Azure for Cloud Insights

Cloud Insights enables you to discover and monitor your cloud infrastructure. With Azure for Cloud Insights, you can use Inventory View to display a catalog of the cloud resources discovered through Inventory Monitoring, grouped by type, with configuration details and relationships.

To set up Azure Inventory Monitoring for Cloud Insights:

  1. Identify the Azure subscriptions to monitor and create an app registration in Azure.

  2. Then, assign the appropriate roles so the ThousandEyes integration can access your inventory data.

  3. Finally, create an Inventory Monitoring integration for the Azure subscriptions in ThousandEyes.

For instructions, see Creating the Azure Inventory Monitoring Integration for Cloud Insights.

Permissions Required for Azure Integration

Azure Permissions for Cloud Insights Integration

Use an Azure service principal to securely integrate Azure services and APIs with ThousandEyes. An Azure service principal is a security identity within Microsoft Entra ID used by applications, services, or automated tools to authenticate and access specific Azure resources in a non-interactive manner. Microsoft Entra ID serves as the identity provider for authenticating users and authorizing access to protected resources. The service principal acts as a programmatic equivalent of a user account, enabling secure, role-based access to Azure services without relying on human credentials. Service principals are useful for automation, CI/CD pipelines, and application integrations, providing fine-grained control over permissions.

To learn more about service principals, see Service Principal. To learn more about Microsoft Entra ID (formerly Azure Active Directory), see Microsoft Entra ID.

You must have the necessary Azure permissions to create a dedicated service principal for ThousandEyes Cloud Insights and to assign the appropriate built-in Azure roles.

In the Azure portal UI, service principals are called "App Registrations". You can use the same app registration to monitor multiple subscriptions (see Cloud Insights Integrations for Multiple Microsoft Entra Tenants for more information). For a detailed step-by-step guide on creating an app registration for ThousandEyes Cloud Insights, see Create a New App Registration in Azure.

ThousandEyes Permissions for Azure Integration with Cloud Insights

To create the integrations, you must have an Organization Admin or Account Admin role in the ThousandEyes platform. For more information about ThousandEyes roles, see Role-Based Access Control, Explained.

How ThousandEyes Manages the Integrations

In ThousandEyes, organizations are divided into account groups. Cloud Insights integrations are specific to each account group. This means that an integration created in one account group is not shared with other groups. Each account group can configure integrations to monitor Azure subscriptions within your cloud network. ThousandEyes recommends creating a single Inventory Monitoring integration even when monitoring multiple Azure subscriptions. If you require multiple Inventory Monitoring integrations within each account group, however, this is also supported.

The monitored subscriptions must be associated with the same Microsoft Entra tenant. If your subscriptions span multiple Microsoft Entra tenants, see the section Cloud Insights Integrations for Multiple Microsoft Entra Tenants.

Cloud Insights Integrations for Multiple Microsoft Entra Tenants

If your Azure subscriptions span multiple Microsoft Entra tenants, create at least one Inventory Monitoring integration, with its own unique app registration, for each such tenant.

Cloud Insights automatically discovers the subscriptions in your Azure tenants, allowing multiple Azure subscriptions to be monitored using the same integration in each tenant. However, the same service principal (app registration) cannot be shared across multiple Inventory Monitoring integrations. This restriction prevents the same Azure subscription from being monitored by more than one integration.

For example, three different account groups within a ThousandEyes organization could each monitor one or more Azure subscriptions. Each monitored Azure subscription can span multiple regions. Account Group A can monitor two Azure subscriptions within Microsoft Entra Tenant A, Account Group B monitors one additional subscription within the same Microsoft Entra Tenant A, and Account Group C monitors another subscription in a completely separate Microsoft Entra tenant, Microsoft Entra Tenant B. In this case, one Inventory Monitoring integration would be configured for all subscriptions in Tenant A and a second Inventory Monitoring integration would be configured for the subscription in Tenant B.

Creating the Azure Inventory Monitoring Integration for Cloud Insights

These instructions cover setting up the integration using the Azure portal UI. For instructions on setting up the integration via command line (CLI), see CLI Instructions for Setting Up Azure Inventory Monitoring.

Azure Inventory Monitoring Overview

Cloud Insights Azure Inventory Monitoring collects inventory and configuration data from your Azure subscriptions over time. This data is used in Cloud Insights to:

  • Automatically discover and catalog assets, maintaining an up-to-date inventory without manual effort. This eliminates the need for manual documentation by providing a time-correlated inventory of VNETs, subnets, instances, and more, with metadata like resource IDs and regions. You can view your Azure network assets, including their types and locations, by navigating to Cloud Insights > Inventory.

  • Track configuration and operational events (e.g., subnet additions, network security group changes, backend targets changing to unhealthy). You can view historical changes and events under Cloud Insights > Inventory.

  • Correlate infrastructure changes with agent-based metrics (e.g., latency, response time) to pinpoint root causes quickly. You can time-correlate configuration events with performance data in Network & App Synthetics > Views.

  • Track changes and flag anomalies, indicating possible unauthorized or misconfigured resources, ensuring compliance and secure configurations.

  • Identify overprovisioned or underutilized cloud resources that can increase costs, enabling optimization of infrastructure for performance and cost-efficiency. Highlight resource attributes in the Inventory, guiding cost-saving adjustments.

  • Provide end-to-end visibility across cloud infrastructures, integrating with agent data for comprehensive monitoring. Visualize cross-cloud dependencies in the Topology view under Network & App Synthetics > Views.

To create the Azure Inventory Monitoring integration:

Create an Azure App Registration for Inventory Monitoring

For the Inventory Monitoring integration, create an app registration (aka service principal) and assign a custom role to it. This role grants the service principal the necessary permissions to interact with Azure resources and perform the required monitoring tasks. Then, set the scope to the subscription you wish to monitor. If you have multiple subscriptions you want to monitor, consider setting the scope to the management group level, which aggregates the subscriptions (for instructions, see CLI Instructions for Management Groups).

For more information about assigning custom roles, see Azure custom roles. For more information about the permissions granted to ThousandEyes via the service principal, see Understand Azure role definitions: Actions and Azure permissions for Networking. These permissions are listed as "Actions" in step 3 of CLI Instructions for Setting Up Azure Inventory Monitoring.

Create a New App Registration in Azure

The following steps walk through creating the new app registration and noting the parameters needed for the ThousandEyes Cloud Insights integration. In ThousandEyes, these parameters are App ID, Tenant ID, and Password.

If you need more detailed instructions for setting up an Azure service principal, see How to Create a Service Principal.

  1. In the Azure portal, select the App registrations service at the top of the screen. This takes you to a new screen that is titled "App registrations".

  2. Click on New Registration (located in the top left corner). This takes you to a new screen that is titled "Register an application".

  3. Name your app registration (e.g., ThousandEyesCloudInsights) and click the Register button located at the bottom of the screen.

  4. After the registration is complete, Azure will redirect you to an Overview page for the new app registration. Make a note of the Application (client) ID and Directory (tenant) ID values.

The Application (client) ID and Directory (tenant) ID values are needed for the ThousandEyes Cloud Insights integration.

  5. On the left side menu of the screen, select Manage > Certificates & secrets. A screen appears with the title "Certificates & secrets".

  6. Click on New client secret to create a new application password.

  7. A side panel appears on the right. Enter a description into the "Description" field. Click the Add button at the bottom of the side panel.

  8. The side panel closes and the "Certificates & secrets" screen now shows the client secret you just created. Make a note of the contents of the Value field.

The Client secret Value is what you provide in the Password field for the ThousandEyes Cloud Insights integration.

Create and Assign Roles to the Azure App Registration

Once the app registration has been created in Azure, create and assign roles to the app registration that will grant permissions for interacting with Azure resources and performing monitoring tasks.

ThousandEyes Cloud Insights Inventory Monitoring requires a custom role. The following instructions walk through how to create and assign that role to the ThousandEyesCloudInsights app registration created in the previous section.

  1. In the Azure portal, navigate to the Subscriptions service.

  2. Select the subscription you want to monitor in Cloud Insights Inventory Monitoring. In the subscription overview page that appears, click Access control (IAM) from the menu on the side.

  3. Click Create custom role. In the new window, select the JSON tab, then Edit.

  4. Modify the JSON to match the example below, ensuring that all subscriptions you plan to monitor are included under assignableScopes. Note: if you want to scope the role to a management group, use "/providers/microsoft.management/managementGroups/{group_id}" as the assignable scope (see CLI Instructions for Management Groups for more information about scoping for management groups).

{
  "properties": {
    "roleName": "thousandeyes-inventory-role",
    "description": "Cloud Insights Inventory Monitoring",
    "assignableScopes": [
      "/subscriptions/{subscription_id}"
    ],
    "permissions": [
      {
        "actions": [
          "*/read",
          "microsoft.network/virtualnetworkgateways/getadvertisedroutes/action",
          "microsoft.network/virtualnetworkgateways/getlearnedroutes/action",
          "Microsoft.Network/virtualHubs/effectiveRoutes/action"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

  5. Click Next, then Create. The Review + create tab appears.

  6. To assign the role you just created, go back to the Access control (IAM) screen from step 2.

  7. Click Add role assignment. A screen opens with the title Add role assignment.

  8. Search for the name of the custom role you created and select it from the list. Then click Next.

  9. Click Select members. A side panel appears with the title Select members. Search for your application by name (e.g., ThousandEyesCloudInsights), then select it from the list under the search box. The application is now listed under Selected members. Click the Select button at the bottom of the side panel.

  10. Click Review + assign. A new screen appears with the title Add role assignment. The subscription ID from the previous screen is now added to the Scope field of the application. Click Review + assign again to finalize the process.

Follow these steps for each subscription or management group you wish to monitor, ensuring that the custom role is assigned to the app registration. This grants the ThousandEyes Cloud Insights Inventory Monitoring integration access to monitoring data from the subscriptions.

Create the Inventory Monitoring Integration in ThousandEyes

The integration for Azure Inventory Monitoring gives ThousandEyes secure access to your Azure subscription information and data. Before you begin, you'll need the App ID, Tenant ID, and Password for the app registration (service principal) you created in the section Create a New App Registration in Azure.

To find the App ID in the Azure portal, navigate to App registrations. Your application is listed under the All applications tab. You can find the App ID needed for ThousandEyes under the Application (client) ID column.

To find the Tenant ID in the Azure portal, using the search bar at the top of the page, search for "Tenant properties". You can find the Tenant ID needed for ThousandEyes in the Tenant ID field.

To find the Password in the Azure portal, navigate to Manage > Certificates and secrets. Select the Client secrets tab. Locate the row where the Description is the name of your custom role. You can find the Password needed for ThousandEyes under the Value column.

To set up Inventory Monitoring:

  1. In the ThousandEyes app, go to Manage > Integrations.

  2. Click + New Integration in the top right corner.

  3. In the Add New Integration side panel that opens, select Microsoft Azure Cloud Services.

  4. Name your integration. The name must be unique; duplicate names are not permitted.

  5. Select Inventory Monitoring from the ThousandEyes Supported Services dropdown.

  6. Fill in the App ID, Tenant ID, and Password for the app registration you created for this integration.

An app registration already in use by another Inventory Monitoring integration cannot be reused. This restriction ensures that each integration performs independent subscription discovery, preventing duplicate monitoring of the same subscription across multiple integrations.

  7. Click Test.

The Test function only validates the trust relationship between Azure and ThousandEyes; it does not validate the permission policy.

  8. If testing was successful, click Save. If testing was not successful, see Troubleshooting Azure Integration for Cloud Insights.

  9. After saving successfully, the integrations list shows your new integration with a status of Pending. The status changes to Connected once the subscriptions have been fully onboarded.

Figure: A successful test of the Azure integration
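Because the Test function does not validate the permission policy, the role assignments have to be checked on the Azure side. The following is an added example, not ThousandEyes or Microsoft code: it compares role assignments exported with `az role assignment list --assignee <App ID> --all --output json` against the subscriptions you intend to monitor. The sample assignments and IDs are constructed, and `mg_members` is a hypothetical caller-supplied map of management group ID to member subscriptions.

```python
import re

EXPECTED_ROLE = "thousandeyes-inventory-role"   # custom role name used on this page
SUB_RE = re.compile(r"^/subscriptions/([^/]+)$", re.I)
MG_RE = re.compile(r"^/providers/microsoft\.management/managementgroups/([^/]+)$", re.I)


def check_assignments(assignments, wanted_subs, mg_members=None):
    """Compare the service principal's role assignments with the monitoring plan.

    assignments: entries carrying "roleDefinitionName" and "scope"
    wanted_subs: subscription IDs the integration is meant to monitor
    mg_members:  hypothetical map of management group ID to the subscription IDs
                 it contains (membership is not part of the assignment export)
    """
    members = {k.lower(): {s.lower() for s in v} for k, v in (mg_members or {}).items()}
    wanted = {s.lower() for s in wanted_subs}
    covered, extra_roles, other_scopes = set(), [], []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"].rstrip("/")
        if role != EXPECTED_ROLE:
            extra_roles.append(f"{role} at {a['scope']}")   # more than the page grants
            continue
        sub, mg = SUB_RE.match(scope), MG_RE.match(scope)
        if sub:
            covered.add(sub.group(1).lower())
        elif mg:
            covered |= members.get(mg.group(1).lower(), set())
        else:
            other_scopes.append(a["scope"])                 # e.g. root or a resource group
    return {
        "missing": sorted(wanted - covered),     # planned, but the role is not assigned
        "unplanned": sorted(covered - wanted),   # readable, but not in the plan
        "extra_roles": sorted(extra_roles),
        "other_scopes": sorted(other_scopes),
    }


# Constructed sample data (made-up subscription IDs and management group name).
SUB_A, SUB_B, SUB_C, SUB_D = (f"00000000-0000-0000-0000-00000000000{c}" for c in "abcd")
SAMPLE = [
    {"roleDefinitionName": EXPECTED_ROLE, "scope": f"/subscriptions/{SUB_A}"},
    {"roleDefinitionName": EXPECTED_ROLE,
     "scope": "/providers/Microsoft.Management/managementGroups/mg-prod"},
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB_A}"},
]

if __name__ == "__main__":
    report = check_assignments(SAMPLE, [SUB_A, SUB_B, SUB_C], {"mg-prod": [SUB_B, SUB_D]})
    for key, values in report.items():
        print(f"{key}: {values or 'none'}")
```
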

CLI Instructions for Setting Up Azure Inventory Monitoring

To set up the permissions in Azure needed for the ThousandEyes Inventory Monitoring integration from the command line, first make sure you have the Azure CLI (Command Line Interface) installed.

  1. From the Azure CLI, log in to your Azure account: az login.

  2. Display a list of subscriptions available in your account: az account list --output table. Make a note of the subscription_id for any subscriptions in the list you want to monitor with ThousandEyes Cloud Insights.

  3. Create a custom role that grants the necessary permissions scoped to the subscriptions you want to monitor. For scoping to management groups, see CLI Instructions for Management Groups.

az role definition create --role-definition '{
 "Name": "thousandeyes-inventory-role",
 "Description": "Cloud Insights Inventory Monitoring",
 "Actions": [
   "*/read",
   "microsoft.network/virtualnetworkgateways/getadvertisedroutes/action",
   "microsoft.network/virtualnetworkgateways/getlearnedroutes/action",
   "Microsoft.Network/virtualHubs/effectiveRoutes/action"
 ],
 "AssignableScopes": [
   "/subscriptions/{subscription_id}"
 ]
}'

  4. Create a service principal named ThousandEyesInventory and assign it the thousandeyes-inventory-role role you created in the previous step:

az ad sp create-for-rbac -n "ThousandEyesInventory" --role "thousandeyes-inventory-role" --scopes "/subscriptions/{subscription_id1}" "/subscriptions/{subscription_id2}" "/subscriptions/{subscription_id3}"

Replace each {subscription_idN} placeholder with a subscription ID from step 2. Use spaces to delimit the subscription IDs.

  5. From the CLI output returned from the previous step, copy the values for the following fields: AppId, TenantId, Password. Enter these fields into the Azure integration form in ThousandEyes when prompted.

CLI Instructions for Management Groups

When creating your custom roles, you can assign scopes by subscription, as above, or by management group, the latter enabling you to manage multiple subscriptions at the same time. If you choose to scope by management group, follow these steps. Note the following limitations that Microsoft applies to using custom roles on management groups.

  1. From the Azure CLI, log in to your Azure account: az login.

  2. Display a list of management groups available in your account: az account management-group list --output table. Note that in further steps you need the group_id; in the output from this step, the group ID is found in the Name column, not the DisplayName column.

  3. Create a custom role that grants the necessary permissions scoped to the relevant management group, replacing {group_id} with the group ID from step 2.

az role definition create --role-definition '{
 "Name": "thousandeyes-inventory-role",
 "Description": "Cloud Insights Inventory Monitoring",
 "Actions": [
   "*/read",
   "microsoft.network/virtualnetworkgateways/getadvertisedroutes/action",
   "microsoft.network/virtualnetworkgateways/getlearnedroutes/action",
   "Microsoft.Network/virtualHubs/effectiveRoutes/action"
 ],
 "AssignableScopes": [
   "/providers/microsoft.management/managementGroups/{group_id}"
 ]
}'

  4. Create a service principal named ThousandEyesInventory and assign it the thousandeyes-inventory-role role you created in the previous step:

az ad sp create-for-rbac -n "ThousandEyesInventory" --role "thousandeyes-inventory-role" --scopes "/providers/microsoft.management/managementGroups/{group_id}"

Replace {group_id} with the group ID from step 2.

  5. From the CLI output returned from the previous step, copy the values for the following fields: AppId, TenantId, Password. Enter these fields into the Azure integration form in ThousandEyes when prompted.
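The custom role is the whole permission boundary for the integration, so it is worth checking a definition against the actions listed above before creating it and again when reviewing it later. The following is an added example, not ThousandEyes or Microsoft code: it audits a role definition in either the portal JSON shape or the CLI shape shown on this page. The sample definitions are constructed, and comparing action names case-insensitively is an assumption.

```python
"""Audit a thousandeyes-inventory-role definition against the actions this page lists."""

# Actions from the page, lowercased. Comparing case-insensitively is an assumption
# made here because the page mixes "microsoft.network" and "Microsoft.Network".
BASELINE_ACTIONS = {
    "*/read",
    "microsoft.network/virtualnetworkgateways/getadvertisedroutes/action",
    "microsoft.network/virtualnetworkgateways/getlearnedroutes/action",
    "microsoft.network/virtualhubs/effectiveroutes/action",
}
# The two scope forms the page uses: a subscription or a management group.
SCOPE_PREFIXES = ("/subscriptions/", "/providers/microsoft.management/managementgroups/")


def lower_keys(d):
    return {k.lower(): v for k, v in d.items()}


def audit_role(role):
    """Return sorted findings; an empty list means the role matches the page."""
    body = lower_keys(role.get("properties", role))  # portal JSON nests under "properties"
    perms = body.get("permissions") or [body]        # CLI JSON keeps "Actions" at top level
    actions, findings = set(), []
    for perm in map(lower_keys, perms):
        actions |= {a.lower() for a in perm.get("actions") or []}
        for key in ("notactions", "dataactions", "notdataactions"):
            if perm.get(key):
                findings.append(f"{key} is not empty: {perm[key]}")
    findings += [f"unexpected action: {a}" for a in actions - BASELINE_ACTIONS]
    findings += [f"missing action: {a}" for a in BASELINE_ACTIONS - actions]
    scopes = body.get("assignablescopes") or []
    if not scopes:
        findings.append("no assignable scope")
    for scope in scopes:
        if "{" in scope:
            findings.append(f"placeholder not replaced: {scope}")
        elif not scope.lower().startswith(SCOPE_PREFIXES):
            findings.append(f"scope is not a subscription or management group: {scope}")
    return sorted(findings)


# Constructed samples: the page's portal JSON with a made-up subscription ID,
# and a drifted definition in the CLI shape.
PAGE_ROLE = {"properties": {
    "roleName": "thousandeyes-inventory-role",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000001"],
    "permissions": [{
        "actions": ["*/read",
                    "microsoft.network/virtualnetworkgateways/getadvertisedroutes/action",
                    "microsoft.network/virtualnetworkgateways/getlearnedroutes/action",
                    "Microsoft.Network/virtualHubs/effectiveRoutes/action"],
        "notActions": [], "dataActions": [], "notDataActions": []}]}}
DRIFTED_ROLE = {
    "Name": "thousandeyes-inventory-role",
    "Actions": ["*/read", "Microsoft.Network/networkSecurityGroups/write"],
    "AssignableScopes": ["/", "/subscriptions/{subscription_id}"]}

if __name__ == "__main__":
    for label, role in (("page", PAGE_ROLE), ("drifted", DRIFTED_ROLE)):
        print(label, audit_role(role) or "matches the page")
```
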

Verify Your Azure Cloud Insights Integrations

After saving your integrations, ThousandEyes will begin monitoring the resources in your Azure subscriptions. Upon saving, the integration status will initially be set to Pending. The status update can take a few minutes and requires you to refresh the page. If an issue prevents successful monitoring, the integration status will change to Failed. Clicking on the integration will display a detailed error message. If no errors occur, the integration status will change to Connected.

For more information about troubleshooting your Cloud Insights Azure integration, see Troubleshooting Azure for Cloud Insights.
