Azure Integration Manual Setup Guide

Overview

Use this guide to manually set up the Datadog Azure integration through an app registration with read permissions to the monitored subscriptions.

All sites: All Datadog sites can use the steps on this page to complete the app registration credential process for Azure metric collection and the Event Hub setup for sending Azure Platform Logs.

US3: If your organization is on the Datadog US3 site, you can use the Azure Native integration to streamline management and data collection for your Azure environment. Datadog recommends using this method when possible. Setup entails creating a Datadog resource in Azure to link your Azure subscriptions to your Datadog organization. This replaces the app registration credential process for metric collection and Event Hub setup for log forwarding. See the Azure Native manual setup guide for more information.

Setup

Integrating through the Azure CLI

To integrate Datadog with Azure using the Azure CLI, Datadog recommends using the Azure Cloud Shell .

az login

az ad sp create-for-rbac

az account list --output table

az ad sp create-for-rbac --role "Monitoring Reader" --scopes /subscriptions/{subscription_id}

{
  "appId": "4ce52v13k-39j6-98ea-b632-965b77d02f36",
  "displayName": "azure-cli-2025-02-23-04-27-19",
  "password": "fe-3T~bEcFxY23R7NHwVS_qP5AmxLuTwgap5Dea6",
  "tenant": "abc123de-12f1-82de-97bb-4b2cd023bd31"
}

az account management-group entities list --query "[?inheritedPermissions!='noaccess' && permissions!='noaccess'].{Name:displayName,Id:id}" --output table

azure login

az account show

azure ad sp create -n <NAME> -p <PASSWORD>

azure role assignment create --objectId <OBJECT_ID> -o "Monitoring Reader" -c /subscriptions/<SUBSCRIPTION_ID>/

Integrating through the Azure portal

1. Create an app registration in your Active Directory and pass the correct credentials to Datadog.
2. Give the application read-access to any subscriptions you would like to monitor.

Creating the app registration

1. Under Azure Active Directory, navigate to App Registrations and click New registration.

2. Enter the following and click the Create button. The name and sign-on URL are not used but are required for the setup process.

   • Name: Datadog Auth
   • Supported Account Types: Accounts in this organizational directory only (Datadog)
   • Redirect URI:

Giving read permissions to the application

1. To assign access at the individual subscription level, navigate to Subscriptions through the search box or the left sidebar.

To assign access at the Management Group level, navigate to Management Groups and select the Management Group that contains the set of subscriptions you would like to monitor. Note: Assigning access at the Management Group level means that any new subscriptions added to the group are automatically discovered and monitored by Datadog.

To configure monitoring for the entire tenant, assign access to the Tenant Root Group.

2. Click on the subscription you would like to monitor.

3. Select Access control (IAM) in the subscription menu and click Add > Add role assignment:

4. For Role, select Monitoring Reader. Under Select, choose the name of the Application you just created:

5. Click Save.

6. Repeat this process for any additional subscriptions you want to monitor with Datadog. Note: Users of Azure Lighthouse can add subscriptions from customer tenants.

Note: Diagnostics must be enabled for ARM deployed VMs to collect metrics, see Enable diagnostics .

Completing the integration

1. Under App Registrations, select the App you created, copy the Application ID and Tenant ID, and paste the values in the Datadog Azure integration tile under Client ID and Tenant ID.

2. For the same app, go to Manage > Certificates and secrets.

3. Add a new Client Secret called datadogClientSecret, select a timeframe for Expires, and click Add:

4. When the key value is shown, copy and paste the value in the Datadog Azure integration tile under Client Secret and click Install Integration or Update Configuration.

Note: Your updates to the Azure configuration can take up to 20 minutes to be reflected in Datadog.

Configuration

To limit metric collection for Azure-based hosts, open the integration tile for Azure. Select the Configuration tab, then open App Registrations. Enter a list of tags in the text box under Metric Collection Filters.

This list of tags in <KEY>:<VALUE> form is separated by commas and defines a filter used while collecting metrics. Wildcards such as ? (for single characters) and * (for multiple characters) can also be used.

Only VMs that match one of the defined tags are imported into Datadog. The rest are ignored. VMs matching a given tag can also be excluded by adding ! before the tag. For example:

datadog:monitored,env:production,!env:staging,instance-type:c1.*

Monitor the integration status

Once the integration is configured, Datadog begins running a continuous series of calls to Azure APIs to collect critical monitoring data from your Azure environment. Sometimes these calls return errors (for example, if the provided credentials have expired). These errors can inhibit or block Datadog’s ability to collect monitoring data.

When critical errors are encountered, the Azure integration generates events in the Datadog Events Explorer, and republishes them every five minutes. You can configure an Event Monitor to trigger when these events are detected and notify the appropriate team.

Datadog provides a recommended monitor you can use as a template to get started. To use the recommended monitor:

1. In Datadog, go to Monitors -> New Monitor and select the Recommended Monitors tab.
2. Select the recommended monitor titled [Azure] Integration Errors.
3. Make any desired modifications to the search query or alert conditions. By default, the monitor triggers whenever a new error is detected, and resolves when the error has not been detected for the past 15 minutes.
4. Update the notification and re-notification messages as desired. Note that the events themselves contain pertinent information about the event and are included in the notification automatically. This includes detailed information about the scope, error response, and common steps to remediate.
5. Configure notifications through your preferred channels (email, Slack, PagerDuty, or others) to make sure your team is alerted about issues affecting Azure data collection.

Metrics collection

After the integration tile is set up, metrics are collected by a crawler. To collect additional metrics, deploy the Datadog Agent to your VMs:

Agent installation

You can use the Azure extension to install the Datadog Agent on Windows VMs, Linux x64 VMs, and Linux ARM-based VMs.

1. In the Azure portal , navigate to your VM > Settings > Extensions > Add and select Datadog Agent.
2. Click Create, enter your Datadog API key , and click OK.

To install the Agent based on operating system or CI and CD tool, see the Datadog Agent installation instructions .

Note: Domain controllers are not supported when installing the Datadog Agent with the Azure extension.

Sending logs

See the Azure Logging guide to set up log forwarding from your Azure environment to Datadog.

Additional helpful documentation, links, and articles:

Why should I install the Datadog Agent on my cloud instances?DOCUMENTATION Datadog in the Azure PortalDOCUMENTATION Monitor Azure Government with DatadogBLOG Monitor Azure Container Apps with DatadogBLOG How to Monitor Microsoft Azure VMsBLOG Explore Azure App Service with the Datadog Serverless viewBLOG