Create an Azure connection via Settings

  • Latest Dynatrace
  • How-to guide

Prerequisites

Only a Dynatrace account administrator and an Azure administrator can successfully complete the initial prerequisites.

1. Azure

Actions in this section must be performed by an Azure administrator with appropriate permissions.

Before running Azure CLI commands, ensure:

  • You have Azure CLI installed and authenticated (az login)

  • Your Azure account has one of the following:

    • Application Administrator role in Microsoft Entra ID

    • Cloud Application Administrator role in Microsoft Entra ID

    • microsoft.directory/servicePrincipals/create permission

  • Your Azure account also has one of the following:

    • Owner role at the target scope (subscription or management group)

    • User Access Administrator role at the target scope

    • A custom role with Microsoft.Authorization/roleAssignments/write permission

For Management Group monitoring scope, you need role assignment permissions at the management group level, not just individual subscriptions.

Identify your Azure monitoring scope

Decide which monitoring scope you'll use and gather the required IDs:

| Monitoring scope | Required information |
| --- | --- |
| Management Group | Management Group ID (found in Azure portal under Management groups) |
| Subscription | Subscription ID (found in Azure portal under Subscriptions) |

2. Dynatrace

Actions in this section must be performed by a Dynatrace administrator with appropriate permissions.

The new Azure Platform Monitoring has been integrated with the core Dynatrace Identity and Access Management (IAM) design.

Create the Dynatrace IAM baseline

In the context of this section:

Dynatrace account admin

A built-in user with View and manage users and groups permission.

CloudsAdmins

A customer-created custom IAM group whose members can create and manage Azure connections in Settings.

CloudAdmin

An IAM user, member of the CloudsAdmins group. The name is used here solely for context; any Dynatrace IAM user can be used.

Data-Acquisition Cloud Integrations All

A Dynatrace-created built-in IAM policy that contains all the (least-privilege) permission scopes required to create and manage an Azure connection from Settings.

Interactive IAM identity (IAM user)

If you just created a new Dynatrace Account with a trial environment, you can skip steps 1 and 2, as your IAM user is considered an Admin. When the account and its associated environments are moving toward promotion to production, we recommend adhering to the IAM best practices below.

  1. Create the CloudsAdmins group.

    Once the CloudsAdmins group is created, select Permissions > Scope and add the Data-Acquisition Cloud Integrations All and Standard User policies.

    Apply Account-Wide or Environment-Wide, then select Save.

    Validate: The CloudsAdmins Permissions section should show:

    • Data-Acquisition Cloud Integrations All
    • Standard User
  2. Assign your CloudAdmin IAM user (or any other Dynatrace IAM user) as a member of the CloudsAdmins group.

Onboarding

Before you start onboarding, make sure all prerequisites are completed.

  1. Log in to Dynatrace as the IAM user (member of the CloudsAdmins IAM Group) and open Settings.
  2. Go to Collect and capture > Cloud and virtualization > Azure and select New connection.

If the button is grayed out, you do not have the permissions required to create a connection. Contact your administrator.

1. Select connection model

  1. Enter a friendly connection name that is unique (for example, MyEastProd3Account).

  2. Select the Monitoring scope:

    • Management Group (Recommended): Grant access to all subscriptions within a Management Group or across the entire tenant, with automatic detection and inclusion of newly created subscriptions.

    • Subscription: Grant access to specific subscriptions individually. To include additional subscriptions later, you'll need to manually assign the necessary permissions.

    Choose Management Group for easier management of multiple subscriptions. New subscriptions are automatically included without additional configuration.

  3. Select Next.

2. Create a Microsoft Entra ID app

Ensure you meet the prerequisites before running these commands. You need permissions to create service principals and assign RBAC roles.

Select authentication method:

  • Federated credential (Recommended): Does not require managing the lifetime of a long-term credential.
  • Client secret: Long-term credential whose lifetime must be managed manually.

The shell commands on this page use \ for line continuation (bash/zsh). On Windows, replace \ with a backtick (`) in PowerShell, or ^ in Command Prompt.

Select the option that applies to you:

  • I need to register a new app: Run the commands below to create and configure a service principal.
  • I have an existing app registration: Enter your credentials and run the federated credential command provided by the wizard.

I need to register a new app

Register and assign roles in Azure using the Azure CLI commands below. The wizard also provides an Azure Portal option if you prefer a guided UI experience.

  1. Register a new application in your Microsoft Entra ID tenant using the following command. See How to register an app in Microsoft Entra ID to learn more.

    az ad sp create-for-rbac \
    --name "<AZURE_CONNECTION_NAME>" \
    --create-password false \
    --query "{CLIENT_ID:appId, TENANT_ID:tenant}" \
    --output table
  2. Copy and paste CLIENT_ID and TENANT_ID from the command output into the relevant fields in the onboarding wizard.

  3. Create a new federated credential for the Microsoft Entra ID app you registered in the previous step. This will be used by Dynatrace to perform OIDC token exchange. Learn more: az ad app federated-credential.

    The onboarding wizard provides the exact --parameters value to use, including the issuer, subject, and audiences configured for your Dynatrace environment.

    # The JSON sits inside single quotes, so its lines take no trailing backslash.
    az ad app federated-credential create \
    --id "<CLIENT_ID>" \
    --parameters '{
      "name": "<AZURE_CONNECTION_NAME>-Federated-Credential",
      "issuer": "https://token.dynatrace.com",
      "subject": "dt:connection-id/<AZURE_AUTH_CONNECTION_ID>",
      "audiences": [
        "<DYNATRACE_ENVIRONMENT_ID>.apps.dynatrace.com/svc-id/com.dynatrace.da"
      ]
    }'
  4. Run the command below to retrieve the Object ID for your service principal.

    az ad sp show --id "<CLIENT_ID>" --query "{OBJECT_ID:id}" --output table

    Copy and paste OBJECT_ID from the command output into the Principal (object) ID field in the onboarding wizard.

  5. Assign the Monitoring Reader Azure RBAC built-in role to the service principal at the appropriate scope. See Assign Azure roles using Azure CLI. The wizard adapts this command based on the scope you selected in step 1.

    For Management Group scope:

    az role assignment create \
    --assignee-object-id "<OBJECT_ID>" \
    --role "Monitoring Reader" \
    --scope "/providers/Microsoft.Management/managementGroups/<MANAGEMENT_GROUP_ID>" \
    --assignee-principal-type ServicePrincipal \
    --description "Dynatrace Monitoring"

    For Subscription scope:

    az role assignment create \
    --assignee-object-id "<OBJECT_ID>" \
    --role "Monitoring Reader" \
    --scope "/subscriptions/<SUBSCRIPTION_ID>" \
    --assignee-principal-type ServicePrincipal \
    --description "Dynatrace Monitoring"
  6. Verify that the role assignment was successful. You should see the Monitoring Reader role listed at your specified scope.

    az role assignment list \
    --assignee "<OBJECT_ID>" \
    --output table
  7. Select Next.

I have an existing app registration

  1. Enter your Application (client) ID and Directory (tenant) ID into the onboarding wizard fields.

  2. Create a new federated credential for the Microsoft Entra ID app. This will be used by Dynatrace to perform OIDC token exchange. The wizard provides the exact command with values specific to your Dynatrace environment. Learn more: az ad app federated-credential.

    The onboarding wizard provides the exact --parameters value to use, including the issuer, subject, and audiences configured for your Dynatrace environment.

    # The JSON sits inside single quotes, so its lines take no trailing backslash.
    az ad app federated-credential create \
    --id "<CLIENT_ID>" \
    --parameters '{
      "name": "public-Federated-Credential",
      "issuer": "https://token.dynatrace.com",
      "subject": "dt:connection-id/<AZURE_AUTH_CONNECTION_ID>",
      "audiences": [
        "<DYNATRACE_ENVIRONMENT_ID>.apps.dynatrace.com/svc-id/com.dynatrace.da"
      ]
    }'
  3. Enter your Principal (object) ID. To retrieve your Object ID, run:

    az ad sp show --id "<CLIENT_ID>" --query "{OBJECT_ID:id}" --output table
  4. Select Next.

If you cannot complete the wizard now, select Save and close to save your progress and resume later. If you cannot run the commands yourself, select Download instructions to share them with someone who has the required Azure permissions.
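
A check to run once the app registration steps above are done, given as an added example that is not part of the Dynatrace documentation or tooling. It audits JSON saved from the az commands named in its header comment and reports anything beyond what the guide configures: one federated credential with the expected issuer, subject and audience, no client secret, and only Monitoring Reader at the chosen scope. The function name, the IDs and the sample data are constructed for illustration.

```python
# Added example (not Dynatrace or Microsoft code). Inputs are the parsed JSON of:
#   az ad app federated-credential list --id "<CLIENT_ID>" --output json
#   az ad app credential list --id "<CLIENT_ID>" --output json
#   az role assignment list --assignee "<OBJECT_ID>" --output json
ISSUER = "https://token.dynatrace.com"                        # value from the page
AUDIENCE_SUFFIX = ".apps.dynatrace.com/svc-id/com.dynatrace.da"  # value from the page
ROLE = "Monitoring Reader"


def audit_connection(fed_creds, secrets, assignments, env_id, conn_id, scope):
    """Return a list of findings; an empty list means the app matches the guide."""
    findings = []
    want = {
        "issuer": ISSUER,
        "subject": f"dt:connection-id/{conn_id}",
        "audiences": [env_id + AUDIENCE_SUFFIX],
    }
    if len(fed_creds) != 1:
        findings.append(f"expected 1 federated credential, found {len(fed_creds)}")
    for cred in fed_creds:
        for field, expected in want.items():
            if cred.get(field) != expected:
                findings.append(f"{cred.get('name')}: {field} is "
                                f"{cred.get(field)!r}, expected {expected!r}")
    if secrets:
        findings.append(f"{len(secrets)} client secret(s) on a federated-only app")
    at_scope = False
    for ra in assignments:
        role, ra_scope = ra.get("roleDefinitionName"), ra.get("scope", "")
        if role != ROLE:
            findings.append(f"unexpected role {role!r} at {ra_scope}")
        elif ra_scope.lower() == scope.lower():
            at_scope = True
        else:
            findings.append(f"{ROLE} granted at unexpected scope {ra_scope}")
    if not at_scope:
        findings.append(f"{ROLE} missing at {scope}")
    return findings


# Constructed sample data with placeholder IDs, shaped like the az JSON output.
SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000001"
GOOD_FED = [{"name": "demo-Federated-Credential", "issuer": ISSUER,
             "subject": "dt:connection-id/conn-123",
             "audiences": ["abc12345" + AUDIENCE_SUFFIX]}]
GOOD_ROLES = [{"roleDefinitionName": ROLE, "scope": SCOPE}]
BAD_FED = [dict(GOOD_FED[0], subject="dt:connection-id/other-conn")]
BAD_ROLES = GOOD_ROLES + [{"roleDefinitionName": "Contributor", "scope": SCOPE}]
BAD_SECRETS = [{"keyId": "00000000-0000-0000-0000-0000000000aa",
                "displayName": "rbac"}]

if __name__ == "__main__":
    for finding in audit_connection(BAD_FED, BAD_SECRETS, BAD_ROLES,
                                    "abc12345", "conn-123", SCOPE):
        print("FINDING:", finding)
```
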

3. Select observability options

  1. Choose your observability option. Two paths are supported:
  • Recommended: The default and fastest way to onboard an Azure subscription. The monitoring configuration is opinionated and immutable; only the monitored Regions are customizable. This flow provides:

    • Cloud inventory and topology of Azure subscription resources using Clouds.

    • Common Azure services and recommended Azure Monitor metrics polling (per enabled region).

    • Azure Monitor logs and events.

  • Advanced: The most fine-grained path to onboard an Azure subscription. Allows you to fully customize the monitoring configuration to meet any advanced use cases. In addition to everything in the Recommended path, Advanced exposes:

    • Azure tag-based filters
    • Subscription filters
    • Azure tags enrichment
    • Dynatrace attribute enrichment

    Metric collection set is a group of metrics assigned to a supported Azure service. Once assigned, all metrics on this collection set will be scheduled for polling.

    Only a single metric collection set can be assigned to a service at any given time (1:1).

    Metric collection set types:

    • Recommended: A customer-immutable, opinionated list of Dynatrace-recommended metrics (per cloud service). An optimal starting point.
    • Recommended+Custom: Cherry-pick specific metrics from the Recommended set as well as from a larger set of Dynatrace curated metrics.
    • Auto-discovery: All metrics for a specific Azure service are auto-discovered and marked for polling. (This metric collection set type has the potential to generate elevated Azure Monitor and Dynatrace costs.)

Regardless of the selected path, customizing all the supported monitoring settings is possible post-onboarding.

The topology signal is an auto-enabled signal; you can't disable it.

  2. Choose the Azure Regions you want to monitor.

  3. (Optional, Advanced only) Configure additional filters and enrichment:

    • Tag-based filters: Filter monitored resources by Azure tag key-value pairs. Choose Include filters to monitor only tagged resources, or Exclude filters to skip them.

    • Subscription filters: Filter monitoring scope to specific Azure subscription IDs. Choose Include filters to monitor only listed subscriptions, or Exclude filters to exclude specific subscriptions. Enter Subscription IDs in the text field.

    • Tag enrichment: Propagate Azure resource tags as Dynatrace entity attributes for filtering and grouping in Clouds.

    • Dynatrace attribute enrichment: Map Azure tag keys or labels to specific Dynatrace signal attributes:

      • Enable security context: Populates the dt.security_context attribute from an Azure tag key or label. When enabled, signals and entities are enriched with dt.security_context.
      • Enable cost allocation (Cost center): Populates the dt.cost.costcenter attribute from an Azure tag key or label.
      • Enable cost allocation (Product cost): Populates the dt.cost.product attribute from an Azure tag key or label.
  4. Select Next.

After a successful onboarding, you'll be able to customize monitored Azure Regions and all other monitoring settings.

4. Advanced: Ingest any Azure Monitor metrics (Optional)

In addition to the predefined metric collection sets, you can configure Dynatrace to collect any Azure Monitor native platform metric. This enables monitoring of metrics not included in the standard collection sets or metrics from Azure services not yet fully supported.

This is an advanced scenario. You are responsible for providing the exact coordinates (resource type, kind, SKU name, metric name, dimensions, and time grain) for the Azure resource you want to monitor.

Incorrect values will result in failed metric collection.

If the service is already in the supported Azure services list, use the Recommended+Custom metric collection set as a reference. The values Dynatrace has preselected for that service (type, kinds, SKU name, metric name, dimensions, time grain, and statistics) serve as a reliable template for your custom configuration.

To add a custom metric:

  1. In the advanced monitoring configuration, expand Advanced Settings in the Monitor metrics section.

  2. Turn on Ingest any Azure Monitor metrics.

  3. Select Add metric to open the metric definition dialog.

  4. Configure the Resource fields:

    | Field | Required | Description |
    | --- | --- | --- |
    | Type | Yes | The Azure resource type (for example, Microsoft.Compute/virtualMachines). This must match the resource provider namespace and type exactly as defined in Azure. |
    | Kinds | No | Comma-separated list of resource kinds to filter (for example, Standard,Premium). Leave empty to include all kinds. |
    | SKU name | No | Filter by specific SKU name if the resource type supports SKUs. |
    | Suffix | No | Resource type suffix for specialized resource variants. |

    To find the correct values, use Azure Resource Graph Explorer to query for an existing resource of that type, then inspect the Details panel to note the exact type, kind, and sku field values. For example, to find Azure Function App resource details:

    resources
    | where type == "microsoft.web/sites"
  5. Configure the Metric fields:

    | Field | Required | Description |
    | --- | --- | --- |
    | Name | Yes | The metric name as defined in Azure Monitor (for example, BytesSent). Must match the exact metric name from Azure Monitor. |
    | Dimensions | No | Comma-separated list of dimensions to include in metric collection. Use dimensions to split metrics by specific attributes. |
    | Time grain | Yes | The aggregation interval for the metric (for example, PT1M for one minute, PT5M for five minutes). |
    | Statistics | Yes | The aggregation type to apply (for example, Average, Sum, Minimum, Maximum, Count). |

    To find the correct metric name, refer to the Azure Monitor supported metrics documentation. You can also verify available dimensions, time grains, and aggregation types using the Azure CLI:

    az monitor metrics list-definitions \
    --resource "<RESOURCE_ID>" \
    --query "[?name.value=='<METRIC_NAME>']"

    Use the smallest available time grain (for example, PT1M) for the most granular data collection.

  6. Select Add metric to save the configuration.

    You can add multiple metrics. Use the search bar to filter existing metrics, or select Delete all to remove all metrics.

The following example shows a completed configuration for the BytesSent metric on an Azure Function App:

| Field | Value |
| --- | --- |
| Type | Microsoft.Web/sites |
| Kinds | functionapp,linux (if available, see the Recommended+Custom set for all supported permutations) |
| SKU name | (leave empty) |
| Suffix | (leave empty) |
| Name | BytesSent |
| Dimensions | Instance |
| Time grain | PT1M |
| Statistics | Average, Count, Maximum, Minimum, Total (Sum) |
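
Because incorrect coordinates result in failed metric collection, the values can be checked against the metric definition before they are entered. The following is an added example, not Dynatrace or Microsoft code: it compares a metric name, dimensions, time grain and statistics with JSON saved from the az monitor metrics list-definitions command shown above. It assumes time grains appear as ISO 8601 durations such as PT1M and that the Sum statistic corresponds to Azure Monitor's Total aggregation (as the "Total (Sum)" entry above suggests); the function name and sample definition are constructed.

```python
# Added example (not Dynatrace or Microsoft code). Input is the parsed JSON of:
#   az monitor metrics list-definitions --resource "<RESOURCE_ID>" --output json
# Assumption: time grains appear as ISO 8601 durations (PT1M), as on this page.

# Assumption from the page's "Total (Sum)": the Sum statistic is Azure's "Total".
STAT_TO_AZURE = {"Average": "Average", "Count": "Count", "Maximum": "Maximum",
                 "Minimum": "Minimum", "Sum": "Total", "Total": "Total"}


def check_metric(definitions, name, dimensions, time_grain, statistics):
    """Return a list of problems; an empty list means the coordinates are valid."""
    by_name = {d["name"]["value"]: d for d in definitions}
    if name not in by_name:
        # Point out a case-only mismatch, since the name must match exactly.
        near = [n for n in by_name if n.lower() == name.lower()]
        hint = f" (names are matched exactly; found {near[0]!r})" if near else ""
        return [f"metric {name!r} is not defined for this resource{hint}"]
    definition = by_name[name]
    problems = []
    known_dims = {d["value"] for d in definition.get("dimensions", [])}
    for dim in dimensions:
        if dim not in known_dims:
            problems.append(f"dimension {dim!r} not in {sorted(known_dims)}")
    grains = [a["timeGrain"] for a in definition.get("metricAvailabilities", [])]
    if time_grain not in grains:
        problems.append(f"time grain {time_grain!r} not in {grains}")
    supported = set(definition.get("supportedAggregationTypes", []))
    for stat in statistics:
        if STAT_TO_AZURE.get(stat) not in supported:
            problems.append(f"statistic {stat!r} not in {sorted(supported)}")
    return problems


# Constructed sample definition for BytesSent on a Function App resource.
SAMPLE_DEFINITIONS = [{
    "name": {"value": "BytesSent", "localizedValue": "Data Out"},
    "dimensions": [{"value": "Instance", "localizedValue": "Instance"}],
    "metricAvailabilities": [{"timeGrain": "PT1M", "retention": "P93D"},
                             {"timeGrain": "PT5M", "retention": "P93D"}],
    "supportedAggregationTypes": ["None", "Average", "Minimum", "Maximum",
                                  "Total", "Count"],
}]

if __name__ == "__main__":
    print(check_metric(SAMPLE_DEFINITIONS, "BytesSent", ["Instance"], "PT1M",
                       ["Average", "Count", "Maximum", "Minimum", "Sum"]))
    print(check_metric(SAMPLE_DEFINITIONS, "bytessent", [], "PT1M", ["Average"]))
    print(check_metric(SAMPLE_DEFINITIONS, "BytesSent", ["Region"], "PT30S", ["P95"]))
```
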

5. Deploy ARM template for log and event ingestion (Optional)

Metrics and topology for this connection are ingested based on the observability options. To enable log and event ingestion, you can deploy the ARM template directly in the Azure Portal with a guided setup. Alternatively, you can choose Download ARM template and deploy it using Azure CLI, PowerShell, or your preferred automation workflow.

The Dynatrace wizard displays the following values for reference. You will need to copy and paste these values into the relevant fields while deploying via the Azure Portal:

| Value | Description |
| --- | --- |
| Dynatrace environment ID | Your Dynatrace environment identifier. |
| Monitoring configuration ID | The ID of the monitoring configuration associated with your Azure connection. |
| Principal (object) ID | The Object ID of the Azure service principal. Note: this is the Object ID, not the Application (client) ID. |

Azure Portal guided deployment

Using the ARM template you can deploy Event Hubs namespaces across multiple Azure regions for Dynatrace log and event ingestion. Complete the following tabs in the Azure Portal:

  1. Basics: Select your Azure Subscription and Location for the deployment.

  2. Dynatrace configuration: The Dynatrace Environment ID, Monitoring Configuration ID, and Principal (object) ID must be copied and pasted from the Dynatrace onboarding wizard.

  3. Event Hubs configuration: Select the Azure Locations where Event Hubs namespaces should be deployed.

    • Azure Resource log forwarding: Requires a regional Event Hubs namespace.
      • Select the Azure Locations where your Azure resources are deployed.
    • Azure Event Grid System Topic subscriber: Can use an Event Hubs namespace from any region.
      • You can use one of the Azure Locations selected above.

    Choose a Configuration size that matches your workload requirements.

    | Configuration size | Max throughput |
    | --- | --- |
    | Dev/Test | 7.2 GB/hour |
    | Small | 14.4 GB/hour |
    | Medium | 57.6 GB/hour |
    | Large | 115.2 GB/hour |
    | Custom | Customize the deployed Azure resources to your exact scaling needs |

  4. Tags (Optional): Add custom tags to all deployed resources.

  5. Select Review + create, then Create to deploy.

Once the ARM deployment completes, return to the Dynatrace onboarding wizard and select Next.

6. Next steps

You can explore your telemetry in the applications listed below. Note that it may take up to five minutes for newly ingested telemetry to appear in your Dynatrace environment.

Select Finish to close the wizard.

What's next?

Supported Azure services

For a full list of supported Azure services, including topology relationships and available metric collection sets, see Supported Azure services.

Troubleshooting

The New connection functionality is disabled, I hover on it, and I get a message that I don't have the permissions.

Make sure that your Dynatrace IAM user has the proper permission scopes to create and manage a connection.

See Create the Dynatrace IAM baseline for more details.

Error: "Authorization_RequestDenied" when creating the service principal

This error occurs when your Azure identity lacks permission to create applications in Microsoft Entra ID.

Solution: Ask your Azure administrator to grant you the Application Administrator role or create the service principal on your behalf.

Error: "AuthorizationFailed" when assigning the Monitoring Reader role

This error occurs when your Azure identity lacks permission to assign roles at the specified scope.

Solution:

  • Ensure you have Owner or User Access Administrator role at the target subscription or management group.
  • For Management Group scope, confirm you have permissions at the management group level, not just individual subscriptions.