Support Center Home

2b. Adding your Azure environment into LogicMonitor

Adding your Azure account into LogicMonitor for monitoring is quite easy, and includes the following steps:

Required setup (instructions below):

Additional, optional setup:

For a list of Azure services monitored, see this page.

1. Add Cloud Account from the Devices page in LogicMonitor:

Enter a meaningful name and description for your Azure environment – this will determine how it is displayed in LogicMonitor. Once done, proceed to the Permissions section:

2. Provide credentials for an Azure AD application that LogicMonitor will use to monitor your resources

LogicMonitor collects metrics for your Azure resources via the Azure Monitor (Insights) ARM API. As such, you will need to set up an Azure Active Directory (AAD) application that LogicMonitor can use to make requests to the Azure Monitor ARM API. Note that because LogicMonitor is using ARM APIs, only ARM based resources are monitored – this excludes resources such as Azure Classic VMs.

All API requests need to be authenticated via AAD, which is why you’ll need to create an AAD application for LogicMonitor. That application will need reader permissions associated with the resources that you want to be monitored in LogicMonitor. Typically, these permissions are set at the subscription level, but you can also set them at the resource group level. The following steps provide instruction for creating an application and assigning the necessary permissions at the subscription level.

  1. In the Azure services section of your Azure portal, search for or open the App registrations service.
    App registration service in Azure portal

  2. Click New registration to create and register an application for LogicMonitor.
  3. From the Register an application dialog, shown next, configure the following settings:
    • Name. In the Name field, enter a display name for the application. This name will be used throughout your Azure portal and does not have any specific requirements.
    • Supported account types. Select the Accounts in this organizational directory only option.
    • Redirect URI. This setting is optional and can be left unspecified.
    Registering an application in Azure

  4. Click the Register button.
  5. On the following dialog, the Application (client) ID and Directory (tenant) ID that are generated for the new LogicMonitor application display. Enter these IDs into their respective fields on the New Cloud Account dialog in LogicMonitor.

  6. Navigate to the Certificates & secrets settings for the LogicMonitor application and click the New client secret button.

  7. From the Add a client secret dialog, provide a description for the secret string, select an expiration period, and click the Add button.
  8. Copy the generated Client secret value and enter it into the Azure Secret Key field found on the New Cloud Account dialog in LogicMonitor.
  9. Now that you have an application with a set of API Keys, you’ll need to give this application access to the resources that you want to be monitored. To do this, open the Subscriptions service. (In Azure, you can assign permissions at the resource group level or the subscription level. Usually, assigning permissions at the subscription level is easiest and provides the most value.)
  10. For each subscription that you would like to assign the application permissions for, navigate to the subscription’s Access control (IAM) settings and add the LogicMonitor application as a user with a minimum role of Reader.
    Access control (IAM) settings for Azure Subscription service

    For a large number of subscriptions, you may want to consider assigning permissions via PowerShell. For example, the following PowerShell script will add an AAD application for LogicMonitor and add the application as a reader to each subscription available to the user that runs the script.

    # Authenticate to all Azure subscriptions that the user has access to
    # Password for the service principal
    $pwd = "{service-principal-password}"
    # Create a new Azure AD application
    $azureAdApplication = New-AzureRmADApplication `
                 -DisplayName "LogicMonitor" `
                 -HomePage "" `
                 -IdentifierUris "" `
                 -Password $pwd
    # Create a new service principal associated with the designated application
    New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId
    # Assign Reader role to the newly created service principal for each subscription
    Get-AzureRmSubscription | ForEach-Object {
      Set-AzureRmContext -SubscriptionId $_.SubscriptionId
      New-AzureRmRoleAssignment -RoleDefinitionName Reader `
                -ServicePrincipalName $azureAdApplication.ApplicationId.Guid

3. Select Azure Subscriptions

Once you’ve filled out your Azure account information (tenant ID, client id and secret key), you can select the Get Available Subscriptions button to select subscriptions for monitoring. All subscriptions available to LogicMonitor based on the permissions you’ve configured will be listed. If you don’t see one or more subscriptions you expect to see, ensure that the application you created in Azure has reader permissions for those subscriptions.

3. Select Azure Subscriptions

4. Configure Azure Services to be monitored

Next, in the Azure Services section of the dialog, you will need to set your default service settings.

These settings include which regions services should be discovered from, what tag filters (if any) should be applied, and whether or not deleted instances should be automatically removed.

The Auto-Discovery Frequency indicates how often LogicMonitor will check for new Azure resources in your account. You can override this setting for the VM service if desired.

If you specify a Tag Filter, only Azure resources that meet the filter criteria will be added to your LogicMonitor account. Note that:

  • You can use glob expressions with the tag filter (e.g. tag value = prod*)
  • Resources will be discovered if they contain one or more tags specified with an include operation but not any of the exclude tags
  • The tag filter is case sensitive

If you choose to automatically remove dead instances, you can further select whether this should happen immediately or after a specified period of time during which no data is received for the instance.

Disabling alerting for terminated instances ensures you will not receive any alerts once instances are terminated, if they are not scheduled to be automatically deleted.  While LogicMonitor intelligently and automatically stops Azure Monitor API data collection once instances are terminated, this option will ensure you do not receive alerts for traditional Collector DataSources like Ping.

Beyond the default services configuration, all services will be auto-selected.  This means LogicMonitor will attempt to discover resources for all supported Azure services (if no resources are found, you’ll just see an empty group for that service).  You can de-select services if desired, but there are no negative impacts of leaving unused services selected for discovery. If you’d like to monitor only certain Azure instances for a particular service, you can tag those instances from your Azure portal & apply a tag filter to that service in LogicMonitor (by toggling the configuration from default to custom for that service).

For example, you might add an Azure tag with a key value pair of monitoring:true to the Event Hubs you’d like to monitor, and then add a Tag Filter in LogicMonitor such that only Event Hubs with tags matching monitoring:true are added into monitoring.

For the VM service, you can additionally enable monitoring via a local Collector and configure how discovered instances are named.

5. Configure Azure Billing

Optionally set up monitoring for your Azure spend via the instructions on this page.

6. Done!

LogicMonitor will search for and auto-discover Azure resources using our NetScan functionality. A new device group will be created for each Azure Service selected, and each resource discovered for that Azure Service will be added as a LogicMonitor device in that device group. For example, if LogicMonitor discovers 4 Application Gateways for an Azure Account, an Application Gateway group will be created and 4 devices will be added to this group. Each Azure resource will get a system.categories value that identifies the type of resource (e.g. Application Gateway, VM, VM Scale Set, etc.)

After you’ve added your Azure Account to LogicMonitor, you can force a NetScan to run and detect any new Azure resources in your account by selecting ‘Manage’ for your Azure Account group in LogicMonitor and then selecting ‘save’.


  • If you manually delete an Azure ‘device’ in LogicMonitor and don’t change the configuration for discovering instances in your Azure account, that instance will be re-discovered as a device. Make sure to de-select the appropriate region or service, or add a tag filter to ensure that only Azure resources you’d like to monitor are being discovered.
  • If you move resources to different resource groups and/or subscriptions, the Azure resource IDs will change & LogicMonitor will be unable to recognize the moved resources as the same resources that were monitored prior to the move. As a result, the existing monitored resources will be detected as dead and the moved resources will be discovered as new.

In This Article