Connecting to Azure

Aimably Documentation > Data Integrations > Connecting to Azure

Confirm the Scope of the Integration

This analysis should be performed on all Azure Subscriptions and Billing Accounts, including those Subscriptions and/or Billing Accounts that are accessed through an unaffiliated Microsoft Entra ID accounts. 

This analysis covers the last 12 months of usage data. Please grant access to every Subscription and Billing Account that has had activity in the last 12 months, even if not currently active.

Create a scope list of every Azure Subscription and Billing Account associated with your business. This list will be used to verify Aimably access.

Invite Aimably As Guest to Microsoft Entra ID

Sign in to the Azure portal as the Account Administrator.

Search for and select “Microsoft Entra ID” from any page. (Azure Active Directory was recently renamed to “Microsoft Entra ID”.  If Microsoft Entra ID cannot be found, search for Users)

Under “Manage,” select “Users” from the left-panel menu.

Select “+ New user” from the top of the page, then select “Invite external user.” (Or, if you're using the legacy experience, select “New guest user”).

On the New user page:

• Complete the following required fields:

• Email Address: azureintegration@aimably.com

• Display Name: Aimably Integration

• Check the box labeled “Send invite message” and complete the additional fields:

• Message: Invitation for Aimably Integration guest user

• Cc:  Leave Blank or use your own email to confirm the message is sent

• Do not adjust any other fields, then click the “Review + Invite” button

Repeat this process for any other Microsoft Entra Directories in use.

Grant Reader and Reader and Data Access to Each Subscription Using Azure Portal

Sign in to the Azure portal as the Account Administrator.

Search for and select “Subscriptions” from any page.

Click on the first Subscription on the list

Select “Access control (IAM)” from the left-panel menu.

To add “Reader” access, 

• Select “Add” from the top of the page, then select “Add role assignment”

• From the Roles list, search for and select “Reader”

• Select “Members” at the top of the page. Confirm “Reader” is entered at the “Selected role” line and “User, group, or service principal” is selected at the “Assign access to” line, then click “Select Members”

• Enter azureintegration@aimably.com in the selection window and select the Aimably Integration user, then click “Select”

• Select “Review + assign” at the top of the page. Confirm all data matches your expectations, then click “Review + assign” at the bottom of the page.

To add “Reader and Data Access”

• Select “Add” from the top of the page, then select “Add role assignment”

• From the Roles list, search for and select “Reader and Data Access”

• Select “Members” at the top of the page. Confirm “Reader” is entered at the “Selected role” line and “User, group, or service principal” is selected at the “Assign access to” line, then click “Select Members”

• Enter azureintegration@aimably.com in the selection window and select the Aimably Integration user, then click “Select”

• Select “Review + assign” at the top of the page. Confirm all data matches your expectations, then click “Review + assign” at the bottom of the page.

Repeat this process for every Subscription on the Subscriptions list, then sign into any other Microsoft Entra Directories and repeat this for the Subscriptions therein.

Alternatively, you can use the CLI to perform these two steps faster:

• List the current subscriptions
  az account list --query "[].{Name:name, ID:id, State:state}" --output table

• Assign the roles to the Aimably user for each subscription:
  az role assignment create --assignee azureintegration@aimably.com --role "Reader" --scope /subscriptions/{subscriptionId}
  az role assignment create --assignee azureintegration@aimably.com --role "Reader and Data Access" --scope /subscriptions/{subscriptionId}

Grant Billing Reader Access to Billing Account Using Azure Portal

Sign in to the Azure portal as the Account Administrator.

Search for and select “Cost Management + Billing” from any page.

Review the default Scope by clicking the “Scope” selection pill at the top-left of the view. Select the Billing Account as the Scope if it has not already been selected.

Select “Access Control (IAM)” or “Access Control” from the left panel menu.

Select “Add” from the top of the page. 

In the “Role” drop-down list, select “Billing Account Reader.” 

In the “Select” list, enter azureintegration@aimably.com.

Select “Save.”

Repeat this process for any Billing Accounts within the same Azure Active Directory. Then, sign into any other Microsfoft Entra Directories and repeat this process for the Billing Accounts therein.

Re-Confirm the Scope

Sign in to the Azure portal as the Account Administrator.

Search for and select “Users” from any page.

Select the “Aimably Integration” user from the Users list.

Select “Azure role assignments” from the left-panel menu.

Review all entries to ensure Reader and Billing Reader access has been granted to all known Azure subscriptions.

Repeat this process by signing into any other Microsoft Entra  Directories and repeat this process for the Aimably Integration user therein.

Repeat the process from the top if any Reader or Billing Reader permissions are missing for any known Subscriptions.

When this process is completed, please email your project lead to confirm that integration has been configured and request a review of your setup.