Azure EA Billing Sources

Once Kion is installed in your environment, grant it access to the Azure API to manage your Azure resources and to the EA API to read billing data. Then add that information to Kion and set up a billing source in the application.

If you are unsure what your Azure billing account type is, see Identifying Your Azure Billing Type.

Requirements

  • You must have Kion set up with an HTTPS URL.
  • Credentials for the Azure portal within your tenant with access to create new applications and assign permissions for billing data.

Configuring Azure Access Settings

First, we will configure the Azure API to manage your Azure resources and then configure Azure Billing Exports.

During this process, take note of your app registration's Application (client) ID and Client Secret Value for later use.

1. Configure the App Registration

Kion requires an app registration with a client secret to interact with the Azure APIs.

Follow the steps to configure an existing registration if you already have an Azure Enterprise Application registered for SAML 2.0 authentication in Kion. Otherwise, select the tab to create a new registration.

Configure an Existing Registration
  1. Log in to the Azure Portal.
  2. Search for and select the service: Microsoft Entra ID.
  3. Navigate to Manage > App Registrations.
  4. Click the All Applications tab.
  5. Click the enterprise application you're using for SAML with Kion.
  6. Record the Application (client) ID from the overview somewhere you will be able to reference it later.
  7. Select Authentication in the left menu.
  8. In the Redirect URI section, click Add URI.
  9. In the URI field, enter the base URL of your Kion instance and append the path: /api/v3/account/link-azure-callback
    For example, if your Kion instance is hosted at https://yourcompany.kion, you would enter: https://yourcompany.kion/api/v3/account/link-azure-callback
  10. Click Save.
  11. Select Certificates & secrets.
  12. In the Client secrets section, click New client secret.
  13. For the Description, enter: Kion Application
  14. Select an expiration period for the client secret.
  15. Click Add.
  16. Copy the Value next to your client secret from the client secrets table, and store it in a password vault.

2. Assign API permissions to the App Registration

Kion requires several Microsoft Graph permissions to read user data and associate Azure user accounts with Kion users. Kion also needs permission to manage user groups, so it can ensure Azure users have the correct permissions on subscriptions.

  1. If you aren't already there, navigate to Azure Portal > Microsoft Entra ID > App Registrations > Your Kion app registration.
  2. Select API permissions in the left menu.
  3. Click Add Permission, and add the following permissions:
    • Microsoft Graph > Delegated permissions > User.Read
    • Microsoft Graph > Delegated permissions > Directory.Read.All
    • Microsoft Graph > Application permissions > User.Read.All
    • Microsoft Graph > Application permissions > Group.Read.All
  4. (Optional but recommended) Client Secrets in Azure have an expiration period. If you would like Kion to automatically rotate the Client Secret it uses to access your Azure environment, also add the following permissions:
    • Microsoft Graph > Application permissions > Application.Read.All
      • This permission is used to look up the Kion Application Registration object using the Azure API.
    • Microsoft Graph > Application permissions > Application.ReadWrite.OwnedBy
      • This permission allows Kion to rotate its own Client Secret instead of you maintaining it yourself.
  5. Click Grant admin consent for [your app registration name]. This ensures users are able to link their Azure accounts.
  6. If you added the permissions for automatic Client Secret rotation, you will also need to make the app registration's service principal an owner of the app registration by running the following commands in Cloud Shell:
    export APP_ID='YOUR_APP_REGISTRATION_ID'
    az ad app owner add --id "$APP_ID" --owner-object-id "$(az ad sp list --filter "appId eq '$APP_ID'" --query "[].id" --output tsv)"

3. Add the App Registration to a Management Group

Kion manages Azure resources under a management group. By granting Kion access to a management group, the application will be able to access and manage all resources and subscriptions contained inside the management group.

Kion supports nested management group schemes, but should not be granted access to multiple management groups at different levels in the same hierarchy.

  1. If you haven't configured management groups yet, see Microsoft's article Create a management group to set up a management group, and then Add a Subscription to a Management Group to add the subscription(s) you want to manage in Kion to the group.
  2. In the Azure portal, search for and select the service: Management Groups.
  3. Select the management group containing the subscriptions you want to manage in Kion. For consistency and visibility, we suggest selecting your highest level management group.
  4. Navigate to Access control (IAM) > Role assignments.
  5. Click Add > Add role assignment.
  6. Select Role > Privileged administrator roles.
  7. Search for and select Owner.
  8. Click Next.
  9. For Assign access to, select User, group, or service principal.
  10. Click Select members.
  11. Search for and select your Kion app registration.
  12. Click Review and Assign.
  13. If you are prompted on the Conditions tab, select Allow user to assign all roles (highly privileged). Click Review and Assign.
  14. Click Review and Assign.

Importing Financial Data

Kion uses the Azure Billing Export to import financial data for Azure tenants. Follow these steps to configure this export.

1. Create a Storage Container for Your Billing Data:

Next, we will create a recurring export that places your billing data in an Azure storage account where Kion can access it. During this process, take note of your storage account name, the storage container name you select to export your data to, and the directory path your data is saved to.

  1. In the Azure Portal, search for and select the service: Storage accounts
  2. Click + Create
  3. Select a Subscription for your Azure storage account
  4. Select an existing Resource group or create a new one
  5. For Storage account name enter a name to be used by Kion, and document this value for later use.
  6. Select the appropriate Region
  7. For Primary service, select Azure files
  8. For performance, select Standard
  9. For redundancy, select Locally-redundant storage (LRS)
  10. Click Review + create
  11. Once your Storage account is created, navigate to Storage accounts > [Kion storage account] > Data storage > Containers
  12. Click + Container
  13. Enter a Name to be used by Kion, and document this value for later use.

2. Create a Billing Export for Kion:

  1. In the Azure portal, search for and select the service: Cost exports
  2. Ensure the Scope is either your Billing Account or the Management Group you are using for Kion.
    1. We recommend using Management Group if possible, but this option is not available for every tenant.
      1. Using Management Group ensures that your exports align exactly with the permissions you assigned earlier in these instructions.
      2. Using Billing Account may mean that extra data is included in your export for accounts you cannot manage. While this causes no functional issue in Kion, it will mean that the Invoice tab for your Billing Source will show data for extra accounts and may not properly reconcile to Kion.
  3. Click + Create
  4. Click Create your own export

Depending on the scope chosen in the previous step, follow the appropriate steps below:

Management Group:

  1. For Type of data select Cost and usage details (usage only)
  2. For Export name, enter billing
  3. For Frequency select Daily export of month-to-date costs
  4. For Export prefix enter kion
  5. For Storage type select Azure blob storage
  6. For Destination and storage select Use existing
  7. For Subscription, Storage account, and Container select the resources from Create a Storage Container for your Billing Data
  8. For Directory enter a folder name that will be used by Kion, and document this value for later use.
  9. Click Review + create

Billing Account:

  1. For Type of data select Cost and usage details (actual)
  2. For Export name, enter billing
  3. For Dataset version select 2024-08-01
  4. For Frequency select Daily export of month-to-date costs
  5. For Export prefix enter kion
  6. For Storage type select Azure blob storage
  7. For Destination and storage select Use existing
  8. For Subscription, Storage account, and Container select the resources from Create a Storage Container for your Billing Data
  9. For Directory enter a folder name that will be used by Kion, and document this value for later use.
  10. For Format select CSV
  11. For Compression type select None
  12. Ensure Overwrite data is unchecked
  13. Click Review + create

3. Add the Storage Blob Data Reader Role to the Container

For Kion to read your billing data, the Kion app registration must be granted the Storage Blob Data Reader role on the container that holds the export.

  1. In the Azure Portal, navigate to Storage accounts > [Kion storage account] > Data storage > Containers
  2. Click the ellipsis menu next to your container, and select Container properties.
  3. In the left menu, select Access Control (IAM).
  4. Select the Role Assignments tab.
  5. Click Add > Add role assignment
  6. Search for and select Storage Blob Data Reader.
  7. Click Next.
  8. For Assign access to, select User, group, or service principal.
  9. Click Select members.
  10. Search for and select your Kion app registration.
  11. Click Review and Assign.
  12. Click Review and Assign again.

4. Create a Billing Source in Kion

  1. Log in to Kion.
  2. Navigate to Accounts > Billing Sources.
  3. Click Add New.
  4. For the Account Type, select Azure EA Commercial or Azure EA Government.
  5. For the Billing Source Name, enter a friendly name for your account.
  6. For the Domain, enter your Azure domain ([yourdomain].onmicrosoft.com).
  7. For the App ID, enter the Application (client) ID from your app registration.
  8. For the Client Secret, enter the Client Secret Value from your app registration.
  9. For the Resource Group Creation option, select whether this billing source should be able to create new Azure resource groups.
  10. Click Test Tenant Credentials to test whether Kion can communicate with Azure using the credentials you entered.
    • An indicator shows whether the tenant connection is active (green) or inactive (red) and the date that its status was last updated. For inactive connections, see Troubleshooting Your Azure Connection.
  11. For File Type Selection:
    • Selecting Azure Billing Export generates data from the default Azure billing file. This is the recommended path at this time and matches the previous instructions in this document.
    • Selecting FOCUS generates data from the FOCUS data export, if you have it available. This document does not provide guidance for enabling this report type.
      • See the FOCUS specification for more information.
    • Selecting FOCUS and Azure Billing Export prioritizes the FOCUS export, with the Azure Billing Export used as a fallback if Kion is unable to find the FOCUS export.
  12. For the Billing Start Date, enter the date when you would like financial data to be available. This date should not be before the export was created.
  13. For the Storage Primary Endpoint, enter: https://[your storage account name].blob.core.windows.net
  14. For the Storage Container, enter the name of the container you exported your billing data to.
  15. For the Storage Prefix, enter the directory path to your exported data. You only need to include the directories after the name of your storage container. For example, if your export is stored under [your container]/report/cloudtamerexport, you would enter report/cloudtamerexport.
  16. For the Subscription Creation option, select whether this billing source should be able to create new Azure subscriptions.
  17. Click Test Billing Credentials to test whether Kion can communicate with Azure using the credentials you entered.
    • An indicator shows whether the billing connection is active (green) or inactive (red) and the date that its status was last updated. For inactive connections, see Troubleshooting Your Azure Connection.
  18. Click Create Billing Source.

Your billing data will be pulled into Kion the next time new data is available in your Azure storage. It can take 12-24 hours before the export runs in Azure and data appears in the exported files. A connection error badge may show next to the billing source in Kion until financial data is successfully retrieved.
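The Storage Primary Endpoint, Storage Container and Storage Prefix fields above are the three values people most often get wrong. The following added example (not Kion's code) derives all three from the URL of one exported CSV; it assumes the export layout <container>/<directory>/<export name>/<yyyymmdd-yyyymmdd>/<file> that Azure Cost Management exports produce, and the export name billing used in the export steps above.

```python
"""Derive the Storage Primary Endpoint, Storage Container and Storage Prefix
fields of a Kion billing source from the URL of one exported billing file.
Added example; this is not Kion's code. It assumes the export layout
<container>/<directory>/<export name>/<yyyymmdd-yyyymmdd>/<file> that Azure
Cost Management exports produce, with the export name "billing" as on this page."""
import re
from urllib.parse import unquote, urlparse

DATE_RANGE = re.compile(r"^\d{8}-\d{8}$")  # folder Azure adds per export run


def kion_storage_fields(blob_url: str, export_name: str = "billing") -> dict:
    """Return the three Kion form values, raising ValueError on a URL that
    does not look like an Azure Cost Management export location."""
    parts = urlparse(blob_url)
    if parts.scheme != "https" or not parts.netloc.endswith(".blob.core.windows.net"):
        raise ValueError(f"not an Azure blob endpoint: {blob_url}")
    segments = [unquote(s) for s in parts.path.strip("/").split("/")]
    container, blob_path = segments[0], segments[1:]
    if not container or len(blob_path) < 4:
        raise ValueError("expected <container>/<directory>/<export>/<date-range>/<file>")
    # The prefix Kion wants is only the directory part: the export-name and
    # date-range folders are appended by Azure on every run, so locate the
    # export-name folder that is directly followed by a date-range folder.
    cut = next((i for i in range(len(blob_path) - 2)
                if blob_path[i] == export_name and DATE_RANGE.match(blob_path[i + 1])), None)
    if cut is None:
        raise ValueError(f"no '{export_name}/<date-range>/' folders in {parts.path}")
    if cut == 0:
        raise ValueError("no directory before the export folder; the export steps above require one")
    return {
        "storage_primary_endpoint": f"https://{parts.netloc}",
        "storage_container": container,
        "storage_prefix": "/".join(blob_path[:cut]),
    }


# Constructed sample URL (not a real storage account).
SAMPLE_URL = ("https://kionbilling.blob.core.windows.net/billing-data/"
              "report/cloudtamerexport/billing/20240801-20240831/kion_a1b2c3.csv")

if __name__ == "__main__":
    for k, v in kion_storage_fields(SAMPLE_URL).items():
        print(f"{k}: {v}")
```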

Enabling Azure Account Creation

Before you can create Azure subscriptions or resource groups through Kion, you need to ensure creation is enabled on the Kion billing source and in the Azure Portal. If you enabled the Resource Group Creation or Subscription Creation options on your billing source, follow these additional steps to enable account creation.

Currently, you must use Azure APIs to enable account creation on Azure EA billing accounts. To do this, you need to know your billing account ID, enrollment account ID, tenant ID, and app registration principal ID. Follow these steps:

  1. Log in to the Azure Portal with credentials to access your Billing Accounts.
  2. Navigate to Cost Management + Billing.
  3. Select Billing > Accounts.
  4. From the list that appears, select the enrollment account where new accounts will be created.
  5. On the page that appears, select Settings > Properties.
  6. Record the (enrollment) Account ID and the Billing Account ID.
  7. Navigate to Entra ID.
  8. Select Manage > App registrations.
  9. From the list that appears, select the app registration that is used for Kion.
    1. NOTE: You may need to select the tab for All Applications to see everything in the list. The default is Owned Applications which will be incomplete.
  10. Record the Directory (Tenant) ID.
  11. Click the link under Manage application in local directory. This will take you to the Enterprise Application profile for this app registration.
  12. Record the Object ID. This is your principal ID.
    1. NOTE: This must be the Object ID value from the Enterprise Application screen, not the App Registration screen. They both contain a value with this name but they are not the same.

To make the role assignments, you must make an API call to Azure as no existing GUI method is available in the Azure Portal. Follow these steps:

  1. From the Azure Portal, click on the command line icon to the right of the search bar at the very top of the screen. This should open Cloud Shell.
    1. If you are prompted about creating a storage area, that is not necessary for this operation.
  2. You will need to execute the command below, making the noted substitutions:
    1. export billing_account='[BILLING_ACCOUNT_ID]'
       export enrollment_account='[ENROLLMENT_ACCOUNT_ID]'
       export principal_id='[PRINCIPAL_ID]'
       export tenant_id='[TENANT_ID]'

       az rest --method put \
       --url "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/${billing_account}/enrollmentAccounts/${enrollment_account}/billingRoleAssignments/a0bcee42-bf30-4d1b-926a-48d21664ef71?api-version=2019-10-01-preview" \
       --body "{'properties': {'principalId': '${principal_id}', 'principalTenantId': '${tenant_id}', 'roleDefinitionId': '/providers/Microsoft.Billing/billingAccounts/${billing_account}/enrollmentAccounts/${enrollment_account}/billingRoleDefinitions/a0bcee42-bf30-4d1b-926a-48d21664ef71'}}"
    2. Make the following substitutions in the command above (replace the [ and ] as well, and do not include extra spaces):
      1. [BILLING_ACCOUNT_ID] is the Billing Account ID from above.
      2. [ENROLLMENT_ACCOUNT_ID] is the (Enrollment) Account ID from above.
      3. [PRINCIPAL_ID] is the Object ID from above.
      4. [TENANT_ID] is your Directory (Tenant) ID from above.
  3. Double-check your command and then run it by pasting it into the Cloud Shell.
  4. A successful response shows a JSON object whose properties.createdOn is today's date and whose properties.createdByUserEmailAddress is your Azure Portal username.
    1. NOTE: You will not immediately be able to use this permission. Changes within Azure require some time to propagate. It could take up to an hour for this permission to become available for use in Kion.
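The substitutions above are easy to get wrong (a placeholder left in place, a trailing space, the App Registration's Object ID pasted instead of the Enterprise Application's). The following added example (not Kion's code) builds the same request from the four recorded values and rejects those mistakes before anything is sent; the REST path, API version and role GUID are the ones in the az rest command above, and the sample IDs in the usage are constructed.

```python
"""Build and sanity-check the billing role assignment request from the four
values recorded above. Added example, not Kion's code; the REST path, API
version and role GUID are the ones in the az rest command on this page."""
import json
import re
import uuid

ENROLLMENT_ROLE_ID = "a0bcee42-bf30-4d1b-926a-48d21664ef71"  # from the command above
API_VERSION = "2019-10-01-preview"
PLACEHOLDER = re.compile(r"^\[.*\]$")  # an unreplaced [SOMETHING] placeholder


def _checked(name: str, value: str, guid: bool) -> str:
    """Catch the mistakes the page warns about: a placeholder left in place,
    stray whitespace, and (for principal and tenant) a value that is not a GUID."""
    if value != value.strip():
        raise ValueError(f"{name}: remove the surrounding whitespace")
    if not value or PLACEHOLDER.match(value):
        raise ValueError(f"{name}: placeholder was not replaced")
    if guid:
        try:
            uuid.UUID(value)
        except ValueError:
            raise ValueError(f"{name}: {value!r} is not a GUID") from None
    return value


def build_role_assignment(billing_account, enrollment_account, principal_id, tenant_id):
    """Return (url, json_body) for the PUT that assigns the enrollment-account
    role to the Kion service principal. principal_id is the Enterprise
    Application Object ID (a GUID), not the App Registration's Object ID."""
    ba = _checked("billing account", billing_account, guid=False)
    ea = _checked("enrollment account", enrollment_account, guid=False)
    pid = _checked("principal id", principal_id, guid=True)
    tid = _checked("tenant id", tenant_id, guid=True)
    scope = f"/providers/Microsoft.Billing/billingAccounts/{ba}/enrollmentAccounts/{ea}"
    url = (f"https://management.azure.com{scope}/billingRoleAssignments/"
           f"{ENROLLMENT_ROLE_ID}?api-version={API_VERSION}")
    body = {"properties": {"principalId": pid, "principalTenantId": tid,
                           "roleDefinitionId": f"{scope}/billingRoleDefinitions/{ENROLLMENT_ROLE_ID}"}}
    return url, json.dumps(body)


def az_rest_command(billing_account, enrollment_account, principal_id, tenant_id) -> str:
    """The same request as one az rest line, with the body passed as real JSON."""
    url, body = build_role_assignment(billing_account, enrollment_account, principal_id, tenant_id)
    return f"az rest --method put --url '{url}' --body '{body}'"
```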