Sam360’s Azure integration imports Azure tenant, subscription, resource, virtual machine, SQL Server, host, Azure Hybrid Benefit, and optional resource cost and VM scan data on a scheduled basis.
The integration is normally configured from the Sam360 Management Point using the Azure setup wizard. The wizard creates the required Microsoft Entra application registration and stores the integration credentials locally on the Management Point.
Data Imported By Sam360
- Azure tenant and subscription details.
- Azure resource inventory, including resource groups, resource names, resource types, SKU information, locations, tags, and selected resource properties.
- Azure virtual machine inventory, including VM size, operating system, image, power state, network, disk, SQL VM, location, and tag details.
- Dedicated host, SQL Server, and SQL database details.
- Actual and amortized Azure resource costs when cost reporting is enabled.
- Detailed Windows VM inventory scan results when Azure VM scanning is enabled.
Permissions Used During Setup
The setup wizard requires broader permissions than the ongoing Sam360 Azure integration because it has to create the Sam360 application registration, create a client secret, create or locate the enterprise application, grant admin consent to the required Microsoft Graph application permissions, and optionally assign Azure roles to the application principal.
These setup permissions are only used during the setup process. Sam360 does not store the setup administrator’s password, Graph access token, refresh token, or setup-time permissions.
| Setup requirement | Why it is needed during setup |
|---|---|
| Read and write applications | Allows the setup wizard to create the Sam360 app registration and add its client secret. |
| Read and write directory data | Allows the setup wizard to read tenant details and create or update the Sam360 enterprise application in the tenant. |
| Manage app permission grants and app role assignments | Allows the setup wizard to grant admin consent to the ongoing Microsoft Graph application permissions used by the Azure integration. |
| Azure role assignment rights | Required only when the wizard is used to assign Azure roles to the Sam360 app principal on the included subscriptions. |
| Azure custom role definition rights | Required only when the VM Scan option is selected, because the wizard creates or updates a narrowly scoped custom role for Azure VM scanning. |
Ongoing Microsoft Graph Permissions
The ongoing Sam360 Azure integration uses Microsoft Graph application permissions for tenant and directory context. These are application permissions granted to the Sam360 application principal.
| Permission | Reason |
|---|---|
| Organization.Read.All | Read tenant organisation details used to identify and correlate Azure tenant data. |
| Directory.Read.All | Read directory details used to correlate Azure tenant and application principal information. |
The integration runs unattended as the Sam360 application identity. It does not run as the setup administrator or as an interactive user.
Azure Subscription Role Options
The Azure setup wizard can assign Azure roles to the Sam360 app principal. These roles are assigned at subscription scope for the subscriptions included in the setup.
| Wizard option | Role assigned | Reporting enabled |
|---|---|---|
| Add Reader Role to App Principal | Reader | Enables core Azure inventory reporting, including subscriptions, resources, resource groups, VMs, hosts, SQL servers, SQL databases, locations, SKUs, tags, and Azure Hybrid Benefit details. |
| Add Billing Reader Role to App Principal | Billing Reader | Enables Azure cost reporting, including actual and amortized usage cost by resource and subscription. Without this role, inventory can still run but cost reporting may be blank or incomplete. |
| Add VM Scan Role to App Principal | Sam360 Azure VM Scan Runner | Enables detailed inventory scanning of Azure Windows VMs through the Azure API. This custom role can read subscriptions, resource groups, virtual machines, and Run Command metadata, and can invoke VM Run Command to run the Sam360 inventory scan on supported running Windows VMs. |
Tenant and Subscription Selection
The wizard also offers the Choose Tenant and Subscriptions During Setup option. Select it when the setup administrator can access more than one Azure tenant or subscription, or when only specific subscriptions should be included in Sam360 reporting.
When this option is selected, the setup process asks the administrator to choose the tenant and confirm the enabled subscriptions that Sam360 should include. The wizard then applies the selected Azure role options only to those subscriptions. Exclude any subscription that Sam360 should not read or report on.
Before You Start
- Check that the required PowerShell modules for Azure integration are installed on the Management Point: start the Management Point Configuration Tool, open the Advanced tab and then the Components tab, review the module list and its ActionRequired column, and select Update Modules if anything needs installing or updating.
- Ensure the Management Point can make outbound HTTPS connections to the Microsoft endpoints required for authentication, Microsoft Graph, and Azure Resource Manager, both during setup and during scheduled synchronisation. Allow these endpoints through the firewall:
| Endpoint | Purpose |
|---|---|
| login.microsoftonline.com:443 | Microsoft identity platform authentication. |
| graph.microsoft.com:443 | Microsoft Graph API access for tenant and directory context. |
| management.azure.com:443 | Azure Resource Manager access for subscription, resource inventory, cost, and VM scan operations. |
- Have a Microsoft Entra administrator available for the interactive setup prompts.
- Have an Azure administrator available with role assignment rights on the subscriptions that should be included.
- Decide whether Sam360 should collect resource costs and whether Sam360 should run detailed scans on Azure Windows VMs.
Configure the Integration in the Management Point
1. Open the task list
Start the Management Point Configuration Tool and open the Tasks tab.
2. Add the Azure cloud service task
Select Add Task → Cloud Service → Azure.
3. Configure the Azure sync task
- Enter a clear task name and description.
- Leave Tenant ID as default for normal setup. Enter a specific tenant ID only if the setup administrator has access to multiple Azure tenants and the wizard does not offer the tenant that should be configured.
- Select the Azure role options that match the reporting required for the customer.
- Select Choose Tenant and Subscriptions During Setup if the administrator should confirm exactly which subscriptions are included.
- Select Set Up Azure Integration.
4. Complete the setup process
The setup wizard will create the required Microsoft Entra application principal in the customer’s tenant and prompt for administrator credentials as needed. Use the same administrator account each time if prompted more than once. These administrator credentials are not stored by Sam360.
If tenant and subscription selection was enabled, choose the correct Azure tenant and include only the subscriptions that Sam360 should report on. If role assignment options were selected, the wizard assigns those roles to the Sam360 app principal for the included subscriptions.
5. Save the task
- When setup completes, confirm that the task has the expected tenant and integration details.
- Select OK to save the task.
- Run the task or wait for the next scheduled sync.
After the First Sync
The Management Point will connect to Azure using the stored application credentials and import the Azure data used by Sam360 reports. Inventory reporting requires the Reader role on the included subscriptions. Cost reporting requires Billing Reader. Detailed Azure Windows VM inventory scans require the VM Scan role and only run on supported running Windows VMs.
Manual Setup Option
For tighter control, the customer can create the Sam360 application manually in Microsoft Entra ID and grant only the permissions needed for the integration. This avoids granting the broader setup-wizard permissions to the setup tool.
If manual setup is used, create the app registration, create a client secret, grant the Microsoft Graph application permissions listed above, grant admin consent, assign the required Azure subscription roles, and store the application client ID and client secret in the Sam360 Management Point.
Security Notes
- Do not assign Owner or Contributor. Sam360 does not require those roles for standard Azure inventory or cost reporting.
- Assign roles only at the subscription scopes that Sam360 should access.
- Store and transmit the client secret securely. Do not send the client secret by email unless the customer has explicitly approved that method.
- Rotate the client secret before expiry and update the Management Point with the new value.
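As an added audit example (not Sam360's own code), the check below applies the role guidance from the Azure Subscription Role Options table and these Security Notes to a list of role assignments: it flags Owner or Contributor, any assignment outside the included subscriptions' scope, and a missing Reader or Billing Reader. The Azure role names and record fields are as they appear on the page and in `az role assignment list` output; the subscription ids are constructed.

```python
"""Least-privilege audit of the Sam360 app principal's Azure role assignments.
Added example with constructed data; records mirror 'az role assignment list' fields."""
import re

# Roles the page names and what each one enables; Owner/Contributor are never required.
NEEDED_FOR_INVENTORY = "Reader"
NEEDED_FOR_COST = "Billing Reader"
FORBIDDEN = {"Owner", "Contributor"}
SUB_SCOPE = re.compile(r"^/subscriptions/([0-9a-f-]{36})$", re.IGNORECASE)

def audit_assignments(assignments, included_subs, want_cost=True):
    """Return findings. assignments: list of {'roleDefinitionName', 'scope'};
    included_subs: ids chosen at setup; want_cost: whether Billing Reader is expected."""
    findings = []
    roles_by_sub = {sub.lower(): set() for sub in sorted(included_subs)}
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        if role in FORBIDDEN:
            findings.append(f"remove {role} at {scope}: not required by the integration")
        m = SUB_SCOPE.match(scope)
        if not m:  # management group, root or resource scope: not subscription level
            findings.append(f"{role} at {scope}: not a subscription scope, re-scope it")
            continue
        sub = m.group(1).lower()
        if sub not in roles_by_sub:
            findings.append(f"{role} on {sub}: subscription was not included in setup, remove it")
            continue
        roles_by_sub[sub].add(role)
    for sub, roles in roles_by_sub.items():
        if NEEDED_FOR_INVENTORY not in roles:
            findings.append(f"{sub}: {NEEDED_FOR_INVENTORY} missing, inventory will not import")
        if want_cost and NEEDED_FOR_COST not in roles:
            findings.append(f"{sub}: {NEEDED_FOR_COST} missing, cost reporting will be blank")
    return findings

# Constructed sample: two included subscriptions, one stray subscription,
# one management-group assignment and one over-privileged Contributor grant.
SUB_A = "11111111-1111-1111-1111-111111111111"
SUB_B = "22222222-2222-2222-2222-222222222222"
SAMPLE = [
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB_A}"},
    {"roleDefinitionName": "Billing Reader", "scope": f"/subscriptions/{SUB_A}"},
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB_B}"},
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB_B}"},
    {"roleDefinitionName": "Reader", "scope": "/subscriptions/33333333-3333-3333-3333-333333333333"},
    {"roleDefinitionName": "Reader", "scope": "/providers/Microsoft.Management/managementGroups/root"},
]

FINDINGS = audit_assignments(SAMPLE, {SUB_A, SUB_B})  # four findings for this sample
```

Run the audit against the real output of `az role assignment list --assignee <app-id>` after the wizard or a manual setup, and re-run it whenever the included subscription set changes.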