Setting up an Azure service principal for workload monitoring

This topic describes the steps to set up a valid service principal that Turbonomic will use to connect to your Azure environment and discover subscriptions. Turbonomic discovers, monitors, and optimizes the workloads in these subscriptions.

Task overview

The following tasks apply to global Azure and Azure Government.

  1. Register Turbonomic with Microsoft Entra ID (formerly known as Azure Active Directory).

  2. Create a client secret key.

  3. Configure API permissions.

  4. Enable access to the subscriptions that Turbonomic will manage.

Registering Turbonomic with Microsoft Entra ID (formerly known as Azure Active Directory)

Registration automatically creates a service principal that serves as Turbonomic's identity in the Microsoft Entra tenant.

  1. Sign in to the Azure portal with an administrator or co-administrator account. This level of access is only required for setting up the service principal, and not for regular Turbonomic operations.

  2. Browse to Microsoft Entra ID > App registrations and select New registration.

  3. Configure the following settings:

    Setting                  Instructions
    Name                     Specify your preferred name, such as Turbonomic.
    Supported account types  Select Accounts in this organizational directory only.

  4. Select Register.

    Microsoft Entra ID creates the app registration for the service principal.

  5. Record the Application (client) ID and Directory (tenant) ID. You will need this information later when you add an Azure target in the Turbonomic user interface.

Creating a client secret

  1. Browse to Microsoft Entra ID > App registrations and then select the app registration for the service principal that you created for Turbonomic.

  2. In the navigation menu, select Certificates & secrets.

  3. Select Client secrets and then select New client secret.

  4. Configure the following settings:

    Setting      Instructions
    Description  Specify a meaningful description.
    Expires      Choose Never.

  5. Select Add.

  6. Record the client secret value. You will need this information later when you add an Azure service principal target in the Turbonomic user interface.

    Important:

    The client secret value only displays once. It will no longer be available after you leave the page.

Configuring API permissions

  1. Browse to Microsoft Entra ID > App registrations and then select the app registration for the service principal that you created for Turbonomic.

  2. In the navigation menu, select API permissions.

  3. Click Add a permission and select Azure Service Management.

  4. Select Delegated permissions and user_impersonation, and then click Add permissions.

Enabling access to subscriptions using Azure roles

Assign roles to the service principal to enable access to subscriptions.

Tip:

To speed up the process of connecting Turbonomic to Azure, enable access at a high scope level (such as at the management group level). This automatically propagates permissions to lower levels of scope, such as subscriptions and resource groups.

You can assign the service principal either a custom role or built-in roles. If you have strict requirements for the service principal, assign a custom role.

  • Custom role

    When you create a custom role, you specify the permissions that Turbonomic needs to monitor workloads in the subscription. You can also specify permissions to execute actions from Turbonomic.

  • Built-in roles

    Built-in roles include default permissions that are sufficient for Turbonomic operations, but are more permissive than a custom role.

    • The Reader role is required to monitor workloads.

    • The Owner or Contributor role is needed to execute actions from Turbonomic. The Contributor role is the least privileged role for action execution.

To assign a custom role, see the next section. To assign built-in roles, skip to Assigning built-in roles.
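The role guidance above can be checked mechanically against what is actually assigned. The following Python script is an added example, not part of this topic and not Turbonomic or Microsoft code: it audits a list of role assignments for the service principal and reports any that are broader than the task requires (Owner where Contributor suffices, Contributor where only monitoring is configured), or missing altogether. The assignment records, the principal name turbonomic-sp and the management group and subscription IDs are constructed placeholders shaped like the principalName, roleDefinitionName and scope fields of `az role assignment list` output; the function names are this example's own.

```python
"""Least-privilege check for the Turbonomic service principal's role assignments.

Added example, not Turbonomic or Microsoft code. It encodes the guidance in the
topic: Reader is enough for monitoring, Contributor is the least-privileged
built-in role for executing actions, and Owner grants more than either.
"""

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
BUILT_IN = ("Reader", "Contributor", "Owner")


def scope_level(scope):
    """Classify an ARM scope string by how far its permissions propagate."""
    if scope.startswith(MG_PREFIX):
        return "managementGroup"
    parts = [p for p in scope.split("/") if p]
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[0] == "subscriptions" and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"


def audit_assignments(assignments, principal_name, execute_actions):
    """Return findings (strings) where the principal's assignments deviate from
    the minimum: no access at all, or a role broader than the task needs."""
    needed = "Contributor" if execute_actions else "Reader"
    mine = [a for a in assignments if a["principalName"] == principal_name]
    if not mine:
        return [f"{principal_name}: no role assignments; discovery cannot work"]
    findings = []
    for a in mine:
        role, scope = a["roleDefinitionName"], a["scope"]
        where = f"{scope_level(scope)} scope {scope}"
        if role == "Owner":
            findings.append(f"Owner at {where} is broader than the {needed} role that suffices")
        elif role == "Contributor" and not execute_actions:
            findings.append(f"Contributor at {where} but only monitoring is configured; Reader suffices")
        elif role not in BUILT_IN:
            # A custom role: the audit cannot see its permissions, so flag it for review.
            findings.append(f"Custom role {role} at {where}; verify its permissions cover the task")
    custom_present = any(a["roleDefinitionName"] not in BUILT_IN for a in mine)
    can_act = any(a["roleDefinitionName"] in ("Contributor", "Owner") for a in mine)
    if execute_actions and not can_act and not custom_present:
        findings.append(f"{principal_name}: no Contributor or Owner assignment, so actions cannot execute")
    return findings


# Constructed sample: Reader propagated from a management group, plus an Owner
# assignment on one subscription that exceeds what action execution needs.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "turbonomic-sp", "roleDefinitionName": "Reader",
     "scope": MG_PREFIX + "<MANAGEMENT_GROUP_ID>"},
    {"principalName": "turbonomic-sp", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/<SUBSCRIPTION_ID>"},
    {"principalName": "other-app", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/rg-prod"},
]

if __name__ == "__main__":
    for finding in audit_assignments(SAMPLE_ASSIGNMENTS, "turbonomic-sp", execute_actions=True):
        print(finding)
```

Run it over the real output of `az role assignment list --all` (after loading the JSON) to confirm that the principal ends up with exactly the role the task calls for at the scope you intended, and nothing broader left over from earlier experiments.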

Assigning a custom role

This task assumes that when you assign a custom role to the service principal, you will upload a JSON file that specifies the required permissions. You can manually configure the permissions by following the wizard for creating custom roles, but complete instructions for running that wizard are not described in this task.

  1. Create a JSON file that specifies the required permissions.

    • For permissions to monitor workloads, copy the JSON content found here.

    • For permissions to monitor workloads and execute actions, copy the JSON content found here.

  2. Update the JSON file with the following information:

    • <RoleName> – Specify your preferred name for the custom role.

    • <Subscription_ID> – Specify the ID of the subscription that Turbonomic will manage.

    Important:

    For Azure Government, remove the Microsoft.Synapse/SKUs/read permission from the JSON file. This permission is not required for Azure Government.

  3. Browse to Subscriptions.

  4. Select a subscription that Turbonomic will manage.

  5. In the navigation bar, select Access control (IAM).

  6. Choose Add > Add custom role.

  7. In the Basics tab:

    1. In the Baseline permissions field, select Start from JSON.

    2. In the File field, upload the JSON file that you created in a previous step.

    Azure notifies you if the JSON is valid.

  8. Choose Review + create.
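Steps 1 and 2 of this task amount to filling two placeholders and, for Azure Government, dropping one permission before the file is uploaded in step 7. The following Python script is an added example, not part of this topic and not Turbonomic or Microsoft code: it applies those edits to a role-definition template and refuses to produce a file that still contains a <...> placeholder, so a forgotten substitution is caught before Azure rejects the upload. The template embedded in it is constructed and illustrative: its field layout follows the custom-role format accepted by `az role definition create`, which is an assumption about the linked file; the permission entries other than Microsoft.Synapse/SKUs/read are samples, not the required list, which comes only from the JSON files this topic links to. build_role, prepare_role_definition and the other names are this example's own.

```python
"""Fill the custom-role JSON placeholders and apply the Azure Government edit.

Added example, not Turbonomic or Microsoft code. prepare_role_definition walks
the JSON structure generically, so it works whether the file uses the az CLI
layout shown in the constructed template or the portal's "properties" layout.
"""
import json
import re

PLACEHOLDER = re.compile(r"<[A-Za-z_]+>")

# Constructed template standing in for the JSON file the topic links to.
# Layout assumed to match `az role definition create`; the permission entries
# are illustrative except Microsoft.Synapse/SKUs/read, which the topic names.
ROLE_TEMPLATE = {
    "Name": "<RoleName>",
    "IsCustom": True,
    "Description": "Turbonomic workload monitoring (constructed sample)",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Synapse/SKUs/read",
    ],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/<Subscription_ID>"],
}

# Permission the topic says to remove for Azure Government.
AZURE_GOVERNMENT_REMOVE = frozenset({"Microsoft.Synapse/SKUs/read"})


def prepare_role_definition(obj, replacements, remove_actions=frozenset()):
    """Return a copy of obj (nested dicts/lists/strings) with every <Name>
    token replaced from `replacements` and every list entry equal to one of
    `remove_actions` dropped. The template itself is never mutated."""
    if isinstance(obj, dict):
        return {k: prepare_role_definition(v, replacements, remove_actions)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [prepare_role_definition(v, replacements, remove_actions)
                for v in obj if not (isinstance(v, str) and v in remove_actions)]
    if isinstance(obj, str):
        for name, value in replacements.items():
            obj = obj.replace(f"<{name}>", value)
        return obj
    return obj


def unreplaced_placeholders(obj):
    """Collect any <Name> tokens still present anywhere in obj, in document order."""
    found = []
    if isinstance(obj, dict):
        for v in obj.values():
            found.extend(unreplaced_placeholders(v))
    elif isinstance(obj, list):
        for v in obj:
            found.extend(unreplaced_placeholders(v))
    elif isinstance(obj, str):
        found.extend(PLACEHOLDER.findall(obj))
    return found


def build_role(role_name, subscription_id, azure_government=False, template=ROLE_TEMPLATE):
    """Fill the template for one subscription and return the role as a dict.
    Raises ValueError if any placeholder would be left in the output."""
    role = prepare_role_definition(
        template,
        {"RoleName": role_name, "Subscription_ID": subscription_id},
        AZURE_GOVERNMENT_REMOVE if azure_government else frozenset(),
    )
    leftover = unreplaced_placeholders(role)
    if leftover:
        raise ValueError(f"unreplaced placeholders: {leftover}")
    return role


def build_role_file(role_name, subscription_id, azure_government=False):
    """JSON text ready for the 'Start from JSON' upload step."""
    return json.dumps(build_role(role_name, subscription_id, azure_government), indent=2)


if __name__ == "__main__":
    # The subscription ID here is a constructed placeholder value, not a real subscription.
    print(build_role_file("Turbonomic-Monitoring", "00000000-0000-0000-0000-000000000000",
                          azure_government=True))
```

To use it with the real file, load that file with json.load in place of ROLE_TEMPLATE and pass it as the template argument; the placeholder and removal logic does not depend on the file's layout. Because AssignableScopes is limited to the one subscription you name, the role cannot later be assigned at a broader scope without editing the definition.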

Assigning built-in roles

  1. Browse to Subscriptions.

  2. Select a subscription that Turbonomic will manage.

  3. In the navigation bar, select Access control (IAM).

  4. Choose Add > Add role assignment.

  5. In the Add role assignment page:

    1. Choose the Role tab.

    2. In the search bar, type Reader as your search keyword.

    3. Choose Reader from the list of built-in roles that display.

      To execute actions from Turbonomic, choose Owner or Contributor.

      Choose Next.

    4. In the Members tab, choose + Select members.

    5. Search for the service principal that you set up for Turbonomic.

    6. Add the service principal to the list of members. Optionally, specify a description for this role assignment and then choose Next.

    7. In the Review + Assign tab, review your settings and then choose Review + assign.

Next step

Add an Azure Service Principal target in Turbonomic. For details, see this topic.