Azure EA Setup Guide

Once cloudtamer.io is installed in your environment, you'll need to grant it Azure API access so it can manage your Azure resources, and EA API access so it can retrieve the billing data. Then you'll add this information to cloudtamer.io and set up a billing source in the application.

You will need login credentials for the Azure Domain (with access to the EA Portal) to complete this setup.

 

Configure Azure EA Access Settings

Provide Azure API access to manage your Azure resources and provide EA API access to retrieve the billing data. Expand the sections and complete the steps below.

1. Create/Configure the App Registration

cloudtamer.io requires an app registration with a client secret to interact with the Azure APIs. You must have cloudtamer.io set up with an HTTPS URL to continue.

Follow the steps under "Create an App Registration" below to create a new app registration. If you already have an Azure Enterprise Application registered for SAML 2.0 authentication in cloudtamer.io, proceed to "Configure an Existing App Registration" instead.

Create an App Registration

To create a new app registration:

  1. Log in to the Azure Portal.
  2. Click Azure Active Directory in the left menu.
  3. Click App Registrations.
  4. Click the New Registration button.
  5. In the Name field, enter: cloudtamer.io App Registration.
  6. In the Supported account types section, select the option: Accounts in this organizational directory only.
  7. In the Redirect URI section, select: Web.
  8. In the URI field, type in the base URL of the cloudtamer.io instance and append the path: /api/v3/account/link-azure-callback. For example, if your cloudtamer.io instance is hosted at https://yourcompany.cloudtamer.io you would type in: https://yourcompany.cloudtamer.io/api/v3/account/link-azure-callback.
  9. Click the Register button.
  10. Record the following values:
    1. Application (client) ID
  11. Click Certificates & secrets.
  12. In the Client secrets section, click New client secret.
  13. In the Description field, type in: cloudtamer.io Application.
  14. In the Expires field, select: Never.
  15. Click the Add button.
  16. Copy down the Value field and store it in a password vault because it will not be visible again.

Configure an Existing App Registration

Follow these steps if you already had an Azure Enterprise Application registered for SAML 2.0 authentication in cloudtamer.io. You do not need to complete these steps if you already completed the "Create an App Registration" steps above.

  1. Log in to the Azure Portal.
  2. Click Azure Active Directory in the left menu.
  3. Click App Registrations.
  4. Click the All Applications tab.
  5. Click the name of the application. This should match the Enterprise Application you're using for SAML with cloudtamer.io.
  6. Record the following value from the overview:
    1. Application (client) ID.
  7. Click Authentication in the left menu.
  8. In the Redirect URI section, click Add URI.
  9. In the URI field, type in the base URL of the cloudtamer.io instance and append the path: /api/v3/account/link-azure-callback. For example, if your cloudtamer.io instance is hosted at https://yourcompany.cloudtamer.io you would type in: https://yourcompany.cloudtamer.io/api/v3/account/link-azure-callback.
  10. Click Save at the top.
  11. Click Certificates & secrets.
  12. In the Client secrets section, click New client secret.
  13. In the Description field, type in: cloudtamer.io Application.
  14. In the Expires field, select: Never.
  15. Click the Add button.
  16. Copy down the Value field and store it in a password vault because it will not be visible again.

2. Assign API permissions to the App Registration

You will need to apply several Microsoft Graph permissions to allow cloudtamer.io to read the user data and associate Azure user accounts with cloudtamer.io users. cloudtamer.io will also need permission to manage user groups so it can ensure Azure Users have the correct permissions on subscriptions.

  1. From the App Registration page in the Azure portal, click API permissions in the left menu.
  2. In the API permissions section, click the Add Permission button.
  3. Click on the item: Microsoft Graph.
  4. Click on the item: Delegated permissions.
  5. In the User section, ensure the User.Read permission is checked. This will ensure cloudtamer.io can read data about the user it is trying to associate.
  6. Expand the Directory section and select the permission: Directory.Read.All. This will ensure cloudtamer.io can validate users have access to the Azure AD directory.
  7. Click the Add permissions button.
  8. Click on the item: Application permissions.
  9. For users running cloudtamer.io version 19.x and earlier: expand the Group section and enable the Group.ReadWrite.All permission so cloudtamer.io can create user groups. This step is only necessary for cloudtamer.io versions 19.x and earlier, as versions 2.20.0 and later do not place users into user groups.
  10. Expand the User section and enable the User.Read.All permission so cloudtamer.io can read users to place into user groups.
  11. Click Add Permissions.
  12. In the API permissions section, under the Grant consent section, click the button: Grant admin consent for cloudtamer.io. This will ensure users are able to link their Azure accounts successfully.

3. Add the App Registration to a Management Group

cloudtamer.io manages Azure resources under a management group. By granting cloudtamer.io access to a management group, the application will be able to access and manage all resources and subscriptions contained inside the management group.

Note: If you are already using management groups to manage your subscriptions, skip to the "Grant the app registration access to the management group" section below and grant the cloudtamer.io app registration access to the highest level management group. cloudtamer.io supports nested management group schemes, but should not be granted access to multiple management groups at different levels in the same hierarchy.

To create the Azure management group:

  1. Log in to the Azure Portal.
  2. Click All Services in the left menu.
  3. Click Management Groups or type it into the search box at the top of the page and then click on it.
  4. If visible, click the button: Start using management groups. Otherwise, click the Add Management Group button.
  5. Select the option: Create new.
  6. In the Management group ID field, type in: cloudtamerManagementGroup.
  7. In the Management group display name field, type in: cloudtamer.io Management Group.
  8. Click the Save button. After about a minute, the management group should appear on the screen.

To add a subscription to the Azure management group:

  1. Log in to the Azure Portal.
  2. Click All Services in the left menu.
  3. Click Management Groups or type it into the search box at the top of the page and then click on it.
  4. Click on the cloudtamer.io Management Group.
  5. Click the details hyperlink.
  6. Click the Add subscription button.
  7. Select the desired subscription.
  8. Click the Save button.

Grant the app registration access to the management group:

  1. Log in to the Azure Portal.
  2. Click All Services in the left menu.
  3. Click Management Groups or type it into the search box at the top of the page and then click on it.
  4. Click on the cloudtamer.io Management Group.
  5. Click the details hyperlink.
  6. Click the Access control (IAM) item on the left.
  7. Click the tab: Role assignments.
  8. Click the + Add button and then click Add role assignment.
  9. In the Role drop-down, type in: Owner.
  10. Leave the Assign access to field as the default: Azure AD user, group, or service principal.
  11. In the Select field, type in the name of the app registration you created earlier: cloudtamer.io App Registration.
  12. Click the Save button.
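
The note at the start of this section says the app registration should not be granted access to management groups at different levels of the same hierarchy. The following is an added example (not cloudtamer.io code) that checks for that overlap in role assignment records shaped like `az role assignment list` output; the hierarchy map, principal IDs and sample records are constructed assumptions.

```python
# Added example: flag a service principal that holds role assignments on two
# management groups in the same branch of the hierarchy (ancestor + descendant).
MG_PREFIX = "/providers/microsoft.management/managementgroups/"

def mg_id(scope):
    """Return the lower-cased management group ID if scope is exactly a
    management group, otherwise None (subscriptions, resource groups, ...)."""
    s = scope.lower().rstrip("/")
    if not s.startswith(MG_PREFIX):
        return None
    rest = s[len(MG_PREFIX):]
    return rest if rest and "/" not in rest else None

def ancestors(group, parent_of):
    """List the groups above `group`, nearest first; stops at the root or on a cycle."""
    chain, cur = [], parent_of.get(group)
    while cur is not None and cur not in chain:
        chain.append(cur)
        cur = parent_of.get(cur)
    return chain

def overlapping_assignments(assignments, parent_of, principal_id):
    """Return sorted (ancestor, descendant) pairs on which the principal is assigned."""
    parents = {k.lower(): v.lower() for k, v in parent_of.items()}
    held = set()
    for a in assignments:
        group = mg_id(a["scope"])
        if a["principalId"] == principal_id and group:
            held.add(group)
    return sorted((anc, g) for g in held for anc in ancestors(g, parents) if anc in held)

# Constructed sample data. HIERARCHY maps child group ID -> parent group ID and is
# assumed to be exported separately; the principal IDs are placeholders.
MG = "/providers/Microsoft.Management/managementGroups/"
HIERARCHY = {"cloudtamerManagementGroup": "corp-root",
             "team-a": "cloudtamerManagementGroup",
             "team-b": "cloudtamerManagementGroup"}
APP = "11111111-1111-1111-1111-111111111111"    # the app registration's principal
OTHER = "22222222-2222-2222-2222-222222222222"  # an unrelated principal
ASSIGNMENTS = [
    {"principalId": APP, "roleDefinitionName": "Owner", "scope": MG + "cloudtamerManagementGroup"},
    {"principalId": APP, "roleDefinitionName": "Owner", "scope": MG + "team-a"},
    {"principalId": OTHER, "roleDefinitionName": "Reader", "scope": MG + "team-b"},
    {"principalId": APP, "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
]

if __name__ == "__main__":
    for anc, desc in overlapping_assignments(ASSIGNMENTS, HIERARCHY, APP):
        print(f"overlap: assigned on {anc} and on its descendant {desc}")
```

Management group IDs are compared in lower case, so the reported pairs are lower-cased.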

 

Grant Access in the Azure EA Portal 

You’ll need to grant cloudtamer.io access to your enterprise agreement portal so it can read billing data about your subscriptions. You will need an account with access to the billing data and price sheets for this.

Get the EA API Key and Agreement Number

  1. Log in to the Azure EA Portal with an account matching the description at the beginning of this section.
  2. Copy down the agreement number shown under the Microsoft logo at the top left of the page.
     [Figure: The EA Agreement Number]
  3. Click Reports in the sidebar.
  4. Click Download Usage.
  5. Click API Access Key.
  6. Click Generate to generate a new API access key.
  7. Click Yes when prompted to verify that you’re sure you want to generate a new key.
  8. Click Expand Key and copy down the API access key.
  9. Copy down the expiration date of the API access key.

 

Add the EA Access Information to cloudtamer.io

In these final steps, you will add the EA access information you have gathered to cloudtamer.io.

1. Add the EA Level Access

  1. Log in to cloudtamer.io.
  2. In the left navigation menu, click Accounts > Azure Enterprise Agreements.
  3. Click the button.
  4. In the Agreement Number field, enter your EA agreement number.
  5. In the API Key field, enter the EA API key you generated earlier.
  6. In the API Key Expiration field, enter the expiration date of your API key.
  7. Click the Create Azure Enterprise Agreement button.

2. Add the EA Azure Domain-Level Access

  1. Log in to cloudtamer.io.
  2. In the left navigation menu, click Accounts > Billing Sources.
  3. Click the Add New + button.
  4. In the Account Type drop-down, select: Azure EA Commercial or Azure EA Government.
  5. In the Customer Name field, enter a name of your choosing to represent this Azure Domain.
  6. In the Domain field, enter the domain name of the Azure Domain.
  7. In the App ID field, enter the Application (client) ID value that you copied down from the steps above.
  8. In the Client Secret field, enter the client secret value that you copied down from the steps above.
  9. Click the Test Tenant Credentials (formerly Test Resource Management Credentials) button to test the credentials you entered.
    • This tests whether the credentials you've entered are valid to connect cloudtamer.io with Azure's resource management API. Without a connection, users might not be able to access cloud resources.
    • Version 2.28.0 and higher: An indicator shows whether the tenant connection is active (green) or inactive (red) and the date that its status was last updated. For inactive connections, click Troubleshoot to visit the Troubleshooting Your Azure Connection page.
  10. In the Billing Start Date field, enter the date from which you would like financial data to be available. This date should not be before the creation of the customer.
  11. In the Azure EA field, select the Azure EA that this Azure Domain allocates subscriptions from.
  12. Select the This Billing Source Supports Resource Group Creation checkbox if you'd like to allow resource group creation.
  13. Click the Test Billing Credentials button to test the billing credentials you entered.
    • This tests whether the credentials you've entered are valid to connect cloudtamer.io with Azure's billing management API. Without a connection, financial data may fall out of date.
    • Version 2.28.0 and higher: An indicator shows whether the billing connection is active (green) or inactive (red) and the date that its status was last updated. For inactive connections, click Troubleshoot to visit the Troubleshooting Your Azure Connection page.
  14. Version 2.28.0 and higher: Click Skip Billing Source Validation to create the billing source without an active connection. This allows you to create the billing source even if you don't have all the credentials you need at this time.
  15. Click the Create Billing Source button.

 

Once these steps are completed, you should be able to add existing Azure subscriptions to cloudtamer.io.

Your Azure customer credentials will be scanned once a day to confirm that cloudtamer.io still has access. If we lose or regain access to Azure's API using these credentials, we'll send you a digest email outlining what has changed.

 

 
