Azure data collection

In order for the Data Collector to access Azure resources, it needs an application and service principal to be added to the Azure tenancy.

Note that when extracting data from cloud providers, Capacity Planner the data collectors are run from the environment using secure read-only credentials provided by the customer. This avoids unnecessary network transfer, the need to upgrade and maintain on-premise data collectors, and ensures that data collection is always at the most up-to-date release.

Access and security Copied

Once retrieved, data is stored on the hosting machine inside the firewall. It is segregated in separate folders by customer and project. Once collected, the data is zipped and encrypted using AES encryption and uploaded to a database exclusively created for the given customer’s data.

ITRS is ISO 27001 accredited. For more information, see our Security policies.

Create Service Principal Copied

To create Service Principal, follow the steps:

  1. Sign in to your Azure account through the Azure portal.
  2. Navigate to Azure Active Directory.
  3. Select App registrations, and then click New registration.
  4. Name the new application ICP-DataCollector.
  5. Under Supported account types, select the option for the Single tenant.
  6. Set the Redirect URI to be Public client/mobile (desktop & mobile).
  7. Click Register to complete the registration.


Complete instructions on how to create a new role can be found in Microsoft Azure documentation.

Create custom role Copied

To limit the permissions only to the ones that Data Collector needs, create a new role.

  1. Create an empty text file called QueryRateCardsRole.json.
  2. Copy the following into the text file and replace <subscriptionID> (including the <>) with the ID of the subscription this role is to be located in.
        "properties": {
            "description": "",
            "assignableScopes": [
            "permissions": [ {
                "actions": [
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            } ]

Complete instructions on how to create a new role can be found in Microsoft Azure documentation.

Assign roles Copied

The ICP-DataCollector app needs the following roles assigned to it in order to collect data from your estate:

To assign roles, follow the steps:

  1. In the Azure portal, click Subscriptions.
  2. Select Access Control (IAM).
  3. Select Add role assignment either from Grant access to this resource or in the Add menu.
  4. In the Role drop-down menu, select QueryRateCardsRole.
  5. Select ICP-DataCollector that you created as the app.
  6. Click Save.
  7. Repeat the steps for the Billing Reader and Monitoring Reader roles.

Gather credentials for Azure collection task Copied

You need to gather the following values from the Azure portal to set up the collection task. They are available from the following locations:

Generate a secret key Copied

To generate a secret key, follow the steps:

  1. Navigate to Azure Active Directory.
  2. From App registrations, select your application.
  3. Select Certificates & secrets.
  4. Select Client secrets > New client secret.
  5. Provide a description and a duration of the secret, then click Add.


After saving the client secret, the value of the client secret is displayed. You must copy this value because you will not be able to retrieve the key later.

Frequency of collection Copied

Connectivity for data collection is every 12 hours, but can be configured to be more frequent.

What data is collected Copied

Once connectivity is established, properties and metrics are collected from the estate using Azure API and RestAPI.

The collected data includes:

["Capacity Planner"] ["Capacity Planner > Data Collector"] ["User Guide", "Video"]

Was this topic helpful?