Task: Enable access to resource group tag information to support cost allocation activities.
This guide will help you set up access to Azure resource group tags for Cloudability so that we can help you get a full allocation of cloud costs. Using resource groups, and the tags applied to them, has become a popular primary allocation mechanism with large Azure users. It overcomes the dual problems of low tag coverage and the fact that Azure doesn't report back tag information for all resource types. Resource group tags don't natively appear in the detailed billing information, so it's necessary to grant additional access as specified on this page.
Cloudability has a tag inheritance model for Azure: if an individual resource has a particular tag in the detailed billing data, we will use that first to populate our analytics platform. If that tag doesn't appear in the billing data for that resource, Cloudability will then query the resource group it belongs to and pull the tag information from there. If the tag doesn't exist on the resource group, we will consider it as "(not set)".
Important! If you are following the regular instructions to set up rightsizing data ingestion for Azure as described here, then it's unnecessary to follow these instructions, as resource group tags are included with that. However, if your focus is just on allocation and financial governance, you can simply set up your Azure enrolment as described here and then complete the following steps.
Before you begin the process, ensure that:
- You are a Cloudability administrator
- In Azure Active Directory, you have one of the following Directory roles: 1) Global Administrator, 2) Application developer, or 3) Cloud application administrator.
Permissions you are granting Cloudability
When you give Cloudability Azure Service Management access, you grant us the Reader role for Azure subscriptions within your Active Directory. The Reader role allows us to get information about resources in your subscription(s) but not make any changes.
There are two paths you can take for setting this up: 1) through the Cloudability UI (generally recommended) or 2) directly through Azure Service Management.
Setup - via Cloudability UI
1. As a Cloudability administrator, navigate to the Vendor Credentials page.
2. Select the edit pencil icon on the row for any Subscription.
3. Click Select Subscriptions under Azure Service Management.
4. Select the subscription(s) within the same tenant that we'll collect resource group tag information for.
5. Select Generate Links.
6. Click on each link to grant permission (there will only be one link per tenant).
7. In the new tab opened, select Accept to authorize the Cloudability app. This will add the app with a reader role for all the subscriptions you selected in step 4.
(Even though the name of the Cloudability 'app' is "CloudabilityUtilizationDataCollector", it can be used just for resource group tag collection. It can also be used for rightsizing later if desired.)
8. Within the Cloudability credentials page, if you click the reverify button for the subscription(s) you selected in step 4 you'll see the status icon appear yellow as below. You can ignore the storage access warning.
9. Repeat steps 6-8 for all available Tenant IDs. Within 24 hours your cost data will be updated with the new tag information. If you need to reload previous months' data, please reach out to your TAM.
Setup - via Azure Service Management
If you prefer, you can manage adding the Cloudability Azure app directly from within Azure Service Management. You can locate the CloudabilityUtilizationDataCollector app there (application ID: 1ba79ced-1862-41d1-95bc-66d6bc5aff7f) and add it directly to your Azure subscriptions. Tag inheritance will work for any new subscriptions you onboard with this method. These are the steps to follow:
1. Navigate to the directory for the relevant tenant within Azure Service Management
2. Locate the new subscription -> Scroll to "Access Control (IAM)" and Add Role Assignment
3. For the role assignment choose: role = Reader; Assign Access To = AzureAD user, group, or service principal (this is the default); select the CloudabilityUtilizationDataCollector app and click save.
4. The Cloudability app will now appear in role assignments within Azure Service Management. Come back to Cloudability and reverify. A yellow check will confirm success.
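After either setup path, you can confirm that the app holds only the Reader role, and only on the subscriptions you selected. The Python script below is an added example, not Cloudability's or Microsoft's code. It assumes a role-assignment export in the JSON shape of "az role assignment list --all -o json" and that the app's principalName equals the application ID given above; the subscription IDs and the user entry are constructed sample data.

```python
import json

# Application ID of CloudabilityUtilizationDataCollector, as given on this page.
CLOUDABILITY_APP_ID = "1ba79ced-1862-41d1-95bc-66d6bc5aff7f"
SUB = "/subscriptions/00000000-0000-0000-0000-00000000000"  # constructed prefix

# Constructed sample export (not real subscriptions or principals).
SAMPLE = json.dumps([
    {"principalName": CLOUDABILITY_APP_ID, "roleDefinitionName": "Reader",
     "scope": SUB + "1"},
    {"principalName": CLOUDABILITY_APP_ID, "roleDefinitionName": "Contributor",
     "scope": SUB + "2"},
    {"principalName": CLOUDABILITY_APP_ID, "roleDefinitionName": "Reader",
     "scope": SUB + "3"},
    {"principalName": "alice@example.com", "roleDefinitionName": "Owner",
     "scope": SUB + "1"},
])

def audit(assignments_json, intended_subscriptions, app_id=CLOUDABILITY_APP_ID):
    """Return (findings, missing).

    findings: the app's assignments that are not Reader, or that are Reader
              outside the intended subscriptions (including broader scopes).
    missing:  intended subscriptions with no subscription-level Reader grant.
    """
    intended = {s.lower() for s in intended_subscriptions}
    findings, covered = [], set()
    for a in json.loads(assignments_json):
        # Assumption: the service principal's principalName carries the app ID.
        if a.get("principalName", "").lower() != app_id:
            continue
        role = a.get("roleDefinitionName")
        scope = a.get("scope", "").lower()
        parts = scope.strip("/").split("/")
        sub_id = parts[1] if len(parts) >= 2 and parts[0] == "subscriptions" else None
        if role != "Reader":
            findings.append((scope, f"role is {role}, expected Reader"))
        elif sub_id not in intended:
            findings.append((scope, "Reader granted outside the intended subscriptions"))
        elif len(parts) == 2:  # exactly /subscriptions/<id>
            covered.add(sub_id)
    return findings, sorted(intended - covered)

if __name__ == "__main__":
    wanted = [SUB.split("/")[2] + n for n in ("1", "2", "4")]
    for item in audit(SAMPLE, wanted):
        print(item)
```

Replace SAMPLE with your own export and pass the subscription IDs you selected; any entry in findings is a grant to review, and any entry in missing is a subscription where resource group tags will not be collected.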