What are the impacts if you do not configure Azure Reader Role permissions for Service Principals and Subscriptions?

If the CloudHealth App, is provisioned using an Azure Service Principal, is not granted the appropriate permissions, accounts may show as UNKNOWN, Critical, or Warning. 

Individual Azure Subscriptions may also show as UNCONFIGURED or optionally toggled as Ignored.

When the Service Principal and/or Subscription status is shown as UNKNOWN, Critical, Warning, UNCONFIGURED, or Ignored, this means that CloudHealth cannot accurately reflect cost and usage reporting, gather performance metrics and asset-specific metadata, or provide accurate recommendations.

If permissions are not configured or are misconfigured, the following may occur:

• CloudHealth may over-recommend RI purchases, since RI purchases made at the Subscription level are not available to the recommendation engine
• Reservation and Usage Costs may be inaccurate
  • For example, without the Reader Role, CloudHealth infers that the Reservation is 1yr upfront, so amortized costs in reports may not be accurate.
• CloudHealth cannot gather descriptive data for assets, such as Virtual Machine status, timestamps, and all tags applied to the assets themselves
  • Note: Tags enabled for billing will be extracted from the Azure billing artifacts, but are often only a handful of the total key/value tag pairs applied to an asset within AWS
• CloudHealth cannot poll for metrics data, such as CPU and network usage, which are often needed for wasted infrastructure and rightsizing policies

For these reasons and more, CloudHealth recommends read-only permissions, at minimum.

For more advanced automation and actions using our Recommendations and Policy Engine, you may optionally grant additional IAM permissions to CloudHealth to be able to perform actions on your behalf.  Authorizer and Approver workflows can be optionally configured to have the benefit of automation, but still have a "human-in-the-loop".

To view documentation within the CloudHealth Help Center on how to properly configure your Azure account permissions, click the link below for your corresponding Azure account type:

• Enterprise Agreement
• Pay-as-you-go Account
• FAQs About Azure Account Setup

Related content

• Azure subscriptions states
• Azure subscriptions collection
• UNCONFIGURED Azure subscription status
• Automate Azure VM Management Using Actions (Tech Docs)