Service principal management

Introduction

The first step in getting started with Cost Analyzer in Turbo360 is to add a Service principal with reader access.

Service principal is an application within Microsoft Entra ID, which is authorized to access resources in Azure Stack.

Turbo360 uses the authentication tokens of the Service principal to manage the resources.

Client secret expiry

• Turbo360 allows users to configure the same date as the azure portal to notify users 7 days before the expiration date to change the client secret.

• Users can change the client secret expiry date when adding or editing a Service principal during service principal management.

Add a Service principal

Follow these steps to connect Azure environment to Turbo360's Cost Analyzer using a Service principal:

1. Go to the Service principals section and click Add.

2. Select an existing Service principal or choose to add a new one.

3. Enter the required details: Microsoft Entra ID, Client ID, and Client secret expiration date.

4. Click Validate.

5. After successful validation, click Next.

6. Configure access to cost management groups:

   • Select a subscription from the left panel to assign a cost group.
   • To update multiple subscriptions at once, select them together.
   • Use Copy from Subscription to apply a subscription’s access policy to multiple subscriptions.

7. Scope can be applied for selected subscriptions using the Filters option available next to it (e.g., resource types, tags). Click Save to apply the scope to the subscription.

8. Click Add. In the Add Confirmation confirmation dialog, optionally select:
   Add newly mapped subscriptions to existing Views, Widgets, and Monitors, only if all existing subscriptions are selected.

   • When enabled, new subscriptions are automatically included where Select All option is currently selected in the Subscription filtering.

9. Click Confirm to complete the setup.

Update a Service principal

• Editing an existing Service principal allows users to update the Client secret and its expiration date. Users can also add new subscriptions, modify the scope of existing subscriptions, and manage access policies and scope-based automation rules.

• During the update, the confirmation dialog includes an option:
  Add newly mapped subscriptions to existing Views, Widgets, and Monitors only when all subscriptions are selected. When enabled, newly added subscriptions are automatically included in existing Views, Widgets, and Monitors where Select All option is currently selected in the Subscription filtering.

Scope automation

Scopes for cost management groups can be defined automatically by setting up automation rules based on the subscription names, so that if a service principal is provided with access to a new subscription, it will be automatically added to the respective cost groups based on the rules.

1. Navigate to the Service principals section and Add or Edit a Service principal to configure automation rules.
2. Validate the credentials and proceed to the next step.
3. Enable Auto-assign new subscriptions to groups to automatically grant root-level access to newly added subscriptions (when no rules are defined).

4. Click Configure rules to define rules that automatically assign matching subscriptions to specific cost groups. Subscriptions that meet the defined criteria will be granted access to the configured scopes.

5. Click Save rules to apply the automation rules.
6. Click Update to finish setting up the automation rules.

Remove a Service principal

1. Click the Delete icon next to the required Service principal in the Service principals section, and confirm the deletion to remove it from the Cost Analyzer module.

The removed Service principal remains available in the global Service principals section and can be added later.