Azure
Vantage integrates with your Azure account using an Active Directory Service Principal. This principal is then assigned access to either management groups or individual subscriptions.
You can connect hundreds of Azure subscriptions to Vantage through the management group method. Any subscriptions that are part of a resource group will be automatically imported.
The service principal is granted Reader permissions. It does not have permissions—nor will it ever attempt—to make any changes to your infrastructure.
Connect Your Azure Account
Instructions are provided below for you to connect via the Azure CLI or the Azure portal.
Connect via the Azure CLI
Prerequisites
- The below commands are run via the Azure CLI. Ensure you have access to Azure CLI and can create service principals and manage their permissions.
- Create a free Vantage account, then follow the steps below to integrate Azure costs.
Step 1: Create an Azure Service Principal
Create a service principal using the following command:
az ad sp create-for-rbac -n "vantage"
You should see output similar to the below output:
{
"appId": "2d218f0f5-7ad5-4a12-abc7-bad2889d6407",
"displayName": "vantage",
"password": "8zkj3~yswKd433U12SHrvp22UoA6tOOOkZ_BYar2",
"tenant": "1050a480-ef60-43d7-b8db-224aad100b60"
}
Record the appId
, password
, and tenant
as you will enter these credentials into the Vantage console.
Step 2: Grant the Service Principal Permissions
Vantage recommends assigning permissions to a management group that aggregates your subscriptions. By following this recommendation, you do not have to manually assign each subscription.
Grant permissions to the appId
from the service principal created above. The scope can be a subscription or management group. Ensure you replace <SERVICE_PRINCIPAL_APP_ID>
with the appId
. Replace <MANAGEMENT_GROUP_ID>
(or <SUBSCRIPTION_ID>
) with your management group ID (or subscription ID).
- Management Group
- Subscription
az role assignment create --assignee <SERVICE_PRINCIPAL_APP_ID> \
--role Reader \
--scope "/providers/Microsoft.Management/managementGroups/<MANAGEMENT_GROUP_ID>"
az role assignment create --assignee <SERVICE_PRINCIPAL_APP_ID> \
--role Reader \
--scope "/subscriptions/<SUBSCRIPTION_ID>"
Skip to the Save the Credentials in Vantage section for the steps to complete the connection with Vantage.
Connect via the Azure Portal
Prerequisites
- The below instructions are for connecting using the Azure portal. If you already completed the steps via the Azure CLI, skip to the Save the Credentials in Vantage section. You should have access to set up service principals and grant those service principals permissions.
- Create a free Vantage account, then follow the steps below to integrate Azure costs.
Step 1: Create a New Application Registration
- From the main page of the Azure portal, search for and navigate to Microsoft Entra ID.
- In the left navigation, under Manage, select App registrations.
- Click + New registration.
Expand to view example image
- The Register an application screen is displayed. For Name, enter vantage.
- Leave all other settings as their defaults and click Register.
Expand to view example image
- The app details are displayed. Record the Application (client) ID and Directory (tenant) ID to use later.
Expand to view example image
Step 2: Generate a Client Secret
- On the same page, next to the Client credentials field, click Add a certificate or secret. (You can also access the Certificates and secrets screen from the left navigation menu.)
- Click + New client secret.
- The Add a client secret pane is displayed. For Description, enter a description, such as vantage-secret.
Expand to view example image
- For Expires, select an expiration option for the secret.caution
If this secret expires, you will need to supply Vantage with a new secret before the expiration date.
- Click Add.
- The newly created secret is displayed. Copy the secret's Value to add to the Vantage console later. This value will be displayed only one time.
Step 3: Grant the Service Principal Permissions
Vantage recommends assigning permissions to a management group that aggregates your subscriptions. By following this recommendation, you do not have to manually assign each subscription.
- From the top navigation, search for and navigate to Management groups. (If you want to assign permissions to a subscription, navigate to Subscriptions.)
- Open the management group for which you will be assigning permissions.
- On the left navigation, click Access control (IAM).
- Click Add role assignment.
Expand to view example image
- On the Add role assignment screen, select Reader. Then, click Next.
Expand to view example image
- For Assign access to, select User, group, or service principal.
- Click + Select members. The Select members tab is displayed on the right. Search for the vantage app you created before. Select the listed app, then click Select.
Expand to view example image
- Click Next > Review + assign.
Save the Credentials in Vantage
After you complete the steps for connecting via the Azure CLI or Azure portal, follow the steps below to add the Azure tenant ID, service principal App ID, and service principal password/secret in Vantage.
- Navigate to the Integrations page in the Vantage console, and add an Azure integration.
- On the Azure integration page, click Add Credentials.
- Add the Azure AD Tenant ID, Service Principal App ID, and Service Principal Password you previously obtained, then click Connect Account. Vantage will begin importing your Azure costs.
Next Steps: Manage Workspace Access
Once your costs are imported, select which workspaces this integration is associated with. See the Workspaces documentation for information.
Data Refresh
See the provider data refresh documentation for information on when data for each provider refreshes in Vantage.
Azure Cost and Rightsizing Recommendations
Vantage currently supports cost recommendations for Compute Reserved Instances and Compute Unattached Virtual Hard Disks (disks that have not been attached to a VM in the last 30 days). Each recommendation shows potential savings value, which is something that is not shown in Azure Advisor. Savings estimates are displayed in USD.
Kubernetes and AKS
Vantage supports Kubernetes cost allocation on Azure, including Kubernetes clusters running on VMs or through AKS. Vantage recommends using the Vantage Kubernetes agent to monitor and ingest Kubernetes costs from Azure.
Azure Reporting Dimensions
On Azure Cost Reports, you can filter across several dimensions:
- Resource Group (resource group name)
- Category (e.g., Virtual Network IP Addresses)
- Tag/Not Tagged (includes Azure tags and virtual tags created in Vantage for this provider)
- Subcategory (e.g., Virtual Network Standard IPv4 Static Public IP)
- Resource (resource ID)
- Region (e.g., Us East)
- Charge Type (e.g., Usage)
- Subscription (subscription name)
- Marketplace (Toggle to show only Marketplace purchases or excluded)
- Service (e.g., Virtual Machines)