Create an Azure connection via Settings

  • Latest Dynatrace
  • How-to guide
  • Published Oct 31, 2025
  • Preview

Prerequisites

Only a Dynatrace account administrator and an Azure administrator can successfully complete the initial prerequisites.

1. Azure

Actions in this section must be performed by an Azure administrator with appropriate permissions.

Before running Azure CLI commands, ensure:

  • You have Azure CLI installed and authenticated (az login)

  • Your Azure account has one of the following:

    • Application Administrator role in Microsoft Entra ID

    • Cloud Application Administrator role in Microsoft Entra ID

    • The microsoft.directory/servicePrincipals/create permission

  • And one of the following:

    • Owner role at the target scope (subscription or management group)

    • User Access Administrator role at the target scope

    • A custom role with the Microsoft.Authorization/roleAssignments/write permission

For Management Group monitoring scope, you need role assignment permissions at the management group level, not just individual subscriptions.

Identify your Azure monitoring scope

Decide which monitoring scope you'll use and gather the required IDs:

Monitoring scope | Required information
Management Group | Management Group ID (found in Azure portal under Management groups)
Subscription | Subscription ID (found in Azure portal under Subscriptions)

2. Dynatrace

Actions in this section must be performed by a Dynatrace administrator with appropriate permissions.

The new Azure Platform Monitoring has been integrated with the core Dynatrace Identity and Access Management (IAM) design.

Learn more about the basic concepts:

Create the Dynatrace IAM baseline

The following terms are used in this section:

Dynatrace account admin

A built-in user with View and manage users and groups permission.

CloudsAdmins

A customer-created custom IAM group whose members can create and manage Azure connections in Settings.

CloudAdmin

An IAM user, member of the CloudsAdmins group. The name is used here solely for context; any Dynatrace IAM user can be used.

Data-Acquisition Cloud Integrations All

A built-in IAM policy, created by Dynatrace, that contains the least-privilege permission scopes required to create and manage an Azure connection from Settings.

Interactive IAM identity (IAM user)
  1. Create the CloudsAdmins group.

    Once the CloudsAdmins group is created, select Permissions > Scope and add the Data-Acquisition Cloud Integrations All and Standard User policies.

    Apply Account-Wide or Environment-Wide, then select Save.

    Validate: The CloudsAdmins Permissions section should show:

    • Data-Acquisition Cloud Integrations All
    • Standard User
  2. Assign your CloudAdmin IAM user (or any other Dynatrace IAM user) as a member of the CloudsAdmins group.

Onboarding

Before you start onboarding, make sure all prerequisites are completed.

  1. Log in to Dynatrace as the IAM user (member of the CloudsAdmins IAM group) and open Settings.
  2. Go to Collect and capture > Cloud and virtualization > Azure (Preview) and select New connection.

If the button is grayed out, you do not have the permissions required to create a connection. Contact your administrator.

1. Select connection model

  1. Enter a friendly connection name that is unique (for example, MyEastProd3Account).

  2. Select the Monitoring scope:

    • Management Group (Recommended): Grant access to all subscriptions within a Management Group or across the entire tenant, with automatic detection and inclusion of newly created subscriptions.

    • Subscription: Grant access to specific subscriptions individually. To include additional subscriptions later, you'll need to manually assign the necessary permissions.

    Choose Management Group for easier management of multiple subscriptions. New subscriptions are automatically included without additional configuration.

  3. Select Next.

2. Create a Microsoft Entra ID app

Ensure you meet the prerequisites before running these commands. You need permissions to create service principals and assign RBAC roles.

Select authentication method:

  • Federated credential (Recommended): Does not require managing the lifetime of a long-term credential.
  • Client secret: Long-term credential whose lifetime must be managed manually.

The shell commands on this page use \ for line continuation (bash/zsh). On Windows, replace \ with a backtick (`) in PowerShell, or ^ in Command Prompt.

Select the option that applies to you:

  • I have an existing app registration — Enter your credentials directly, no commands needed.
  • I need to register a new app — Run the commands below to create and configure a service principal.

I have an existing app registration

Enter your Microsoft Entra ID app credentials and service principal details directly into the onboarding wizard fields:

  • Application (client) ID

  • Directory (tenant) ID

  • Principal (object) ID — to retrieve your Object ID, run:

    az ad sp show --id "<CLIENT_ID>" --query "{OBJECT_ID:id}" --output table

Select Next.


I need to register a new app

  1. Register a new application in your Microsoft Entra ID tenant using the following command. See How to register an app in Microsoft Entra ID to learn more.

    az ad sp create-for-rbac \
    --name "<AZURE_CONNECTION_NAME>" \
    --create-password false \
    --query "{CLIENT_ID:appId, TENANT_ID:tenant}" \
    --output table
  2. Copy and paste CLIENT_ID and TENANT_ID from the command output into the relevant fields in the onboarding wizard.

  3. Create a new federated credential for the Microsoft Entra ID app you registered in the previous step. This will be used by Dynatrace to perform OIDC token exchange. Learn more: az ad app federated-credential.

    The onboarding wizard provides the exact --parameters value to use, including the issuer, subject, and audiences configured for your Dynatrace environment.

    az ad app federated-credential create \
    --id "<CLIENT_ID>" \
    --parameters '{
      "name": "<AZURE_CONNECTION_NAME>-Federated-Credential",
      "issuer": "https://token.dynatrace.com",
      "subject": "dt:connection-id/<AZURE_AUTH_CONNECTION_ID>",
      "audiences": [
        "<DYNATRACE_ENVIRONMENT_ID>.apps.dynatrace.com/svc-id/com.dynatrace.da"
      ]
    }'
  4. Run the command below to retrieve the Object ID for your service principal.

    az ad sp show --id "<CLIENT_ID>" --query "{OBJECT_ID:id}" --output table

    Copy and paste OBJECT_ID from the command output into the Principal (object) ID field in the onboarding wizard.

  5. Assign the Monitoring Reader Azure RBAC built-in role to the service principal at the appropriate scope. See Assign Azure roles using Azure CLI.

    For Management Group scope:

    az role assignment create \
    --assignee "<OBJECT_ID>" \
    --role "Monitoring Reader" \
    --scope "/providers/Microsoft.Management/managementGroups/<MANAGEMENT_GROUP_NAME>" \
    --assignee-principal-type ServicePrincipal \
    --description "Dynatrace Monitoring"

    For Subscription scope:

    az role assignment create \
    --assignee "<OBJECT_ID>" \
    --role "Monitoring Reader" \
    --scope "/subscriptions/<SUBSCRIPTION_ID>" \
    --assignee-principal-type ServicePrincipal \
    --description "Dynatrace Monitoring"
  6. Verify that the role assignment was successful. You should see the Monitoring Reader role listed at your specified scope.

    az role assignment list --assignee "<OBJECT_ID>" --output table
  7. Select Next.

If you cannot run these commands yourself, select Download instructions in the wizard to save and share the commands with someone who has the required Azure permissions.
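
A way to audit the result of the steps above, as an added example that is not part of the Dynatrace documentation. It checks that the service principal holds only Monitoring Reader at the intended scope and that the app trusts only the Dynatrace federated credential. The function names are hypothetical, and the az queries in the comments are one possible way to produce the tab-separated input.

```shell
#!/bin/sh
# Audit helpers for the service principal created above (added example).
# Each reads tab-separated rows on stdin, prints one finding per line and
# returns non-zero when something deviates from what this page configures.
TAB=$(printf '\t')
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Rows: roleDefinitionName<TAB>scope, for example from
#   az role assignment list --assignee "<OBJECT_ID>" --all \
#     --query "[].[roleDefinitionName, scope]" --output tsv
# Passes only if Monitoring Reader at the expected scope is the sole assignment.
audit_role_assignments() (
  want=$(lc "$1"); found=0; rc=0
  while IFS="$TAB" read -r role scope; do
    [ -n "$role" ] || continue
    if [ "$role" != "Monitoring Reader" ]; then
      echo "EXTRA_ROLE: $role at $scope"; rc=1
    elif [ "$(lc "$scope")" != "$want" ]; then  # Azure scopes are case-insensitive
      echo "UNEXPECTED_SCOPE: $scope"; rc=1
    else
      found=1
    fi
  done
  [ "$found" -eq 1 ] || { echo "MISSING: Monitoring Reader at $1"; rc=1; }
  exit "$rc"
)

# Rows: issuer<TAB>subject<TAB>audience, for example from
#   az ad app federated-credential list --id "<CLIENT_ID>" \
#     --query "[].[issuer, subject, audiences[0]]" --output tsv
# Any federated credential on the app can obtain tokens as the service
# principal, so every row other than the Dynatrace one is reported.
audit_federated_credentials() (
  want_subject=$1; want_audience=$2; found=0; rc=0
  while IFS="$TAB" read -r issuer subject audience; do
    [ -n "$issuer" ] || continue
    if [ "$issuer" = "https://token.dynatrace.com" ] &&
       [ "$subject" = "$want_subject" ] && [ "$audience" = "$want_audience" ]; then
      found=1
    else
      echo "UNEXPECTED_TRUST: issuer=$issuer subject=$subject audience=$audience"; rc=1
    fi
  done
  [ "$found" -eq 1 ] || { echo "MISSING: credential for $want_subject"; rc=1; }
  exit "$rc"
)

# Constructed sample rows (not real output): the Contributor grant is flagged.
printf 'Monitoring Reader\t/subscriptions/SUB-A\nContributor\t/subscriptions/SUB-A\n' |
  audit_role_assignments "/subscriptions/sub-a" || true
```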

3. Select observability options

  1. Choose the Recommended observability path. Two paths are currently supported:
  • Recommended: The default and fastest way to onboard an Azure subscription. The monitoring configuration is an opinionated (immutable) option—only monitored Regions are customizable. This flow provides:

    • Azure subscription resources inventory using Clouds (for Azure services supported by Azure Resource Graph).

    • Azure subscription resources topology, depicted as rich resource entities using Clouds (for supported Azure services).

    • Azure Monitor API metric polling (per enabled region) for common services and their recommended metric collection set

  • Advanced: The most fine-grained path to onboard an Azure subscription. Allows you to fully customize the monitoring configuration to meet any advanced use cases.

    Metric collection set is a group of metrics assigned to a supported Azure service. Once assigned, all metrics on this collection set will be scheduled for polling.

    Only a single metric collection set can be assigned to a service at any given time (1:1).

    Metric collection set types:

    • Recommended: A customer-immutable, opinionated list of Dynatrace-recommended metrics (per cloud service). An optimal starting point.
    • Recommended+Custom: Cherry-pick specific metrics from the Recommended set as well as from a larger set of Dynatrace-curated metrics.
    • Auto-discovery: All metrics for a specific Azure service are auto-discovered and marked for polling. (This metric collection set type has the potential to generate elevated Azure Monitor and Dynatrace costs.)

Regardless of the selected path, customizing all the supported monitoring settings is possible post-onboarding.

The topology signal is an auto-enabled signal; you can't disable it.

  2. Choose the Azure Regions you want to monitor.

  3. Apply optional Azure subscription ID filters.

  4. Select Finish.

After a successful onboarding, you'll be able to customize monitored Azure Regions and all other monitoring settings.

4. Advanced: Ingest any Azure Monitor metrics (Optional)

In addition to the predefined metric collection sets, you can configure Dynatrace to collect any Azure Monitor native platform metric. This enables monitoring of metrics not included in the standard collection sets, or of metrics from Azure services that are not yet fully supported.

This is an advanced scenario. You are responsible for providing the exact coordinates (resource type, kind, SKU name, metric name, dimensions, and time grain) for the Azure resource you want to monitor.

Incorrect values will result in failed metric collection.

If the service is already in the supported Azure services list, use the Recommended+Custom metric collection set as a reference. The values Dynatrace has preselected for that service (type, kinds, SKU name, metric name, dimensions, time grain, and statistics) serve as a reliable template for your custom configuration.

To add a custom metric:

  1. In the advanced monitoring configuration, expand Advanced Settings in the Monitor metrics section.

  2. Turn on Ingest any Azure Monitor metrics.

  3. Select Add metric to open the metric definition dialog.

  4. Configure the Resource fields:

    Field | Required | Description
    Type | Yes | The Azure resource type (for example, Microsoft.Compute/virtualMachines). This must match the resource provider namespace and type exactly as defined in Azure.
    Kinds | No | Comma-separated list of resource kinds to filter (for example, Standard,Premium). Leave empty to include all kinds.
    SKU name | No | Filter by specific SKU name if the resource type supports SKUs.
    Suffix | No | Resource type suffix for specialized resource variants.

    To find the correct values, use Azure Resource Graph Explorer to query for an existing resource of that type, then inspect the Details panel to note the exact type, kind, and sku field values. For example, to find Azure Function App resource details:

    resources
    | where type == "microsoft.web/sites"
  5. Configure the Metric fields:

    Field | Required | Description
    Name | Yes | The metric name as defined in Azure Monitor (for example, BytesSent). Must match the exact metric name from Azure Monitor.
    Dimensions | No | Comma-separated list of dimensions to include in metric collection. Use dimensions to split metrics by specific attributes.
    Time grain | Yes | The aggregation interval for the metric (for example, PT1M for 1 minute, PT5M for 5 minutes).
    Statistics | Yes | The aggregation type to apply (for example, Average, Sum, Minimum, Maximum, Count).

    To find the correct metric name, refer to the Azure Monitor supported metrics documentation. You can also verify available dimensions, time grains, and aggregation types using the Azure CLI:

    az monitor metrics list-definitions \
    --resource "<RESOURCE_ID>" \
    --query "[?name.value=='<METRIC_NAME>']"

    Use the smallest available time grain (for example, PT1M) for the most granular data collection.

  6. Select Add metric to save the configuration.

    You can add multiple metrics. Use the search bar to filter existing metrics, or select Delete all to remove all metrics.

The following example shows a completed configuration for the BytesSent metric on an Azure Function App:

Field | Value
Type | Microsoft.Web/sites
Kinds | functionapp,linux (if available, see the Recommended+Custom set for all supported permutations)
SKU name | (leave empty)
Suffix | (leave empty)
Name | BytesSent
Dimensions | Instance
Time grain | PT1M
Statistics | Average, Count, Maximum, Minimum, Total (Sum)

What's next?

Supported Azure services

For a full list of supported Azure services, including topology relationships and available metric collection sets, see Supported Azure services.

Troubleshooting

The New connection functionality is disabled, I hover on it, and I get a message that I don't have the permissions.

Make sure that your Dynatrace IAM user has the proper permission scopes to create and manage a connection.

See Create the Dynatrace IAM baseline for more details.

Error: "Authorization_RequestDenied" when creating the service principal

This error occurs when your Azure identity lacks permission to create applications in Microsoft Entra ID.

Solution: Ask your Azure administrator to grant you the Application Administrator role or create the service principal on your behalf.

Error: "AuthorizationFailed" when assigning the Monitoring Reader role

This error occurs when your Azure identity lacks permission to assign roles at the specified scope.

Solution:

  • Ensure you have Owner or User Access Administrator role at the target subscription or management group.
  • For Management Group scope, confirm you have permissions at the management group level, not just individual subscriptions.