Enabling Azure Account Creation
Before you can create Azure subscriptions or resource groups through Kion, you need to ensure creation is enabled on the Kion billing source and in the Azure Portal.
In Kion
The ability to create Azure EA and Azure MCA subscriptions was added in version 3.8.0. If you use an earlier version, account creation is only supported for CSP subscriptions.
To enable the creation of new Azure resource groups in Kion:
- Navigate to Accounts > Billing Sources.
- Click the ellipsis menu next to the billing source, and select Edit.
- Ensure the This Billing Source Supports Resource Group Creation option is enabled.
- Click Update Billing Source.
To enable the creation of new Azure subscriptions in Kion:
- Navigate to Accounts > Billing Sources.
- Click the ellipsis menu next to the billing source, and select Edit.
- Ensure the This Billing Source Supports Subscription Creation option is enabled.
- Click Update Billing Source.
In Azure
The process to enable account creation in the Azure Portal depends on the type of billing account you have. If you are unsure what your Azure billing account type is, see Identifying Your Azure Billing Type.
Currently, you must use Azure APIs to enable account creation on Azure EA billing accounts. To do this, you need to know your billing account ID, enrollment account ID, tenant ID, and app registration principal ID.
To find this information:
- Log in to the Azure Portal with your enrollment account.
- Navigate to your enrollment account page.
- Select Settings > Properties.
- Record the (enrollment) Account ID and the Billing Account ID.
- Navigate to your app registration page.
- Record the Directory (Tenant) ID.
- Click the link next to Managed application in local directory.
- Record the Object ID. This is your principal ID.
- The billing role assignment ID is a0bcee42-bf30-4d1b-926a-48d21664ef71.
To make the role assignment, you can use any method of calling the Azure API. However, the user or auth token you use must have permission to make role assignments.
PUT /providers/Microsoft.Billing/billingAccounts/{billingAccountID}/enrollmentAccounts/{enrollmentAccountID}/billingRoleAssignments/{billingRoleAssignmentID}?api-version=2019-10-01-preview
{
  "properties": {
    "principalId": "{principal ID}",
    "principalTenantId": "{tenant ID}",
    "roleDefinitionId": "/providers/Microsoft.Billing/billingAccounts/{billingAccountID}/enrollmentAccounts/{enrollmentAccountID}/billingRoleDefinitions/a0bcee42-bf30-4d1b-926a-48d21664ef71"
  }
}
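The PUT request above, wrapped in a small POSIX shell script. This is an added example, not part of the Kion documentation or of Kion's or Microsoft's tooling. It assumes the Azure CLI is installed and logged in with an identity that may make billing role assignments, assumes the Billing API is served from the ARM endpoint management.azure.com, and sends the request with az rest, which attaches the CLI's token. The script validates its inputs first: the principal and tenant IDs must be GUIDs, and the billing and enrollment account IDs are rejected if they contain path characters, because a stray '/', '?' or '#' would change which resource the URL addresses. The IDs in the sample invocation are constructed placeholders; az is only run when RUN_AZ=1, otherwise the request is printed.

```shell
#!/bin/sh
# Added example, not Kion's or Microsoft's code: build and (optionally) send the
# billingRoleAssignments PUT that grants the Kion app registration the EA
# billing role. Assumes the az CLI is installed and logged in; az is only
# invoked when RUN_AZ=1, otherwise the request is printed.
set -eu

# Billing role definition ID quoted in the documentation above.
BILLING_ROLE_ID="a0bcee42-bf30-4d1b-926a-48d21664ef71"
API_VERSION="2019-10-01-preview"
# Assumption: the Billing API is served from the ARM endpoint.
ARM="https://management.azure.com"

# Principal and tenant IDs are GUIDs; reject anything else before it is sent.
is_guid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Billing and enrollment account IDs are interpolated into the URL path, so a
# value containing '/', '?' or '#' would address a different resource. Refuse it.
is_path_segment() {
    case "$1" in
        ''|*/*|*\?*|*\#*) return 1 ;;
    esac
    return 0
}

# Usage: ea_role_assignment_url BILLING_ACCOUNT_ID ENROLLMENT_ACCOUNT_ID
ea_role_assignment_url() {
    printf '%s/providers/Microsoft.Billing/billingAccounts/%s/enrollmentAccounts/%s/billingRoleAssignments/%s?api-version=%s' \
        "$ARM" "$1" "$2" "$BILLING_ROLE_ID" "$API_VERSION"
}

# Usage: ea_role_assignment_body BILLING_ACCOUNT_ID ENROLLMENT_ACCOUNT_ID PRINCIPAL_ID TENANT_ID
ea_role_assignment_body() {
    printf '{"properties":{"principalId":"%s","principalTenantId":"%s","roleDefinitionId":"/providers/Microsoft.Billing/billingAccounts/%s/enrollmentAccounts/%s/billingRoleDefinitions/%s"}}' \
        "$3" "$4" "$1" "$2" "$BILLING_ROLE_ID"
}

# Validate every input, then send (RUN_AZ=1) or print the request.
# Usage: grant_ea_billing_role BILLING_ACCOUNT_ID ENROLLMENT_ACCOUNT_ID PRINCIPAL_ID TENANT_ID
grant_ea_billing_role() {
    is_path_segment "$1" || { echo "bad billing account ID: $1" >&2; return 1; }
    is_path_segment "$2" || { echo "bad enrollment account ID: $2" >&2; return 1; }
    is_guid "$3" || { echo "principal ID must be a GUID: $3" >&2; return 1; }
    is_guid "$4" || { echo "tenant ID must be a GUID: $4" >&2; return 1; }
    url=$(ea_role_assignment_url "$1" "$2")
    body=$(ea_role_assignment_body "$1" "$2" "$3" "$4")
    if [ "${RUN_AZ:-0}" = 1 ]; then
        # az rest attaches the logged-in identity's ARM token for this host.
        az rest --method put --url "$url" --body "$body"
    else
        echo "dry run: PUT $url"
        echo "dry run: $body"
    fi
}

# Constructed placeholder IDs; replace with the values recorded in the steps above.
grant_ea_billing_role 1234567 7654321 \
    11111111-1111-1111-1111-111111111111 22222222-2222-2222-2222-222222222222
```

Run it once without RUN_AZ to confirm the URL and body contain the IDs you expect, then again with RUN_AZ=1 to make the assignment.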
- In the Azure Portal, search for and select Cost Management + Billing.
- Select Access control (IAM) at the billing account level.
- On the Access control (IAM) page, click Add.
- For the Name, search for and select the name of your Kion app registration.
- For the Role, select Billing Account Owner.
- Click Save.
During this process, take note of the Tenant Root Group and Object ID for later use.
1. Log in to the Azure Portal with a user that has the Global Admin Microsoft Entra ID role.
2. Search for and select Tenant properties.
3. Enable Access Management for Azure Resources to provide the current user with access to manage all Azure subscriptions and management groups in the tenant.
4. Search for and select Management groups.
5. Record the ID of the Tenant Root Group.
6. Search for and select Enterprise applications.
7. Select your Kion app registration.
8. Record the Object ID.
9. Open a terminal on your local system, or open the Azure Cloud Shell.
10. Save the following text to a file named role.json in the current directory, replacing <ROOT MANAGEMENT GROUP ID> with the Tenant Root Group ID recorded above.
{
  "Name": "Minimal subscription move",
  "Description": "Allows Kion to move created subscriptions under an owned management group",
  "Actions": [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "subscriptions/write"
  ],
  "AssignableScopes": [
    "/providers/Microsoft.Management/managementGroups/<ROOT MANAGEMENT GROUP ID>"
  ]
}
11. Run the following command to create the role definition from role.json:
az role definition create --role-definition @role.json
12. Assign the role to the app registration by running the following command:
- Replace $SERVICE_PRINCIPAL with the Object ID recorded above.
- Replace $ROOT_GROUP_ID with the Tenant Root Group ID recorded above.
az role assignment create \
  --assignee $SERVICE_PRINCIPAL \
  --role "Minimal subscription move" \
  --scope /providers/Microsoft.Management/managementGroups/$ROOT_GROUP_ID
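The role.json, role creation and role assignment steps above, carried through in one POSIX shell script. This is an added example and not Kion's own tooling. It writes role.json with the Tenant Root Group ID substituted (assumed to be a GUID, which is what the tenant ID is), refuses to proceed if the generated role carries a wildcard action or is assignable at more than the one management group, validates the app registration's Object ID, and then runs the two az commands from the steps above. az is only invoked when RUN_AZ=1; otherwise the commands are printed. The IDs in the sample invocation are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Kion's own tooling: generate role.json from the documented
# role definition, confirm it is as narrow as documented, and run the az commands
# from the steps above. az is only invoked when RUN_AZ=1.
set -eu

ROLE_NAME="Minimal subscription move"

# The Tenant Root Group ID and the app registration Object ID are GUIDs.
is_guid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Write the role definition with the Tenant Root Group ID substituted.
# Usage: write_role_definition ROOT_GROUP_ID OUTFILE
write_role_definition() {
    is_guid "$1" || { echo "root management group ID must be a GUID: $1" >&2; return 1; }
    cat > "$2" <<EOF
{
  "Name": "$ROLE_NAME",
  "Description": "Allows Kion to move created subscriptions under an owned management group",
  "Actions": [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "subscriptions/write"
  ],
  "AssignableScopes": [
    "/providers/Microsoft.Management/managementGroups/$1"
  ]
}
EOF
}

# Least-privilege check before anything is created: no wildcard inside the
# Actions array, and exactly one management-group scope in the file.
# Usage: role_is_minimal ROLE_FILE
role_is_minimal() {
    ! sed -n '/"Actions"/,/\]/p' "$1" | grep -q '\*' &&
    [ "$(grep -c 'managementGroups/' "$1")" -eq 1 ]
}

# Create the role and assign it to the Kion app registration's Object ID.
# Usage: assign_subscription_move_role SERVICE_PRINCIPAL ROOT_GROUP_ID [ROLE_FILE]
assign_subscription_move_role() {
    sp="$1"; root="$2"; file="${3:-role.json}"
    is_guid "$sp" || { echo "service principal Object ID must be a GUID: $sp" >&2; return 1; }
    write_role_definition "$root" "$file"
    role_is_minimal "$file" || { echo "refusing: $file is broader than the documented role" >&2; return 1; }
    scope="/providers/Microsoft.Management/managementGroups/$root"
    if [ "${RUN_AZ:-0}" = 1 ]; then
        az role definition create --role-definition "@$file"
        az role assignment create --assignee "$sp" --role "$ROLE_NAME" --scope "$scope"
    else
        echo "dry run: az role definition create --role-definition @$file"
        echo "dry run: az role assignment create --assignee $sp --role \"$ROLE_NAME\" --scope $scope"
    fi
}

# Constructed placeholder IDs; replace with the Object ID and Tenant Root Group ID recorded above.
assign_subscription_move_role \
    11111111-1111-1111-1111-111111111111 \
    22222222-2222-2222-2222-222222222222 \
    role.json
```

The minimality check matters because the role is assignable at the Tenant Root Group: a wildcard slipped into Actions, or a second AssignableScopes entry, would let the app registration do far more than move subscriptions.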