Connecting to an Azure MCA Account
To connect CloudZero to an Azure Microsoft Customer Agreement (MCA) account, you must enable the CloudZero multi-tenant service principal in your tenant and grant it read-only permissions to Azure's APIs.
MCA Account Billing Scopes and Permissions
Connections to MCA accounts can be made at different billing scopes. The billing scope determines the type of usage and billing data that can be collected, and which subscriptions and Azure Marketplace purchases are included in that data. Each scope requires a different read-only role.
Scope | Data types | Data source | Role |
---|---|---|---|
Billing account | Usage, billing, and invoice data | Subscriptions and Marketplace purchases associated with the billing account | Billing Account Reader role |
Billing profile | Usage, billing, and invoice data | Subscriptions and Marketplace purchases associated with the billing profile | Billing Profile Reader role |
Invoice section | Usage and billing data | Subscriptions and Marketplace purchases associated with the invoice section | Invoice Section Reader role |
Subscription | Usage and billing data | The connected subscription and Marketplace purchases associated with it | Billing Reader role |
Note that the invoice section and subscription scopes do not enable the collection of invoice data, such as taxes and fees. Additionally, Marketplace purchases not directly tied to the subscriptions in the invoice section (for the invoice section scope) or to the selected subscription (for the subscription scope) cannot be collected.
All of CloudZero's Azure Permissions are Read-Only
CloudZero has no access to read data except where explicitly authorized. For example, the Billing Account Reader role grants CloudZero permission to read usage and billing data for a billing account, but not to query resource configurations.
Connect an Azure MCA Account Billing Scope
Prerequisites:
- In CloudZero, you must have the Organizer role to create a new connection.
- In Azure, you must have the Owner role on the billing scope you plan to connect so you can assign permissions to the service principal.
To connect an Azure MCA account billing scope to CloudZero, complete the following steps:
- Retrieve IDs from Azure.
- Configure the connection in CloudZero.
- Authorize the CloudZero service principal in Azure.
- Grant the service principal access to the Azure Billing API.
- View the Azure connection details in CloudZero.
Step 1: Retrieve IDs from Azure
First, you must retrieve your Azure tenant ID and the ID for the billing scope you intend to connect.
To locate the tenant ID:
- Log in to the Azure Portal and navigate to Microsoft Entra ID (formerly Azure Active Directory).
- Copy the Tenant ID for use in the next step.
To locate a billing account, billing profile, or invoice section ID:
- Navigate to Cost Management + Billing and select the billing scope you plan to connect.
- In the left menu, under Settings, select Properties.
- Copy the account, profile, or invoice section ID for use in the next step.
For example, the following image shows where to find a billing account ID:
To locate a subscription ID:
- Navigate to Subscriptions and select the subscription you plan to connect.
- In the Overview, copy the Subscription ID for use in the next step.
Step 2: Configure the Connection in CloudZero
- In CloudZero, navigate to Settings by selecting the gear icon in the top navigation bar.
-
Select the Add Connection button.
-
Enter a Connection Name. This is the name you will see alongside the Azure billing scope ID in the CloudZero UI. It cannot contain spaces, periods, or special characters (except for hyphens and underscores).
-
Select Microsoft Customer Agreement from the Azure Agreement Type drop-down menu.
-
Paste the tenant ID you copied in Step 1 into the Tenant ID field.
-
Paste the billing account, billing profile, invoice section, or subscription ID you copied in Step 1 into the Billing Account ID field.
-
Select Continue.
Step 3: Authorize CloudZero Service Principal in Azure
If you have not connected the selected tenant to CloudZero before, CloudZero redirects you to Azure and asks you for permission to create the CloudZeroPlatform service principal in your tenant.
If you have already granted CloudZero this consent, proceed to Step 4: Grant Access to the Azure Billing API.
- In Azure, check the Consent on behalf of your organization box.
- Select Accept.
Azure starts the process of creating the service principal in your tenant and redirects you to CloudZero. Note that it can take an hour or more for Azure to complete creating the service principal.
Step 4: Grant Access to the Azure Billing API
The CloudZero service principal requires read permissions to access Azure's Cost Management & Billing APIs. This allows CloudZero to generate usage reports, read invoices to determine the taxes assessed when possible, and retrieve other billing-related information, including discounts and balances.
You must have the ownership role on the selected billing scope to assign reader permissions to the CloudZero service principal.
-
In the Azure Portal, select the billing scope you have connected to CloudZero.
- Subscription scope: Navigate to Subscriptions and select the subscription.
- All other scopes: Navigate to Cost Management + Billing and select the billing scope.
-
Select Access control (IAM).
-
Select Add > Add role assignment.
-
On the Role tab, search for and select the required role for your billing scope:
- Billing account: Billing Account Reader role
- Billing profile: Billing Profile Reader role
- Invoice section: Invoice Section Reader role
- Subscription: Billing Reader role
For details about the data each role reads, see MCA Account Billing Scopes and Permissions.
-
Select Next.
-
On the Members tab, select User, group, or service principal.
-
Click Select members.
-
Search for and select the CloudZeroPlatform service principal that was created in Step 3. Note that it can take an hour or more for Azure to create the service principal, so if you don't see it in the search results, wait a while and try again.
-
Select Next.
-
Select Review + assign to assign the role.
Step 5: View the Azure Connection in CloudZero
-
In CloudZero, navigate to Settings by selecting the gear icon in the top navigation bar.
-
Select the newly created Azure connection in the Billing Connections table.
On the Azure Connection Details page, you can find the following information:
- Status
- Connection Name
- Connection ID
- Billing Account ID
- Agreement Type
- Timestamps for connection creation, ingestion, and more
After CloudZero has processed the first ingest of billing and/or usage data, the Status changes from Pending Data to Healthy. This can take several hours.
If CloudZero can no longer use the role you assigned it, the Status is updated with details about why CloudZero cannot connect.
Note that it can take up to a day to synchronize new accounts before you see cost data in the Explorer.
USD is Currently the Only Supported Currency
Reach out to your CloudZero representative if your Azure cost is billed in a different currency.
Updated 4 months ago