Connecting to Azure

Connections are how CloudZero manages the various Cost Sources that bring Billing, Resource, and other types of data into the platform.

How the Azure Connection Works

Connecting to an Azure account will show Azure cost data alongside other Cost Sources in the Explorer, as well as enable anomaly alerts on Azure spend.

The CloudZero platform ingests Azure cost data through the Azure Cost Management + Billing Reports API. To do so, it connects to your Azure Active Directory and calls the Billing Reports API and other billing-related APIs to retrieve daily and monthly usage data, as well as invoice and balance data from which it obtains taxes and information on any discounts applied. All access is performed through the CloudZero multi-tenant application service principal.

In the following steps, you will find instructions on how to enable the CloudZero multi-tenant service principal and grant it permissions to the required APIs.

📘

About CloudZero's Access to your Azure Accounts

All of CloudZero's permissions are Read-Only.
We have no access to data except where explicitly authorized (for example, the billing reader roles give us access to read usage and billing data, but not to query resource configurations).

Summary of Permissions:

  • For Microsoft Customer Agreement (MCA) Accounts:
    • Billing account reader / Billing profile reader / Invoice section reader / Billing reader role: Grants read access only, to usage data as well as other billing and invoice data. Billing data availability will depend on the billing scope used for a CloudZero connection.
  • For Enterprise Agreement (EA) Accounts:
    • Enrollment reader role: Can view usage and charges across all accounts and subscriptions. Can view the Azure Prepayment (previously called monetary commitment) balance associated with the enrollment.
  • For subscriptions acquired through a Cloud Solution Provider (CSP):
    • Billing reader role: Grants read access only, to billing and usage data for a specific subscription. This role must be granted on each subscription being connected to CloudZero.

Azure Agreement Types and CloudZero Connections

Microsoft Azure accounts can have different agreement types, which affect how usage and billing data can be collected. CloudZero supports three different agreement types: Microsoft Customer Agreement (MCA), Enterprise Agreement (EA), and Cloud Service Provider (CSP). Accounts obtained through other agreements, such as the Microsoft Online Services Program or other MSDN-based agreements, do not support exporting usage data and cannot be connected to CloudZero. MCA accounts also support collecting usage and billing data at different billing scopes.

MCA Accounts

Connections to MCA accounts can be made at different billing scopes. The billing scope will determine the type of usage and billing data that can be collected, and which subscriptions and Marketplace purchases will be included in that data.

Billing Account

Connecting at the billing account scope will allow CloudZero to collect usage and billing data, including taxes and fees from invoices, for all subscriptions associated with the billing account and any purchases, such as support, that are associated to the billing account itself. The Billing account reader role for the connected billing account must be applied to the CloudZero service principal when connecting at this scope.

Billing Profile

A billing account can be subdivided into billing profiles that allow subscriptions, marketplace purchases, and other Azure services to be billed directly to different parts of your organization. Connections made at the billing profile scope will allow CloudZero to collect usage and billing data for only those subscriptions, Marketplace purchases, and invoice related charges that are managed by that billing profile. The Billing profile reader role for the connected profile must be applied to the CloudZero service principal when connecting at this scope.

Invoice Section

A billing profile can be further subdivided into invoice sections that allow subscriptions and marketplace purchases to be associated with different groups within a billing profile. For example, if a billing profile was created for a specific department within your organization, the invoice sections may be used to represent different groups within the department. Connections made at the invoice section scope will allow CloudZero to collect usage data for only those subscriptions and Marketplace purchases associated with that invoice section. The Invoice section reader role for the connected invoice section must be applied to the CloudZero service principal when connecting at this scope.

Subscription

Connections to MCA accounts can also be made directly to subscriptions. This will allow CloudZero to collect usage data only for those subscriptions that are added. For each subscription you want to add, you will need to create a CloudZero connection and assign the Billing reader role to the CloudZero service principal. Only usage data and Marketplace purchases associated with a connected subscription can be collected.

EA Accounts

EA accounts must be connected to the billing account itself, and the Enrollment reader role for that billing account must be assigned to the CloudZero service principal. The connection to the billing account will allow CloudZero to collect all usage data for all subscriptions and Marketplace purchases that are managed through the billing account, as well as any discounts applied via the EA agreement.

CSP Accounts

CSP accounts must be connected directly to an Azure subscription. If you have multiple subscriptions obtained through a Cloud Service Provider, you must create a CloudZero connection for each subscription and provide Billing reader permissions for the CloudZero service principal on each subscription. For CSP accounts, only usage data can be ingested. This includes all Azure services usage and Marketplace purchases.

📘

Billing Data Limitations

Some agreement types and billing scopes have limitations on what billing data can be accessed. All agreement types and billing scopes allow the collection of usage data. However, EA accounts, CSP accounts, and MCA accounts connected at either the invoice section scope or the subscription scope do not enable the collection of invoice data. Therefore, costs such as taxes and fees that are not indicated in the usage data are not collected for these agreement types or billing scopes.

Connect an Azure Billing Account, Billing Scope, or CSP Subscription

Open the Connections page

The Connections page can be found by going to the "gear" on the sidebar and selecting "Connections", or alternatively by going to https://app.cloudzero.com/organization/connections.

CloudZero Connections

📘

Note: Admin Role Required

You must be a CloudZero Admin to add new Connections to the platform.

Add an Azure Billing Account or CSP Subscription

On the Connections page you can see all of the Connections in your system. To connect an Azure Billing Account or a CSP subscription, click the “Add New Connection” button.

The first step is to fill in some Azure Tenant and Billing Account information on the next page:

  • Connection Name: This is the name you will see throughout the CloudZero UI, in addition to the Azure Billing Account ID.
  • Tenant ID: This is the ID at the top of your Microsoft Azure account, which can be found here.
  • Billing Account ID: This is the Azure ID for the billing account, scope, or subscription you want to connect to. For all three agreement types, this ID can be found in the Azure Portal:

For MCA accounts, this can be the billing account ID, billing profile ID, invoice section ID, or subscription ID. To find this ID:

  • Navigate to the billing scope you want to connect.
    • For Billing Account, Billing Profile, or Invoice Section scopes:
      • Go to your Azure home page and select Cost Management + Billing and then navigate to the billing scope you want to connect.
      • Click on Properties in the left navigation panel
      • Find the account, profile, or invoice section ID and click the Copy button (see image below for Billing Account scope)
        Azure Portal
    • For Subscription scope:
      • Navigate to the specific subscription you wish to add.
      • Click on Overview
      • Copy the value from Subscription ID

For EA accounts, this ID is the billing account ID. To find this ID:

  • Navigate to Cost Management + Billing
  • Click on Properties in the left navigation panel
  • The account ID should be an 8-digit number (e.g. 12345678)

For CSP subscriptions, this is the subscription ID. To find this ID:

  • Navigate to the specific subscription you wish to add.
  • Click on Overview
  • Copy the value from Subscription ID

Click the Save button.

📘

Redirect to Azure for Authorization

When you click Save, if you have not added this Tenant ID to CloudZero before, you will be redirected to Azure and asked to consent to CloudZero’s multi-tenant app. This is necessary to verify your membership in the Azure Active Directory tenant and will enable you to assign the required permissions to the CloudZero service principal in later steps.

Azure Permission Dialog

Granting this access creates the Azure service principal for the CloudZeroPlatform multi-tenant app. This service principal acts like a user in your AAD tenant and can be given permissions to interact with resources or read data through Azure APIs.

NOTE: When initially created, the service principal will not actually have any permissions granted to it. You must grant the necessary permissions as noted in later steps. The Scripted option described later will do this for you.

Once you have granted CloudZero's multi-tenant app the necessary access in Azure, you will be redirected back to the Connections screen and the connection to your billing account will be enabled in CloudZero.

Grant Access to the Billing API

In an earlier step, you consented to CloudZero’s multi-tenant app, and will now need to give it read permissions to access “Cost Management & Billing” APIs. CloudZero must be able to generate usage reports, read invoices to determine the taxes assessed when possible, and get other billing related information including discounts and balances.

Note: Customers with an Enterprise Agreement (EA) or Cloud Service Provider agreement (CSP) currently cannot receive some taxes and fees information through these APIs.

📘

Note: Permissions Required to perform these steps

In order to grant the required permissions, you must have the following roles:

  • For MCA accounts, you will need to have the owner role on the billing scope (Billing Account, Billing Profile, Invoice Section, or Subscription). This is required so you can assign reader permissions to the CloudZero Service Principal.
  • For EA accounts, you will need to have the Billing Account Owner role on the main Billing Account for your EA agreement. This is required so you can assign reader permissions to the CloudZero Service Principal.
  • For CSP accounts, you will need to have the Subscription Owner role on the subscription being connected to CloudZero. This is required so you can assign reader permissions to the CloudZero Service Principal.

For MCA accounts, perform the following steps:

  • Log into the Microsoft Azure portal
  • Navigate to the billing scope you want to connect.
    • For Billing Account, Billing Profile, or Invoice Section scopes go to your Azure home page and select Cost Management + Billing and then navigate to the specific billing scope you want to connect.
    • For the Subscription scope, navigate to the specific subscription you want to connect.
  • Click Access Control (IAM) » Add role assignment
    Azure Add Role Assignment Screen
  • Select the desired role to grant to the CloudZeroPlatform service principal:
    • For Billing Account scope, the Billing account reader grants read access only to usage and invoice data for all subscriptions and purchases associated with this billing account.
    • For Billing Profile scope, the Billing profile reader grants read access only to usage and invoice data for all subscriptions and purchases associated with this billing profile.
    • For Invoice Section scope, the Invoice section reader grants read access only to usage data for all subscriptions and purchases associated with this invoice section (invoice data is not available).
    • For Subscription scope, the Billing reader grants read access only to usage data for that subscription (invoice data is not available).
  • Search for the CloudZeroPlatform service principal
    • It can take an hour or longer for Azure to create the CloudZeroPlatform service principal requested through the Microsoft authorization screen from the earlier step. If the service principal is not available immediately, we recommend waiting an hour or two and then searching again.
    • If you delete the service principal, the CloudZero platform will not be able to provide fully accurate financial reports.
  • Click the Save button.

For EA accounts, perform the following steps:

For CSP subscriptions, perform the following steps:

  • Log into the Microsoft Azure portal
  • Navigate to the subscription being connected.
  • Click Access Control (IAM) » Add role assignment
    Azure Add Role Assignment Screen
  • Select the desired role to grant to the CloudZeroPlatform service principal:
    • Billing account reader grants read access only to billing and invoice data. This allows CloudZero to determine invoice details not found in the exported data from above, like taxes assessed on the usage.
  • Search for the CloudZeroPlatform service principal
    • It can take an hour or longer for Azure to create the CloudZeroPlatform service principal requested through the Microsoft authorization screen from the earlier step. If the service principal is not available immediately, we recommend waiting an hour or two and then searching again.
    • If you delete the service principal, the CloudZero platform will not be able to provide fully accurate financial reports.
  • Click the Save button.
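
A least-privilege check for the subscription-scope grants above, as an added example that is not CloudZero's or Microsoft's code: it audits a JSON export shaped like `az role assignment list --all -o json` and flags any role other than Billing Reader, any scope other than a connected subscription, and any connected subscription missing the grant. The object ID, subscription IDs and sample export are constructed placeholders, and the audit is limited to subscription-scope Azure RBAC assignments.

```python
import json

# Role this page names for subscription-scope connections (Azure's built-in
# display name is "Billing Reader"); compared case-insensitively.
ALLOWED_ROLE = "billing reader"

# Constructed placeholders, not real identifiers.
SP_OBJECT_ID = "00000000-0000-0000-0000-0000000000aa"
SUB_A = "11111111-1111-1111-1111-111111111111"
SUB_B = "22222222-2222-2222-2222-222222222222"

# Constructed sample shaped like `az role assignment list --all -o json`.
SAMPLE_EXPORT = json.dumps([
    {"principalId": SP_OBJECT_ID, "roleDefinitionName": "Billing Reader",
     "scope": f"/subscriptions/{SUB_A}"},
    {"principalId": SP_OBJECT_ID, "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB_A}/resourceGroups/rg-demo"},
    {"principalId": SP_OBJECT_ID, "roleDefinitionName": "Billing Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-demo"},
    {"principalId": "00000000-0000-0000-0000-0000000000bb",
     "roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB_B}"},
])


def audit_assignments(export_json, sp_object_id, connected_subscriptions):
    """Return sorted (finding, role, scope) tuples for one service principal."""
    expected = {f"/subscriptions/{s}".lower(): s for s in connected_subscriptions}
    covered, findings = set(), []
    for a in json.loads(export_json):
        if a.get("principalId", "").lower() != sp_object_id.lower():
            continue  # assignment belongs to some other principal
        role = a.get("roleDefinitionName") or ""
        scope = (a.get("scope") or "").rstrip("/")
        if role.lower() != ALLOWED_ROLE:
            findings.append(("excess-role", role, scope))  # more than read-only billing
        elif scope.lower() in expected:
            covered.add(expected[scope.lower()])
        else:
            findings.append(("unexpected-scope", role, scope))  # wider or unrelated scope
    for sub in connected_subscriptions:
        if sub not in covered:  # the connection for this subscription cannot read data
            findings.append(("missing-billing-reader", "", f"/subscriptions/{sub}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_assignments(SAMPLE_EXPORT, SP_OBJECT_ID, [SUB_A, SUB_B]):
        print(*finding, sep="\t")
```

An empty result means the service principal holds exactly the read-only grant on each connected subscription and nothing else.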

Return to the Connections Page

Once complete, your Azure Connection will appear on the CloudZero Connections page in the Billing Connections table.

CloudZero will then attempt to connect to the Azure Storage Account to verify the connection is working.

CloudZero Connections

Once the connection has been verified, the Health column will update from “Pending Data” to “Healthy”. Discovery can take up to an hour. It can take up to a day to synchronize new accounts before you see cost data in the Explorer.

If something changes on your side and CloudZero can no longer use the role that was just granted permissions, the Health will change and provide details on why CloudZero cannot connect.

You can connect any other Azure Accounts or CSP Subscriptions you want at this point with the same process.

📘

Note: Today USD is the only supported currency

Reach out to your CloudZero representative if your Azure cost is billed in a different currency.

Connecting Other Cost Sources

Additionally, you may want CloudZero to help with your other AWS or Snowflake costs, or the custom costs you can bring in using an AnyCost Adaptor.

Start by learning about CloudZero Connections, or choosing a Cost Source from the What's Next section below: