Azure EA Setup Guide
Once Kion is installed in your environment, you need to grant the Azure API access to manage your Azure resources and the EA API access to access billing data. Then add the info to Kion, and set up a billing source in the application.
Credentials for the Azure domain with access to the EA Portal are required to complete this setup.
You must have Kion set up with an HTTPS URL to continue.
Configure Azure EA Access Settings
Configure the Azure API to manage your Azure resources and the EA API access to access billing data. Expand the sections and complete the steps below.
1. Create/Configure the App Registration
Kion requires an app registration with a client secret to interact with the Azure APIs.
Follow the steps under "To Create a New App Registration" below to create a new app registration. If you already have an Azure Enterprise Application registered for SAML 2.0 authentication in Kion, proceed to "To Configure an Existing App Registration" instead.
To create a new app registration:
- Log in to the Azure Portal.
- Click Azure Active Directory in the left menu.
- Click App Registrations.
- Click the New Registration button.
- In the Name field, enter: Kion App Registration
- In the Supported account types section, select: Accounts in this organizational directory only.
- In the Redirect URI section, select web.
- In the URI field, enter the base URL of your Kion instance and append the path: /api/v3/account/link-azure-callback
For example, if your Kion instance is hosted at https://yourcompany.Kion you would type in: https://yourcompany.Kion/api/v3/account/link-azure-callback - Click the Register button.
- Record the following values:
- Application (client) ID
- Click Certificates & secrets.
- In the Client secrets section, click New client secret.
- In the Description field, enter: Kion Application
- In the Expires field, select Never.
- Click the Add button.
- Copy the Value field and store it in a password vault. It will not be visible again.
To configure an existing app registration:
Follow these steps if you already have an Azure Enterprise Application registered for SAML 2.0 authentication in Kion. You do not need to complete these steps if you already completed the "To Create a New App Registration" steps above.
- Log in to the Azure Portal.
- Click Azure Active Directory in the left menu.
- Click App Registrations.
- Click All Applications tab.
- Click the name of the application. This should match the Enterprise Application you're using for SAML with Kion.
- Record the following value from the overview:
- Application (client) ID.
- Click Authentication in the left menu.
- In the Redirect URI section, click Add URI.
- In the URI field, enter the base URL of your Kion instance and append the path: /api/v3/account/link-azure-callback
For example, if your Kion instance is hosted at https://yourcompany.Kion you would type in: https://yourcompany.Kion/api/v3/account/link-azure-callback - Click Save.
- Click Certificates & secrets.
- In the Client secrets section, click New client secret.
- In the Description field, enter: Kion Application
- In the Expires field, select Never.
- Click the Add button.
- Copy the Value field and store it in a password vault. It will not be visible again.
2. Assign API permissions to the App Registration
Kion requires several Microsoft Graph permissions to read user data and associate Azure user accounts with Kion users. Kion also needs permission to manage user groups, so it can ensure Azure Users have the correct permissions on subscriptions.
- Log in to the Azure Portal.
- On the App Registration page, click API permissions in the left menu.
- In the API permissions section, click the Add Permission button.
- Click Microsoft Graph.
- Click Delegated permissions.
- In the User section, ensure the User.Read permission is checked. This ensures Kion can read data about the user.
- Expand the Directory section and select Directory.Read.All. This ensures Kion can validate that users have access to Azure AD directory.
- Click the Add permissions button.
- Click Application permissions.
- Expand the User section and enable the User.Read.All permission.
- Click Add Permissions.
- Under API permissions > Grant consent , click Grant admin consent for Kion. This ensures users are able to link their Azure accounts successfully.
3. Add the App Registration to a Management Group
Kion manages Azure resources under a management group. By granting Kion access to a management group, the application will be able to access and manage all resources and subscriptions contained inside the management group.
Kion supports nested management group schemes, but should not be granted access to multiple management groups at different levels in the same hierarchy.
If you are already using management groups to manage your subscriptions, skip to the "To Grant the App Registration Access to the Management Group" section below and grant the Kion app registration access to the highest level management group.
To create the Azure management group:
- Log in to the Azure Portal.
- Click All Services in the left menu.
- Click Management Groups.
- If visible, click Start using management groups. Otherwise, click Add Management Group.
- Select Create new.
- In the Management group ID field, enter: cloudtamerManagementGroup
- In the Management group display name field, enter: Kion Management Group
- Click the Save button. After about a minute, the management group should appear on the screen.
To add a subscription to the Azure management group:
- Log in to the Azure Portal.
- Click All Services in the left menu.
- Click Management Groups.
- Click the Kion Management Group.
- Click the details hyperlink.
- Click the Add subscription button.
- Select the desired subscription.
- Click the Save button.
To grant the app registration access to the management group:
- Log in to the Azure Portal.
- Click All Services in the left menu.
- Click Management Groups.
- Click the Kion Management Group.
- Click the details hyperlink.
- Click Access control (IAM).
- Click Role assignments.
- Click the + Add button.
- Click Add role assignment.
- In the Role dropdown, enter: Owner
- In the Assign access to field, select Azure AD user, group, or service principal.
- In the Select field, enter the name of the app registration you created earlier: Kion App Registration
- Click the Save button.
Import Financial Data
We offer two methods for importing your financial data into Kion: through a billing report export or through the Azure EA Billing Portal. We recommend using the billing report export if possible.
1. Export Your Billing Data to a Storage Account
Create a recurring export that places your billing data in an Azure storage account. This storage account is where Kion accesses your billing data. This part of the process is done in the Azure Portal.
