This article applies as of PRTG 20

I want to set up Microsoft Azure sensors. For these sensors to work, I have to define credentials for Microsoft Azure in my PRTG installation and create Azure custom roles with the required permissions.

Where do I find these credentials? How do I create the custom roles I need and where do I find the required permissions?


Credentials for Azure AD related to the Microsoft Azure sensors

Before you can set up Microsoft Azure sensors, you need to define credentials for Microsoft Azure in settings that are higher in the object hierarchy, for example, in the settings of the parent device.

The credentials you need are the Tenant ID, the Client ID, the Client Secret, and the Subscription ID. You obtain all of these credentials in your Microsoft Azure Portal.

Log in to the Microsoft Azure Portal under https://portal.azure.com and follow these steps:

  • Step 1: Get the client ID and the tenant ID
  • Step 2: Get the client secret
  • Step 3: Get the subscription ID

Step 1: Get the client ID and the tenant ID

Take the following steps to register your application with Azure AD to be assigned a client ID.

  1. Go to the App registrations tab.
  2. Click New registration to open the Register an application dialog.
    • Enter a display name, for example, Microsoft Azure PRTG.
    • Leave all other settings as they are.
    • Enter the redirect URI to which the authorization server sends you after the registration and authorization of the app. This is required for most authentication scenarios and can be specific to your setup. Note that there are specific rules for the redirect URI.
      Enter https://login.windows.net if you have no specific redirect URI.
    • Click Register to register the new application. The Overview tab of the newly registered application opens.
    • Copy the Application (client) ID and the Directory (tenant) ID. These are the client ID and the tenant ID that you need to enter in PRTG.

Step 2: Get the client secret

Take the following steps to create an application password, also known as client secret.

  1. Go to the Certificates & secrets tab.
  2. Click New client secret to open the Add a client secret dialog.
    • Enter a Description, for example, Microsoft 365 Client Secret.
    • Select a period after which the client secret expires.
    • Click Add to create and display the new client secret for your application.
  3. Copy the client secret to enter it in PRTG.
    Note: Make sure that you copy the client secret directly after you create it. If you leave the page, the client secret is no longer shown and you have to create a new client secret.

Step 3: Get the subscription ID

Take the following steps to find your Azure subscription ID.

  1. Navigate to Subscriptions in the Microsoft Azure Portal.
  2. Find the Subscription ID for your subscription in the list of subscriptions.

Roles and permissions for the Microsoft Azure sensors

The Microsoft Azure sensors need sufficient rights to query the respective data. You need to create Azure custom roles with the required permissions in the Azure Management Portal and assign these roles to your newly created application.

Prerequisites

Before you can create a custom role, you need to create a JSON file that includes the required permissions for the sensor that you want to add. You can find the JSON for each Microsoft Azure sensor at the end of this article. Save the JSON file to your system.
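Before uploading a saved role file, you can check it for anything that goes beyond plain read access. The following is an added example, not Paessler's code: the function names and the subscription-only scope policy are assumptions, and the sample input is the Subscription Cost sensor role from this article.

```python
import json

# Constructed sample: the Subscription Cost sensor role from this article,
# saved as the JSON file that the portal's "Start from JSON" option reads.
SAMPLE_ROLE = """
{"properties": {
  "roleName": "PRTG Microsoft Azure Subscription Cost Sensor",
  "assignableScopes": [],
  "permissions": [{
    "actions": ["Microsoft.Consumption/*/read",
                "Microsoft.Consumption/*/action",
                "Microsoft.CostManagement/query/read",
                "Microsoft.Billing/*/read"],
    "notActions": [], "dataActions": [], "notDataActions": []}]}}
"""

def classify(action):
    """Label one control-plane action string by how much it grants."""
    segments = action.split("/")
    verb = segments[-1].lower()
    if verb == "*":
        return "any-operation"      # trailing wildcard: read, write, delete, action
    if verb != "read":
        return "non-read"           # write, delete or action operation
    if "*" in segments[:-1]:
        return "wildcard-read"      # read on every matching resource type
    return "read"

def audit_role(role_json):
    """Return (roleName, findings); findings are the entries worth a review."""
    props = json.loads(role_json)["properties"]
    findings = []
    for perm in props.get("permissions", []):
        for action in perm.get("actions", []):
            kind = classify(action)
            if kind != "read":
                findings.append((kind, action))
        for data_action in perm.get("dataActions", []):
            findings.append(("data-plane", data_action))
    for scope in props.get("assignableScopes", []):
        parts = scope.strip("/").split("/")
        # Assumed policy for this example: subscription-level scopes only.
        if len(parts) != 2 or parts[0].lower() != "subscriptions":
            findings.append(("scope", scope))
    return props.get("roleName"), findings

if __name__ == "__main__":
    name, findings = audit_role(SAMPLE_ROLE)
    print(name, *findings, sep="\n  ")
```

For the sample, the only entry that is not a read operation is Microsoft.Consumption/*/action; the two wildcard reads are listed so that a reviewer can confirm they are intended.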

Log in to the Microsoft Azure Portal under https://portal.azure.com and follow these steps:

  • Step 1: Create a custom role
  • Step 2: Assign a role

Step 1: Create a custom role

  1. Navigate to Subscriptions in the Microsoft Azure Portal.
  2. Select the subscription for which you want to create the custom role.
  3. Go to the Access control (IAM) tab.
  4. Select the Roles tab.
  5. Click Add and select Add custom role from the dropdown menu.

    The Create a custom role dialog opens.

    • Enter a meaningful Custom role name, for example, PRTG Microsoft Azure SQL Database Sensor.
    • Optionally, enter a Description.
    • For Baseline permissions, select Start from JSON and browse for the JSON file that you created earlier.
    • Click Next.
    • On the Assignable scopes tab, you can see the ID of the subscription for which you want to add a custom role. If you want to add the custom roles to other subscriptions, too, click Add assignable scopes and follow the steps there.
    • Click Next.
    • On the JSON tab, you can see the custom role in JSON format that you uploaded.
    • Click Review + create to review your settings.
    • After review, click Create to create the custom role.

Step 2: Assign a role

After you have created a custom role, you need to assign it to your newly created application. Take the following steps:

  1. Back on the Access control (IAM) tab, select Role assignments.
  2. Click Add and select Add role assignment from the dropdown menu.

    The Add role assignment dialog opens.

    • Select the Role that you created earlier.
    • Leave the Assign access to setting as it is.
    • Under Select, choose the new application that you created and registered earlier (see section Step 1: Get the client ID and the tenant ID), for example, Microsoft Azure PRTG.
    • Click Save.

      You have successfully created and assigned a custom role.

JSON for custom roles for the Microsoft Azure sensors

Microsoft Azure Virtual Machine sensor

Here you can find the JSON with the required permissions for the Microsoft Azure Virtual Machine sensor:

{
  "properties": {
    "roleName": "PRTG Microsoft Azure Virtual Machine Sensor",
    "description": "This role has the required permissions to use the Microsoft Azure Virtual Machine sensor of PRTG.",
    "assignableScopes": [],
    "permissions": [
      {
        "actions": [
          "Microsoft.Network/publicIPAddresses/read",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/loadBalancers/read",
          "Microsoft.Network/networkInterfaces/read",
          "Microsoft.Compute/virtualMachines/*/read",
          "Microsoft.Insights/Metrics/providers/Metrics/Read",
          "Microsoft.Insights/Metrics/Microsoft.Insights/Read",
          "Microsoft.Insights/Metrics/Read",
          "Microsoft.Insights/Metricnamespaces/Read",
          "Microsoft.Insights/MetricDefinitions/providers/Microsoft.Insights/Read",
          "Microsoft.Insights/Components/providers/Microsoft.Insights/MetricDefinitions/Read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}



Microsoft Azure Subscription Cost sensor

Here you can find the JSON with the required permissions for the Microsoft Azure Subscription Cost sensor:

{
  "properties": {
    "roleName": "PRTG Microsoft Azure Subscription Cost Sensor",
    "description": "This role has the required permissions to use the Microsoft Azure Subscription Cost sensor of PRTG.",
    "assignableScopes": [],
    "permissions": [
      {
        "actions": [
          "Microsoft.Consumption/*/read",
          "Microsoft.Consumption/*/action",
          "Microsoft.CostManagement/query/read",
          "Microsoft.Billing/*/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}



Microsoft Azure SQL Database sensor (stable release n/n)

Here you can find the JSON with the required permissions for the Microsoft Azure SQL Database sensor:

{
  "properties": {
    "roleName": "PRTG Microsoft Azure SQL Database Sensor",
    "description": "This role has the required permissions to use the Microsoft Azure SQL Database sensor of PRTG.",
    "assignableScopes": [],
    "permissions": [
      {
        "actions": [
          "Microsoft.Sql/servers/*/read",
          "Microsoft.Insights/Metrics/providers/Metrics/Read",
          "Microsoft.Insights/Metrics/Microsoft.Insights/Read",
          "Microsoft.Insights/Metrics/Read",
          "Microsoft.Insights/Metricnamespaces/Read",
          "Microsoft.Insights/MetricDefinitions/providers/Microsoft.Insights/Read",
          "Microsoft.Insights/Components/providers/Microsoft.Insights/MetricDefinitions/Read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}



Microsoft Azure Storage Account sensor (stable release n/n)

Here you can find the JSON with the required permissions for the Microsoft Azure Storage Account sensor:


{
  "properties": {
    "roleName": "PRTG Microsoft Azure Storage Account Sensor",
    "description": "This role has the required permissions to use the Microsoft Azure Storage Account sensor of PRTG.",
    "assignableScopes": [],
    "permissions": [
      {
        "actions": [
          "Microsoft.Storage/storageAccounts/read",
          "Microsoft.Insights/Metrics/Read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}



Disclaimer:
The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.