Azure MCA Billing Sources
When using Azure Microsoft Customer Agreement (MCA) billing sources, Kion uses exports and Azure storage accounts to access your billing data. Exporting MCA billing data to an Azure storage account simplifies management, allowing Kion to work with any billing profile hierarchy and any billing account type.
Once Kion is installed in your environment, you need to create an app registration to manage your Azure resources in Kion and set up a storage account to export your billing data to. Then, create an Azure MCA billing source in Kion.
We support Azure MCA for both gov and commercial account types.
Configure Azure Access Settings
Create or edit an app registration with access to manage your Azure resources in Kion. This part of the process is done in the Azure Portal.
Follow the steps under "1a. Create a New App Registration to Obtain Tenant Credentials" below to create a new app registration. If you already have an Azure application registered in Kion, proceed to "1b. Configure an Existing App Registration to Obtain Tenant Credentials" instead.
1a. Create a New App Registration to Obtain Tenant Credentials
To create a new app registration:
- Log in to the Azure Portal.
- Click Azure Active Directory in the left menu.
- Click App Registrations.
- Click the New Registration button.
- In the Name field, enter: Kion App Registration
- In the Supported account types section, select: Accounts in this organizational directory only.
- In the Redirect URI section, select web.
- In the URI field, enter the base URL of your Kion instance and append the path: /api/v3/account/link-azure-callback
For example, if your Kion instance is hosted at https://yourcompany.Kion you would enter: https://yourcompany.Kion/api/v3/account/link-azure-callback.
- Click the Register button.
- Record the following values:
- Click Certificates & secrets.
- In the Client secrets section, click New client secret.
- In the Description field, enter: Kion Application
- In the Expires field, select Never.
- Click the Add button.
- Copy the Value field and store it in a password vault. It will not be visible again.
1b. Configure an Existing App Registration to Obtain Tenant Credentials
Follow these steps if you already have an Azure application registered in Kion. You do not need to complete these steps if you already completed the "To Create a New App Registration" steps above.
To configure an existing app registration:
- Log in to the Azure Portal.
- Click Azure Active Directory in the left menu.
- Click App Registrations.
- Click the All Applications tab.
- Click the name of your application.
- Record the following value from the overview:
- Click Authentication in the left menu.
- In the Redirect URI section, click Add URI.
- In the URI field, enter the base URL of your Kion instance and append the path: /api/v3/account/link-azure-callback
For example, if your Kion instance is hosted at https://yourcompany.Kion you would enter: https://yourcompany.Kion/api/v3/account/link-azure-callback.
- Click Save.
- Click Certificates & secrets.
- In the Client secrets section, click New client secret.
- In the Description field, enter: Kion Application
- In the Expires field, select Never.
- Click the Add button.
- Copy the Value field and store it in a password vault. It will not be visible again.
2. Assign API permissions to the app registration
Several Microsoft Graph permissions are required to allow Kion to read user data and associate Azure user accounts with Kion users. Kion also needs permission to manage user groups, so it can ensure Azure users have the correct permissions on subscriptions.
To assign API permissions to the app registration:
- Log in to the Azure Portal.
- Click API permissions in the left menu.
- In the API permissions section, click Add Permission.
- Click Microsoft Graph.
- Click Delegated permissions.
- In the User section, ensure the User.Read permission is enabled. This ensures Kion can read data about the user.
- Expand the Directory section and select Directory.Read.All. This ensures Kion can validate that users have access to the Azure AD directory.
- Click Add permissions.
- Click Application permissions.
- Expand the User section and enable the User.Read.All permission. This allows Kion to read user data.
- Click Add Permissions.
- Under API permissions > Grant consent, click Grant admin consent for Kion. This ensures users are able to link their Azure accounts successfully.
3. Add the App Registration to a Management Group
Kion manages Azure resources under a management group. By granting Kion access to a management group, we are able to access and manage all resources and subscriptions contained inside the management group.
If you are already using management groups to manage your subscriptions, skip to the Grant the app registration access to the management group section below. Kion supports nested management group schemes, but should not be granted access to multiple management groups at different levels in the same hierarchy.
To create the Azure management group:
- Log in to the Azure Portal.
- Click All Services in the left menu.
- Click Management Groups.
- If visible, click Start using management groups. Otherwise, click Add Management Group.
- Click Create new.
- In the Management group ID field, enter: cloudtamerManagementGroup.
- In the Management group display name field, enter: Kion Management Group.
- Click Save. After about a minute, the management group is created.
To add a subscription to the Azure management group:
- Log in to the Azure Portal.
- Click All Services in the left menu.
- Click Management Groups.
- Click on the Kion Management Group.
- Click Details.
- Click Add subscription.
- Select the desired subscription.
- Click Save.
Grant the app registration access to the management group:
- Log in to the Azure Portal.
- Click All Services in the left menu.
- Click Management Groups.
- Click on the Kion Management Group.
- Click Details.
- Click Access control (IAM).
- Click the Role assignments tab.
- Click Add > Add role assignment.
- For the Role, enter: Owner.
- Leave the Assign access to field as the default: Azure AD user, group, or service principal.
- In the Select field, enter the name of the app registration you created earlier: Kion App Registration.
- Click Save.
Export Billing Data to Azure Storage
Create a recurring export that places your billing data in an Azure storage account. This storage account is where Kion accesses your billing data. This part of the process is done in the Azure Portal.
4. Export Your Billing Data to a Storage Account
To create a recurring task to export your billing data to Azure storage, see Microsoft's documentation: Create and manage exported data.
Ensure that both the export and the Azure Storage account have write permissions, and that the Azure storage account is configured for blob file storage.
During this process, take note of the name of your storage account, the storage container you select to export your data to, and the directory path your data is saved to.
Grant the Container Permissions
To manage your billing data, your storage container must be enabled for blob storage. This part of the process is done in the Azure Portal.
5. Add the Storage Blob Data Reader Role to the Container
- In the Azure Portal, navigate to Cost Management > Exports.
- Click the name of your export.
- Click the link next to Storage account.
- In the left menu, click Containers.
- Click the Role Assignments tab.
- Click Add.
- In the Role dropdown, select Storage Blob Data Reader.
- In the Assign access to dropdown, select User, group, or service principal.
- In the Select dropdown, select your Kion app registration.
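Once steps 3 and 5 are done, the app registration should hold exactly two role assignments: Owner on the management group and Storage Blob Data Reader on the export container. The following check is an added example, not part of Kion's documentation or tooling; it assumes input shaped like the JSON output of `az role assignment list --all --assignee <app-id>`, and the sample data, subscription ID, resource group, storage account and container names are constructed placeholders.

```python
import json

# Constructed sample shaped like `az role assignment list --all --assignee <app-id> -o json`.
# Subscription, resource group, account and container names are placeholders.
SAMPLE = json.loads("""[
 {"roleDefinitionName": "Owner",
  "scope": "/providers/Microsoft.Management/managementGroups/cloudtamerManagementGroup"},
 {"roleDefinitionName": "Storage Blob Data Reader",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/billing-rg/providers/Microsoft.Storage/storageAccounts/examplebilling/blobServices/default/containers/exports"},
 {"roleDefinitionName": "Storage Blob Data Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/billing-rg/providers/Microsoft.Storage/storageAccounts/examplebilling"}
]""")

MG_PREFIX = "/providers/microsoft.management/managementgroups/"

def scope_kind(scope):
    """Classify an ARM scope string by the level it grants access at."""
    s = scope.lower().rstrip("/")
    if s.startswith(MG_PREFIX):
        return "management_group"
    if "/blobservices/default/containers/" in s:
        return "container"
    if "/providers/microsoft.storage/storageaccounts/" in s:
        return "storage_account"
    if "/resourcegroups/" in s:
        return "resource" if "/providers/" in s else "resource_group"
    if s.startswith("/subscriptions/"):
        return "subscription"
    return "other"

def audit(assignments, management_group_id, container):
    """Return findings for assignments that differ from the two grants in this guide."""
    findings = []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        kind = scope_kind(scope)
        tail = scope.rstrip("/").rsplit("/", 1)[-1].lower()
        if role == "Owner" and kind == "management_group" and tail == management_group_id.lower():
            continue  # step 3: Owner on the Kion management group
        if role == "Storage Blob Data Reader" and kind == "container" and tail == container.lower():
            continue  # step 5: read-only access on the export container
        findings.append(f"unexpected: {role} at {kind} scope {scope}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "cloudtamerManagementGroup", "exports"):
        print(finding)
```

Any finding means the app registration holds access beyond what this guide grants, such as a data role assigned at the storage account instead of the container.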
Add the Billing Source to Kion
Enter the information you have gathered in the above steps into Kion to create an Azure MCA billing source.
6. Add the Billing Source Information to Kion
- Log in to Kion.
- In the left navigation menu, click Accounts > Billing Sources.
- Click the Add New + button.
- In the Account Type dropdown, select Azure MCA Commercial or Azure MCA Government.
- In the Customer Name field, enter a name of your choosing to represent this Azure domain.
- In the Domain field, enter the domain name of the Azure domain.
- In the App ID field, enter the Application (client) ID value that you copied.
- In the Client Secret field, enter the client secret value that you copied.
- Enable the This Billing Source Supports Resource Group Creation box if you'd like to allow resource group creation.
- Click the Test Tenant Credentials (formerly Test Resource Management Credentials) button to test the credentials you entered.
This tests whether the credentials you've entered are valid to connect Kion with Azure's resource management API. For inactive connections, click Troubleshoot to read Troubleshooting Your Azure Connection.
- In the Billing Start Date field, enter the date from which you would like financial data to be available. This date should not be before the creation of the customer.
- In the Storage Primary Endpoint field, enter: https://[your storage account name].blob.core.windows.net
- In the Storage Container field, enter the name of the container you selected to export your billing data to.
- In the Storage Prefix field, enter the location of your exported data. You only need to include the directories after the name of your storage container. For example, using the location pictured below, you would enter report/cloudtamerexport.

Your billing data will be pulled in to Kion the next time new data is available in your Azure storage.