Configure Entra ID app registration for user cost attribution
To enable user cost attribution (UCA) in Nerdio Manager, an app registration and the corresponding Enterprise app entry must exist in Microsoft Entra ID. In certain scenarios, such as manually deploying the Azure resources or customizing the app registration in Entra ID, you need to create and configure these entries yourself.
For the App registration, follow the default Microsoft configuration process in Entra ID:
To create an app registration, see Register an application in Microsoft Entra ID.
To create the app secrets, see Add and manage application credentials in Microsoft Entra ID.
Creating an app registration automatically creates a service principal, which is the object you see and assign roles to in the Azure subscription. Once the app registration is created, assign the following roles to its corresponding service principal.
Note:
UCA is available only in the Nerdio Manager Premium edition.
UCA works only when the required Azure roles are assigned.
The following Azure role assignments are required:
-
Storage account permissions:
Scope: Storage account created for UCA
Role: Storage Blob Data Contributor
-
Subscription permissions for the service principal:
Scope: Subscription(s) used in UCA report configurations
-
Roles:
Cost Management Reader
Desktop Virtualization Reader
Monitoring Reader
-
Log Analytics workspace permissions:
Scope: Log Analytics workspace(s) used in report configurations
Role: Reader
Note:
If the user enabling UCA has the required permissions, Nerdio Manager will assign these roles automatically. Otherwise, you’ll need to manually assign the required roles to each resource.
The user deploying UCA requires a minimum of read-only privileges to all required scopes to initiate deployment. A lack of read-only permissions will cause the deployment to fail.
Comments (0 comments)