Connecting to Azure

At a high level, OneLens uses an App Registration created in your environment with the appropriate read-only IAM roles for resource visibility and cost/usage metrics. An External User is also created with similar IAM roles in your environment to enable our FinOps experts to manually analyze and identify potential savings.

For a full list of IAM roles provisioned to the App Registration and External User, refer to the IAM roles section.

Architecture

Below is the architecture on our end to support ingestion and analysis of your Azure data:

Integration flow

Below is a step-by-step flow of the integration process for your Azure environment:

Components created in your environment

  • Identity:
    • App Registration
    • Client Secret for App Registration
    • Guest User as external user
  • Infrastructure:
    • Resource Group, for hosting all OneLens resources
  • Storage:
    • Storage Account, for storing cost export data
    • Blob Container, for storing cost export data
  • Cost Management Export:
    • Actual Cost export
    • Amortized Cost export

IAM roles

| IAM Role | Scope | Assignee | Purpose |
| --- | --- | --- | --- |
| Reader | Target scope* | App Registration, External User | Read resource metadata. |
| Cost Management Reader | Target scope* | App Registration, External User | Read cost analysis data. |
| Billing Reader | Management Group or Subscription | App Registration | Read invoice and billing data (for EA). |
| Billing Account Reader | Billing account | App Registration | Read billing data (for MCA/MOSP). |
| Storage Blob Data Reader | Storage account | App Registration, External User | Read exported cost report data. |

* Target scope can be a Resource Group, Subscription or a Management Group, as per your desired setup.
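Because the App Registration is a third-party identity in your tenant, it is worth verifying after setup that it holds only the roles listed above, each at the scope kind the table describes. The following is an added example, not OneLens code: it audits a role-assignment list in the JSON shape produced by `az role assignment list --assignee <appId> --all -o json` (fields `roleDefinitionName` and `scope`) against the documented role set. The sample assignments and the subscription, resource group and storage account names are constructed placeholders.

```python
import json

# Roles the integration is documented to need, with the scope kinds at which
# each is expected (derived from the IAM roles table on this page).
EXPECTED_ROLES = {
    "Reader": {"managementGroup", "subscription", "resourceGroup"},
    "Cost Management Reader": {"managementGroup", "subscription", "resourceGroup"},
    "Billing Reader": {"managementGroup", "subscription"},
    "Billing Account Reader": {"billingAccount"},
    "Storage Blob Data Reader": {"storageAccount"},
}


def scope_kind(scope: str) -> str:
    """Classify an ARM scope path by its most specific segment."""
    s = scope.lower()
    if "/providers/microsoft.management/managementgroups/" in s:
        return "managementGroup"
    if "/providers/microsoft.billing/billingaccounts/" in s:
        return "billingAccount"
    if "/providers/microsoft.storage/storageaccounts/" in s:
        return "storageAccount"  # checked before resourceGroup: path contains both
    if "/resourcegroups/" in s:
        return "resourceGroup"
    if s.startswith("/subscriptions/"):
        return "subscription"
    return "other"


def audit(assignments):
    """Return findings: roles outside the expected set, or expected roles at an unexpected scope kind."""
    findings = []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        kind = scope_kind(scope)
        if role not in EXPECTED_ROLES:
            findings.append(f"unexpected role '{role}' at {scope}")
        elif kind not in EXPECTED_ROLES[role]:
            findings.append(f"'{role}' at unexpected scope kind '{kind}': {scope}")
    return findings


# Constructed sample: two legitimate assignments, then two that should be flagged
# (a write-capable role, and a data-plane reader granted subscription-wide).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = json.loads(f"""[
 {{"roleDefinitionName": "Reader", "scope": "{SUB}"}},
 {{"roleDefinitionName": "Storage Blob Data Reader", "scope": "{SUB}/resourceGroups/rg-onelens/providers/Microsoft.Storage/storageAccounts/stonelens"}},
 {{"roleDefinitionName": "Contributor", "scope": "{SUB}"}},
 {{"roleDefinitionName": "Storage Blob Data Reader", "scope": "{SUB}"}}
]""")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Run the same `audit` over the External User's assignments as well; the Guest User is expected to hold the same read-only roles.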

Resource providers enabled

For OneLens to be able to call the relevant Azure APIs for cost analysis, we enable the following Resource Providers on your subscription(s):

  • Microsoft.CostManagementExports

  • Microsoft.CostManagement

  • Microsoft.Billing

  • Microsoft.Storage

  • Microsoft.ContainerService (if AKS analysis enabled)

  • Microsoft.Insights (if AKS analysis enabled)

  • Microsoft.OperationalInsights (if AKS analysis enabled)

Integration steps

OneLens supports seamless integration across all Azure organizational structures. You can configure the platform to monitor an entire Management Group hierarchy, individual subscriptions with separate billing, or granular Resource Groups.

To get started, follow the guide below to integrate your Azure account with OneLens using a seamless automated setup powered by Terraform:

Automated using Terraform

If you prefer to integrate manually using the Azure Portal console, follow the appropriate guide below as per your desired scope:

  • Management Groups: For organizations with multiple subscriptions.
    At Management Group
  • Subscriptions: For single or multiple subscriptions with individual billing.
    At Subscription Level
  • Resource Groups: For granular, isolated integration.
    At Resource Group
