Azure CSP Billing Sources
Once Kion is installed in your environment, you'll need to provide Azure API access so Kion can manage your Azure resources, and Azure CSP API access so it can retrieve the billing data. You'll also need to enable CSP subscription creation. Then you'll add the information to Kion and set up a billing source in the application.
If you are unsure what your Azure billing account type is, see Identifying Your Azure Billing Type.
You’ll need access to certain Microsoft accounts to complete this setup. For CSP, you'll need:
- Login credentials for: Azure Tenant (at the CSP Customer level)
Configure Azure CSP Access Settings
Provide Azure API access to manage your Azure resources and provide CSP API access to retrieve the billing data. Expand the sections and complete the steps below.
1. Create/Configure the App Registration
Kion requires an App Registration with a client secret to interact with the Azure APIs. You must have Kion set up with an HTTPS URL to continue.
Follow the steps under "Create an App Registration" below to create a new app registration. If you already have an Azure Enterprise Application registered for SAML 2.0 authentication in Kion, proceed to "Configure an Existing App Registration" instead.
To create a new app registration:
- Log in to the Azure Portal.
- Click Azure Active Directory in the left menu.
- Click App Registrations.
- Click the New Registration button.
- In the Name field, enter: Kion App Registration
- In the Supported account types section, select the option: Accounts in this organizational directory only.
- In the Redirect URI section, select: web.
- In the URI field, type in the base URL of the Kion instance and append the path /api/v3/account/link-azure-callback. For example, if your Kion instance is hosted at https://yourcompany.Kion you would type in: https://yourcompany.Kion/api/v3/account/link-azure-callback
- Click the Register button.
- Record the following value: Application (client) ID.
- Click Certificates & secrets.
- In the Client secrets section, click New client secret.
- In the Description field, type in: Kion Application
- In the Expires field, select: Never.
- Click the Add button.
- Copy down the Value field and store it in a password vault; it will not be visible again.
To configure an existing app registration:
Follow these steps if you already had an Azure Enterprise Application registered for SAML 2.0 authentication in Kion. You do not need to complete these steps if you already completed the "Create an App Registration" steps above.
- Log in to the Azure Portal.
- Click Azure Active Directory in the left menu.
- Click App Registrations.
- Click All Applications tab.
- Click the name of the application. This should match the Enterprise Application you're using for SAML with Kion.
- Record the following value from the overview: Application (client) ID.
- Click Authentication in the left menu.
- In the Redirect URI section, click Add URI.
- In the URI field, type in the base URL of the Kion instance and append the path /api/v3/account/link-azure-callback. For example, if your Kion instance is hosted at https://yourcompany.Kion you would type in: https://yourcompany.Kion/api/v3/account/link-azure-callback
- Click Save at the top.
- Click Certificates & secrets.
- In the Client secrets section, click New client secret.
- In the Description field, type in: Kion Application
- In the Expires field, select: Never.
- Click the Add button.
- Copy down the Value field and store it in a password vault because it will not be visible again.
2. Assign API Permissions to the App Registration
Several Microsoft Graph permissions are required to allow Kion to read user data and associate Azure user accounts with Kion users. Kion also needs permission to manage user groups, so it can ensure Azure users have the correct permissions on subscriptions.
To assign API permissions to the app registration:
- Log in to the Azure Portal.
- Click API permissions in the left menu.
- In the API permissions section, click Add Permission.
- Click Microsoft Graph.
- Click Delegated permissions.
- In the User section, ensure the User.Read permission is enabled. This ensures Kion can read data about the user.
- Expand the Directory section and select Directory.Read.All. This ensures Kion can validate that users have access to the Azure AD directory.
- Click Add permissions.
- Click Application permissions.
- Expand the User section and enable the User.Read.All permission. This allows Kion to read user data.
- Click Add Permissions.
- Under API permissions > Grant consent, click Grant admin consent for Kion. This ensures users are able to link their Azure accounts successfully.
3. Add the App Registration to a Management Group
Kion manages Azure resources under a management group. Granting Kion access to a management group lets it access and manage all resources and subscriptions contained inside that management group.
If you are already using management groups to manage your subscriptions, skip to the Grant the app registration access to the management group section below. Kion supports nested management group schemes, but should not be granted access to multiple management groups at different levels in the same hierarchy.
To create the Azure management group:
- Log in to the Azure Portal.
- Click All Services in the left menu.
- Click Management Groups.
- If visible, click Start using management groups. Otherwise, click Add Management Group.
- Click Create new.
- In the Management group ID field, enter: cloudtamerManagementGroup
- In the Management group display name field, enter: Kion Management Group
- Click Save.
After about a minute, the management group is created.
To add a subscription to the Azure management group:
- Log in to the Azure Portal.
- Click All Services in the left menu.
- Click Management Groups.
- Click on the Kion Management Group.
- Click Details.
- Click Add subscription.
- Select the desired subscription.
- Click Save.
Grant the app registration access to the management group:
- Log in to the Azure Portal.
- Click All Services in the left menu.
- Click Management Groups.
- Click on the Kion Management Group.
- Click Details.
- Click Access control (IAM).
- Click the Role assignments tab.
- Click the Add > Add role assignment.
- For the Role, enter: Owner
- Leave the Assign access to field as the default: Azure AD user, group, or service principal.
- In the Select field, enter the name of the app registration you created earlier: Kion App Registration
- Click Save.
4. Retrieve the Microsoft ID for the CSP Customer
To retrieve the Microsoft ID for the customer's subscription, you'll need to log in to the CSP Partner Center.
- Log in to the Microsoft Partner Center.
- Click the Dashboard menu item.
- Click Customers in the left menu.
- Click on the Company name of the customer.
- Click on Account.
- Under the Customer account info section, copy down the following values:
- Microsoft ID
- Domain name
Enabling CSP Subscription Creation
Before you can enable CSP subscription creation in Kion, you must follow these steps to allow Kion to move subscriptions to the Kion managed management group.
Enable CSP Subscription Creation
1. Log in to the Azure console with a user that has the Global Admin Azure AD role.
2. Enter Tenant properties in the Azure search box at the top of the screen and select the first option.
3. Enable Access Management for Azure Resources to provide the current user with access to manage all Azure subscriptions and management groups in the tenant.
4. In the Azure search box, type in Management groups and select the first option.
5. Record the ID for the Tenant Root Group as the root group ID for later use.
6. In the Azure search box, enter Enterprise applications and select the first option.
7. Find the Kion app registration created above and click on it.
8. Record the Object ID as the app registration's service principal object ID for later use.
9. Open up a terminal on your local system or open up the Azure Cloud Shell.
10. Save the following text to a file named role.json in the current directory. You should replace <ROOT MANAGEMENT GROUP ID> with the root group ID from the step above.
{
  "Name": "Minimal subscription move",
  "Description": "Allows Kion to move created subscriptions under an owned management group",
  "Actions": [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "subscriptions/write"
  ],
  "AssignableScopes": [
    "/providers/Microsoft.Management/managementGroups/<ROOT MANAGEMENT GROUP ID>"
  ]
}
11. In the terminal, run the following command to create a role definition from the role:
az role definition create --role-definition @role.json
12. To assign the role to the app registration, run the following command.
- You should replace the $SERVICE_PRINCIPAL text with the service principal object ID from the step above.
- You should replace the $ROOT_GROUP_ID text with the root group ID from the step above.
az role assignment create \
  --assignee $SERVICE_PRINCIPAL \
  --role "Minimal subscription move" \
  --scope /providers/Microsoft.Management/managementGroups/$ROOT_GROUP_ID
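The role definition and assignment above, wrapped in a small POSIX shell script that validates both IDs and the rendered role.json before anything is sent to Azure. This is an added example, not Kion's or Microsoft's tooling: the function names (is_guid, render_role_json, role_json_ok, apply_role) are ours, and ROOT_GROUP_ID and SERVICE_PRINCIPAL are assumed to hold the Tenant Root Group ID and the service principal Object ID recorded in the steps above. The assignment uses --assignee-object-id with --assignee-principal-type ServicePrincipal so the CLI does not have to resolve the principal through Microsoft Graph, which also avoids accidentally matching a user or group by display name.

```shell
#!/bin/sh
# Added example (not Kion's own tooling): render role.json for the
# "Minimal subscription move" custom role and assign it to the Kion
# service principal, validating inputs before any az call is made.
# Assumed inputs: ROOT_GROUP_ID (Tenant Root Group ID) and
# SERVICE_PRINCIPAL (app registration's service principal Object ID).

# Return 0 when $1 looks like a GUID (8-4-4-4-12 hex). Tenant/root group IDs
# and service principal object IDs all have this shape.
is_guid() {
  printf '%s' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Print the role definition from the page with the root group ID filled in.
# The only assignable scope is the root management group: the role cannot be
# handed out at a broader or unrelated scope later.
render_role_json() {
  root="$1"
  cat <<EOF
{
  "Name": "Minimal subscription move",
  "Description": "Allows Kion to move created subscriptions under an owned management group",
  "Actions": [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "subscriptions/write"
  ],
  "AssignableScopes": [
    "/providers/Microsoft.Management/managementGroups/${root}"
  ]
}
EOF
}

# Refuse to proceed if the file still carries the placeholder from the docs,
# or if it names anything other than exactly one management group scope.
role_json_ok() {
  file="$1"
  if grep -q '<ROOT MANAGEMENT GROUP ID>' "$file"; then return 1; fi
  [ "$(grep -c 'managementGroups/' "$file")" -eq 1 ]
}

# Create the role definition and assign it (requires an authenticated az CLI).
apply_role() {
  root="$1"; sp="$2"
  is_guid "$root" || { echo "bad root group ID: $root" >&2; return 1; }
  is_guid "$sp"   || { echo "bad service principal object ID: $sp" >&2; return 1; }
  render_role_json "$root" > role.json
  role_json_ok role.json || { echo "role.json failed validation" >&2; return 1; }
  az role definition create --role-definition @role.json
  az role assignment create \
    --assignee-object-id "$sp" \
    --assignee-principal-type ServicePrincipal \
    --role "Minimal subscription move" \
    --scope "/providers/Microsoft.Management/managementGroups/${root}"
}

# Usage: ROOT_GROUP_ID=<guid> SERVICE_PRINCIPAL=<guid> sh kion-role.sh
# The az calls only run when both variables are set.
if [ -n "${ROOT_GROUP_ID:-}" ] && [ -n "${SERVICE_PRINCIPAL:-}" ]; then
  apply_role "$ROOT_GROUP_ID" "$SERVICE_PRINCIPAL"
fi
```

Running the script with either variable unset is harmless: only the pure functions are defined, which makes them easy to exercise in a shell test before pointing the script at a real tenant.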
Adding the CSP Access Information into Kion
We offer two methods for importing your financial data into Kion: through a billing report export or through the Azure Partner Center. We recommend using the billing report export if possible.
1. Export Your Billing Data to a Storage Account
Create a recurring export that places your billing data in an Azure storage account. This storage account is where Kion accesses your billing data. This part of the process is done in the Azure Portal.
To create a recurring task to export your billing data to Azure storage, see Microsoft's documentation: Create and manage exported data.
Ensure that both the export and the Azure Storage account have write permissions, and that the Azure storage account is configured for blob file storage.
During this process, take note of the name of your storage account, the storage container you select to export your data to, and the directory path your data is saved to.
2. Add the Storage Blob Data Reader Role to the Container
To manage your billing data, your storage container must be enabled for blob storage. This part of the process is done in the Azure Portal.
- In the Azure Portal, navigate to Cost Management > Exports.
- Click the name of your export.
- Click the link next to Storage account.
- In the left menu, click Containers.
- Click the Role Assignments tab.
- Click Add.
- In the Role dropdown, select Storage Blob Data Reader.
- In the Assign access to dropdown, select User, group, or service principal.
- In the Select dropdown, select your Kion app registration.
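The container-level role assignment above, as an Azure CLI equivalent. This is an added example, not Kion's own tooling: it builds the container's resource ID and refuses to run if the scope is anything wider than a single container, which is the check worth making whenever an automated reader is granted data-plane access to a storage account. SUBSCRIPTION_ID, RESOURCE_GROUP, STORAGE_ACCOUNT and CONTAINER are assumed to be the values noted during the export setup, SERVICE_PRINCIPAL is the Object ID of the Kion app registration's service principal, and the function names are ours.

```shell
#!/bin/sh
# Added example (not Kion's own tooling): grant Storage Blob Data Reader to
# the Kion service principal on the export container only.
# Assumed inputs: SUBSCRIPTION_ID, RESOURCE_GROUP, STORAGE_ACCOUNT, CONTAINER
# and SERVICE_PRINCIPAL (service principal Object ID of the app registration).

# Build the ARM resource ID of a blob container. This is the narrowest scope
# at which the data-plane reader role can be granted.
container_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s' \
    "$1" "$2" "$3" "$4"
}

# Return 0 only when the scope ends in a container segment, i.e. the
# assignment was not accidentally made on the whole storage account.
# Name rules: account 3-24 lowercase alphanumerics, container 3-63
# lowercase alphanumerics and hyphens.
scope_is_container() {
  printf '%s' "$1" | grep -Eq '/storageAccounts/[a-z0-9]{3,24}/blobServices/default/containers/[a-z0-9-]{3,63}$'
}

# Create the assignment (requires an authenticated az CLI with rights on the account).
assign_reader() {
  scope="$(container_scope "$1" "$2" "$3" "$4")"
  scope_is_container "$scope" || { echo "refusing: scope is not a single container: $scope" >&2; return 1; }
  az role assignment create \
    --assignee-object-id "$5" \
    --assignee-principal-type ServicePrincipal \
    --role "Storage Blob Data Reader" \
    --scope "$scope"
}

# Afterwards, list every role the principal holds so nothing broader than the
# container slipped in (e.g. a Contributor role at the account level).
list_assignments() {
  az role assignment list --assignee "$1" --all \
    --query "[].{role:roleDefinitionName,scope:scope}" -o table
}

# Usage: set the five variables and run the script; nothing is sent to Azure otherwise.
if [ -n "${SUBSCRIPTION_ID:-}" ] && [ -n "${RESOURCE_GROUP:-}" ] && [ -n "${STORAGE_ACCOUNT:-}" ] \
   && [ -n "${CONTAINER:-}" ] && [ -n "${SERVICE_PRINCIPAL:-}" ]; then
  assign_reader "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" "$CONTAINER" "$SERVICE_PRINCIPAL" \
    && list_assignments "$SERVICE_PRINCIPAL"
fi
```

Storage Blob Data Reader is a data-plane role; it lets Kion read the exported report blobs but grants no control-plane rights such as listing account keys, which is why it is preferable to reusing the Owner assignment Kion already holds on the management group.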
3. Create a Billing Source in Kion
- Log in to Kion.
- Navigate to Accounts > Billing Sources.
- Click Add New +.
- Account Type. Select Azure CSP Commercial or Azure CSP Government.
- Customer Name. Enter the customer name.
- Domain. Enter your Azure domain ([yourdomain].onmicrosoft.com).
- App ID. Enter the Application (client) ID value that you copied down from the steps above.
- Client Secret. Enter the client secret value that you copied down from the steps above.
- Resource Group Creation. Select whether this billing source should be able to create new Azure resource groups.
- Click the Test Tenant Credentials (formerly Test Resource Management Credentials) button to test the credentials you entered.
- This tests whether the credentials you've entered are valid to connect Kion with Azure's resource management API. Without a connection, users might not be able to access cloud resources.
- An indicator shows whether the tenant connection is active (green) or inactive (red) and the date that its status was last updated. For inactive connections, click Troubleshoot to visit the Troubleshooting Your Azure Connection page.
- Select Billing Report Export as your data import method.
- Billing Start Date. Enter the date from which you would like financial data to be available. This date should not be before the creation of the customer.
- Storage Primary Endpoint. Enter: https://[your storage account name].blob.core.windows.net
- Storage Container. Enter the name of the container you selected to export your billing data to.
- Storage Prefix. Enter the location of your exported data, including only the directories after the name of your storage container. For example, if your export is written to report/cloudtamerexport inside the container, you would enter: report/cloudtamerexport
- Subscription Creation. Select whether this billing source should be able to create new Azure subscriptions.
- Click the Test Billing Credentials button to test the billing credentials you entered.
- This tests whether the credentials you've entered are valid to connect Kion with Azure's billing management API. Without a connection, financial data may fall out of date.
- An indicator shows whether the billing connection is active (green) or inactive (red) and the date that its status was last updated. For inactive connections, see Troubleshooting Your Azure Connection.
- Select Skip Billing Source Validation to create the billing source without an active connection. This allows you to create the billing source even if you don't have all the credentials you need at this time.
- Click the Create Billing Source button.
Your billing data will be pulled into Kion the next time new data is available in your Azure storage.
1. Add Your Azure CSP to Kion
Kion needs access to Cloud Service Provider (CSP) APIs so it can retrieve the Azure billing data for CSP subscriptions.
Azure CSPs in Kion use the Microsoft-recommended authentication strategy to pull financial data, which also makes them compatible with pulling spend from Azure Government CSPs.
- In the left navigation menu, click Accounts > Azure CSPs > Add New +.
- Give your CSP a name to identify it within Kion in the Name field.
- Select the CSP Type from the dropdown menu. Kion supports Commercial CSPs and Government CSPs.
- You can obtain partner consent either by entering the partner domain name, application registration ID, and application client secret now, or by generating a link to send to your partner so they can enter the information themselves. For more information, see Azure CSP Partner Consent.
- Click Create Azure CSP.
2. Create a Billing Source in Kion
- Log in to Kion.
- Navigate to Accounts > Billing Sources.
- Click Add New +.
- Account Type. Select Azure CSP Commercial or Azure CSP Government.
- Customer Name. Enter the customer name.
- Domain. Enter your Azure domain ([yourdomain].onmicrosoft.com).
- App ID. Enter the Application (client) ID value that you copied down from the steps above.
- Client Secret. Enter the client secret value that you copied down from the steps above.
- Resource Group Creation. Select whether this billing source should be able to create new Azure resource groups.
- Click the Test Tenant Credentials (formerly Test Resource Management Credentials) button to test the credentials you entered.
- This tests whether the credentials you've entered are valid to connect Kion with Azure's resource management API. Without a connection, users might not be able to access cloud resources.
- An indicator shows whether the tenant connection is active (green) or inactive (red) and the date that its status was last updated. For inactive connections, click Troubleshoot to visit the Troubleshooting Your Azure Connection page.
- Select Partner Center as your data import method.
- Billing Start Date. Enter the date from which you would like financial data to be available. This date should not be before the creation of the customer.
- CSP Customer ID. Enter the Microsoft ID of the customer (you can get this within the Azure Portal: under Azure Services, click Azure Active Directory. In the Tenant Information section, find the Tenant ID. This is the same as the CSP Customer ID).
- Azure CSP. Select the Azure CSP that this customer purchases subscriptions from.
- Subscription Creation. Select whether this billing source should be able to create new Azure subscriptions.
- Click the Test Billing Credentials button to test the billing credentials you entered.
- This tests whether the credentials you've entered are valid to connect Kion with Azure's billing management API. Without a connection, financial data may fall out of date.
- An indicator shows whether the billing connection is active (green) or inactive (red) and the date that its status was last updated. For inactive connections, see Troubleshooting Your Azure Connection.
- Select Skip Billing Source Validation to create the billing source without an active connection. This allows you to create the billing source even if you don't have all the credentials you need at this time.
- Click the Create Billing Source button.