Azure CSP Billing Sources


Once Kion is installed in your environment, provide the Azure CSP API access to manage your Azure resources and access to your billing data. Then, add the info to Kion, and set up a billing source in the application.

Before you can create Azure subscriptions or resource groups through Kion, you need to ensure creation is enabled on the Azure billing source.

If you are unsure what your Azure billing account type is, see Identifying Your Azure Billing Type.

Requirements

  • Credentials for the Azure domain with access to the CSP Portal.

Configure Azure CSP Access Settings

First, we will configure the Azure API to manage your Azure resources and the CSP API access to access billing data.

During this process, take note of your app registration's Application (client) ID and Client Secret Value for later use.

1. Configure the App Registration

Kion requires an app registration with a client secret to interact with the Azure APIs.

Follow the steps to configure an existing registration if you already have Azure registered for SAML 2.0 authentication in Kion. Otherwise, select the tab to create a new registration.

Configure an Existing Registration
  1. Log in to the Azure Portal.
  2. Search for and select the service: Microsoft Entra ID.
  3. Navigate to Manage > App Registrations.
  4. Click All Applications tab.
  5. Click the enterprise application you are using for SAML with Kion.
  6. Record the Application (client) ID from the overview somewhere you will be able to reference it later.
  7. Select Authentication in the left menu.
  8. In the Redirect URI section, click Add URI.
  9. In the URI field, enter the base URL of your Kion instance and append the path: /api/v3/account/link-azure-callback
    For example, if your Kion instance is hosted at https://yourcompany.kion, you would enter: https://yourcompany.kion/api/v3/account/link-azure-callback
  10. Click Save.
  11. Select Certificates & secrets.
  12. In the Client secrets section, click New client secret.
  13. For the Description, enter: Kion Application
  14. Select an expiration period for the client secret.
  15. Click Add.
  16. Copy the Value next to your client secret from the client secrets table, and store it in a password vault.

2. Assign API permissions to the App Registration

Kion requires several Microsoft Graph permissions to read user data and associate Azure user accounts with Kion users. Kion also needs permission to manage user groups, so it can ensure Azure Users have the correct permissions on subscriptions.

  1. If you aren't already there, navigate to Azure Portal > Microsoft Entra ID > App Registrations > Your Kion app registration.
  2. Select API permissions in the left menu.
  3. Click Add Permission, and add the following permissions:
    • Microsoft Graph > Delegated permissions > User.Read.
    • Microsoft Graph > Delegated permissions > Directory.Read.All.
    • Microsoft Graph > Application permissions > User.Read.All.
    • Microsoft Graph > Application permissions > Group.Read.All
  4. If you would like Kion to automatically rotate the Client Secret, also add the following permissions:
    • Microsoft Graph > Application permissions > Application.Read.All
    • Microsoft Graph > Application permissions > Application.ReadWrite.OwnedBy
  5. Click Grant admin consent for [your app registration name]. This ensures users are able to link their Azure accounts.
  6. If you added the permissions for automatic Client Secret rotation, you will also need to run the following commands:
    APP_ID='YOUR_APP_REGISTRATION_ID'
    az ad app owner add --id "$APP_ID" --owner-object-id "$(az ad sp list --filter "appId eq '$APP_ID'" --query '[].id' --output tsv)"

3. Add the App Registration to a Management Group

Kion manages Azure resources under a management group. By granting Kion access to a management group, the application will be able to access and manage all resources and subscriptions contained inside the management group.

Kion supports nested management group schemes, but should not be granted access to multiple management groups at different levels in the same hierarchy.

  1. If you haven't configured management groups yet, see Microsoft's article Create a management group to set up a management group, and then Add a Subscription to a Management Group to add the subscription(s) you want to manage in Kion to the group.
  2. In the Azure portal, search for and select the service: Management Groups.
  3. Select the management group containing the subscriptions you want to manage in Kion. For consistency and visibility, we suggest selecting your highest level management group.
  4. Navigate to Access control (IAM) > Role assignments.
  5. Click Add > Add role assignment.
  6. Select Role > Privileged administrator roles.
  7. Search for and select Owner.
  8. Click Next.
  9. For Assign access to, select User, group, or service principal.
  10. Click Select members.
  11. Search for and select your Kion app registration.
  12. Click Review and Assign.
  13. Click Assign.
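The guide above says Kion should be granted access to a single management group, not to several at different levels of the same hierarchy. The following is an added example (not Kion's or Microsoft's code) that checks for exactly that: given a management-group hierarchy and a list of role assignments shaped like the output of az role assignment list --all, it reports every management group where the Kion principal's assignment is already covered by an assignment on an ancestor. The hierarchy, principal name kion-app, and assignments are constructed sample data; against a real tenant you would feed it the JSON that az prints for your app registration.

```python
"""Flag role assignments for a principal at multiple levels of one
Azure management-group hierarchy (added example, not Kion's code).
Sample hierarchy and assignments are constructed for illustration."""
import json

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Constructed sample hierarchy: management group -> parent (None = tenant root).
SAMPLE_HIERARCHY = {
    "tenant-root": None,
    "mg-platform": "tenant-root",
    "mg-workloads": "tenant-root",
    "mg-workloads-prod": "mg-workloads",
}

# Constructed sample assignments, a subset of the fields that
# `az role assignment list --all --assignee <app-id> -o json` prints.
SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {"principalName": "kion-app", "roleDefinitionName": "Owner",
     "scope": MG_PREFIX + "mg-workloads"},
    {"principalName": "kion-app", "roleDefinitionName": "Owner",
     "scope": MG_PREFIX + "mg-workloads-prod"},
    {"principalName": "kion-app", "roleDefinitionName": "Storage Blob Data Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
              "rg-billing/providers/Microsoft.Storage/storageAccounts/kionbilling"},
    {"principalName": "someone-else", "roleDefinitionName": "Owner",
     "scope": MG_PREFIX + "mg-platform"},
])


def ancestors(mg_id, hierarchy):
    """Return the ancestors of a management group, nearest parent first."""
    chain = []
    parent = hierarchy.get(mg_id)
    while parent is not None:
        chain.append(parent)
        parent = hierarchy.get(parent)
    return chain


def management_group_scopes(assignments_json, principal):
    """Management-group IDs at which `principal` holds any role assignment.
    Assignments at subscription or resource scope are ignored here."""
    mgs = set()
    for assignment in json.loads(assignments_json):
        scope = assignment["scope"]
        if assignment["principalName"] == principal and scope.startswith(MG_PREFIX):
            mgs.add(scope[len(MG_PREFIX):])
    return mgs


def overlapping_scopes(assignments_json, principal, hierarchy):
    """Return (child, ancestor) pairs where the principal is assigned at both
    levels of the same hierarchy. The child-level assignment is the one to
    remove so that Kion is granted access at a single management group."""
    mgs = management_group_scopes(assignments_json, principal)
    overlaps = []
    for mg in sorted(mgs):
        for ancestor in ancestors(mg, hierarchy):
            if ancestor in mgs:
                overlaps.append((mg, ancestor))
    return overlaps


if __name__ == "__main__":
    for child, ancestor in overlapping_scopes(SAMPLE_ASSIGNMENTS_JSON, "kion-app", SAMPLE_HIERARCHY):
        print(f"{child}: already covered by the assignment on {ancestor}")
```

On the constructed data the check reports mg-workloads-prod as redundant with mg-workloads; the blob-reader assignment on the storage account is outside the management-group hierarchy and is ignored, as it should be.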

4. Retrieve the Microsoft ID for the CSP

  1. Log in to the Microsoft Partner Center.
  2. Navigate to Dashboard > Customers.
  3. Select the Company name of the customer.
  4. Click Account.
  5. Under the Customer account info section, copy down the following values:
    • Microsoft ID
    • Domain name

Adding the CSP Access Information into Kion

We offer two methods for importing your financial data into Kion: through a billing report export or through the Azure Partner Center. We recommend using the billing report export if possible.

Billing Report Export (Recommended)

1. Export Your Billing Data to a Storage Account

Next, we will create a recurring export that places your billing data in an Azure storage account where Kion can access the data.

During this process, take note of your storage account name, the name of the container you export your data to, and the directory path your data is saved under.

  1. In the Azure portal, search for and select the service: Cost Management.
  2. Navigate to Settings > Exports.
  3. For the scope, select the management group you are using for Kion.
  4. Click Add.
  5. For the name, enter Kion billing export.
  6. For the export type, select Daily export of month-to-date costs.
  7. For the start date, select today's date or the date you want to begin the export.
  8. For storage, select Create new.
  9. Select the subscription for your Azure storage account.
  10. Select a resource group or create a new one.
  11. Enter a name for the storage account.
  12. Select the location (Azure region).
  13. Enter a name for the container.
  14. Enter the directory path that you want the export file to go to.
  15. Click Create.

Creation of the storage account and container may take some time.

2. Add the Storage Blob Data Reader Role to the Container

For Kion to read your billing data, its app registration needs the Storage Blob Data Reader role on the container that holds the export.

  1. In the Azure Portal, navigate to Cost Management > Exports.
  2. Click the Storage account link next to your export in the list.
  3. In the left menu, select Containers.
  4. Click the ellipsis menu next to your container, and select Container properties.
  5. In the left menu, select Access Control (IAM).
  6. Select the Role Assignments tab.
  7. Click Add.
  8. Search for and select Storage Blob Data Reader.
  9. Click Next.
  10. For Assign access to, select User, group, or service principal.
  11. Click Select members.
  12. Search for and select your Kion app registration.
  13. Click Review and Assign.
  14. Click Assign.

3. Create a Billing Source in Kion

  1. Log in to Kion.
  2. Navigate to Accounts > Billing Sources.
  3. Click Add New.
  4. For the Account Type, select Azure CSP Commercial or Azure CSP Government.
  5. For the Customer Name, enter a friendly name for your account.
  6. For the Domain, enter your Azure domain ([yourdomain].onmicrosoft.com).
  7. For the App ID, enter the Application (client) ID from your app registration.
  8. For the Client Secret, enter the Client Secret Value from your app registration.
  9. For the Resource Group Creation option, select whether this billing source should be able to create new Azure resource groups.
  10. Click Test Tenant Credentials to test whether Kion can communicate with Azure using the credentials you entered.
    • An indicator shows whether the tenant connection is active (green) or inactive (red) and the date that its status was last updated. For inactive connections, see Troubleshooting Your Azure Connection.
  11. Select Billing Report Export as your data import method.
  12. For the Billing Start Date, enter the date when you would like financial data to be available. This date should not be before the export was created.
  13. For the Storage Primary Endpoint, enter: https://[your storage account name].blob.core.windows.net
  14. For the Storage Container, enter the name of the container you exported your billing data to.
  15. For the Storage Prefix, enter the directory path to your exported data. You only need to include the directories after the name of your storage container. For example, using the location pictured below, you would enter report/cloudtamerexport.
  16. For the Subscription Creation option, select whether this billing source should be able to create new Azure subscriptions.
  17. Click Test Billing Credentials to test whether Kion can communicate with Azure using the credentials you entered.
    • An indicator shows whether the billing connection is active (green) or inactive (red) and the date that its status was last updated. For inactive connections, see Troubleshooting Your Azure Connection.
  18. Click Create Billing Source.

Your billing data will be pulled into Kion the next time new data is available in your Azure storage. It can take 12-24 hours before the export runs in Azure and data appears in the exported files. A connection error badge may show next to the billing source in Kion until financial data is successfully retrieved.

Enabling CSP Subscription Creation

Before you can create Azure subscriptions or resource groups through Kion, you need to ensure creation is enabled on the Kion billing source and in the Azure Portal. If you enabled the Resource Group Creation or Subscription Creation options on your billing source, follow these additional steps to enable account creation.

During this process, take note of the Tenant Root Group and Object ID for later use.

  1. Log in to the Azure console with a user that has the Global Admin Microsoft Entra ID role.
  2. Search for and select Tenant properties.
  3. Enable Access Management for Azure Resources to provide the current user with access to manage all Azure subscriptions and management groups in the tenant.
  4. Search for and select Management groups.
  5. Record the ID for the Tenant Root Group (ID).
  6. Search for and select Enterprise applications.
  7. Select your Kion app registration.
  8. Record the Object ID.
  9. Open up a terminal on your local system or open up the Azure Cloud Shell.
  10. Save the following text to a file named role.json in the current directory. You should replace <ROOT MANAGEMENT GROUP ID> with the Tenant Root Group ID from the step above.
    {
      "Name": "Minimal subscription move",
      "Description": "Allows Kion to move created subscriptions under an owned management group",
      "Actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "subscriptions/write"
      ],
      "AssignableScopes": [
        "/providers/Microsoft.Management/managementGroups/<ROOT MANAGEMENT GROUP ID>"
      ]
    }

  11. Run the following command to create a role definition from the file.
    az role definition create --role-definition @role.json
  12. To assign the role to the app registration, run the following command.
    • Replace the $SERVICE_PRINCIPAL text with the Object ID from the step above.
    • Replace the $ROOT_GROUP_ID text with the Tenant Root Group ID from the step above.
    az role assignment create \
      --assignee $SERVICE_PRINCIPAL \
      --role "Minimal subscription move" \
      --scope /providers/Microsoft.Management/managementGroups/$ROOT_GROUP_ID
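Because the custom role in step 10 is what lets the app registration move subscriptions and write role assignments at the tenant root, it is worth linting the file before running az role definition create. The following is an added example (not Kion's or Microsoft's code) that fills in the placeholder and then checks what a reviewer would check: the placeholder was actually replaced, the only assignable scope is the intended root management group, no action contains a wildcard, and the action set is exactly the three the guide lists. The template is the guide's JSON verbatim; the root group ID and the lint_role_definition and render_role_definition function names are assumptions of this example.

```python
"""Lint the custom role definition saved as role.json before creating it.
Added example, not Kion's code; the root group ID below is constructed."""
import json

MG_SCOPE_PREFIX = "/providers/Microsoft.Management/managementGroups/"
PLACEHOLDER = "<ROOT MANAGEMENT GROUP ID>"

# Exactly the actions the guide's role grants; anything else is a finding.
EXPECTED_ACTIONS = {
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "subscriptions/write",
}

# The guide's template, verbatim (constructed copy for this example).
TEMPLATE = """{
  "Name": "Minimal subscription move",
  "Description": "Allows Kion to move created subscriptions under an owned management group",
  "Actions": [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "subscriptions/write"
  ],
  "AssignableScopes": [
    "/providers/Microsoft.Management/managementGroups/<ROOT MANAGEMENT GROUP ID>"
  ]
}"""
SAMPLE_ROOT_GROUP_ID = "11111111-2222-3333-4444-555555555555"  # constructed, not a real tenant


def render_role_definition(template_json, root_group_id):
    """Replace the guide's placeholder; the result is what you save as role.json."""
    return template_json.replace(PLACEHOLDER, root_group_id)


def lint_role_definition(role_json, root_group_id):
    """Return a list of findings; an empty list means the definition is acceptable."""
    findings = []
    role = json.loads(role_json)

    for key in ("Name", "Description", "Actions", "AssignableScopes"):
        if key not in role:
            findings.append(f"missing required key {key}")
    if findings:
        return findings

    actions = set(role["Actions"])
    for action in sorted(actions):
        if "*" in action:
            findings.append(f"wildcard action {action!r} grants more than the guide intends")
    extra = sorted(actions - EXPECTED_ACTIONS)
    if extra:
        findings.append(f"unexpected actions: {extra}")
    missing = sorted(EXPECTED_ACTIONS - actions)
    if missing:
        findings.append(f"missing actions: {missing}")

    scopes = role["AssignableScopes"]
    if any(PLACEHOLDER in scope for scope in scopes):
        findings.append(f"placeholder {PLACEHOLDER} was not replaced")
    expected_scope = MG_SCOPE_PREFIX + root_group_id
    if scopes != [expected_scope]:
        findings.append(f"AssignableScopes should be exactly [{expected_scope!r}], got {scopes}")

    # The guide's role uses none of these; their presence means the file was edited.
    for key in ("NotActions", "DataActions", "NotDataActions"):
        if role.get(key):
            findings.append(f"{key} is set but the guide's role does not use it")
    return findings


if __name__ == "__main__":
    filled = render_role_definition(TEMPLATE, SAMPLE_ROOT_GROUP_ID)
    print("filled template:", lint_role_definition(filled, SAMPLE_ROOT_GROUP_ID))
    print("raw template:   ", lint_role_definition(TEMPLATE, SAMPLE_ROOT_GROUP_ID))
```

Run it against the file you are about to pass to az role definition create; a clean result is an empty list, while an unreplaced placeholder, a widened scope, or an added wildcard action each produce a specific finding.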