Azure EA Billing Sources

Once Kion is installed in your environment, grant it access to the Azure API to manage your Azure resources and access to the EA API to read billing data. Then add this information to Kion and set up a billing source in the application.

If you are unsure what your Azure billing account type is, see Identifying Your Azure Billing Type.

Requirements

  • You must have Kion set up with an HTTPS URL.
  • You must have credentials for the Azure domain with access to the EA Portal.

Configuring Azure Access Settings

First, we will configure access to the Azure API to manage your Azure resources and access to the EA API to read billing data.

During this process, take note of your app registration's Application (client) ID and Client Secret Value for later use.

1. Configure the App Registration

Kion requires an app registration with a client secret to interact with the Azure APIs.

Follow the steps to configure an existing registration if you already have an Azure Enterprise Application registered for SAML 2.0 authentication in Kion. Otherwise, select the tab to create a new registration.

Configure an Existing Registration | Create a New Registration
  1. Log in to the Azure Portal.
  2. Search for and select the service: Microsoft Entra ID.
  3. Navigate to Manage > App Registrations.
  4. Click the All Applications tab.
  5. Click the enterprise application you're using for SAML with Kion.
  6. Record the Application (client) ID from the overview somewhere you will be able to reference it later.
  7. Select Authentication in the left menu.
  8. In the Redirect URI section, click Add URI.
  9. In the URI field, enter the base URL of your Kion instance and append the path: /api/v3/account/link-azure-callback
    For example, if your Kion instance is hosted at https://yourcompany.kion, you would enter: https://yourcompany.kion/api/v3/account/link-azure-callback
  10. Click Save.
  11. Select Certificates & secrets.
  12. In the Client secrets section, click New client secret.
  13. For the Description, enter: Kion Application
  14. Select an expiration period for the client secret.
  15. Click Add.
  16. Copy the Value next to your client secret from the client secrets table, and store it in a password vault.

2. Assign API permissions to the App Registration

Kion requires several Microsoft Graph permissions to read user data and associate Azure user accounts with Kion users. Kion also needs permission to manage user groups, so it can ensure Azure users have the correct permissions on subscriptions.

  1. If you aren't already there, navigate to Azure Portal > Microsoft Entra ID > App Registrations > Your Kion app registration.
  2. Select API permissions in the left menu.
  3. Click Add Permission, and add the following permissions:
    • Microsoft Graph > Delegated permissions > User.Read.
    • Microsoft Graph > Delegated permissions > Directory.Read.All.
    • Microsoft Graph > Application permissions > User.Read.All.
    • Microsoft Graph > Application permissions > Group.Read.All.
  4. Click Grant admin consent for [your app registration name]. This ensures users are able to link their Azure accounts.

3. Add the App Registration to a Management Group

Kion manages Azure resources under a management group. By granting Kion access to a management group, the application will be able to access and manage all resources and subscriptions contained inside the management group.

Kion supports nested management group schemes, but should not be granted access to multiple management groups at different levels in the same hierarchy.

  1. If you haven't configured management groups yet, see Microsoft's article Create a management group to set up a management group, and then Add a Subscription to a Management Group to add the subscription(s) you want to manage in Kion to the group.
  2. In the Azure portal, search for and select the service: Management Groups.
  3. Select the management group containing the subscriptions you want to manage in Kion. For consistency and visibility, we suggest selecting your highest level management group.
  4. Navigate to Access control (IAM) > Role assignments.
  5. Click Add > Add role assignment.
  6. Select Role > Privileged administrator roles.
  7. Search for and select Owner.
  8. Click Next.
  9. For Assign access to, select User, group, or service principal.
  10. Click Select members.
  11. Search for and select your Kion app registration.
  12. Click Review and Assign.
  13. Click Assign.

Importing Financial Data

We offer two methods for importing your financial data into Kion: through a billing report export or through the Azure EA Billing Portal. We recommend using the billing report export.

Support for using the billing portal was deprecated in Kion 3.8.0. After upgrading, you will need to update existing billing sources using the billing portal to use billing report exports instead. For information on editing a billing source, see Managing Billing Sources.

Billing Export | (Deprecated) Billing Portal

1. Export Your Billing Data to a Storage Account

Next, we will create a recurring export that places your billing data in an Azure storage account where Kion can access the data.

During this process, take note of your storage account name, the storage container name you select to export your data to, and the directory path your data is saved to.

  1. In the Azure portal, search for and select the service: Cost Management.
  2. Navigate to Settings > Exports.
  3. For the scope, select the management group you are using for Kion.
  4. Click Add.
  5. For the name, enter Kion billing export.
  6. For the export type, select Daily export of month-to-date costs.
  7. For the start date, select today's date or the date you want to begin the export.
  8. For storage, select Create new.
  9. Select the subscription for your Azure storage account.
  10. Select a resource group or create a new one.
  11. Enter a name for the storage account.
  12. Select the location (Azure region).
  13. Enter a name for the container.
  14. Enter the directory path that you want the export file to go to.
  15. Click Create.

Creation of the storage account and container may take some time.

2. Add the Storage Blob Data Reader Role to the Container

To manage your billing data, your storage container must be enabled for blob storage.

  1. In the Azure Portal, navigate to Cost Management > Exports.
  2. Click the Storage account link next to your export in the list.
  3. In the left menu, select Containers.
  4. Click the ellipsis menu next to your container, and select Container properties.
  5. In the left menu, select Access Control (IAM).
  6. Select the Role Assignments tab.
  7. Click Add.
  8. Search for and select Storage Blob Data Reader.
  9. Click Next.
  10. For Assign access to, select User, group, or service principal.
  11. Click Select members.
  12. Search for and select your Kion app registration.
  13. Click Review and Assign.
  14. Click Assign.

3. Create a Billing Source in Kion

  1. Log in to Kion.
  2. Navigate to Accounts > Billing Sources.
  3. Click Add New.
  4. For the Account Type, select Azure EA Commercial or Azure EA Government.
  5. For the Customer Name, enter a friendly name for your account.
  6. For the Domain, enter your Azure domain ([yourdomain].onmicrosoft.com).
  7. For the App ID, enter the Application (client) ID from your app registration.
  8. For the Client Secret, enter the Client Secret Value from your app registration.
  9. For the Resource Group Creation option, select whether this billing source should be able to create new Azure resource groups.
  10. Click Test Tenant Credentials to test whether Kion can communicate with Azure using the credentials you entered.
    • An indicator shows whether the tenant connection is active (green) or inactive (red) and the date that its status was last updated. For inactive connections, see Troubleshooting Your Azure Connection.
  11. Select Billing Report Export as your data import method.
  12. For the Billing Start Date, enter the date when you would like financial data to be available. This date should not be before the export was created.
  13. For the Storage Primary Endpoint, enter: https://[your storage account name].blob.core.windows.net
  14. For the Storage Container, enter the name of the container you exported your billing data to.
  15. For the Storage Prefix, enter the directory path to your exported data. You only need to include the directories after the name of your storage container. For example, using the location pictured below, you would enter report/cloudtamerexport.
  16. For the Subscription Creation option, select whether this billing source should be able to create new Azure subscriptions.
  17. Click Test Billing Credentials to test whether Kion can communicate with Azure using the credentials you entered.
    • An indicator shows whether the billing connection is active (green) or inactive (red) and the date that its status was last updated. For inactive connections, see Troubleshooting Your Azure Connection.
  18. Click Create Billing Source.

Your billing data will be pulled in to Kion the next time new data is available in your Azure storage. It can take 12-24 hours before the export runs in Azure and data is shown in exported files. A connection error badge may show next to the billing source in Kion until financial data is successfully retrieved.

Enabling Azure Account Creation

Before you can create Azure subscriptions or resource groups through Kion, you need to ensure creation is enabled on the Kion billing source and in the Azure Portal. If you enabled the Resource Group Creation or Subscription Creation options on your billing source, follow these additional steps to enable account creation.

Currently, you must use Azure APIs to enable account creation on Azure EA billing accounts. To do this, you need to know your billing account ID, enrollment account ID, tenant ID, and app registration principal ID.

To find this information:

  1. Log in to the Azure Portal with your enrollment account.
  2. Navigate to your enrollment account page.
  3. Select Settings > Properties.
  4. Record the (enrollment) Account ID and the Billing Account ID.
  5. Navigate to your app registration page.
  6. Record the Directory (Tenant) ID.
  7. Click the link next to Managed application in local directory.
  8. Record the Object ID. This is your principal ID.
  9. The billing role assignment ID is: a0bcee42-bf30-4d1b-926a-48d21664ef71

To make the role assignments, you can use any method of calling the Azure API. However, you must use a user or auth token that has the ability to make role assignments.

PUT /providers/Microsoft.Billing/billingAccounts/{billingAccountID}/enrollmentAccounts/{enrollmentAccountID}/billingRoleAssignments/{billingRoleAssignmentID}?api-version=2019-10-01-preview
{
	"properties": {
		"principalId": "{principal ID}",
		"principalTenantId": "{tenant ID}",
		"roleDefinitionId": "/providers/Microsoft.Billing/billingAccounts/{billingAccountID}/enrollmentAccounts/{enrollmentAccountID}/billingRoleDefinitions/a0bcee42-bf30-4d1b-926a-48d21664ef71"
	}
}
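
The request above, assembled programmatically as an added example (not part of Kion's documentation): it builds the URL and body from the four recorded IDs so the enrollment scope is identical in both places, and rejects values that are empty or still template placeholders. The host https://management.azure.com (commercial Azure Resource Manager) and the names build_role_assignment and _check are assumptions; nothing is sent.

```python
import json
import re
from urllib.parse import quote

# Assumption: commercial Azure Resource Manager host; the page gives only the path.
ARM_ENDPOINT = "https://management.azure.com"
API_VERSION = "2019-10-01-preview"                # from the page
ROLE_ID = "a0bcee42-bf30-4d1b-926a-48d21664ef71"  # ID listed on the page
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def _check(name, value, guid=False):
    """Reject empty values, unfilled {placeholders}, and malformed GUIDs."""
    value = value.strip()
    if not value or any(c in value for c in "{}[]"):
        raise ValueError(f"{name}: empty or still a template placeholder")
    if guid and not GUID_RE.match(value):
        raise ValueError(f"{name}: expected a GUID, got {value!r}")
    return value


def build_role_assignment(billing_account_id, enrollment_account_id,
                          principal_id, tenant_id):
    """Return (method, url, body) for the PUT shown above without sending it."""
    billing = quote(_check("billing account ID", billing_account_id), safe="")
    enrollment = quote(_check("enrollment account ID", enrollment_account_id), safe="")
    # One scope string feeds both the URL and roleDefinitionId, so they cannot drift.
    scope = (f"/providers/Microsoft.Billing/billingAccounts/{billing}"
             f"/enrollmentAccounts/{enrollment}")
    url = (f"{ARM_ENDPOINT}{scope}/billingRoleAssignments/{ROLE_ID}"
           f"?api-version={API_VERSION}")
    body = {"properties": {
        # principalId is the Object ID recorded in step 8, not the Application (client) ID.
        "principalId": _check("principal ID", principal_id, guid=True),
        "principalTenantId": _check("tenant ID", tenant_id, guid=True),
        "roleDefinitionId": f"{scope}/billingRoleDefinitions/{ROLE_ID}",
    }}
    return "PUT", url, body


if __name__ == "__main__":
    # Constructed sample IDs, not real accounts.
    method, url, body = build_role_assignment(
        "1234567", "7654321",
        "11111111-2222-3333-4444-555555555555",
        "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
    print(method, url)
    print(json.dumps(body, indent=2))
```

Send the result with any client that attaches a bearer token for an identity allowed to make billing role assignments.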