Cloud Services

Cost & Asset Management

Onboarding an Azure EA account in CAM
Published On Aug 26, 2024 - 6:13 PM

Onboarding an Azure EA account in CAM

This page details the steps needed to onboard an Azure EA account into CAM
Kyndryl's Cost and Asset Manager (CAM) offers a robust solution for monitoring and analyzing cost and usage data through Azure Enterprise Agreement (EA) cost management and resource metrics. This guide provides detailed instructions on configuring Azure EA accounts to seamlessly integrate with CAM, ensuring efficient cost and asset management. By leveraging delegated access and role-based access control, you can securely access and manage data while adhering to compliance requirements. Following this guide will enable you to utilize CAM's features effectively to optimize costs and enhance resource utilization in your Azure EA accounts.
Prerequisites
Before starting the onboarding process, ensure you have:
  • Be a CAM Administrator or have the appropriate permissions to perform all steps.
  • An Azure account with the necessary permissions.
  • The billing account number and the subscription details.
  • Details for creating the credentials: Client ID and Secret Key.
  • A service principal who can assume roles in Azure.
  • Admin/Co-admin access to set up the delegated access and run the scripts for implementation and to obtain configuration information.
Overview
This documentation aims to help ingest Azure data into CAM securely using best practices and without asking for customer credentials. The recommendation is to use delegated access and role-based access control to pull Cost Asset Metrics and Recommendation data to support the Inform and Optimize data of the FinOps lifecycle.
Configuration
Steps for Azure Configuration
This section describes obtaining and setting up Azure Resource Manager credentials to configure the Azure provider account on Cost & Asset Management.The credentials required can be divided into two parts:
  • Azure Billing Credentials
  • Azure Subscription Credentials
Azure Billing Credentials:
  1. Master Billing Account (Enrollment Number)
  2. API Key
  3. Application ID
  4. Application Secret
Note
:
  • If using a collector, the Tenant ID must be added to the Azure Billing account onboarding page.
  • On the Billing account credential page, the Application ID and Secret, along with the API key and billing account number, are required.
Steps to Obtain Azure Billing Credentials:
  1. Login to Azure Portal with an Enrollment Admin role.
  2. Go to "Billing Subscription" dashboard and select the EA account.
  3. Click on "Usage Charges" and then "Manage API access keys."
  4. Copy the primary keys.
Azure Subscription Credentials:
  1. Tenant ID
  2. Application ID
  3. Application Secret
  4. Subscription ID
Steps to Generate Azure Subscription Credentials:
  1. Login to Azure Portal.
  2. Navigate to Azure Active Directory properties to find the Tenant ID.
  3. Navigate to Azure Active Directory > App registrations > New registration to create a new application.
  4. Fill in the application name and select the account.
  5. Once registered, note the Application (Client) ID.
  6. Navigate to Certificates & secrets to generate the Client Secret. Provide a description and expiration period, then copy the generated secret.
  7. Grant admin consent in API permissions.
  8. Add the created application to the subscription via Access Control (IAM) by assigning the Reader role.
Assigning Application to EA Account:
  1. Ensure the user has the Enterprise Administrator role.
  2. From the Azure Portal, go to the Enterprise Application tab, search for the created application, and note the Object ID.
  3. Generate a GUID using an online generator like GUID Generator.
  4. Use the API playground service to assign the application with the EnrollmentReader role to the EA account.
Example API Request Body:
 
{
  "properties": {
    "principalId": "{EnterpriseAppObjectID}",
    "principalTenantId": "{TenantID}",
    "roleDefinitionId":
"/providers/Microsoft.Billing/billingAccounts/{BillingAccountID}/billingRoleDefinitions/24f8edb6-1668-4659-b5e2-40bb5f3a7d7e"
  }
}
Set Up a Service Account
The Service Account, typically a Kyndryl account, should be separate from Billing or Sub Accounts. Follow these steps to set up the Service Account:
  • Login to your Kyndryl Application console
  • Navigate to
    Admin
     and select
    Provider Account
  • Click on
    New Master Account
     and select
    Azure
  • Enter a
    Name
     and
    Account number
  • Click on
    Add Credentials
  1. Provide the name, purpose, credential values (account number and API key), and context, then save it.
Set Up an Asset Account
  1. Click on Add Asset account
  2. Enter a Name, Subscription, and TenantID
  3. Click on Add Credentials
    • Provide the name, purpose, credential values (client ID and secret key), and context, then save it.
  4. Select
    Test connection
     to ensure is the configuration was successful.
For more detailed guidance, refer to Azure EA and Kyndryl documentation:
Do you have two minutes for a quick survey?
Take Survey