Create an Azure connection via Settings

  • Latest Dynatrace
  • How-to guide
  • Published Oct 31, 2025
  • Preview

Overview

General recommendations

  • We highly discourage onboarding Azure subscriptions that are actively monitored by our classic Azure integration. Onboarding such subscriptions might increase the likelihood of Azure API throttling, potentially resulting in service interruptions.
  • During the Preview, we do not support the onboarding of Azure subscriptions that contain production or business-critical workloads.

Limitations

  • Global Azure Regions are supported.
  • GovCloud and China partitions are not supported.
  • During the Preview, we will only allow the onboarding of three Azure subscriptions (max), where the total number of Azure resources does not exceed 50k.
  • Deleting an existing Azure connection within Dynatrace permanently deletes its associated monitoring configuration; there is no way to restore it.

Prerequisites

Only a Dynatrace account administrator and an Azure administrator can successfully complete the initial prerequisites.

1. Azure

Actions in this section must be performed by an Azure administrator with appropriate permissions.

Before running Azure CLI commands, ensure:

  • You have Azure CLI installed and authenticated (az login)

  • Your Azure account has one of the following:

    • Application Administrator role in Microsoft Entra ID

    • Cloud Application Administrator role in Microsoft Entra ID

    • microsoft.directory/servicePrincipals/create permission

  • And one of the following:

    • Owner role at the target scope (subscription or management group)

    • User Access Administrator role at the target scope

    • A custom role with Microsoft.Authorization/roleAssignments/write permission

For Management Group monitoring scope, you need role assignment permissions at the management group level, not just individual subscriptions.

Identify your Azure monitoring scope

Decide which monitoring scope you'll use and gather the required IDs:

| Monitoring scope | Required information |
|---|---|
| Management Group | Management Group ID (found in Azure portal under Management groups) |
| Subscription | Subscription ID (found in Azure portal under Subscriptions) |

2. Dynatrace

Actions in this section must be performed by a Dynatrace administrator with appropriate permissions.

The new Azure Platform Monitoring has been integrated with the core Dynatrace Identity and Access Management (IAM) design.

Learn more about the basic concepts:

Create the Dynatrace IAM baseline

In this documentation section context:

Dynatrace account admin

A built-in user with View and manage users and groups permission.

CloudAdminWrite

A customer-created IAM policy that contains all the (least-privilege) permission scopes the CloudAdmin IAM user needs to manage Azure connections in Settings.

CloudsAdmins

A customer-created custom IAM group whose members can create and manage Azure connections in Settings.

CloudAdmin

An IAM user, member of the CloudsAdmins group. The name is used here solely for context; any Dynatrace IAM user can be used.

Service user

A non-interactive IAM identity, against which platform tokens will be created.

Platform token

The authentication and authorization secret used to establish secure communication with the Dynatrace APIs. In a future release, a single platform token will be required for onboarding:

  • Settings PT: allows the programmatic creation and management of an Azure connection.

Interactive IAM identity (IAM user)
  1. Create the CloudAdminWrite permission policy:

    1. Go to Account Management and choose the desired Dynatrace account.

    2. Go to Identity & access management > Policy management.

    3. In the upper-right corner, select Create policy.

      Policy name: CloudAdminWrite

      Policy description: Allow the cloud admin users or groups to fully admin (read and write) all cloud connections, from creation to deletion

    4. Copy and paste the Policy statement below:

      ALLOW environment:roles:manage-settings, settings:objects:read,
      extensions:configurations:read, extensions:configurations:write,
      extensions:definitions:read, extensions:definitions:write, data-acquisition:events:ingest,
      data-acquisition:logs:ingest, data-acquisition:metrics:ingest,
      storage:logs:read,storage:metrics:read, storage:smartscape:read,
      storage:events:read, storage:buckets:read, iam:service-users:use;

      The iam:service-users:use permission can be descoped so that it allows only a specific service user.

      Once you create the service user, its email ID can be used as a condition.

    5. Select Save.

  2. Create the CloudsAdmins group.

    Once the CloudsAdmins group is created, select Permissions > Scope and add the CloudAdminWrite and Standard User policies.

    Apply Account-Wide or Environment-Wide, then select Save.

    Validate: The CloudsAdmins Permissions section should show:

    • CloudAdminWrite
    • Standard User
  3. Assign your CloudAdmin IAM user (or any other Dynatrace IAM user) as a member of the CloudsAdmins group.

Onboarding

Before you start onboarding, make sure all prerequisites are completed.

  1. Log in to Dynatrace as the IAM user (member of the CloudsAdmins IAM Group) and open Settings.
  2. Go to Collect and capture > Cloud and virtualization > Azure (Preview) and select New connection.

If the button is grayed out, you do not have the permissions required to create a connection. Contact your administrator.

1. Select connection model

  1. Enter a friendly connection name that is unique (for example, MyEastProd3Account).

  2. Select the Monitoring scope:

    • Management Group (Recommended): Grant access to all subscriptions within a Management Group or across the entire tenant, with automatic detection and inclusion of newly created subscriptions.

    • Subscription: Grant access to specific subscriptions individually. To include additional subscriptions later, you'll need to manually assign the necessary permissions.

    Choose Management Group for easier management of multiple subscriptions. New subscriptions are automatically included without additional configuration.

  3. Select Next.

2. Create a Microsoft Entra ID app

Ensure you meet the prerequisites before running these commands. You need permissions to create service principals and assign RBAC roles.

Select authentication method:

  • Federated credential (Recommended): Does not require managing the lifetime of a long-term credential.
  • Client secret: Long-term credential whose lifetime must be managed manually.

The shell commands on this page use \ for line continuation (bash/zsh). On Windows, replace \ with a backtick (`) in PowerShell, or ^ in Command Prompt.

  1. Register a new application in your Microsoft Entra ID tenant using the following command. See How to register an app in Microsoft Entra ID to learn more.

    az ad sp create-for-rbac \
    --name "<AZURE_CONNECTION_NAME>" \
    --create-password false \
    --query "{CLIENT_ID:appId, TENANT_ID:tenant}" \
    --output table
  2. Create a new federated credential for the Microsoft Entra ID app you registered in the previous step. This will be used by Dynatrace to perform OIDC token exchange. Learn more: az ad app federated-credential.

    The onboarding wizard provides the exact --parameters value to use, including the issuer, subject, and audiences configured for your Dynatrace environment.

    # Inside the single-quoted JSON, line breaks need no trailing backslash
    az ad app federated-credential create \
    --id "<CLIENT_ID>" \
    --parameters '{
    "name": "<AZURE_CONNECTION_NAME>-Federated-Credential",
    "issuer": "https://token.dynatrace.com",
    "subject": "dt:connection-id/<AZURE_AUTH_CONNECTION_ID>",
    "audiences": [
    "<DYNATRACE_ENVIRONMENT_ID>.apps.dynatrace.com/svc-id/com.dynatrace.da"
    ]
    }'
  3. Assign the Monitoring Reader Azure RBAC built-in role to the service principal created above at the appropriate scope. Replace CLIENT_ID in the field below with the output received above, and supply either SUBSCRIPTION_ID or MANAGEMENT_GROUP_ID.

    For Management Group scope:

    az role assignment create \
    --assignee "<CLIENT_ID>" \
    --role "Monitoring Reader" \
    --scope "/providers/Microsoft.Management/managementGroups/<MANAGEMENT_GROUP_ID>" \
    --assignee-principal-type ServicePrincipal \
    --description "Dynatrace Monitoring"

    For Subscription scope:

    az role assignment create \
    --assignee "<CLIENT_ID>" \
    --role "Monitoring Reader" \
    --scope "/subscriptions/<SUBSCRIPTION_ID>" \
    --assignee-principal-type ServicePrincipal \
    --description "Dynatrace Monitoring"
  4. Verify that the role assignment was successful. You should see the Monitoring Reader role listed at your specified scope.

    az role assignment list --assignee "<CLIENT_ID>" --output table
  5. Once you have successfully executed the commands above, copy and paste TENANT_ID and CLIENT_ID from the output into the relevant fields in the onboarding wizard.

  6. Select Next.

If you cannot run these commands yourself, select Download instructions in the wizard to save and share the commands with someone who has the required Azure permissions.
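
A read-only review of what the steps above created, as an added example that is not part of the Dynatrace documentation: it checks the JSON printed by az ad app federated-credential list --id "<CLIENT_ID>" and by the verification command run with --output json, and reports a trust setting that differs from the values shown on this page or any role other than Monitoring Reader at the intended scope. The function names and the sample data are constructed for illustration; the wizard supplies the exact issuer, subject and audience for your environment.

```python
# Values shown on this page; the onboarding wizard supplies the exact ones.
EXPECTED_ISSUER = "https://token.dynatrace.com"
SUBJECT_PREFIX = "dt:connection-id/"
AUDIENCE_SUFFIX = ".apps.dynatrace.com/svc-id/com.dynatrace.da"
ALLOWED_ROLE = "Monitoring Reader"

def audit_federated_credentials(creds):
    """Check JSON from `az ad app federated-credential list --id <CLIENT_ID>`."""
    findings = []
    if len(creds) != 1:
        findings.append(f"expected 1 federated credential, found {len(creds)}")
    for c in creds:
        name, subject = c.get("name", "?"), c.get("subject", "")
        if c.get("issuer") != EXPECTED_ISSUER:
            findings.append(f"{name}: unexpected issuer {c.get('issuer')!r}")
        if not subject.startswith(SUBJECT_PREFIX) or subject == SUBJECT_PREFIX:
            findings.append(f"{name}: subject not bound to a connection ID")
        auds = c.get("audiences", [])
        if len(auds) != 1 or not auds[0].endswith(AUDIENCE_SUFFIX):
            findings.append(f"{name}: unexpected audiences {auds!r}")
    return findings

def audit_role_assignments(assignments, expected_scope):
    """Check JSON from `az role assignment list --assignee <CLIENT_ID>`."""
    findings, seen = [], False
    for a in assignments:
        role, scope = a.get("roleDefinitionName"), a.get("scope", "")
        if role != ALLOWED_ROLE:
            findings.append(f"extra role {role!r} at {scope}")
        elif scope.lower() != expected_scope.lower():
            findings.append(f"{ALLOWED_ROLE} at unexpected scope {scope}")
        else:
            seen = True
    if not seen:
        findings.append(f"{ALLOWED_ROLE} missing at {expected_scope}")
    return findings

# Constructed sample output (not from a real tenant).
SAMPLE_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_CREDS = [{"name": "demo-Federated-Credential", "issuer": EXPECTED_ISSUER,
                 "subject": "dt:connection-id/EXAMPLE-CONNECTION-ID",
                 "audiences": ["abc12345.apps.dynatrace.com/svc-id/com.dynatrace.da"]}]
SAMPLE_ROLES = [
    {"roleDefinitionName": "Monitoring Reader", "scope": SAMPLE_SCOPE},
    {"roleDefinitionName": "Contributor", "scope": SAMPLE_SCOPE + "/resourceGroups/rg-demo"},
]

if __name__ == "__main__":
    print(audit_federated_credentials(SAMPLE_CREDS) + audit_role_assignments(SAMPLE_ROLES, SAMPLE_SCOPE))
```

An empty result means the app trusts only the expected token issuer and connection, and holds nothing beyond read access to monitoring data.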

3. Select observability options

  1. Choose the Recommended observability path. Two paths are currently supported:
  • Recommended: The default and fastest way to onboard an Azure subscription. The monitoring configuration is an opinionated (immutable) option—only monitored Regions are customizable. This flow provides:

    • Azure subscription resources inventory using Clouds (for Azure services supported by Azure Resource Graph).

    • Azure subscription resources topology, depicted as rich resource entities using Clouds (for supported Azure services).

    • Azure Monitor API metric polling (per enabled region) for common services and their recommended metric collection set.

  • Advanced: The most fine-grained path to onboard an Azure subscription. Allows you to fully customize the monitoring configuration to meet any advanced use cases.

    Metric collection set is a group of metrics assigned to a supported Azure service. Once assigned, all metrics on this collection set will be scheduled for polling.

    Only a single metric collection set can be assigned to a service at any given time (1:1).

    Metric collection set types:

    • Recommended: A customer-immutable, opinionated list of Dynatrace-recommended metrics (per cloud service). An optimal starting point.
    • Recommended+Custom: Cherry-pick specific metrics from the Recommended set as well as from a larger set of Dynatrace curated metrics.
    • Auto-discovery : All metrics for a specific Azure service are auto-discovered and marked for polling. (This metric collection set type has the potential to generate elevated Azure Monitor and Dynatrace costs.)

Regardless of the selected path, customizing all the supported monitoring settings is possible post-onboarding.

The topology signal is an auto-enabled signal; you can't disable it.

  2. Choose the Azure Regions you want to monitor.

  3. Apply optional Azure subscription ID filters.

  4. Select Finish.

After a successful onboarding, you'll be able to customize monitored Azure Regions and all other monitoring settings.

4. Advanced: Ingest any Azure Monitor metrics (Optional)

In addition to the predefined metric collection sets, you can configure Dynatrace to collect any Azure Monitor native platform metric. This enables monitoring of metrics not included in the standard collection sets or metrics from Azure services not yet fully supported.

This is an advanced scenario. You are responsible for providing the exact coordinates (resource type, kind, SKU name, metric name, dimensions, and time grain) for the Azure resource you want to monitor.

Incorrect values will result in failed metric collection.

If the service is already in the supported Azure services list, use the Recommended+Custom metric collection set as a reference. The values Dynatrace has preselected for that service (type, kinds, SKU name, metric name, dimensions, time grain, and statistics) serve as a reliable template for your custom configuration.

To add a custom metric:

  1. In the advanced monitoring configuration, expand Advanced Settings in the Monitor metrics section.

  2. Turn on Ingest any Azure Monitor metrics.

  3. Select Add metric to open the metric definition dialog.

  4. Configure the Resource fields:

    | Field | Required | Description |
    |---|---|---|
    | Type | Yes | The Azure resource type (for example, Microsoft.Compute/virtualMachines). This must match the resource provider namespace and type exactly as defined in Azure. |
    | Kinds | No | Comma-separated list of resource kinds to filter (for example, Standard,Premium). Leave empty to include all kinds. |
    | SKU name | No | Filter by specific SKU name if the resource type supports SKUs. |
    | Suffix | No | Resource type suffix for specialized resource variants. |

    To find the correct values, use Azure Resource Graph Explorer to query for an existing resource of that type, then inspect the Details panel to note the exact type, kind, and sku field values. For example, to find Azure Function App resource details:

    resources
    | where type == "microsoft.web/sites"
  5. Configure the Metric fields:

    | Field | Required | Description |
    |---|---|---|
    | Name | Yes | The metric name as defined in Azure Monitor (for example, BytesSent). Must match the exact metric name from Azure Monitor. |
    | Dimensions | No | Comma-separated list of dimensions to include in metric collection. Use dimensions to split metrics by specific attributes. |
    | Time grain | Yes | The aggregation interval for the metric (for example, PT1M for 1 minute, PT5M for 5 minutes). |
    | Statistics | Yes | The aggregation type to apply (for example, Average, Sum, Minimum, Maximum, Count). |

    To find the correct metric name, refer to the Azure Monitor supported metrics documentation. You can also verify available dimensions, time grains, and aggregation types using the Azure CLI:

    az monitor metrics list-definitions \
    --resource "<RESOURCE_ID>" \
    --query "[?name.value=='<METRIC_NAME>']"

    Use the smallest available time grain (for example, PT1M) for the most granular data collection.

  6. Select Add metric to save the configuration.

    You can add multiple metrics. Use the search bar to filter existing metrics, or select Delete all to remove all metrics.

The following example shows a completed configuration for the BytesSent metric on an Azure Function App:

| Field | Value |
|---|---|
| Type | Microsoft.Web/sites |
| Kinds | functionapp,linux (if available; see the Recommended+Custom set for all supported permutations) |
| SKU name | (leave empty) |
| Suffix | (leave empty) |
| Name | BytesSent |
| Dimensions | Instance |
| Time grain | PT1M |
| Statistics | Average, Count, Maximum, Minimum, Total (Sum) |
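
Because incorrect values result in failed metric collection, the planned fields can be compared with the JSON from az monitor metrics list-definitions before they are entered. The following is an added example, not Dynatrace code: the function name is hypothetical, the sample definition is constructed, and the JSON field names other than name.value are assumed from the usual shape of that CLI output.

```python
# "Sum" in the Statistics field corresponds to Azure Monitor's "Total"
# aggregation, as in the example table above.
AGGREGATION_ALIASES = {"Sum": "Total"}

def check_metric(definitions, name, dimensions=(), time_grain="PT1M", statistics=()):
    """Compare a planned custom metric with `az monitor metrics list-definitions` JSON."""
    match = [d for d in definitions if d["name"]["value"].lower() == name.lower()]
    if not match:
        return [f"metric {name!r} not defined for this resource"]
    d, problems = match[0], []
    if d["name"]["value"] != name:
        # The page requires the exact metric name, so report case differences.
        problems.append(f"name case differs: use {d['name']['value']!r}")
    known_dims = {x["value"] for x in d.get("dimensions", [])}
    for dim in dimensions:
        if dim not in known_dims:
            problems.append(f"dimension {dim!r} not in {sorted(known_dims)}")
    grains = [a["timeGrain"] for a in d.get("metricAvailabilities", [])]
    if time_grain not in grains:
        problems.append(f"time grain {time_grain!r} not in {grains}")
    supported = set(d.get("supportedAggregationTypes", []))
    for s in statistics:
        if AGGREGATION_ALIASES.get(s, s) not in supported:
            problems.append(f"statistic {s!r} not in {sorted(supported)}")
    return problems

# Constructed sample of the CLI output for one metric (not from a real resource).
SAMPLE_DEFINITIONS = [{
    "name": {"value": "BytesSent", "localizedValue": "Data Out"},
    "dimensions": [{"value": "Instance", "localizedValue": "Instance"}],
    "metricAvailabilities": [{"timeGrain": "PT1M"}, {"timeGrain": "PT5M"}],
    "supportedAggregationTypes": ["Average", "Count", "Maximum", "Minimum", "Total"],
}]

if __name__ == "__main__":
    stats = ["Average", "Count", "Maximum", "Minimum", "Sum"]
    print(check_metric(SAMPLE_DEFINITIONS, "BytesSent", ["Instance"], "PT1M", stats))
```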

What's next?

Supported Azure services

Topology

We support all Azure services which are currently supported by Azure Resource Graph.

Metrics

See the supported Azure services metrics during Preview
  • Azure API Management Service
  • Azure Cache for Redis
  • Azure Managed Redis
  • Azure IoT Hub
  • Azure Cosmos DB Account (GlobalDocumentDB)
  • Azure Cosmos DB Account (MongoDB)
  • Azure Application Gateway
  • Azure Standard Load Balancer
  • Azure Gateway Load Balancer
  • Azure SQL Database (vCore)
  • Azure SQL Database (DTU)
  • Azure SQL Database—Hyperscale
  • Azure Storage Account
  • Azure Storage Blob Services
  • Azure Storage File Services
  • Azure Storage Queue Services
  • Azure Storage Table Services
  • Azure Virtual Machines
  • Azure Virtual Machine Scalesets
  • Azure Event Hubs Namespace
  • Azure Service Bus Standard Namespace
  • Azure Service Bus Premium Namespace
  • Azure Web App
  • Azure Function App
  • Azure Logic Apps (Standard)
  • Azure Logic Apps (Consumption)
  • Azure Container
  • Microsoft Foundry
  • Azure OpenAI

Troubleshooting

The New connection functionality is disabled, I hover on it, and I get a message that I don't have the permissions.

Make sure that your Dynatrace IAM user has the proper permission scopes to create and manage a connection.

See Create the Dynatrace IAM baseline for more details.

Error: "Authorization_RequestDenied" when creating the service principal

This error occurs when your Azure identity lacks permission to create applications in Microsoft Entra ID.

Solution: Ask your Azure administrator to grant you the Application Administrator role or create the service principal on your behalf.

Error: "AuthorizationFailed" when assigning the Monitoring Reader role

This error occurs when your Azure identity lacks permission to assign roles at the specified scope.

Solution:

  • Ensure you have Owner or User Access Administrator role at the target subscription or management group.
  • For Management Group scope, confirm you have permissions at the management group level, not just individual subscriptions.