Cloud Services

Cost & Asset Management

Onboarding an Azure MPS-CSP accounts in CAM
Published On Aug 26, 2024 - 6:13 PM

Onboarding an Azure MPS-CSP accounts in CAM

This page details the steps needed to onboard an Azure MPS-CSP account into CAM
Kyndryl's Cost and Asset Manager (CAM) provides a comprehensive solution for monitoring and analyzing cost and usage data through Azure Microsoft Partner Agreement (MPA) and Cloud Solution Provider (CSP) billing and resource metrics. This guide offers detailed instructions for configuring Azure MPA accounts to integrate seamlessly with CAM, ensuring effective cost and asset management.
You can securely manage and access data by leveraging delegated access and role-based access control while adhering to compliance requirements. Following this guide will enable you to utilize CAM's features effectively, optimize costs, and enhance resource utilization across your Azure MPA accounts.

Prerequisites

Before starting the onboarding process, ensure you have:
  • Be a CAM Administrator or have the appropriate permissions to perform all steps.
  • An Azure account with the necessary permissions.
  • The billing account number and the subscription details.
  • Details for creating the credentials: Client ID and Secret Key.
  • A service principal who can assume roles in Azure.
  • Admin/Co-admin access is required to set up the delegated access, run the scripts for implementation, and obtain configuration information.

Overview

This documentation aims to help ingest Azure data into CAM securely using best practices and without asking for customer credentials. The recommendation is to use delegated access and role-based access control to pull Cost Asset Metrics and Recommendation data to support the Inform and Optimize data of the FinOps lifecycle.

Configuration

Set Up a Service Account

The Service Account should be separate from Billing or Asset Accounts. Follow these steps to set up the Service Account:
  1. Login to your Kyndryl application console
  2. Navigate to
    Admin
     -
    Provider
     Account
  3. Click on
    New Master Account
     and select
    Azure
  4. Enter a
    Name
     and
    Account number
  5. Click on
    Add Credentials
    • Provide the name, purpose, credential values (account number and API key), and context, then save it.

Adding Billing Accounts

The supported scopes in the Microsoft Partner Agreement are:
  • BillingAccount (Master CSP Billing account)
  • BillingProfile (Sub Master CSPB Billing Accounts)
  • Customer (Billing account for individual customer cost)
  • Subscriptions (Asset Accounts – used for utilization ingestion and resource provisioning)

Adding Azure MPA Billing Account:

  1. In Admin section, click on IAM.
  2. Click on the Add new button.
  3. Click on Add connection.

Scenario 1: Billing Account as Scope

  1. Add billing account:
    • Connection Name:
       Name of billing account in CAM
    • Description:
       A description for this account
    • Select Technology Category:
       Cloud Provider
    • Select Connection Type:
       Azure MPA
  2. Connection Configuration Details:
    • Tenant ID:
       Tenant ID of partner if its billing Account.
    • Enterprise Agreement Enrollment Number:
       Billing account of CSP under the MPA.
      1. Example: - 50fe1198-xxxx-5d0e-xxxx-85exxxxxx13:15f8e4c1-xxxx-4fae-xxxx-655f2ab0xxxx_2019-05-31
  3. Credential Details:
    • MPA Scope:
       billingAccounts
    • Scope Value:
       Billing account of CSP under MPA
    • Application ID:
       Application (Client) ID of the app registered across the scopes.
    • Application Secret:
       Secret value present in the client credential of the app registered across the scopes.

Scenario 2: Billing Profile as Scope

  1. Add billing profile:
    • Connection Name:
       Name of billing account in CAM
    • Description:
       A description for this account
    • Select Technology Category:
       Cloud Provider
    • Select Connection Type:
       Azure MPA
  2. Connection Configuration Details:
    • Tenant ID:
       Tenant ID of partner if its billing Account.
    • Enterprise Agreement Enrollment Number:
       Billing account of CSP under the MPA.
      1. Example: - 50fe1198-xxxx-5d0e-xxxx-85exxxxxx13:15f8e4c1-xxxx-4fae-xxxx-655f2ab0xxxx_2019-05-31
  3. Credential Details:
    • MPA Scope:
       billingProfiles
    • Scope Value:
       Billing Profile ID
    • Application ID:
       Application (Client) ID of the app registered across the scopes.
    • Application Secret:
       Secret value present in the client credential of the app registered across the scopes.

