Skip to main content

Azure

Vantage integrates with your Azure account using an Active Directory Service Principal. This principal is then assigned access to either management groups or individual subscriptions.

You can connect hundreds of Azure subscriptions to Vantage through the management group method. Any subscriptions that are part of a resource group will be automatically imported.

note

The service principal is granted Reader permissions. It does not have permissions—nor will it ever attempt—to make any changes to your infrastructure.

Connect Your Azure Account

tip

Instructions are provided below for you to connect via the Azure CLI or the Azure portal.

Connect via the Azure CLI

Prerequisites

  • The below commands are run via the Azure CLI. Ensure you have access to Azure CLI and can create service principals and manage their permissions.
  • Create a free Vantage account, then follow the steps below to integrate Azure costs.

Step 1: Create an Azure Service Principal

Create a service principal using the following command:

az ad sp create-for-rbac -n "vantage"

You should see output similar to the below output:

{
"appId": "2d218f0f5-7ad5-4a12-abc7-bad2889d6407",
"displayName": "vantage",
"password": "8zkj3~yswKd433U12SHrvp22UoA6tOOOkZ_BYar2",
"tenant": "1050a480-ef60-43d7-b8db-224aad100b60"
}

Record the appId, password, and tenant as you will enter these credentials into the Vantage console.

Step 2: Grant the Service Principal Permissions

note

Vantage recommends assigning permissions to a management group that aggregates your subscriptions. By following this recommendation, you do not have to manually assign each subscription.

Grant permissions to the appId from the service principal created above. The scope can be a subscription or management group. Ensure you replace <SERVICE_PRINCIPAL_APP_ID> with the appId. Replace <MANAGEMENT_GROUP_ID> (or <SUBSCRIPTION_ID>) with your management group ID (or subscription ID).

az role assignment create --assignee <SERVICE_PRINCIPAL_APP_ID> \
--role Reader \
--scope "/providers/Microsoft.Management/managementGroups/<MANAGEMENT_GROUP_ID>"

Skip to the Save the Credentials in Vantage section for the steps to complete the connection with Vantage.

Connect via the Azure Portal

Prerequisites

  • The below instructions are for connecting using the Azure portal. If you already completed the steps via the Azure CLI, skip to the Save the Credentials in Vantage section. You should have access to set up service principals and grant those service principals permissions.
  • Create a free Vantage account, then follow the steps below to integrate Azure costs.

Step 1: Create a New Application Registration

  1. From the main page of the Azure portal, search for and navigate to Microsoft Entra ID.
  2. In the left navigation, under Manage, select App registrations.
  3. Click + New registration.
    Expand to view example image
    Azure portal with App Registration menu option selected
  4. The Register an application screen is displayed. For Name, enter vantage.
  5. Leave all other settings as their defaults and click Register.
    Expand to view example image
    Azure portal the Register an application screen and vantage entered as app name
  6. The app details are displayed. Record the Application (client) ID and Directory (tenant) ID to use later.
    Expand to view example image
    Azure portal with the client ID and tenant ID displayed and highlighted

Step 2: Generate a Client Secret

  1. On the same page, next to the Client credentials field, click Add a certificate or secret. (You can also access the Certificates and secrets screen from the left navigation menu.)
  2. Click + New client secret.
  3. The Add a client secret pane is displayed. For Description, enter a description, such as vantage-secret.
    Expand to view example image
    Azure portal with the Azure client secret window open and a new secreted created called vantage-secret
  4. For Expires, select an expiration option for the secret.
    caution

    If this secret expires, you will need to supply Vantage with a new secret before the expiration date.

  5. Click Add.
  6. The newly created secret is displayed. Copy the secret's Value to add to the Vantage console later. This value will be displayed only one time.

Step 3: Grant the Service Principal Permissions

note

Vantage recommends assigning permissions to a management group that aggregates your subscriptions. By following this recommendation, you do not have to manually assign each subscription.

  1. From the top navigation, search for and navigate to Management groups. (If you want to assign permissions to a subscription, navigate to Subscriptions.)
  2. Open the management group for which you will be assigning permissions.
  3. On the left navigation, click Access control (IAM).
  4. Click Add role assignment.
    Expand to view example image
    Azure portal with management group window open. The Access control tab is highlighted.
  5. On the Add role assignment screen, select Reader. Then, click Next.
    Expand to view example image
    Azure portal with Reader role highlighted
  6. For Assign access to, select User, group, or service principal.
  7. Click + Select members. The Select members tab is displayed on the right. Search for the vantage app you created before. Select the listed app, then click Select.
    Expand to view example image
    Azure portal with Add role assignment window displayed
  8. Click Next > Review + assign.

Save the Credentials in Vantage

After you complete the steps for connecting via the Azure CLI or Azure portal, follow the steps below to add the Azure tenant ID, service principal App ID, and service principal password/secret in Vantage.

  1. Navigate to the Integrations page in the Vantage console, and add an Azure integration.
  2. On the Azure integration page, click Add Credentials.
  3. Add the Azure AD Tenant ID, Service Principal App ID, and Service Principal Password you previously obtained, then click Connect Account. Vantage will begin importing your Azure costs.

Azure Cost and Rightsizing Recommendations

Vantage currently supports cost recommendations for Compute Reserved Instances and Compute Unattached Virtual Hard Disks (disks that have not been attached to a VM in the last 30 days). Each recommendation shows potential savings value, which is something that is not shown in Azure Advisor. Savings estimates are displayed in USD.

Kubernetes and AKS

Vantage supports Kubernetes cost allocation on Azure, including Kubernetes clusters running on VMs or through AKS. Vantage recommends using the Vantage Kubernetes agent to monitor and ingest Kubernetes costs from Azure.

Azure Reporting Dimensions

On Azure Cost Reports, you can filter across several dimensions:

  • Resource Group
  • Category
  • Tagged/Not Tagged
  • Subcategory
  • Resource
  • Region
  • Subscription
  • Service

Manage Workspace Access

See the Workspaces documentation for information on how to update workspace access for an integration.