Azure Access Management

Grant admin consent

You need to grant consent in your Azure environment for the Spotter app registered in Cloud2 Azure tenant. This workflow generates an instance of the Spotter app in your own Azure tenant. This instance can be found under the Enterprise Applications.

Consent URL

https://login.microsoftonline.com/YOUR_TENANT_ID_HERE/adminconsent?client_id=08b8b2cc-48f0-4ce1-8323-411cba07eb78&state=54321&redirect_uri=https://spotter.cloud2.fi/azure-admin-consent

Consent workflow

In order to grant admin consent the user completing this guide needs Global Administrator role in Azure AD.

Open new browser window (preferably use private browsing mode)
Add your tenant ID in the consent URL above and paste it in
Log in with your Global admin account
Grant consent to the Spotter app
Verify under your Enterprise Applications that you can see Spotter

Assign permissions to Spotter

In order to assign permissions you need to be an owner of the object that the assignment is scoped. If you’re an Global admin you can elevate your permissions to User Access Administrator role to see all the management groups and subscriptions. See how to elevate access.

If you’re using management groups and you want data from all your subscriptions, assign Reader role to Spotter at the management group that governs all the subscriptions.
You can also assign the Reader role at the subscription scope per subscription. This enables you to scope out subscriptions if needed.
You can add role assignments from Access Control (IAM) panel as shown below

Spotter Enterprise application is the application identity within your directory (Azure AD). The service principal (enterprise app) can only be assigned access to the directory it exists and by default it does not have any access to anything before you grant them.
Spotter Enterprise application need reader rights to those subscriptions you want to be visible in Spotter. Reader rights does not have any access to customer data. (MS documentation about reader rights)