# Connecting to Azure

At a high level, OneLens uses an **App Registration** created in your Microsoft Entra tenant and assigned the appropriate **read-only IAM roles** (Azure RBAC) for resource visibility and cost/usage metrics. An **External User** (a B2B guest account) is also created with the same read-only roles so that our FinOps experts can manually analyze your environment and identify potential savings.

{% hint style="info" %}
For a full list of IAM roles provisioned to the App Registration and External User, please refer to the [IAM roles](#iam-roles) section.
{% endhint %}

{% hint style="warning" %}
The roles assigned are limited in scope and grant only the permissions OneLens needs to function. Nothing in your existing workloads is modified; the only resources created are the OneLens components listed below (a resource group, a storage account for cost exports and the two Cost Management exports). Access is **read-only** and fully **reversible**: delete the role assignments, the App Registration (or just its client secret) and the guest user at any time to revoke access, and delete the OneLens resource group and cost exports to remove the integration entirely. OneLens cannot read or alter data beyond what these role assignments permit.
{% endhint %}

### Architecture

Below is the architecture on our end to support ingestion and analysis of your Azure data:

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FtkxnhMXZEoVa5P27SM9u%2FOneLens%20Multicloud%20Architecture%20for%20Azure%20Customers%20-%20after%20frontend%20migration.png?alt=media&#x26;token=7ff32774-3f7e-4142-9635-e315af65a0b3" alt=""><figcaption></figcaption></figure>

### Integration flow

Below is a step-by-step flow of the integration process for your Azure environment:

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FxnwBskKDE0UCVAWI9ggt%2FAzure_flowchart3.png?alt=media&#x26;token=26f4e2e1-175a-4a6d-9930-e581cc00a6c4" alt=""><figcaption></figcaption></figure>

### Components created in your environment

* **Identity:**
  * App Registration (the service principal OneLens authenticates as)
  * Client Secret for the App Registration (the credential OneLens uses to obtain tokens; rotating or deleting it stops OneLens from obtaining new tokens)
  * Guest (B2B) User, the "External User" used by the OneLens FinOps team
* **Infrastructure:**
  * Resource Group, for hosting all OneLens resources
* **Storage:**
  * Storage Account, for storing cost export data
  * Blob Container, for storing cost export data
* **Cost Management Exports:**
  * Actual Cost export
  * Amortized Cost export

### IAM roles

<table><thead><tr><th width="163">IAM Role</th><th width="177">Scope</th><th width="163">Assignee</th><th width="206">Purpose</th></tr></thead><tbody><tr><td>Reader</td><td>Target scope*</td><td>App Registration, External User</td><td>Read resource metadata.</td></tr><tr><td>Cost Management Reader</td><td>Target scope*</td><td>App Registration, External User</td><td>Read cost analysis data.</td></tr><tr><td>Billing Reader</td><td>Management Group or Subscription</td><td>App Registration</td><td>Read invoice and billing data (EA accounts).</td></tr><tr><td>Billing Account Reader</td><td>Billing account</td><td>App Registration</td><td>Read billing data (MCA/MOSP accounts).</td></tr><tr><td>Storage Blob Data Reader</td><td>Storage account</td><td>App Registration, External User</td><td>Read exported cost report data.</td></tr></tbody></table>

\* *Target scope is the Resource Group, Subscription or Management Group at which you integrate, as per your desired setup.*

### Resource providers enabled

For OneLens to call the relevant Azure APIs for cost analysis, the setup registers the following Resource Providers on your subscription(s). Registering a provider only makes its API available in the subscription; it does not create any resources by itself:

* `Microsoft.CostManagementExports`
* `Microsoft.CostManagement`
* `Microsoft.Billing`
* `Microsoft.Storage`
* `Microsoft.ContainerService` *(if AKS analysis enabled)*
* `Microsoft.Insights` *(if AKS analysis enabled)*
* `Microsoft.OperationalInsights` *(if AKS analysis enabled)*
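As a check after setup, the following script (an added example, not part of OneLens or of this page's tooling) reads the JSON that `az role assignment list --assignee <appId> --all -o json` and `az provider list -o json` print and verifies the two lists above: that the App Registration's service principal holds only the five roles from the IAM roles table, each at or below its agreed scope, and that every resource provider the integration needs is in the `Registered` state. The subscription, resource group, storage account and billing account IDs, and the sample role assignments and provider states, are constructed placeholders; the role names and provider namespaces are the ones this page lists.

```python
"""Post-setup verification for the OneLens Azure integration (added example).

From Azure CLI JSON output, checks that (1) the App Registration holds only
the documented read-only roles, each at or below an agreed scope, and (2) the
resource providers the integration calls are registered. Capture inputs with:
    az role assignment list --assignee <appId> --all -o json > assignments.json
    az provider list -o json > providers.json
"""
import json
import sys

# Roles from the IAM roles table, and the kind of scope each belongs at.
EXPECTED_ROLES = {
    "Reader": "target",
    "Cost Management Reader": "target",
    "Billing Reader": "target",
    "Billing Account Reader": "billing",
    "Storage Blob Data Reader": "storage",
}
# Unconditionally required; which billing role applies depends on the agreement.
REQUIRED_ROLES = {"Reader", "Cost Management Reader", "Storage Blob Data Reader"}
REQUIRED_PROVIDERS = ["Microsoft.CostManagementExports", "Microsoft.CostManagement",
                      "Microsoft.Billing", "Microsoft.Storage"]
AKS_PROVIDERS = ["Microsoft.ContainerService", "Microsoft.Insights",  # only if AKS
                 "Microsoft.OperationalInsights"]                    # analysis is on

def is_within(scope, allowed):
    """True if `scope` equals `allowed` or is an ARM child of it.
    Inside a subscription ARM IDs nest as path prefixes, so a prefix test on a
    '/' boundary suffices. Management-group membership is not encoded in the
    ID string, so for an MG integration list the member subscriptions as well."""
    scope, allowed = scope.lower().rstrip("/"), allowed.lower().rstrip("/")
    return scope == allowed or scope.startswith(allowed + "/")

def audit_role_assignments(assignments, allowed_scopes):
    """Findings for `az role assignment list` output ([] means clean).
    Reads only roleDefinitionName and scope; `allowed_scopes` maps
    "target" / "storage" / "billing" to lists of permitted resource IDs."""
    findings, present = [], set()
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        if role not in EXPECTED_ROLES:
            findings.append(f"unexpected role {role!r} at {scope}")
            continue
        kind = EXPECTED_ROLES[role]
        if not any(is_within(scope, s) for s in allowed_scopes.get(kind, [])):
            findings.append(f"{role!r} at {scope} is outside the agreed {kind} scope")
            continue
        present.add(role)
    for role in sorted(REQUIRED_ROLES - present):
        findings.append(f"required role {role!r} is missing or mis-scoped")
    return findings

def unregistered_providers(providers, aks_enabled):
    """Namespaces from `az provider list` output that still need registering;
    a namespace absent from the listing counts as unregistered."""
    state = {p["namespace"].lower(): p.get("registrationState") for p in providers}
    wanted = REQUIRED_PROVIDERS + (AKS_PROVIDERS if aks_enabled else [])
    return [ns for ns in wanted if state.get(ns.lower()) != "Registered"]

def run_checks(assignments, providers, target_scope, storage_id, billing_id, aks_enabled):
    allowed = {"target": [target_scope], "storage": [storage_id], "billing": [billing_id]}
    return {"role_findings": audit_role_assignments(assignments, allowed),
            "providers_to_register": unregistered_providers(providers, aks_enabled)}

# Constructed sample data with placeholder IDs; replace the IDs for a real audit.
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG = SUB + "/resourceGroups/onelens-rg"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/onelenscostexports"
BILLING = "/providers/Microsoft.Billing/billingAccounts/00000000"
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Reader", "scope": SUB},
    {"roleDefinitionName": "Cost Management Reader", "scope": SUB},
    {"roleDefinitionName": "Billing Reader", "scope": SUB},
    {"roleDefinitionName": "Storage Blob Data Reader", "scope": STORAGE},
    {"roleDefinitionName": "Contributor", "scope": RG},  # write role: must be flagged
    {"roleDefinitionName": "Reader", "scope": "/"},      # tenant root: far too broad
]
SAMPLE_PROVIDERS = [{"namespace": ns, "registrationState": st} for ns, st in [
    ("Microsoft.CostManagementExports", "Registered"), ("Microsoft.CostManagement", "Registered"),
    ("Microsoft.Billing", "Registered"), ("Microsoft.Storage", "Registered"),
    ("Microsoft.ContainerService", "NotRegistered"), ("Microsoft.Insights", "Registered"),
]]  # Microsoft.OperationalInsights is deliberately absent from the listing

if __name__ == "__main__":
    if len(sys.argv) == 3:  # python verify.py assignments.json providers.json
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            assignments, providers = json.load(f1), json.load(f2)
    else:
        assignments, providers = SAMPLE_ASSIGNMENTS, SAMPLE_PROVIDERS
    result = run_checks(assignments, providers, SUB, STORAGE, BILLING, aks_enabled=True)
    for line in result["role_findings"]:
        print("ROLE    :", line)
    for ns in result["providers_to_register"]:
        print("PROVIDER: az provider register --namespace", ns)
```

Run it with no arguments to exercise the constructed sample (it flags the stray `Contributor` and the root-scoped `Reader`, and reports the two AKS providers that are not registered), or pass the two JSON files to audit a real tenant after replacing the placeholder IDs. The same role audit applies to the External User by running `az role assignment list` with that guest's object ID as the assignee. Any line the script prints is something to resolve before relying on the read-only guarantee described above.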

### Integration steps

OneLens supports every Azure organizational structure: you can monitor an entire Management Group hierarchy, individual subscriptions with separate billing, or a single Resource Group.

To get started, follow the guide below to integrate your Azure account with OneLens using the automated setup powered by Terraform:

{% content-ref url="connecting-to-azure/automated-using-terraform" %}
[automated-using-terraform](https://docs.onelens.cloud/integrations/cloud-and-cost-sources/connecting-to-azure/automated-using-terraform)
{% endcontent-ref %}

***

If you prefer to integrate manually through the Azure Portal, follow the guide below for your desired scope:

* **Management Groups:** For organizations with multiple subscriptions.

{% content-ref url="connecting-to-azure/at-management-group" %}
[at-management-group](https://docs.onelens.cloud/integrations/cloud-and-cost-sources/connecting-to-azure/at-management-group)
{% endcontent-ref %}

* **Subscriptions:** For single or multiple subscriptions with individual billing.

{% content-ref url="connecting-to-azure/at-subscription-level" %}
[at-subscription-level](https://docs.onelens.cloud/integrations/cloud-and-cost-sources/connecting-to-azure/at-subscription-level)
{% endcontent-ref %}

* **Resource Groups:** For granular, isolated integration.

{% content-ref url="connecting-to-azure/at-resource-group" %}
[at-resource-group](https://docs.onelens.cloud/integrations/cloud-and-cost-sources/connecting-to-azure/at-resource-group)
{% endcontent-ref %}
