Troubleshooting Your Azure Connection

Follow

Troubleshooting an Azure EA Connection

Here are some common issues and solutions for Azure billing connection failure when adding an Azure EA billing source:

  • Ensure the account issuing your EA token has Enrollment Administrator permissions in the EA portal. To check this, go to ea.azure.com and check the Administrator list under Enrollment.
  • Verify that the EA token has not expired. To check this:
    1. Sign in to the EA portal with the account with which you issued the API key.
    2. Go to Reporting > Download Usage > API Access Key.
    3. Under the API key you've generated, ensure the end date in the Effective Date field is in the future.

Troubleshooting an Azure CSP Connection

Here are some common issues and solutions for Azure billing connection failure when adding an Azure CSP billing source:

  • Ensure you've selected the correct Azure CSP type on the Create Azure CSP form in cloudtamer.io. For example, if you've selected Government CSP on the CSP creation form and enter billing credentials for a commercial CSP account on the Add Billing Source form, it will not work.
  • Have your CSP perform partner consent again. You can generate a partner consent link by clicking the ellipsis menu next to the CSP at Accounts > Azure CSPs in cloudtamer.io and choosing Generate Partner Consent Link.
  • Make sure your CSP has the correct configurations for partner consent:
    • Their app should have the following delegated permissions: Directory.AccessAsUser.All, User.Read, and user_impersonation for the partner center. Directory.AccessAsUser.All and User.Read are part of the Azure Active Directory permissions for the app registration, and user_impersonation is part of the Microsoft Partner Center permissions. 
    • Their service user should have the Billing Administrator Azure AD role. To check this, they can go to Users in the Azure portal, click the user's name, and click Assigned Roles on the left.
    • They should double-check the redirect URI on the app registration. To check this, they can go to App Registrations > All Applications in the Azure portal, click the app registration name, and click Redirect URIs. The appropriate redirect URI can be found in the partner consent instructions.
    • If they generated an expiring client secret, they should check if the client secret has expired (the client secret should be set to non-expiring, but this may be the issue if it was configured incorrectly).
    • They should make sure the app registration is in their Azure tenant.
    • They should confirm that the app registration is in their partner center.
    • They should have signed in as their service user when authenticating.

Troubleshooting an Azure Tenant Connection

Here are some common issues and solutions for Azure tenant connection failure when adding a billing source:

  • Ensure you've selected the correct account type on the Add Billing Source form in cloudtamer.io. For example, if you've selected a Microsoft Azure Government (MAG) account type (either Azure CSP Government or Azure EA Government in the Account Type drop-down menu), credentials for a public cloud tenant will not work.
  • Make sure the caps lock isn't on when pasting your client secret into the Add Billing Source form.
  • Double-check the spelling of your domain name and app ID in the Add Billing Source form.
  • Ensure that no one has deleted your client secret for the app registration within the Azure portal. To check this, go to App Registrations > All Applications in the Azure portal, click the app registration name, and click Certificates and Secrets on the left. 
  • If you've granted the cloudtamer.io app registration permissions to perform key rotation, check the name of the cloudtamer.io rotated key to see if it has been rotated recently; if the last rotation time is older than 2-3 days, you may need to generate a new client secret and update the billing source in cloudtamer.io. To check this, go to App Registrations > All Applications in the Azure portal, click the app registration name, and click Certificates and Secrets on the left. The rotated key secret will have the last date of rotation in the Description field.
  • Double-check that the redirect URI in your cloudtamer.io app registration is correct. This may change if you recently added an HTTPS certificate or changed the domain name for your cloudtamer.io instance. To check this, go to App Registrations > All Applications in the Azure portal, click the app registration name, and click Redirect URIs.
  • Make sure that your app registration has been granted both Application and Delegated permissions for Microsoft Graph, not just one or the other. User.Read and Directory.Read.All must be granted as Delegated permissions and User.Read.All must be granted as an Application permission. To check this, go to App Registrations > All Applications in the Azure portal, click the app registration name, and click API Permissions. If you need to grant these permissions, see step 2 ("Assign API Permissions to the App Registration") in the Azure EA Setup Guide or the Azure CSP Setup Guide.
  • Ensure that you have granted admin consent on the app registration for the Microsoft graph permissions. To check this, go to App Registrations > All Applications in the Azure portal, click the app registration name, and click API Permissions.
  • Make sure the cloudtamer.io app registration still has the Owner role on at least one management group containing subscriptions. You should also ensure that the Owner role has not been directly granted to the app registration on two management groups where one is a parent of the other (either directly or indirectly) in the management group hierarchy. To check these:
    • Go to Management Groups.
    • Select a management group that the app registration should own.
    • Click Details next to the name of the management group.
    • Click Access Control (IAM) in the left sidebar.
    • Click the Role Assignments tab. The role assignments should be listed here, and cloudtamer.io App Registration should be listed as an owner.
Was this article helpful?
0 out of 0 found this helpful