Kion requires an app registration with a client secret to interact with the Azure APIs.

Follow the steps under "To Create a New App Registration" below to create a new app registration. If you already have an Azure Enterprise Application registered for SAML 2.0 authentication in Kion, proceed to "To Configure an Existing App Registration" instead.

To create a new app registration:

1. Log in to the Azure Portal.
2. Click Azure Active Directory in the left menu.
3. Click App Registrations.
4. Click the New Registration button.
5. In the Name  field, enter: Kion App Registration
6. In the Supported account types section, select: Accounts in this organizational directory only.
7. In the Redirect URI section, select web.
8. In the URI field, enter the base URL of your Kion instance and append the path: /api/v3/account/link-azure-callback
   For example, if your Kion instance is hosted at https://yourcompany.Kion you would type in: https://yourcompany.Kion/api/v3/account/link-azure-callback
9. Click the Register button.
10. Record the following values:
    • Application (client) ID
11. Click Certificates & secrets.
12. In the Client secrets section, click New client secret.
13. In the Description field, enter: Kion Application
14. In the Expires field, select Never.
15. Click the Add button.
16. Copy the Value field and store it in a password vault. It will not be visible again.

To configure an existing app registration:

Follow these steps if you already have an Azure Enterprise Application registered for SAML 2.0 authentication in Kion. You do not need to complete these steps if you already completed the "To Create a New App Registration" steps above.

1. Log in to the Azure Portal.
2. Click Azure Active Directory in the left menu.
3. Click App Registrations.
4. Click All Applications tab.
5. Click the name of the application. This should match the Enterprise Application you're using for SAML with Kion.
6. Record the following value from the overview:
   • Application (client) ID.
7. Click Authentication in the left menu.
8. In the Redirect URI section, click Add URI.
9. In the URI field, enter the base URL of your Kion instance and append the path: /api/v3/account/link-azure-callback
   For example, if your Kion instance is hosted at https://yourcompany.Kion you would type in: https://yourcompany.Kion/api/v3/account/link-azure-callback
10. Click Save.
11. Click Certificates & secrets.
12. In the Client secrets section, click New client secret.
13. In the Description field, enter: Kion Application
14. In the Expires field, select Never.
15. Click the Add button.
16. Copy the Value field and store it in a password vault. It will not be visible again.

Kion requires several Microsoft Graph permissions to read user data and associate Azure user accounts with Kion users. Kion also needs permission to manage user groups, so it can ensure Azure Users have the correct permissions on subscriptions.

1. Log in to the Azure Portal.
2. On the App Registration page, click API permissions in the left menu.
3. In the API permissions section, click the Add Permission button.
4. Click Microsoft Graph.
5. Click Delegated permissions.
6. In the User section, ensure the User.Read permission is checked. This ensures Kion can read data about the user.
7. Expand the Directory section and select Directory.Read.All. This ensures Kion can validate that users have access to Azure AD directory.
8. Click the Add permissions button.
9. Click Application permissions.
10. Expand the User section and enable the User.Read.All permission.
11. Click Add Permissions.
12. Under API permissions > Grant consent , click Grant admin consent for Kion. This ensures users are able to link their Azure accounts successfully.

Kion manages Azure resources under a management group. By granting Kion access to a management group, the application will be able to access and manage all resources and subscriptions contained inside the management group.

Kion supports nested management group schemes, but should not be granted access to multiple management groups at different levels in the same hierarchy.

If you are already using management groups to manage your subscriptions, skip to the "To Grant the App Registration Access to the Management Group" section below and grant the Kion app registration access to the highest level management group.

To create the Azure management group:

1. Log in to the Azure Portal.
2. Click All Services in the left menu.
3. Click Management Groups.
4. If visible, click Start using management groups. Otherwise, click Add Management Group.
5. Select Create new.
6. In the Management group ID field, enter: cloudtamerManagementGroup
7. In the Management group display name field, enter: Kion Management Group
8. Click the Save button. After about a minute, the management group should appear on the screen.

To add a subscription to the Azure management group:

1. Log in to the Azure Portal.
2. Click All Services in the left menu.
3. Click Management Groups.
4. Click the Kion Management Group.
5. Click the details hyperlink.
6. Click the Add subscription button.
7. Select the desired subscription.
8. Click the Save button.

To grant the app registration access to the management group:

1. Log in to the Azure Portal.
2. Click All Services in the left menu.
3. Click Management Groups.
4. Click the Kion Management Group.
5. Click the details hyperlink.
6. Click Access control (IAM).
7. Click Role assignments.
8. Click the + Add button.
9. Click Add role assignment.
10. In the Role dropdown, enter: Owner
11. In the Assign access to field, select Azure AD user, group, or service principal.
12. In the Select field, enter the name of the app registration you created earlier: Kion App Registration
13. Click the Save button.

1. Log in to the Azure EA Portal with an account that has access to billing data and price sheets.
2. Copy and save the agreement number shown under the Microsoft logo at the top left of the page as seen below.
   
3. Click Reports in the sidebar.
4. Click Download Usage.
5. Click API Access Key.
6. Click Generate to generate a new API access key.
7. Click Yes when prompted to verify that you’re sure you want to generate a new key.
8. Click Expand Key and copy and save the API access key.
9. Copy and save the expiration date of the API access key.

1. Log in to Kion.
2. In the left navigation menu, click Accounts > Azure Enterprise Agreements.
3. Click the +  button.
4. In the Agreement Number field, enter your EA agreement number.
5. In the API Key field, enter the EA API key you generated earlier.
6. In the API Key Expiration field, enter the expiration date of your API key.
7. Click the Create Azure Enterprise Agreement button.

1. Log in to Kion.
2. In the left navigation menu, click Accounts > Billing Sources.
3. Click the Add New +  button.
4. In the Account Type dropdown, select: Azure EA Commercial or Azure EA Government.
5. In the Customer Name field, enter a name of your choosing to represent this Azure domain.
6. In the Domain field, enter the domain name of the Azure domain.
7. In the App ID field, enter the Application (client) ID value that you copied.
8. In the Client Secret field, enter the client secret value that you copied.
9. Click the Test Tenant Credentials (formerly Test Resource Management Credentials) button to test the credentials you entered. This tests whether the credentials you've entered are valid to connect Kion with Azure's resource management API. For inactive connections, click Troubleshoot to read Troubleshooting Your Azure Connection.
10. In the Billing Start Date field, enter the date from which you would like financial data to be available. This date should not be before the creation of the customer.
11. In the Azure EA field, select the Azure EA that this Azure domain allocates subscriptions from.
12. Enable the This Billing Source Supports Resource Group Creation box if you'd like to allow resource group creation.
13. Click the Test Billing Credentials button to test the billing credentials you entered. This tests whether the credentials you've entered are valid to connect Kion with Azure's billing management API. For inactive connections, click Troubleshoot to read Troubleshooting Your Azure Connection.

Once these steps are completed, you can add existing Azure subscriptions to Kion.

Your Azure customer credentials will be scanned once a day to confirm that Kion still has access. If we lose or re-gain access to Azure's API using these credentials, we'll send you a digest email outlining what has changed.