CloudZero Academy
Guides
CloudZero Status
  1. Connect Your Cost Data
  2. Cloud Providers
  3. Connecting to Azure

Microsoft Customer Agreement (MCA)

Connect your Microsoft Customer Agreement (MCA) account to CloudZero in five steps and see your Azure costs in a unified view within 24 hours. CloudZero connects through a read-only application registered in your Azure tenant (called a service principal).

For full details on what CloudZero accesses, see Azure Permissions and Security.

Overview

Connecting an MCA account takes five steps:

  1. Choose your billing scope and retrieve IDs from Azure
  2. Configure the connection in CloudZero
  3. Authorize CloudZero in your Azure tenant
  4. Grant CloudZero read access to your billing data
  5. Verify the connection

What you need

  • CloudZero user with data configuration permissions
  • In Azure, the Owner role on the billing scope you plan to connect (required to assign the reader role to the CloudZero application)
ℹ️

CloudZero supports Azure cost data in USD. If your Azure costs are billed in a different currency, reach out to your account manager.

Step 1: Choose your billing scope and retrieve IDs

Choose your billing scope

ScopeData includedRequired IDs
Billing account (recommended)Usage, billing, and invoice data across all subscriptionsTenant ID, Billing account ID
Billing profileUsage, billing, and invoice data for subscriptions in the profileTenant ID, Billing profile ID
Invoice sectionUsage and billing data (no invoice data)Tenant ID, Invoice section ID
SubscriptionUsage and billing data for a single subscription (no invoice data)Tenant ID, Subscription ID

The invoice section and subscription scopes do not include invoice data such as taxes and fees. Marketplace purchases not directly associated with the subscriptions in scope cannot be collected at these levels.

If you are unsure which scope to use, billing account is the right choice for most organizations.

Retrieve your tenant ID

  1. In the Azure Portal, navigate to your tenant directory (Microsoft Entra ID).
  2. Copy the Tenant ID for use in Step 2.
Copy your Tenant ID in the Azure Portal

Retrieve a billing account, billing profile, or invoice section ID

  1. Navigate to Cost Management + Billing and select the billing scope you chose.
  2. In the left menu, under Settings, select Properties.
  3. Copy the ID for use in Step 2.
Example of a Billing Account ID in the Azure Portal

Retrieve a subscription ID

  1. Navigate to Subscriptions and select the subscription you plan to connect.
  2. In the Overview, copy the Subscription ID for use in Step 2.
Example of a Subscription ID in the Azure Portal

Step 2: Configure the connection in CloudZero

  1. In CloudZero, go to Settings > Cloud Connections.
  2. Select Create Connection +.
  3. Select the Azure tile, then choose the Billing tile.
  4. Enter a Connection Name using letters, numbers, hyphens, or underscores only.
  5. Select Microsoft Customer Agreement from the Azure Agreement Type drop-down menu.
  6. Paste the tenant ID you copied in Step 1 into the Tenant ID field.
  7. Paste the billing scope ID you copied in Step 1 into the Billing Account ID field.
  8. Select Create Connection.

Step 3: Authorize CloudZero in your Azure tenant

If you have not connected this tenant to CloudZero before, CloudZero redirects you to Azure to register the CloudZeroPlatform application (service principal) in your tenant.

If you have already granted this authorization, proceed to Step 4.

  1. In Azure, check the Consent on behalf of your organization box.
  2. Select Accept.
Azure Permission Dialog

Azure registers the application in your tenant and redirects you to CloudZero.

ℹ️

It can take an hour or more for Azure to finish registering the application.

If approving the CloudZeroPlatform application through Azure's Admin Consent Requests results in the message Consent for CloudZeroPlatform was cancelled by user, have a user with the Global Administrator role (activated through Azure Privileged Identity Management if your organization uses PIM) perform Step 2 and Step 3.

Step 4: Grant CloudZero read access to your billing data

You must have the Owner role on the billing scope to assign a reader role to the CloudZero application.

Option A: Use the CloudZero PowerShell script

This option is available if you selected the billing account scope in Step 1. The script assigns the Billing Account Reader role automatically. For other billing scopes, use Option B.

  1. Open a PowerShell session. You can use Azure Cloud Shell (select PowerShell if prompted) or run PowerShell locally. If running locally, install the Azure PowerShell module and sign in with Connect-AzAccount.

  2. Download the script:

    • Cloud Shell or command line: Run the following command: 
      Invoke-WebRequest -Uri "https://raw.githubusercontent.com/Cloudzero/provision-account/develop/azure/cz_azure_billing_permissions_setup.ps1" -OutFile "./cz_azure_billing_permissions_setup.ps1"
    • Manual download: Download the script from the CloudZero provision-account repository and place it in your working directory. For full usage details, see the README.

  3. Run the script with the billing account ID you copied in Step 1:

    ./cz_azure_billing_permissions_setup.ps1 -BillingAccountId <your-billing-account-id>

  4. Proceed to Step 5.

Option B: Assign the role through the Azure Portal

  1. In the Azure Portal, navigate to the billing scope you connected to CloudZero:
  2. Select Access control (IAM).
  3. Select Add > Add role assignment.
  4. On the Role tab, search for and select the reader role that matches the billing scope you selected in Step 1:
    • Billing account: Billing Account Reader
    • Billing profile: Billing Profile Reader
    • Invoice section: Invoice Section Reader
    • Subscription: Billing Reader
  5. Select Next.
  6. On the Members tab, select User, group, or service principal.
  7. Choose Select members.
  8. Search for and select CloudZeroPlatform. If you do not see it in the search results, the application may still be registering. Wait an hour and try again.
  9. Select Next.
  10. Select Review + assign.

Step 5: Verify the connection

  1. In CloudZero, go to Settings > Cloud Connections.
  2. Select the newly created Azure connection in the Billing Connections table.
An example Azure connection in the Billing Connections table in CloudZero

On the connection details page, you can see the connection status, tenant ID, billing account ID, agreement type, and ingestion timestamps.

An example Azure Connection Details page in CloudZero

What to expect

After CloudZero processes the first data ingest, the connection status changes from Pending Data to Healthy. This can take several hours. Cost data appears in the Explorer within a day.

You can connect additional Azure accounts at any time by repeating this process. CloudZero supports organizations with multiple tenants.

Once your billing connection is active, you can also connect resource metadata for deeper cost analysis.

Migrating from an Enterprise Agreement

If your organization is moving from an EA to an MCA:

  1. Set up your MCA connection using the steps above.
  2. In CloudZero, go to Settings > Cloud Connections and pause the existing EA connection.

After pausing, data flows through the new MCA connection. Your historical EA data remains available in CloudZero.

ℹ️

Pause the EA connection instead of deleting it to preserve your historical cost data. If the EA connection displays an Error state after the migration, this is expected. Pause the connection to resolve it.

ℹ️

Have questions or feedback? Reach out to your account manager.

Updated 16 days ago