Scenario 3: Customer as Scope

  1. Add customer:
    • Connection Name:
       Name of billing account in CAM
    • Description:
       A description for this account
    • Select Technology Category:
       Cloud Provider
    • Select Connection Type:
       Azure MPA
  2. Connection Configuration Details:
    • Tenant ID:
       Tenant ID of partner if its billing Account.
    • Enterprise Agreement Enrollment Number:
       Billing account of CSP under the MPA.
      1. Example: - 50fe1198-xxxx-5d0e-xxxx-85exxxxxx13:15f8e4c1-xxxx-4fae-xxxx-655f2ab0xxxx_2019-05-31
  3. Credential Details:
    • MPA Scope:
       customer
    • Scope Value:
       Tenant ID of customer
    • Application ID:
       Application (Client) ID of the app registered across the scopes.
    • Application Secret:
       Secret value present in the client credential of the app registered across the scopes.

Scenario 4: Subscription as Scope

  1. Add subscription:
    • Connection Name:
       Name of billing account in CAM
    • Description:
       A description for this account
    • Select Technology Category:
       Cloud Provider
    • Select Connection Type:
       Azure MPA
  2. Connection Configuration Details:
    • Tenant ID:
       Tenant ID of Customer.
    • Enterprise Agreement Enrollment Number:
       Billing account of CSP under the MPA.
      1. Example: - 50fe1198-xxxx-5d0e-xxxx-85exxxxxx13:15f8e4c1-xxxx-4fae-xxxx-655f2ab0xxxx_2019-05-31
  3. Credential Details:
    • MPA Scope:
       subscriptions
    • Scope Value:
       Subscription ID
    • Application ID:
       Application (Client) ID of the app registered across the scopes.
    • Application Secret:
       Secret value present in the client credential of the app registered across the scopes.

Adding Asset Accounts using IAM Connection in Customer Tenant

  1. In Admin section click on IAM.
  2. Click on the Add new button.
  3. Click on Add connection.
Add Connection Page:
  1. Connection Name:
     Name of billing account in CAM
  2. Description:
     A description for this account
  3. Select Technology Category:
     Cloud Provider
  4. Select Connection Type:
     Azure subscription
Connection Configuration Details:
  • Subscription ID:
     Subscription ID from console
  • Tenant ID:
     Tenant ID of the app created on the subscription account.
Credential Details:
  • Application ID:
     Application (Client) ID of the app registered across the scopes.
  • Application Secret:
     Secret value present in the client credential of the app registered across the scopes.

Adding CSP Accounts

#To configure CSP accounts, follow the steps outlined in the attached CSP documentation. Here are the key details:
  1. Billing Credentials:
    • MPN ID: Account Settings → Organization Profile → Identifiers
    • Domain (Default Domain): Account Settings → Organization Profile → Azure AD Profile
    • CSP App ID: Account Settings → App Management → Use Existing Web App / Add new native App.
      Under App management, you can use an existing registered web app or you can create a new web app.
    • CSP App Key: Account Settings → App Management → Add Key. (While generating a new CSP key, user can choose 1 / 2-year expiry for the key.)
  2. Asset Account Credentials:
    • Tenant-id: Account Settings → App Management → Choose your existing App / Create New App → Account ID / Commerce ID.
Steps for Adding CSP Accounts:
  1. Navigate to
    Admin
     -
    Provider Account
  2. Click on
    New Master Account
     and select
    Azure
  3. Enter a
    Name
     and
    Account number
  4. Click on
    Add Credentials
    • Provide the name, purpose, credential values (account number and API key), and context, then save it.
  5. Configure the connection using the details provided above.
Do you have two minutes for a quick survey?
Take Survey