# Create an Application and Obtain Azure Credentials

To enable USM Anywhere to monitor your Microsoft Azure subscription, you must create an application that grants permission to USM Anywhere to fetch data using the Azure software development kit (SDK) and Azure Representational State Transfer (REST) API. USM Anywhere requires the following credentials:

**Required Azure Credentials**

| Azure Credential        | USM Anywhere Field Name |
| ----------------------- | ----------------------- |
| azure\_tenant\_id       | Azure Tenant ID         |
| azure\_subscription\_id | Azure Subscription ID   |
| azure\_application\_id  | Azure Application ID    |
| azure\_application\_key | Azure Application Key   |

The following instructions focus on the requirements for USM Anywhere. See [Microsoft documentation](https://docs.microsoft.com/en-us/graph/auth-register-app-v2#register-a-new-application-using-the-azure-portal) for detailed steps and descriptions to register an application using the Azure portal, including a video demonstration.

<Warning>
  **Important:** You must have global administrator privileges to create an application and obtain credentials.
</Warning>

## Obtain the Azure Subscription ID

The subscription identifier (ID) is required when you complete the [Azure Credentials step](configure-sensor-azure) of the sensor setup in USM Anywhere.

**To get the Azure subscription ID**

1. Log in to the Azure portal ([https://portal.azure.com](https://portal.azure.com/)).
2. From the Azure Dashboard, select your subscription.
3. From the Subscription page, copy your subscription ID and save it somewhere that you can access later.

## Create the Application in Azure

To allow USM Anywhere to access Azure resources, you must first set up an <Tooltip tip="Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks.">Azure Active Directory (AD)</Tooltip> application and complete the Azure standard procedure for adding a new application registration. Then you can create a client secret for Azure AD.

**To create the application in Azure**

1. Log in to the Azure portal ([https://portal.azure.com](https://portal.azure.com/)).

2. Go to **Azure Active Directory > App registrations > New registration**.

3. Enter a name for the application.

4. In Supported account types, select **Accounts in any organizational directory (Any Azure AD directory - Multitenant).**

5. Click **Register**.

6. After the application is created, you can locate the application (client) ID, directory (tenant) ID, and object ID needed to complete the [Azure Credentials step](configure-sensor-azure) of the sensor setup in USM Anywhere.

   <Frame>
     <img src="https://mintcdn.com/levelblue-5324744e/adIUcnBkryqG7nEE/images/usm-anywhere/deployment-guide/azure/azure-ids.webp?fit=max&auto=format&n=adIUcnBkryqG7nEE&q=85&s=9125d92308b5bba8ad9db8fad4441aef" width="543" height="302" data-path="images/usm-anywhere/deployment-guide/azure/azure-ids.webp" />
   </Frame>

7. Go to **Certificates & secrets** and click **New client secret**.

8. Enter a description for the secret and select a duration.

9. Click **Add**.

   The value displayed in the Azure portal is the *Azure Application Key* used by USM Anywhere.

<Warning>
  **Important:** Copy this value and save it, because you won't be able to copy the key later.
</Warning>

## Grant API Permissions

To let your application collect user information in your Azure environment, you need to grant Microsoft Graph API permissions.

**To grant API permissions**

1. Log in to the Azure portal ([https://portal.azure.com](https://portal.azure.com/)) and select your application.

2. Go to **API Permissions** and click **Add a permission**.

   <Frame>
     <img src="https://mintcdn.com/levelblue-5324744e/adIUcnBkryqG7nEE/images/usm-anywhere/deployment-guide/azure/apipermissionadd.webp?fit=max&auto=format&n=adIUcnBkryqG7nEE&q=85&s=f60794fb779d04fd17c0e47c940e01c7" width="1869" height="951" data-path="images/usm-anywhere/deployment-guide/azure/apipermissionadd.webp" />
   </Frame>

3. Select **Microsoft Graph**.

4. Select **Application permissions** and then **User.Read.All**. Use the search function to help locate the permissions.

   <Frame>
     <img src="https://mintcdn.com/levelblue-5324744e/adIUcnBkryqG7nEE/images/usm-anywhere/deployment-guide/azure/requestapipermissions.webp?fit=max&auto=format&n=adIUcnBkryqG7nEE&q=85&s=bc3e3004109fa4a1fef87a7b33871793" width="858" height="963" data-path="images/usm-anywhere/deployment-guide/azure/requestapipermissions.webp" />
   </Frame>

5. Click **Add Permissions**.

6. These permissions require admin approval, so make sure to click **Grant admin consent for**.

   <Frame>
     <img src="https://mintcdn.com/levelblue-5324744e/adIUcnBkryqG7nEE/images/usm-anywhere/deployment-guide/azure/grantadminconsent.webp?fit=max&auto=format&n=adIUcnBkryqG7nEE&q=85&s=e1844a5f0d942dee7ac45455dadfb861" width="1029" height="430" data-path="images/usm-anywhere/deployment-guide/azure/grantadminconsent.webp" />
   </Frame>

## Associate the Application with the Entire Subscription

If you want to use USM Anywhere to monitor all of your Azure resources, you should associate it with your Azure subscription as a whole.

**To associate the application with the entire subscription**

1. Log in to the Azure portal ([https://portal.azure.com](https://portal.azure.com)).

2. Go to **More Services > Subscriptions**, locate the subscription, and select it.

3. Select **Access control (IAM)** in the navigation list.

   This displays the roles and permissions for the subscription.

   <Frame>
     <img src="https://mintcdn.com/levelblue-5324744e/adIUcnBkryqG7nEE/images/usm-anywhere/deployment-guide/azure/associating-subscription.webp?fit=max&auto=format&n=adIUcnBkryqG7nEE&q=85&s=34d67f66904e13ff4e85b7e8e8be6ae6" width="860" height="443" data-path="images/usm-anywhere/deployment-guide/azure/associating-subscription.webp" />
   </Frame>

4. At the top of the page, click **Add**.

5. Select the **Reader** role (recommended).

   This role allows assigned users to fetch new Azure logs.

   <Danger>
     **Warning:** You must select the **Contributor** role if you want to collect Microsoft Internet Information Services (IIS), Azure SQL Server, or Windows logs.

     This is not recommended unless you require the additional log collection listed here.
   </Danger>

6. Select the [application](getting-azure-credentials) you created previously to assign the role to the subscription.

7. Click **Save** and **OK**.
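A least-privilege check for the role chosen in step 5, given as an added example (not LevelBlue or Microsoft code): it reviews the application's role assignments exported as JSON and flags Contributor when the extra log collection is not in use. The sample data is constructed, and the field names assume the output shape of `az role assignment list --assignee <application-id> --all -o json`.

```python
import json

# Constructed sample: the sensor application holds both Reader and Contributor.
SUBSCRIPTION_ID = "11111111-1111-1111-1111-111111111111"  # placeholder value
SAMPLE = json.loads("""
[
  {"principalType": "ServicePrincipal", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
  {"principalType": "ServicePrincipal", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"}
]
""")


def audit_sensor_roles(assignments, subscription_id, needs_extra_logs=False):
    """Return findings for the sensor application's role assignments.

    needs_extra_logs: set True only when IIS, Azure SQL Server, or Windows
    logs are collected, the one case where Contributor is required.
    """
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    expected = "Contributor" if needs_extra_logs else "Reader"
    allowed = {"Reader", expected}
    findings = []
    has_expected = False
    for a in assignments:
        role = a["roleDefinitionName"]
        scope = a["scope"].rstrip("/").lower()
        # Resource groups and resources below the subscription count as inside.
        inside = scope == sub_scope or scope.startswith(sub_scope + "/")
        if role not in allowed:
            findings.append(f"unexpected role {role} at {scope}")
        elif not inside:
            findings.append(f"{role} granted outside the subscription at {scope}")
        elif role == expected and scope == sub_scope:
            has_expected = True
    if not has_expected:
        findings.append(f"no {expected} assignment at {sub_scope}")
    return findings


if __name__ == "__main__":
    for finding in audit_sensor_roles(SAMPLE, SUBSCRIPTION_ID):
        print("FINDING:", finding)
```
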