To create a recurring task to export your billing data to Azure storage, see Microsoft's documentation: Create and manage exported data.
Ensure that the both the export and the Azure Storage account have write permissions, and that the Azure storage account is configured for blob file storage.
During this process, take note of the name of your storage account, the storage container you select to export your data to, and the directory path your data is saved to.
2. Add the Storage Blob Data Reader Role to the Container
To manage your billing data, your storage container must be enabled for blob storage. This part of the process is done in the Azure Portal.
- In the Azure Portal, navigate to Cost Management > Exports.
- Click the name of your export.
- Click the link next to Storage account.
- In the left menu, click Containers.
- Click the Role Assignments tab.
- Click Add.
- In the Role dropdown, select Storage Blob Data Reader.
- In the Assign access to dropdown, select User, group, or service principal.
- In the Select dropdown, select your Kion app registration.
3. Create a Billing Source in Kion
- Log in to Kion.
- Navigate to Accounts > Billing Sources.
- Click Add New +.
- Account Type. Select Azure EA Commercial or Azure EA Government.
- Customer Name. Enter the customer name.
- Domain. Enter your Azure domain ([yourdomain].onmicrosoft.com).
- App ID. Enter the Application (client) ID value that you copied down from the steps above.
- Client Secret. Enter the client secret value that you copied down from the steps above.
- Resource Group Creation. Select whether this billing source should be able to create new Azure resource groups.
- Click the Test Tenant Credentials (formerly Test Resource Management Credentials) button to test the credentials you entered.
- This tests whether the credentials you've entered are valid to connect Kion with Azure's resource management API. Without a connection, users might not be able to access cloud resources.
- An indicator shows whether the tenant connection is active (green) or inactive (red) and the date that its status was last updated. For inactive connections, click Troubleshoot to visit the Troubleshooting Your Azure Connection page.
- Select Billing Report Export as your data import method.
- Billing Start Date. Enter the date when you would like financial to be available. This date should not be before the creation of the customer.
- Storage Primary Endpoint. Enter: https://[your storage account name].blob.core.windows.net
- Storage Container. Enter the name of the container you selected to export your billing data to.
- Storage Prefix. Enter the location of your exported data. You only need to include the directories after the name of your storage container.
- Click the Test Billing Credentials button to test the billing credentials you entered.
- This tests whether the credentials you've entered are valid to connect Kion with Azure's billing management API. Without a connection, financial data may fall out of date.
- An indicator shows whether the billing connection is active (green) or inactive (red) and the date that its status was last updated. For inactive connections, see Troubleshooting Your Azure Connection.
- Select Skip Billing Source Validation to create the billing source without an active connection. This allows you to create the billing source even if you don't have all the credentials you need at this time.
- Click the Create Billing Source button.
Your billing data will be pulled in to Kion the next time new data is available in your Azure storage.
1. Get the EA API Key and Agreement Number
Kion requires access to your enterprise agreement portal, so it can read billing data about your subscriptions. You need an account with access to billing data and price sheets for this.
- Log in to the Azure EA Portal with an account that has access to billing data and price sheets.
- Copy and save the agreement number shown under the Microsoft logo at the top left of the page.
- Click Reports in the sidebar.
- Click Download Usage.
- Click API Access Key.
- Click Generate to generate a new API access key.
- Click Yes when prompted to verify that you’re sure you want to generate a new key.
- Click Expand Key and copy and save the API access key.
- Copy and save the expiration date of the API access key.
Add the EA access information you have gathered to Kion.
- Log in to Kion.
- In the left navigation menu, click Accounts > Azure Enterprise Agreements.
- Click the + button.
- In the Agreement Number field, enter your EA agreement number.
- In the API Key field, enter the EA API key you generated earlier.
- In the API Key Expiration field, enter the expiration date of your API key.
- Click the Create Azure Enterprise Agreement button.
3. Create a Billing Source in Kion
- Log in to Kion.
- Navigate to Accounts > Billing Sources.
- Click Add New +.
- Account Type. Select Azure EA Commercial or Azure EA Government.
- Customer Name. Enter the customer name.
- Domain. Enter your Azure domain ([yourdomain].onmicrosoft.com).
- App ID. Enter the Application (client) ID value that you copied down from the steps above.
- Client Secret. Enter the client secret value that you copied down from the steps above.
- Resource Group Creation. Select whether this billing source should be able to create new Azure resource groups.
- Click the Test Tenant Credentials (formerly Test Resource Management Credentials) button to test the credentials you entered.
- This tests whether the credentials you've entered are valid to connect Kion with Azure's resource management API. Without a connection, users might not be able to access cloud resources.
- An indicator shows whether the tenant connection is active (green) or inactive (red) and the date that its status was last updated. For inactive connections, click Troubleshoot to visit the Troubleshooting Your Azure Connection page.
- Select EA Billing Portal as your data import method.
- Billing Start Date. Enter the date when you would like financial to be available. This date should not be before the creation of the customer.
- Azure EA. Select the Azure EA that this customer purchases subscriptions from.
- Click the Test Billing Credentials button to test the billing credentials you entered.
- This tests whether the credentials you've entered are valid to connect Kion with Azure's billing management API. Without a connection, financial data may fall out of date.
- An indicator shows whether the billing connection is active (green) or inactive (red) and the date that its status was last updated. For inactive connections, see Troubleshooting Your Azure Connection.
- Select Skip Billing Source Validation to create the billing source without an active connection. This allows you to create the billing source even if you don't have all the credentials you need at this time.
- Click the Create Billing Source button.