How to configure your Service Principal to monitor Subscriptions

Raise a ticket if you need help.

Security Overview

There are 2 important points to note about security with CloudMonitor:

  1. You choose which Subscriptions you would like CloudMonitor to monitor
  2. CloudMonitor has READ-ONLY access and cannot update anything

This flexible model is enforced with standard Azure RBAC IAM controls.

For each Azure Subscription that you want to monitor, assign the Reader role at the Subscription scope to the CloudMonitor Service Principal that you selected during install.

At this point, you should have already set up your Service Principal and Client Secret. If you have not, do that first. You will also need to be logged in as a user with the Owner role at the Subscription level for each Subscription that you want to monitor, because only an Owner can assign permissions.

Assigning Access

Find the Azure Subscription that you want to monitor in CloudMonitor. You can do this from the Subscriptions list in the Azure Portal.


Go into the Subscription and click on “Access Control (IAM)” in the left menu, then click on “+ Add” to add a new Role at the Subscription scope. 

Note: If the “+ Add” button is greyed out, then your logged-in user does not have the Owner role and you will be unable to proceed. Contact your IT department to find out who can do this step for you.

  1. Select “Add role assignment” and select the “Reader” Role
  2. Type in the name of your Service Principal (In our walkthroughs we always call it “CloudMonitor-SP”)
  3. This will allow you to click on the matching Service Principal 
  4. Click on “Save” to save the assignment

Note: CloudMonitor only has read-access to your Subscription and can in no way make any updates to your resources.

You have completed this step and granted CloudMonitor the access it needs. It will now be able to perform analytics on your cost data. Repeat this step for as many Subscriptions as you wish.

Note: You can also set IAM access at the Management Group level if this has been configured and you have many Subscriptions.

Check Subscription Access (Optional)

If you want to check if a Subscription has the required access, you can go to the Subscription -> “Access control (IAM)” and click on the “Role Assignments” tab. You should see “CloudMonitor-SP” with the “Reader” role assigned. If you do not, then follow the steps above in order and contact us if you have any problems.
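The same check can be scripted across many Subscriptions. The following is an added example, not CloudMonitor's own tooling: it audits a Service Principal's role assignments against the read-only model described above, and also reports the Management Group case. It assumes the JSON shape printed by `az role assignment list -o json` (fields `roleDefinitionName` and `scope`); the function name, the sample data and all IDs are constructed placeholders.

```python
import json

# Constructed sample in the JSON shape printed by `az role assignment list -o json`
# for one service principal. Every ID and name below is a placeholder.
SAMPLE = json.loads("""[
 {"principalName": "CloudMonitor-SP", "roleDefinitionName": "Reader",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"principalName": "CloudMonitor-SP", "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000002"},
 {"principalName": "CloudMonitor-SP", "roleDefinitionName": "Reader",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000003/resourceGroups/rg-demo"},
 {"principalName": "CloudMonitor-SP", "roleDefinitionName": "Reader",
  "scope": "/providers/Microsoft.Management/managementGroups/mg-demo"}
]""")

MG_PREFIX = "/providers/microsoft.management/managementgroups/"

def audit_assignments(assignments, monitored_subscription_ids):
    """Compare a principal's role assignments with the read-only model."""
    covered, excess, management_groups = set(), [], []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "").rstrip("/")
        parts = scope.lower().strip("/").split("/")  # Azure scopes are case-insensitive
        if role != "Reader":
            # Anything other than Reader breaks the read-only guarantee.
            excess.append(f"{role} at {scope}")
        elif len(parts) == 2 and parts[0] == "subscriptions":
            covered.add(parts[1])  # Reader at exactly the Subscription scope
        elif scope.lower().startswith(MG_PREFIX):
            # Inherited by every Subscription in the group; group membership is
            # not visible in this JSON, so report it for a manual check.
            management_groups.append(scope.rsplit("/", 1)[1])
        # Reader on a resource group or resource does not cover the Subscription.
    missing = sorted(s.lower() for s in monitored_subscription_ids
                     if s.lower() not in covered)
    return {"missing": missing, "excess": excess,
            "management_groups": management_groups}

if __name__ == "__main__":
    wanted = ["00000000-0000-0000-0000-00000000000%d" % n for n in (1, 2, 3)]
    print(json.dumps(audit_assignments(SAMPLE, wanted), indent=2))
```

A Subscription listed under `missing` may still be covered by a Management Group assignment, so check the `management_groups` entries before re-adding the role.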
