Azure CSP Setup Guide


Once cloudtamer.io is installed in your environment, you'll need to give it API access to manage your Azure resources and API access to retrieve the CSP billing data, and you'll need to enable CSP subscription creation. Then you'll add that information to cloudtamer.io and set up a billing source in the application.

You’ll need access to certain Microsoft accounts to complete this setup. For CSP, you'll need:

  • Login credentials for: Azure Tenant (at the CSP Customer level)
  • Login credentials for: Azure Tenant (at the CSP Partner level)*

*CSP Partner-level login credentials are only needed if you are running a version of cloudtamer.io that is earlier than release 2.19. See the "cloudtamer.io Version 2.18.x and Earlier: Setting up Access at CSP Partner Level" section below.

 

Configure Azure CSP Access Settings

Provide Azure API access to manage your Azure resources and provide CSP API access to retrieve the billing data. Expand the sections and complete the steps below.

1. Create/Configure the App Registration

cloudtamer.io requires an App Registration with a client secret to interact with the Azure APIs. You must have cloudtamer.io set up with an HTTPS URL to continue.

Follow the steps under "Create an App Registration" below to create a new app registration. If you already have an Azure Enterprise Application registered for SAML 2.0 authentication in cloudtamer.io, proceed to "Configure an Existing App Registration" instead.

Create an App Registration

To create a new app registration:

  1. Log in to the Azure Portal.
  2. Click Azure Active Directory in the left menu.
  3. Click App Registrations.
  4. Click the New Registration button.
  5. In the Name field, enter: cloudtamer.io App Registration.
  6. In the Supported account types section, select the option: Accounts in this organizational directory only.
  7. In the Redirect URI section, select: Web.
  8. In the URI field, type in the base URL of the cloudtamer.io instance and append the path: /api/v3/account/link-azure-callback. For example, if your cloudtamer.io instance is hosted at https://yourcompany.cloudtamer.io you would type in: https://yourcompany.cloudtamer.io/api/v3/account/link-azure-callback.
  9. Click the Register button.
  10. Record the following values:
    1. Application (client) ID
  11. Click Certificates & secrets.
  12. In the Client secrets section, click New client secret.
  13. In the Description field, type in: cloudtamer.io Application.
  14. In the Expires field, select the shortest expiry your secret-rotation process can support. The Azure portal no longer offers Never and caps client secrets at 24 months; record the expiry date, because cloudtamer.io loses its access to Azure the moment the secret expires, so the secret must be rotated before then.
  15. Click the Add button.
  16. Copy down the Value field and store it in a password vault, because it will not be visible again.

Configure an Existing App Registration

Follow these steps if you already had an Azure Enterprise Application registered for SAML 2.0 authentication in cloudtamer.io. You do not need to complete these steps if you already completed the "Create an App Registration" steps above.

  1. Log in to the Azure Portal.
  2. Click Azure Active Directory in the left menu.
  3. Click App Registrations.
  4. Click All Applications tab.
  5. Click the name of the application. This should match the Enterprise Application you're using for SAML with cloudtamer.io.
  6. Record the following value from the overview:
    1. Application (client) ID.
  7. Click Authentication in the left menu.
  8. In the Redirect URI section, click Add URI.
  9. In the URI field, type in the base URL of the cloudtamer.io instance and append the path: /api/v3/account/link-azure-callback. For example, if your cloudtamer.io instance is hosted at https://yourcompany.cloudtamer.io you would type in: https://yourcompany.cloudtamer.io/api/v3/account/link-azure-callback.
  10. Click Save at the top.
  11. Click Certificates & secrets.
  12. In the Client secrets section, click New client secret.
  13. In the Description field, type in: cloudtamer.io Application.
  14. In the Expires field, select the shortest expiry your secret-rotation process can support (Never is no longer offered; see step 14 of "Create an App Registration" above).
  15. Click the Add button.
  16. Copy down the Value field and store it in a password vault, because it will not be visible again.

2. Assign API permissions to the App Registration

You will need to apply several Microsoft Graph permissions to allow cloudtamer.io to read the user data and associate Azure user accounts with cloudtamer.io users. cloudtamer.io will also need permission to manage user groups so it can ensure Azure Users have the correct permissions on subscriptions.

  1. From the App Registration page in the Azure portal, click API permissions in the left menu.
  2. In the API permissions section, click the Add Permission button.
  3. Click on the item: Microsoft Graph.
  4. Click on the item: Delegated permissions.
  5. In the User section, ensure the User.Read permission is checked. This will ensure cloudtamer.io can read data about the user it is trying to associate.
  6. Expand the Directory section and select the permission: Directory.Read.All. This will ensure cloudtamer.io can validate users have access to the Azure AD directory.
  7. Click the Add permissions button.
  8. Click on the item: Application permissions.
  9. For cloudtamer.io version 2.19.x and earlier only: expand the Group section and enable the Group.ReadWrite.All permission so cloudtamer.io can create user groups. Version 2.20.0 and later do not place users into user groups, so skip this step on those versions. Group.ReadWrite.All is an application permission that lets the app modify every group in the tenant without a signed-in user, so do not grant it unless your version needs it.
  10. Expand the User section and enable the User.Read.All permission so cloudtamer.io can read users to place into user groups.
  11. Click Add permissions.
  12. In the API permissions section, click the button: Grant admin consent for <your tenant name>. Application permissions have no effect until an administrator consents, and without consent users will not be able to link their Azure accounts.
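As an added check that is not part of the original guide or of cloudtamer.io itself, the following Python compares the Microsoft Graph permissions an app registration actually requests with the list above. It reads the JSON that `az ad app permission list --id <Application (client) ID>` prints, which is the app's requiredResourceAccess list. The permission IDs are Microsoft Graph's published IDs (assumed stable; they can be checked with `az ad sp show --id 00000003-0000-0000-c000-000000000000`), and the sample manifest embedded at the bottom is constructed rather than captured from a real tenant.

```python
"""Audit the Microsoft Graph permissions requested by the cloudtamer.io app registration.

Added example, not cloudtamer.io's own code. It reads the JSON printed by
`az ad app permission list --id <Application (client) ID>` (the app's
requiredResourceAccess list) and compares it with the permissions the
steps above call for, flagging both missing entries and extras such as
Group.ReadWrite.All on versions 2.20.0 and later. The sample manifest at
the bottom is constructed, not real output.
"""
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Microsoft Graph's published permission IDs; verify with
#   az ad sp show --id 00000003-0000-0000-c000-000000000000
# (oauth2PermissionScopes for delegated, appRoles for application permissions).
DELEGATED = {  # requested with type "Scope"
    "User.Read": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
    "Directory.Read.All": "06da0dbc-49e2-44d2-8312-53f166ab848a",
}
APPLICATION = {  # requested with type "Role"
    "User.Read.All": "df021288-bdef-4463-88db-98f22de89214",
    "Group.ReadWrite.All": "62a82d76-70ea-41e2-9197-370581804d09",
}
ID_TO_NAME = {pid: name for name, pid in DELEGATED.items()}
ID_TO_NAME.update({pid: name for name, pid in APPLICATION.items()})


def required_permissions(version):
    """Return {permission name: type} that this guide requires for a cloudtamer.io version."""
    major, minor = (int(part) for part in version.split(".")[:2])
    needed = {"User.Read": "Scope", "Directory.Read.All": "Scope", "User.Read.All": "Role"}
    if (major, minor) < (2, 20):       # only pre-2.20 releases manage user groups
        needed["Group.ReadWrite.All"] = "Role"
    return needed


def audit_permissions(manifest_json, version):
    """Compare requested Graph permissions with the guide's list.

    Returns {"missing": [...], "excess": [...]}; entries read "Permission (type)".
    Permissions on resources other than Microsoft Graph are ignored. This checks
    what is requested, not whether admin consent has been granted.
    """
    requested = {}
    for resource in json.loads(manifest_json):
        if resource.get("resourceAppId") != GRAPH_APP_ID:
            continue
        for access in resource.get("resourceAccess", []):
            name = ID_TO_NAME.get(access["id"], access["id"])   # unknown IDs kept raw
            requested[name] = access["type"]
    needed = required_permissions(version)
    missing = sorted(f"{n} ({t})" for n, t in needed.items() if requested.get(n) != t)
    excess = sorted(f"{n} ({t})" for n, t in requested.items() if n not in needed)
    return {"missing": missing, "excess": excess}


# Constructed sample shaped like `az ad app permission list` output after the
# steps above were followed on a pre-2.20 install.
SAMPLE_MANIFEST = json.dumps([{
    "resourceAppId": GRAPH_APP_ID,
    "resourceAccess": [
        {"id": DELEGATED["User.Read"], "type": "Scope"},
        {"id": DELEGATED["Directory.Read.All"], "type": "Scope"},
        {"id": APPLICATION["User.Read.All"], "type": "Role"},
        {"id": APPLICATION["Group.ReadWrite.All"], "type": "Role"},
    ],
}])

if __name__ == "__main__":
    print(audit_permissions(SAMPLE_MANIFEST, "2.19.0"))   # nothing missing or excess
    print(audit_permissions(SAMPLE_MANIFEST, "2.20.0"))   # Group.ReadWrite.All is excess
```

To run it against a real app registration, save the output of `az ad app permission list --id <Application (client) ID>` to a file and pass its contents to audit_permissions. A clean result only means the right permissions are requested; whether admin consent was granted (step 12) is a separate state, shown in the Status column of the portal's API permissions page.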

3. Add the App Registration to a Management Group

cloudtamer.io manages Azure resources under a management group. By granting cloudtamer.io access to a management group, the application will be able to access and manage all resources and subscriptions contained inside the management group.

Note: If you are already using management groups to manage your subscriptions, skip to the "Grant the app registration access to the management group" section below and grant the cloudtamer.io app registration access to the highest level management group. cloudtamer.io supports nested management group schemes, but should not be granted access to multiple management groups at different levels in the same hierarchy.

To create the Azure management group:

  1. Log in to the Azure Portal.
  2. Click All Services in the left menu.
  3. Click Management Groups or type it into the search box at the top of the page and then click on it.
  4. If visible, click the button: Start using management groups. Otherwise, click the Add Management Group button.
  5. Select the option: Create new.
  6. In the Management group ID field, type in: cloudtamerManagementGroup.
  7. In the Management group display name field, type in: cloudtamer.io Management Group.
  8. Click the Save button. After about a minute, the management group should appear on the screen.

To add a subscription to the Azure management group:

  1. Log in to the Azure Portal.
  2. Click All Services in the left menu.
  3. Click Management Groups or type it into the search box at the top of the page and then click on it.
  4. Click on the cloudtamer.io Management Group.
  5. Click the details hyperlink.
  6. Click the Add subscription button.
  7. Select the desired subscription.
  8. Click the Save button.

Grant the app registration access to the management group:

  1. Log in to the Azure Portal.
  2. Click All Services in the left menu.
  3. Click Management Groups or type it into the search box at the top of the page and then click on it.
  4. Click on the cloudtamer.io Management Group.
  5. Click the details hyperlink.
  6. Click the Access control (IAM) item on the left.
  7. Click the tab: Role assignments.
  8. Click the + Add button and then click Add role assignment.
  9. In the Role drop-down, select: Owner.
  10. Leave the Assign access to field as the default: Azure AD user, group, or service principal.
  11. In the Select field, type in the name of the app registration you created earlier: cloudtamer.io App Registration.
  12. Click the Save button.

Note: Owner at management group scope is inherited by every subscription and resource beneath that group and includes the right to create further role assignments, so from this point the client secret from step 1 is equivalent to full control of everything under the management group. Keep only the subscriptions cloudtamer.io should manage under this group, and protect and rotate the secret accordingly.
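The note at the top of this step says cloudtamer.io should not be granted access to multiple management groups at different levels of one hierarchy. The following Python, an added example rather than cloudtamer.io's own code, walks a management group tree and reports every role assignment whose scope sits under another assignment of the same role. The tree and the assignment list are constructed samples shaped like `az account management-group list` and `az role assignment list --assignee <service principal object ID> --all` output; the group names and the subscription ID are made up.

```python
"""Check that the cloudtamer.io app registration is not assigned at several
levels of the same management group hierarchy.

Added example, not cloudtamer.io's own code. Given the management group
tree and the service principal's role assignments, it reports every
assignment of a role whose scope sits beneath another assignment of the
same role. MG_PARENT, SUB_PARENT and ASSIGNMENTS below are constructed
samples, not real data.
"""
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
SUB_PREFIX = "/subscriptions/"


def scope_chain(scope, mg_parent, sub_parent):
    """Yield `scope`, then each ancestor scope up to the tenant root group.

    mg_parent maps management group ID -> parent group ID (None at the root);
    sub_parent maps subscription ID -> the management group it sits in.
    """
    yield scope
    if scope.startswith(SUB_PREFIX):
        sub_id = scope[len(SUB_PREFIX):].split("/")[0]
        if scope != SUB_PREFIX + sub_id:          # resource group or resource scope
            yield SUB_PREFIX + sub_id
        mg = sub_parent.get(sub_id)
    elif scope.startswith(MG_PREFIX):
        mg = mg_parent.get(scope[len(MG_PREFIX):])
    else:
        return                                     # "/" has nothing above it
    while mg is not None:
        yield MG_PREFIX + mg
        mg = mg_parent.get(mg)


def overlapping_assignments(assignments, mg_parent, sub_parent):
    """Return (role, lower scope, higher scope) for every nested assignment of the same role."""
    by_role = {}
    for assignment in assignments:
        by_role.setdefault(assignment["roleDefinitionName"], set()).add(assignment["scope"])
    overlaps = []
    for role, scopes in sorted(by_role.items()):
        for scope in sorted(scopes):
            for ancestor in list(scope_chain(scope, mg_parent, sub_parent))[1:]:
                if ancestor in scopes:
                    overlaps.append((role, scope, ancestor))
    return overlaps


# Constructed tree: Tenant Root Group > cloudtamerManagementGroup > Dev > one subscription.
MG_PARENT = {
    "TenantRoot": None,
    "cloudtamerManagementGroup": "TenantRoot",
    "Dev": "cloudtamerManagementGroup",
}
SUB_PARENT = {"11111111-1111-1111-1111-111111111111": "Dev"}

# Constructed assignments for the app registration's service principal. The
# Owner grants on Dev and on the subscription are already covered by Owner on
# cloudtamerManagementGroup; the custom role at the root is a different role
# and is not flagged.
ASSIGNMENTS = [
    {"roleDefinitionName": "Owner", "scope": MG_PREFIX + "cloudtamerManagementGroup"},
    {"roleDefinitionName": "Owner", "scope": MG_PREFIX + "Dev"},
    {"roleDefinitionName": "Owner", "scope": SUB_PREFIX + "11111111-1111-1111-1111-111111111111"},
    {"roleDefinitionName": "Minimal subscription move", "scope": MG_PREFIX + "TenantRoot"},
]

if __name__ == "__main__":
    for role, lower, higher in overlapping_assignments(ASSIGNMENTS, MG_PARENT, SUB_PARENT):
        print(f"{role}: {lower} is already covered by {higher}")
```

Because the check groups by role name, the Owner grant on the cloudtamer.io management group and the separate custom role granted at the Tenant Root Group in the CSP subscription creation steps later on this page are not reported as overlapping; only redundant nested grants of the same role are.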

4. Retrieve the Microsoft ID for the CSP Customer

To retrieve the Microsoft ID for the customer's subscription, you'll need to log in to the CSP Partner Center.

  1. Log in to the Microsoft Partner Center.
  2. Click the Dashboard menu item.
  3. Click Customers in the left menu.
  4. Click on the Company name of the customer.
  5. Click on Account.
  6. Under the Customer account info section, copy down the following values:
    1. Microsoft ID
    2. Domain name

 

Enabling CSP Subscription Creation (cloudtamer.io 2.29.0 and Later)

Before you can enable CSP subscription creation in cloudtamer.io, you must follow these steps to allow cloudtamer.io to move subscriptions to the cloudtamer.io managed management group.

  1. Log in to the Azure portal with a user that has the Global Administrator Azure AD role.
  2. Enter Tenant properties in the Azure search box at the top of the screen and select the first option.
  3. Enable Access management for Azure resources to give the current user access to manage all Azure subscriptions and management groups in the tenant. This elevates the user to User Access Administrator at the root scope (/); turn the setting back off once the steps below are complete, since the elevated access is not needed afterwards.
  4. In the Azure search box, type in Management groups and select the first option.
  5. Record the ID for the Tenant Root Group as the root group ID for later use.
  6. In the Azure search box, enter Enterprise applications and select the first option.
  7. Find the cloudtamer.io app registration created above and click on it.
  8. Record the Object ID as the app registration's service principal object ID for later use.
  9. Open up a terminal on your local system or open up the Azure Cloud Shell.
  10. Save the following text to a file named role.json in the current directory, replacing the <ROOT MANAGEMENT GROUP ID> text with the root group ID recorded in step 5.
{
    "Name": "Minimal subscription move",
    "Description": "Allows cloudtamer.io to move created subscriptions under an owned management group",
    "Actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "subscriptions/write"
    ],
    "AssignableScopes": [
        "/providers/Microsoft.Management/managementGroups/<ROOT MANAGEMENT GROUP ID>"
    ]
}

11. In the terminal, run the following command to create the role definition from role.json:

az role definition create --role-definition @role.json

12. To assign the role to the app registration, run the following command.

  • You should replace the $SERVICE_PRINCIPAL text with the service principal object ID from the step above.
  • You should replace the $ROOT_GROUP_ID text with the root group ID from the step above.
az role assignment create \
--assignee $SERVICE_PRINCIPAL \
--role "Minimal subscription move" \
--scope /providers/Microsoft.Management/managementGroups/$ROOT_GROUP_ID
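To keep steps 10 to 12 reviewable, here is an added Python helper (example code, not cloudtamer.io's own) that writes role.json with the root group ID substituted, checks the definition against a few least-privilege rules (no wildcard actions, exactly one assignable scope, and that scope a management group rather than "/"), and returns the two az commands as strings without running them. The IDs in the __main__ block are placeholders. The assignment command it produces uses --assignee-object-id with --assignee-principal-type ServicePrincipal instead of --assignee, which skips the directory lookup the CLI otherwise performs and avoids mistaking an application ID for an object ID.

```python
"""Build role.json for step 10 and check it before steps 11 and 12.

Added example, not cloudtamer.io's own code. It fills in the root
management group ID, applies a few least-privilege checks to the role
definition, and returns the az commands from steps 11-12 as strings so
they can be reviewed first. Nothing here talks to Azure.
"""
import json
import re
from pathlib import Path

ROLE_NAME = "Minimal subscription move"
ROLE_DESCRIPTION = "Allows cloudtamer.io to move created subscriptions under an owned management group"
# The actions from the guide's role.json, unchanged.
ROLE_ACTIONS = [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "subscriptions/write",
]
MG_SCOPE = "/providers/Microsoft.Management/managementGroups/{}"
GUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def build_role(root_group_id):
    """Return the role definition with the root management group ID filled in."""
    return {
        "Name": ROLE_NAME,
        "Description": ROLE_DESCRIPTION,
        "Actions": list(ROLE_ACTIONS),
        "AssignableScopes": [MG_SCOPE.format(root_group_id)],
    }


def check_role(role):
    """Return a list of problems with the role; an empty list means it passes.

    Rules: no wildcard actions, no DataActions or NotActions, exactly one
    assignable scope, and that scope must be a management group (never "/",
    which would make the role assignable tenant-wide) with the placeholder
    actually replaced.
    """
    problems = []
    for action in role.get("Actions", []):
        if "*" in action:
            problems.append("wildcard action: " + action)
    for key in ("DataActions", "NotActions"):
        if role.get(key):
            problems.append("unexpected %s: %s" % (key, role[key]))
    scopes = role.get("AssignableScopes", [])
    if len(scopes) != 1:
        problems.append("expected exactly one assignable scope, got %d" % len(scopes))
    prefix = MG_SCOPE.format("")
    for scope in scopes:
        if scope == "/" or not scope.startswith(prefix):
            problems.append("scope is not a management group: " + scope)
        elif "<" in scope or ">" in scope or not scope[len(prefix):].strip():
            problems.append("placeholder not replaced: " + scope)
    return problems


def az_commands(service_principal_object_id, root_group_id, path="role.json"):
    """Return the two az commands from steps 11 and 12 (as strings, not run).

    --assignee-object-id plus --assignee-principal-type ServicePrincipal is
    used in place of --assignee so the CLI does not have to look the ID up in
    the directory and cannot confuse an object ID with an application ID.
    """
    if not GUID.match(service_principal_object_id):
        raise ValueError("service principal object ID must be a GUID")
    return [
        f"az role definition create --role-definition @{path}",
        "az role assignment create"
        f" --assignee-object-id {service_principal_object_id}"
        " --assignee-principal-type ServicePrincipal"
        f' --role "{ROLE_NAME}"'
        f" --scope {MG_SCOPE.format(root_group_id)}",
    ]


def write_role_json(root_group_id, path="role.json"):
    """Validate the role, write it to `path`, and return the parsed definition."""
    role = build_role(root_group_id)
    problems = check_role(role)
    if problems:
        raise ValueError("; ".join(problems))
    Path(path).write_text(json.dumps(role, indent=4) + "\n")
    return role


if __name__ == "__main__":
    # Placeholder IDs; substitute the values recorded in steps 5 and 8.
    root = "11111111-2222-3333-4444-555555555555"
    sp = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    print(json.dumps(write_role_json(root), indent=4))
    print("\n".join(az_commands(sp, root)))
```

Run it once with your real IDs, diff the generated role.json against the text in step 10, then paste the printed commands into the terminal. The checks are deliberately strict: a role whose AssignableScopes still contains the angle-bracket placeholder, or has been widened to "/", is refused before anything reaches Azure.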

 

cloudtamer.io Version 2.19.0 and Later: Setting up Access at the CSP Partner Level

cloudtamer.io needs access to Cloud Service Provider (CSP) APIs so it can access the Azure billing data for CSP subscriptions.

As of cloudtamer.io Version 2.19.0, Azure CSPs now use the Microsoft-recommended authentication strategy to pull financial data, making it compatible with pulling spend from Azure Government CSPs. To achieve this, we changed the process for CSP access at the partner level.

You’ll generate a link in cloudtamer.io that can be sent to your CSP partner organization for partner consent. Once the consent steps are complete, you'll be able to pull financial data for your Azure CSP accounts into cloudtamer.io.

To begin the partner consent process for cloudtamer.io version 2.19.0 and later, expand the section below and complete the steps. If you're running an earlier version of cloudtamer.io, proceed to the "cloudtamer.io Version 2.18.x and Earlier: Setting up Access at the CSP Partner Level" heading below.

  1. In the left navigation menu, click Accounts > Azure CSPs > +.
  2. Give your CSP a name to identify it within cloudtamer.io in the Name field.
  3. Select the CSP Type from the drop-down menu. cloudtamer.io supports Commercial CSPs and Government CSPs.
  4. Click Create Azure CSP.
  5. An Authentication Credentials pop-up will appear. To pull full financial data, you'll need to send the link to your CSP to acquire consent to read financial data. Click the Copy Link button to copy the link to the clipboard. You can also generate this link again later from the CSP's ellipsis menu.
  6. Send the link to your CSP partner. All of the instructions and information they need to complete the setup are included in the link.
  7. Your CSP will display the Awaiting Partner Consent badge. You can now move on to the "Add the CSP or EA Access Information into cloudtamer.io" section below. You'll be able to move forward with these steps without partner consent, but you won't be able to pull in financial data until they provide it. Once partner consent is granted, the badge will say CSP Is Ready For Use.

Note: if you have existing CSP accounts when you upgrade to 2.19.0, you'll get a notification that states:

cloudtamer.io now requires CSP Partner Consent. Please update the outdated CSP authentication scheme with the new partner consent form.

To do this, click Manage on the notification (or navigate to your CSPs by clicking Accounts > Azure CSPs). The CSPs that use the outdated authentication will have a badge that says Outdated CSP Authentication Scheme. Click the ellipsis menu next to the CSP and select Generate Partner Consent Link to generate the link for your partner organization. Then follow steps 6-7 in the partner consent process above.

 

cloudtamer.io Version 2.18.x and Earlier: Setting up Access at the CSP Partner Level

cloudtamer.io needs access to Cloud Service Provider (CSP) APIs so it can access the Azure billing data for CSP subscriptions. You’ll generate an App Registration in the CSP Partner Center. You’ll also need credentials for a service user in the CSP Partner’s tenant. Any billing API queries will be performed on behalf of this service user, so the CSP can revoke the cloudtamer.io access at any time by deleting this user or deactivating it.

1. Create the Service User

Create a service user, then write down its username and password.

  1. Log in to the Microsoft Partner Center.
  2. Click the gear in the upper right corner and select User Management from the drop-down menu.
  3. Click Add User.
  4. In the Name field, type in: cloudtamer.io Service User.
  5. In the Email field, type in: cloudtamer-service-user. Microsoft will automatically add your domain information to finish the email address.
  6. Place a check next to Manages your organization's account as and select Billing admin from the drop-down menu.
  7. Click Add to create the user.
  8. On the confirmation screen, you'll see your temporary password. Copy down the password for use in later steps.

If you want to change the service user’s password, you can follow these steps:

  1. Log in to the Azure Portal as the Service User using the password you copied.
  2. During login, Microsoft will have you change the password. Make sure it is a secure password.
  3. Save the password for the service user in a password vault for safekeeping.

2. Create the App Registration

cloudtamer.io requires an App Registration to interact with the Azure Billing APIs in a CSP. You must have cloudtamer.io set up with an HTTPS URL to continue.

  1. Log in to the Microsoft Partner Center.
  2. Click the Dashboard menu item.
  3. Click the gear in the upper right corner and select Partner Settings.
  4. Click App management.
  5. In the Native app section:
    1. Click Register new Native App
      • The app can be renamed inside the CSP partner’s Azure Portal later.
  6. Copy down the Domain value and the App ID value.

If you want to rename the native app:

  1. Log in to the CSP Partner’s Azure Portal
  2. Click All Services on the left.
  3. Click App Registrations.
  4. Click the All applications tab.
  5. Find the name of the app created in the partner center (it should be something like “Partner Center Native App 1”) and select it.
  6. Click Branding in the side menu of the app registration.
  7. Change the name to: cloudtamer.io Partner Center Native App.
  8. Click Save.

 

Adding the CSP Access Information into cloudtamer.io

1. cloudtamer.io Version 2.18.x and Earlier: Add the Azure CSP Partner-Level Access

If you are using cloudtamer.io version 2.19.0 or later, proceed to "Add the Azure CSP Customer-Level Access" below.

  1. Log in to cloudtamer.io.
  2. In the left navigation menu, click Accounts > Azure CSPs.
  3. Click the + button.
  4. In the Name field, enter a recognizable name for this CSP.
  5. In the Domain field, enter the Domain value that you copied down from the steps above.
  6. In the Partner Center App ID field, enter the Partner Center’s App ID value that you copied down from the steps above.
  7. In the Username field, enter the Email value of the cloudtamer.io service user from above.
  8. In the Password field, enter the password from the cloudtamer.io service user from above.
  9. Click the Create CSP button.

2. Add the Azure CSP Customer-Level Access

  1. Log in to cloudtamer.io.
  2. In the left navigation menu, click Accounts > Billing Sources.
  3. Click the + button.
  4. In the Account Type drop-down, select Azure CSP Commercial or Azure CSP Government.
  5. In the Customer Name field, enter the customer name.
  6. In the Domain field, enter the domain of the customer.
  7. In the App ID field, enter the Application (client) ID value that you copied down from the steps above.
  8. In the Client Secret field, enter the client secret value that you copied down from the steps above.
  9. Click the Test Tenant Credentials (formerly Test Resource Management Credentials) button to test the credentials you entered.
    • This tests whether the credentials you've entered are valid to connect cloudtamer.io with Azure's resource management API. Without a connection, users might not be able to access cloud resources.
    • Version 2.28.0 and higher: An indicator shows whether the tenant connection is active (green) or inactive (red) and the date that its status was last updated. For inactive connections, click Troubleshoot to visit the Troubleshooting Your Azure Connection page.
  10. In the Billing Start Date field, enter the date from which you would like financial data to be available. This date should not be before the creation of the customer.
  11. In the CSP Customer ID field, enter the Microsoft ID of the customer (you can also get this within the Azure Portal: under Azure Services, click Azure Active Directory. In the Tenant Information section, find the Tenant ID. This is the same as the CSP Customer ID).
  12. In the Azure CSP field, select the Azure CSP that this customer purchases subscriptions from.
  13. Click the Test Billing Credentials button to test the billing credentials you entered.
    • This tests whether the credentials you've entered are valid to connect cloudtamer.io with Azure's billing management API. Without a connection, financial data may fall out of date.
    • Version 2.28.0 and higher: An indicator shows whether the billing connection is active (green) or inactive (red) and the date that its status was last updated. For inactive connections, click Troubleshoot to visit the Troubleshooting Your Azure Connection page.
  14. Version 2.28.0 and higher: Click Skip Billing Source Validation to create the billing source without an active connection. This allows you to create the billing source even if you don't have all the credentials you need at this time.
  15. Click the Create Billing Source button.


Once these steps are completed, you should be able to add existing Azure subscriptions to cloudtamer.io. Your Azure customer credentials will be scanned once a day to confirm that cloudtamer.io still has access. If we lose or re-gain access to Azure's API using these credentials, we'll send you a digest email outlining what has changed.

 

 
