use the Microsoft Azure Subscription Cost sensor of PRTG.",
        "assignableScopes": [

        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Consumption/*/read",
                    "Microsoft.Consumption/*/action",
                    "Microsoft.CostManagement/query/read",
                    "Microsoft.Billing/*/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}



Microsoft Azure SQL Database sensor (stable release n/n)

Here you can find the JSON with the required permissions for the Microsoft Azure SQL Database sensor:

{
    "properties": {
        "roleName": "PRTG Microsoft Azure SQL Database Sensor",
        "description": "This role has the required permissions to use the Microsoft Azure SQL Database sensor of PRTG.",
        "assignableScopes": [

        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Sql/servers/*/read",
                    "Microsoft.Insights/Metrics/providers/Metrics/Read",
                    "Microsoft.Insights/Metrics/Microsoft.Insights/Read",
                    "Microsoft.Insights/Metrics/Read",
                    "Microsoft.Insights/Metricnamespaces/Read",
                    "Microsoft.Insights/MetricDefinitions/providers/Microsoft.Insights/Read",
                    "Microsoft.Insights/Components/providers/Microsoft.Insights/MetricDefinitions/Read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}



Microsoft Azure Storage Account sensor (stable release n/n)

Here you can find the JSON with the required permissions for the Microsoft Azure Storage Account sensor:

{
    "properties": {
        "roleName": "PRTG Microsoft Azure Storage Account Sensor",
        "description": "This role has the required permissions to use the Microsoft Azure Storage Account sensor of PRTG.",
        "assignableScopes": [

        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Insights/Metrics/Read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Created on Oct 9, 2020 6:01:49 AM by  Maike Guba [Paessler Support]

Last change on Feb 8, 2021 7:05:08 AM by  Maike Guba [Paessler Support]



Please log in or register to enter your reply.


Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.