Troubleshooting Your Azure Connection
Troubleshooting an Azure EA Connection
Here are some common issues and solutions for Azure billing connection failure when adding an Azure EA billing source:
- Ensure the account issuing your EA token has Enrollment Administrator permissions in the EA portal. To check this, go to ea.azure.com and check the Administrator list under Enrollment.
- Verify that the EA token has not expired. To check this:
  - Sign in to the EA portal with the account with which you issued the API key.
  - Go to Reporting > Download Usage > API Access Key.
  - Under the API key you've generated, ensure the end date in the Effective Date field is in the future.
Troubleshooting an Azure CSP Connection
Here are some common issues and solutions for Azure billing connection failure when adding an Azure CSP billing source:
- Ensure you've selected the correct Azure CSP type on the Create Azure CSP form in Kion. For example, if you've selected Government CSP on the CSP creation form and then enter billing credentials for a commercial CSP account on the Add Billing Source form, the connection will not work.
- Have your CSP perform partner consent again. You can generate a partner consent link by clicking the ellipsis menu next to the CSP at Accounts > Azure CSPs in Kion and choosing Generate Partner Consent Link.
- Make sure your CSP has the correct configurations for partner consent:
  - Their app should have the following delegated permissions: Directory.AccessAsUser.All, User.Read, and user_impersonation for the partner center. Directory.AccessAsUser.All and User.Read are part of the Microsoft Entra ID permissions for the app registration, and user_impersonation is part of the Microsoft Partner Center permissions.
  - Their service user should have the Billing Administrator Microsoft Entra ID role. To check this, they can go to Users in the Azure portal, click the user's name, and click Assigned Roles on the left.
  - They should double-check the redirect URI on the app registration. To check this, they can go to App Registrations > All Applications in the Azure portal, click the app registration name, and click Redirect URIs. The appropriate redirect URI can be found in the partner consent instructions.
  - If they generated an expiring client secret, they should check if the client secret has expired (the client secret should be set to non-expiring, but this may be the issue if it was configured incorrectly).
  - They should make sure the app registration is in their Azure tenant.
  - They should confirm that the app registration is in their partner center.
  - They should have signed in as their service user when authenticating.
Troubleshooting an Azure Tenant Connection
Here are some common issues and solutions for Azure tenant connection failure when adding a billing source:
- Ensure you've selected the correct account type on the Add Billing Source form in Kion. For example, if you've selected a Microsoft Azure Government (MAG) account type (either Azure CSP Government or Azure EA Government in the Account Type dropdown menu), credentials for a public cloud tenant will not work.
- Make sure the caps lock isn't on when pasting your client secret into the Add Billing Source form.
- Double-check the spelling of your domain name and app ID in the Add Billing Source form.
- Ensure that no one has deleted your client secret for the app registration within the Azure portal. To check this, go to App Registrations > All Applications in the Azure portal, click the app registration name, and click Certificates and Secrets on the left.
- If you've granted the Kion app registration permissions to perform key rotation, check the name of the Kion rotated key to see if it has been rotated recently; if the last rotation time is older than 2-3 days, you may need to generate a new client secret and update the billing source in Kion. To check this, go to App Registrations > All Applications in the Azure portal, click the app registration name, and click Certificates and Secrets on the left. The rotated key secret will have the last date of rotation in the Description field.
- Double-check that the redirect URI in your Kion app registration is correct. This may change if you recently added an HTTPS certificate or changed the domain name for your Kion instance. To check this, go to App Registrations > All Applications in the Azure portal, click the app registration name, and click Redirect URIs.
- Make sure that your app registration has been granted both Application and Delegated permissions for Microsoft Graph, not just one or the other. User.Read and Directory.Read.All must be granted as Delegated permissions and User.Read.All must be granted as an Application permission. To check this, go to App Registrations > All Applications in the Azure portal, click the app registration name, and click API Permissions. If you need to grant these permissions, see step 2 ("Assign API Permissions to the App Registration") in the Azure EA Billing Sources or the Azure CSP Billing Sources.
- Ensure that you have granted admin consent on the app registration for the Microsoft Graph permissions. To check this, go to App Registrations > All Applications in the Azure portal, click the app registration name, and click API Permissions.
- Make sure the Kion app registration still has the Owner role on at least one management group containing subscriptions. You should also ensure that the Owner role has not been directly granted to the app registration on two management groups where one is a parent of the other (either directly or indirectly) in the management group hierarchy. To check these:
  - Go to Management Groups.
  - Select a management group that the app registration should own.
  - Click Details next to the name of the management group.
  - Click Access Control (IAM) in the left sidebar.
  - Click the Role Assignments tab. The role assignments should be listed here, and Kion App Registration should be listed as an owner.
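
The two Owner-role conditions above can also be checked offline against exported data. The following is an added example, not code from Kion or Microsoft: it assumes role assignments in the JSON shape produced by `az role assignment list --output json` (fields `principalId`, `roleDefinitionName`, `scope`) and a child-to-parent map of your management groups that you supply yourself. All IDs and group names are constructed, and it does not verify that the owned group contains subscriptions.

```python
# Added example; all identifiers and data below are constructed.
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
APP_ID = "00000000-0000-0000-0000-00000000a001"  # placeholder principal ID

# Assumed input: child -> parent map of the management group hierarchy.
PARENT_OF = {"platform": "root-mg", "prod": "platform", "sandbox": "root-mg"}

# Constructed role assignments using az CLI JSON field names.
ASSIGNMENTS = [
    {"principalId": APP_ID, "roleDefinitionName": "Owner", "scope": MG_PREFIX + "platform"},
    {"principalId": APP_ID, "roleDefinitionName": "Owner", "scope": MG_PREFIX + "prod"},
    {"principalId": APP_ID, "roleDefinitionName": "Reader", "scope": MG_PREFIX + "sandbox"},
    {"principalId": "00000000-0000-0000-0000-00000000b002",
     "roleDefinitionName": "Owner", "scope": MG_PREFIX + "root-mg"},
]

def owner_management_groups(assignments, principal_id):
    """Names of management groups where principal_id directly holds Owner."""
    groups = set()
    for a in assignments:
        scope = a.get("scope", "")
        if (a.get("principalId") == principal_id
                and a.get("roleDefinitionName") == "Owner"
                and scope.lower().startswith(MG_PREFIX.lower())):
            groups.add(scope[len(MG_PREFIX):].strip("/"))
    return groups

def ancestors(group, parent_of):
    """Direct and indirect parents of group; stops at the root or on a cycle."""
    chain, cur = [], parent_of.get(group)
    while cur is not None and cur not in chain:
        chain.append(cur)
        cur = parent_of.get(cur)
    return chain

def check_owner_assignments(assignments, parent_of, principal_id):
    """ok is True only if Owner is held on at least one management group
    and no owned group is a parent (direct or indirect) of another."""
    owned = owner_management_groups(assignments, principal_id)
    conflicts = sorted(
        (anc, g) for g in owned for anc in ancestors(g, parent_of) if anc in owned
    )
    return {"owned": sorted(owned), "conflicts": conflicts,
            "ok": bool(owned) and not conflicts}

if __name__ == "__main__":
    print(check_owner_assignments(ASSIGNMENTS, PARENT_OF, APP_ID))
```

Each entry in `conflicts` is an (ancestor, descendant) pair; removing the direct Owner assignment from one side of the pair resolves it.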