From 55986996bc1693727eb6868e352678b7c9be70a7 Mon Sep 17 00:00:00 2001 From: Bryce Eadie Date: Mon, 16 Jun 2025 16:43:27 -0700 Subject: [PATCH 1/4] [DOCS-11197] Add permissions section --- .../integrations/guide/azure-manual-setup.md | 32 ++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/content/en/integrations/guide/azure-manual-setup.md b/content/en/integrations/guide/azure-manual-setup.md index 8b645c98459ca..b6eb1cece26ee 100644 --- a/content/en/integrations/guide/azure-manual-setup.md +++ b/content/en/integrations/guide/azure-manual-setup.md @@ -1,6 +1,5 @@ --- title: Azure Integration Manual Setup Guide - description: "Steps for manually setting up the Datadog Azure integration" further_reading: - link: "https://docs.datadoghq.com/agent/faq/why-should-i-install-the-agent-on-my-cloud-instances/" 
@@ -33,6 +32,33 @@ Use this guide to manually set up the [Datadog Azure integration][1] through an ## Setup +{{% collapse-content title="Permissions required for integration setup" level="h4" expanded=false id="required-permissions" %}} + +#### In Azure + +Your Microsoft Entra ID user needs the following permissions: + +##### Permission to create an app registration + +**One** of the following must be true for the user: + +- `Users can register applications` has been set to `Yes` +- The user has the [Application Developer][17] role + +##### Permission to assign `Monitoring Reader` permissions + +The `Microsoft.Authorization/roleAssignments/write` permission is required, scoped to any subscriptions or management groups to monitor. This permission is part of the [Role Based Access Control Administrator role][14]. + +##### Permission to add and grant consent for Graph API permissions + +The [Privileged Role Administrator role][15] contains the required permissions. + +#### In Datadog + +A Datadog [Application key][16] with at least the `azure_configurations_manage` permission. + +{{% /collapse-content %}} + ### Integrating through the Azure CLI To integrate Datadog with Azure using the Azure CLI, Datadog recommends using the [Azure Cloud Shell][7]. @@ -323,3 +349,7 @@ See the [Azure Logging guide][5] to set up log forwarding from your Azure enviro [9]: /monitors/notify/#configure-notifications-and-automations [12]: https://learn.microsoft.com/azure/partner-solutions/datadog/overview [13]: /integrations/guide/azure-native-manual-setup/ +[14]: https://learn.microsoft.com/azure/role-based-access-control/built-in-roles/privileged#role-based-access-control-administrator +[15]: https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#privileged-role-administrator +[16]: /account_management/api-app-keys/#application-keys +[17]: https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#application-developer 
From 7256270e9ecd6db30da16cb644ecf83510245ed4 Mon Sep 17 00:00:00 2001 From: Bryce Eadie Date: Fri, 27 Jun 2025 13:03:36 -0700 Subject: [PATCH 2/4] [DOCS-11197] Incorporate feedback --- content/en/integrations/guide/azure-manual-setup.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/content/en/integrations/guide/azure-manual-setup.md b/content/en/integrations/guide/azure-manual-setup.md index b6eb1cece26ee..1ec81f18f3f02 100644 --- a/content/en/integrations/guide/azure-manual-setup.md +++ b/content/en/integrations/guide/azure-manual-setup.md @@ -47,7 +47,7 @@ Your Microsoft Entra ID user needs the following permissions: ##### Permission to assign `Monitoring Reader` permissions -The `Microsoft.Authorization/roleAssignments/write` permission is required, scoped to any subscriptions or management groups to monitor. This permission is part of the [Role Based Access Control Administrator role][14]. +This permission is included in all of the [Azure built-in roles in the Privileged category][14]. If you want to create a custom role, the required permission is `Microsoft.Authorization/roleAssignments/write`. ##### Permission to add and grant consent for Graph API permissions @@ -55,7 +55,7 @@ The [Privileged Role Administrator role][15] contains the required permissions. #### In Datadog -A Datadog [Application key][16] with at least the `azure_configurations_manage` permission. +The Datadog `Admin` role, or any other role with the `azure_configurations_manage` permission. {{% /collapse-content %}} 
@@ -349,7 +349,6 @@ See the [Azure Logging guide][5] to set up log forwarding from your Azure enviro [9]: /monitors/notify/#configure-notifications-and-automations [12]: https://learn.microsoft.com/azure/partner-solutions/datadog/overview [13]: /integrations/guide/azure-native-manual-setup/ -[14]: https://learn.microsoft.com/azure/role-based-access-control/built-in-roles/privileged#role-based-access-control-administrator +[14]: https://learn.microsoft.com/azure/role-based-access-control/built-in-roles/privileged [15]: https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#privileged-role-administrator -[16]: /account_management/api-app-keys/#application-keys [17]: https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#application-developer From 4f04a4768b3fd1142aceb20e6c66598a0ab3dbd9 Mon Sep 17 00:00:00 2001 From: Bryce Eadie Date: Fri, 27 Jun 2025 13:04:31 -0700 Subject: [PATCH 3/4] [DOCS-11197] Update wording --- content/en/integrations/guide/azure-manual-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/integrations/guide/azure-manual-setup.md b/content/en/integrations/guide/azure-manual-setup.md index 1ec81f18f3f02..7ab452728f529 100644 --- a/content/en/integrations/guide/azure-manual-setup.md +++ b/content/en/integrations/guide/azure-manual-setup.md 
@@ -47,7 +47,7 @@ Your Microsoft Entra ID user needs the following permissions: ##### Permission to assign `Monitoring Reader` permissions -This permission is included in all of the [Azure built-in roles in the Privileged category][14]. If you want to create a custom role, the required permission is `Microsoft.Authorization/roleAssignments/write`. +This permission is included in all of the [Azure built-in roles in the Privileged category][14]. If you want to use a custom role, the required permission is `Microsoft.Authorization/roleAssignments/write`. ##### Permission to add and grant consent for Graph API permissions From 514daa23ccf0c4bdee231fca8357270957ca0426 Mon Sep 17 00:00:00 2001 From: Bryce Eadie Date: Fri, 27 Jun 2025 14:17:01 -0700 Subject: [PATCH 4/4] Apply suggestions from code review Co-authored-by: Grant Palmer <41966217+gpalmz@users.noreply.github.com> --- content/en/integrations/guide/azure-manual-setup.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/en/integrations/guide/azure-manual-setup.md b/content/en/integrations/guide/azure-manual-setup.md index 7ab452728f529..5329b151eac3e 100644 --- a/content/en/integrations/guide/azure-manual-setup.md +++ b/content/en/integrations/guide/azure-manual-setup.md 
@@ -45,9 +45,9 @@ Your Microsoft Entra ID user needs the following permissions: - `Users can register applications` has been set to `Yes` - The user has the [Application Developer][17] role -##### Permission to assign `Monitoring Reader` permissions +##### Permission to assign roles within your subscriptions -This permission is included in all of the [Azure built-in roles in the Privileged category][14]. If you want to use a custom role, the required permission is `Microsoft.Authorization/roleAssignments/write`. +You must have one of the [Azure built-in roles in the Privileged category][14], or a custom role including the `Microsoft.Authorization/roleAssignments/write` action, in each of the subscriptions you wish to connect. ##### Permission to add and grant consent for Graph API permissions @@ -55,7 +55,7 @@ The [Privileged Role Administrator role][15] contains the required permissions. #### In Datadog -The Datadog `Admin` role, or any other role with the `azure_configurations_manage` permission. +The `Datadog Admin Role`, or any other role with the `azure_configurations_manage` permission. {{% /collapse-content %}}
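Review bot: In [PATCH 1/4], the "Permission to add and grant consent for Graph API permissions" subsection of the new collapse block names only the [Privileged Role Administrator role][15] and never says which Graph API permissions are added or consented to, whereas the subsection above it spells out the exact action (`Microsoft.Authorization/roleAssignments/write`). Suggest listing the specific permissions here too, so an administrator can judge whether a narrower role is enough and can audit what was granted once setup is done.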
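Review bot: In [PATCH 2/4], the rewritten sentence in the `@@ -47,7 +47,7 @@` hunk replaces the one named role from 1/4 (Role Based Access Control Administrator) with "all of the [Azure built-in roles in the Privileged category][14]", which asserts that every role on the linked page carries `Microsoft.Authorization/roleAssignments/write` and points readers at the broadest roles first. Suggest keeping the single named role as the recommendation, with its `#role-based-access-control-administrator` anchor on [14], and mentioning the wider category or a custom role only as alternatives. The same hunk also drops the sentence "scoped to any subscriptions or management groups to monitor"; the scope belongs next to the permission it limits.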
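Review bot: In [PATCH 4/4], the new heading `##### Permission to assign roles within your subscriptions` and the sentence under it no longer say which role is being assigned (the heading it replaces named `Monitoring Reader`), and the scope is now "each of the subscriptions you wish to connect" although 1/4 also covered management groups. Suggest stating in the body that the role assignment in question is `Monitoring Reader`, and saying explicitly whether management-group scope is still supported, so readers grant `Microsoft.Authorization/roleAssignments/write` only where it is needed.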