Set up Cloud connectors

To set up Cloud connectors, you must complete a number of prerequisites in Microsoft Entra ID, and then use the values you generate in Microsoft Entra ID to add the connector in Snow Atlas. If you have a Microsoft Customer Agreement (MCA) account, you must also add a role assignment for your billing accounts in Azure. This enables Snow Atlas to retrieve the billing data used to render indicators and insights. For more information, see Add a role assignment for your billing accounts.

For information on the data collected and displayed in Snow Atlas by these connectors, see Cloud license management.

Caution: While Snow Atlas encrypts all data ingested from third-party vendors by connectors, it is highly recommended you exclude personally identifiable information (PII) from the user-chosen names of cloud resources, resource groups, and subscriptions in Azure.

Prerequisites

The following requirements apply to the Microsoft Azure user account used to create the service principal:

  • If Microsoft Entra ID > User Settings > Users can register applications is Yes, the user account used to register the application does not have to be assigned to a role.

  • If Microsoft Entra ID > User Settings > Users can register applications is No, the user account used to register the application must be assigned one of the following roles:

    • Global Administrator

    • Application Administrator

    • Cloud Application Administrator

    • Application Developer

Create a service principal in Azure

Create a service principal by registering an application in Microsoft Entra ID. This service principal will authorize Snow Atlas to collect data from Azure.

  1. Sign in to the Azure portal.

  2. Go to Microsoft Entra ID.

  3. Select App registrations from the left menu, and then select New registration.

  4. Enter a name for the service principal.

  5. Under Supported account types, choose Accounts in this organizational directory only.

  6. Select Register.

    You will be redirected to the Overview page.

  7. On the Overview page, copy and save the Application (client) ID and the Directory (tenant) ID.

    You will use these values to set up the connector in Snow Atlas.

Create a client secret for the service principal in Azure

The client secret value is used to authenticate the Azure service principal in Snow Atlas.

  1. From the Overview page of the service principal you created in Create a service principal in Azure, go to Certificates & secrets.

  2. Select New client secret.

  3. Enter a description for the secret, and choose an expiry period.

  4. Select Add.

  5. On the Certificates & secrets page, copy the client secret value.

    You will use this value to configure the connector in Snow Atlas.

    Caution: The client secret value can only be viewed immediately after its creation. Save this value before leaving the Client secrets page.
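
To check the registration and its client secrets after the steps above, the following added example (not part of the Snow Atlas documentation) reads the JSON printed by `az ad app show --id <app-id> -o json` and reports a registration that is not single-tenant, expired secrets, and secrets close to expiry. The sample data, the fixed date and the 30-day warning window are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample shaped like `az ad app show --id <app-id> -o json` (only the
# fields used here); the secret descriptions and dates are made up.
SAMPLE_APP = {
    "signInAudience": "AzureADMultipleOrgs",
    "passwordCredentials": [
        {"displayName": "snow-atlas-2023", "endDateTime": "2024-06-30T00:00:00Z"},
        {"displayName": "snow-atlas-2024", "endDateTime": "2025-01-15T08:30:00.1234567Z"},
    ],
}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed "today" so the sample is reproducible


def parse_utc(ts):
    """Parse a UTC timestamp, ignoring any fractional seconds and the trailing Z."""
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_app(app, now, warn_days=30):
    """Return findings for a non-single-tenant registration and for expired or expiring secrets."""
    findings = []
    audience = app.get("signInAudience")
    if audience != "AzureADMyOrg":  # "Accounts in this organizational directory only"
        findings.append(("unexpected-audience", audience))
    live = 0
    for cred in app.get("passwordCredentials", []):
        label = cred.get("displayName") or cred.get("keyId")
        days_left = (parse_utc(cred["endDateTime"]) - now).days
        if days_left < 0:
            findings.append(("expired-secret", label))  # no longer accepted; safe to delete
            continue
        live += 1
        if days_left <= warn_days:
            findings.append(("expiring-secret", label, days_left))
    if live == 0:
        findings.append(("no-valid-secret",))  # the connector cannot authenticate
    return findings


if __name__ == "__main__":
    for finding in check_app(SAMPLE_APP, NOW):
        print(finding)
```

In regular use, pass `datetime.now(timezone.utc)` as `now` and rotate the secret in the connector settings before an `expiring-secret` finding turns into `expired-secret`.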

Add a role assignment for your service principal

You must assign the Reader role to the service principal in Azure to grant the required permissions for Snow Atlas to access data on your Azure cloud resources.

  1. In the Azure portal, navigate to the level of scope you want the connector to retrieve data on.

    Tip: You can assign a role from a management group, a subscription, or a resource group. The scope from which you assign the role will determine which cloud resources Snow Atlas can access.

  2. On the left menu, go to Access control (IAM).

  3. Select Add > Add role assignment.

  4. On the Assignment type tab, ensure that Job function roles is selected.

  5. On the Roles tab, select the Reader role.

  6. On the Members tab, select User, group, or service principal.

  7. Click Select members.

  8. In the Select members dialog, search for the service principal you created in Create a service principal in Azure, and then click Select.

  9. On the Review + assign tab, select Review + assign.
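
Because the scope of the assignment decides what Snow Atlas can read, it is worth confirming that the service principal holds only Reader, and only where intended. The following added example (not part of the Snow Atlas documentation) audits the JSON printed by `az role assignment list --all --assignee <app-id> -o json`; the subscription IDs and resource group names are constructed, and the intended scopes are assumed to be subscriptions or resource groups. Billing account roles are not returned by that command and are not covered here.

```python
# Constructed sample shaped like `az role assignment list --all --assignee <app-id> -o json`;
# subscription IDs and resource group names are made up.
SUB1 = "/subscriptions/00000000-0000-0000-0000-000000000001"
SUB2 = "/subscriptions/00000000-0000-0000-0000-000000000002"
SAMPLE = [
    {"roleDefinitionName": "Reader", "scope": SUB1 + "/resourceGroups/rg-prod"},
    {"roleDefinitionName": "Contributor", "scope": SUB1 + "/resourcegroups/RG-PROD"},
    {"roleDefinitionName": "Reader", "scope": SUB1},
    {"roleDefinitionName": "Reader", "scope": SUB2 + "/resourceGroups/rg-test"},
]
ALLOWED_ROLES = {"Reader"}  # the only role the steps above assign to the service principal


def scope_level(scope):
    """Classify an Azure scope string by the level it was assigned at."""
    parts = [p.lower() for p in scope.split("/") if p]
    if not parts:
        return "root"
    if parts[:3] == ["providers", "microsoft.management", "managementgroups"]:
        return "management group"
    if parts[0] == "subscriptions" and len(parts) == 2:
        return "subscription"
    if parts[0] == "subscriptions" and len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource group"
    return "resource"


def within(scope, intended):
    """True if scope equals intended or sits below it (scope paths are case-insensitive)."""
    s, i = scope.rstrip("/").lower(), intended.rstrip("/").lower()
    return s == i or s.startswith(i + "/")


def audit(assignments, intended_scopes):
    """Return (kind, role, level, scope) for each assignment beyond Reader at the intended scopes."""
    findings = []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        if role not in ALLOWED_ROLES:
            findings.append(("unexpected-role", role, scope_level(scope), scope))
        if not any(within(scope, i) for i in intended_scopes):
            broader = any(within(i, scope) for i in intended_scopes)
            kind = "broader-scope" if broader else "unintended-scope"
            findings.append((kind, role, scope_level(scope), scope))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, [SUB1 + "/resourceGroups/rg-prod"]):
        print(finding)
```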

Add a role assignment for your billing accounts

If you have a Microsoft Customer Agreement account, you must also add a role assignment for your billing accounts to enable Snow Atlas to retrieve cost information from Azure. This is not a requirement if you have an Enterprise Agreement account.

  1. In the Azure portal, navigate to a billing account.

  2. On the left menu, go to Access control (IAM).

  3. Select Add.

  4. In the Add role assignment dialog, select Billing account reader.

  5. In the Users, groups, or apps field, enter the name of the service principal you created in Create a service principal in Azure.

  6. Select Add.

Add the connector in Snow Atlas

Use the values you generated in Create a service principal in Azure and Create a client secret for the service principal in Azure to add the connector in Snow Atlas.

  1. In Snow Atlas, go to Settings > Cloud settings > Cloud connectors.

  2. Select Add connector.

  3. Enter a name for the connector.

  4. In Settings, enter the values you generated in Microsoft Entra ID. See the table below for reference.

    Setting          Value from Microsoft Entra ID
    Tenant ID        Directory (tenant) ID
    Client ID        Application (client) ID
    Client secret    Client secret

  5. Select Save to add the connector in the Snow Atlas system.

    Once the connector has been successfully added, the connector status will show as Active and the connection will be automatically tested.

    If the connector fails to be added, the status will show as Failed. Select the connector, and then select Edit settings to reconfigure.

Multiple vendor portals or tenants

Each connector you add is a specific connector instance with a unique name and settings. If you have multiple vendor portals (regions) or multiple tenants for the same vendor, you can add multiple connectors with different settings. All collected data is consolidated and presented for each vendor, regardless of how many portals or tenants you have connected to for that vendor. For more information, see Manage Cloud connectors.


Flexera does not own the third party trademarks, software, products, or tools (collectively, the "Third Party Products") referenced herein. Third Party Product updates, including user interface updates, may not be reflected in this content.