Connecting to an Azure CSP Account
To connect CloudZero to an Azure subscription acquired through a Cloud Solution Provider (CSP) agreement, you must enable the CloudZero multi-tenant service principal in your tenant and grant it read-only permissions to Azure's APIs.
CSP Subscription Permissions
For CSP subscriptions, the CloudZero service principal requires the Billing Reader role, which grants read-only permission to view usage and billing data for a single subscription and any Marketplace purchases directly associated with it.
Note that the CSP agreement type does not enable the collection of invoice data, such as taxes and fees. Additionally, Marketplace purchases that are not directly tied to the subscription cannot be collected.
All of CloudZero's Azure Permissions are Read-Only
CloudZero has no access to read data except where explicitly authorized. For example, the Billing Reader role grants CloudZero permission to read usage and billing data for a specific subscription, but not to query resource configurations.
You only need to create the CloudZero service principal once per tenant. However, if you have multiple subscriptions obtained through a CSP agreement, you must create a separate CloudZero connection for each subscription you plan to connect. You must also assign the service principal roles that grant access to each subscription.
Connect an Azure CSP Subscription
Prerequisites:
- In CloudZero, you must have the Organizer role to create a new connection.
- In Azure, you must have the Owner role on the subscription you plan to connect so you can assign permissions to the service principal.
To connect an Azure CSP subscription to CloudZero, complete the following steps:
- Retrieve IDs from Azure.
- Configure the connection in CloudZero.
- Authorize the CloudZero service principal in Azure.
- Grant the service principal access to the Azure Billing API.
- View the Azure connection details in CloudZero.
Step 1: Retrieve IDs from Azure
First, you must retrieve your tenant ID and subscription ID from Azure.
To locate the tenant ID:
- Log in to the Azure Portal and navigate to Microsoft Entra ID (formerly Azure Active Directory).
- Copy the Tenant ID for use in the next step.
To locate the subscription ID:
- Navigate to Subscriptions and select the subscription you plan to connect.
- In the Overview, copy the Subscription ID for use in the next step.
Step 2: Configure the Connection in CloudZero
- In CloudZero, navigate to Settings by selecting the gear icon in the top navigation bar.
- Select the Add Connection button.
- Enter a Connection Name. This is the name you will see alongside the Azure subscription ID in the CloudZero UI. It cannot contain spaces, periods, or special characters (except for hyphens and underscores).
- Select Cloud Solution Provider from the Azure Agreement Type drop-down menu.
- Paste the tenant ID you copied in Step 1 into the Tenant ID field.
- Paste the subscription ID you copied in Step 1 into the Billing Account ID field.
- Select Continue.
Step 3: Authorize CloudZero Service Principal in Azure
If you have not connected the selected tenant to CloudZero before, CloudZero redirects you to Azure and asks you for permission to create the CloudZeroPlatform service principal in your tenant.
If you have already granted CloudZero this consent, proceed to Step 4: Grant Access to the Azure Billing API.
- In Azure, check the Consent on behalf of your organization box.
- Select Accept.
Azure starts the process of creating the service principal in your tenant and redirects you to CloudZero. Note that it can take an hour or more for Azure to complete creating the service principal.
Step 4: Grant Access to the Azure Billing API
The CloudZero service principal requires read permissions to access Azure's Cost Management & Billing APIs. This allows CloudZero to generate usage reports and retrieve other billing-related information.
You must have the Owner role on the selected subscription to assign reader permissions to the CloudZero service principal.
- In the Azure Portal, navigate to Subscriptions and select the subscription you have connected to CloudZero.
- Select Access control (IAM).
- Select Add > Add role assignment.
- On the Role tab, search for and select the Billing Reader role.
- Select Next.
- On the Members tab, select User, group, or service principal.
- Click Select members.
- Search for and select the CloudZeroPlatform service principal that was created in Step 3. Note that it can take an hour or more for Azure to create the service principal, so if you don't see it in the search results, wait a while and try again.
- Select Next.
- Select Review + assign to assign the role.
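To confirm after Step 4 that the CloudZeroPlatform service principal holds only the Billing Reader role, and only on the subscriptions you connected, the following added example (not CloudZero's own code) audits the JSON printed by `az role assignment list --all --assignee <object-id> --output json`. The object ID, subscription IDs, and sample assignments are constructed placeholders.

```python
import json

EXPECTED_ROLE = "Billing Reader"  # role this page tells you to assign
# Assumed placeholder: object ID of the CloudZeroPlatform service principal.
SP_OBJECT_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"

# Constructed sample shaped like `az role assignment list ... --output json`.
SAMPLE = json.loads("""
[
  {"principalId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
   "roleDefinitionName": "Billing Reader",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
  {"principalId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-app"},
  {"principalId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
   "roleDefinitionName": "Billing Reader",
   "scope": "/providers/Microsoft.Management/managementGroups/root-mg"},
  {"principalId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"}
]
""")

def audit(assignments, principal_id, connected_subscriptions):
    """Return (findings, missing): grants beyond the documented one, and
    connected subscriptions that still lack the Billing Reader grant."""
    expected = {f"/subscriptions/{s}".lower() for s in connected_subscriptions}
    findings, granted = [], set()
    for a in assignments:
        if a.get("principalId", "").lower() != principal_id.lower():
            continue  # assignment belongs to some other identity
        role, scope = a.get("roleDefinitionName", ""), a.get("scope", "")
        norm = scope.lower().rstrip("/")  # Azure scopes are case-insensitive
        if role != EXPECTED_ROLE:
            findings.append(f"unexpected role '{role}' at {scope}")
        elif norm not in expected:
            findings.append(f"'{role}' at unexpected scope {scope}")
        else:
            granted.add(norm)
    return findings, sorted(expected - granted)

if __name__ == "__main__":
    subs = ["11111111-1111-1111-1111-111111111111",
            "22222222-2222-2222-2222-222222222222"]
    findings, missing = audit(SAMPLE, SP_OBJECT_ID, subs)
    for line in findings:
        print("FINDING:", line)
    for scope in missing:
        print("MISSING Billing Reader at:", scope)
```

An empty findings list and an empty missing list mean the service principal has exactly the access this page describes for each connected subscription.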
Step 5: View the Azure Connection in CloudZero
- In CloudZero, navigate to Settings by selecting the gear icon in the top navigation bar.
- Select the newly created Azure connection in the Billing Connections table.
On the Azure Connection Details page, you can find the following information:
- Status
- Connection Name
- Connection ID
- Billing Account ID
- Agreement Type
- Timestamps for connection creation, ingestion, and more
The following image shows an example Azure MCA connection, but your CSP connection will look similar:
After CloudZero has processed the first ingest of billing and/or usage data, the Status changes from Pending Data to Healthy. This can take several hours.
If CloudZero can no longer use the role you assigned it, the Status is updated with details about why CloudZero cannot connect.
Note that it can take up to a day to synchronize new accounts before you see cost data in the Explorer.
USD is Currently the Only Supported Currency
Reach out to your CloudZero representative if your Azure cost is billed in a different currency.