Configuring an Enterprise Agreement Azure Account

1. Log in to the Azure portal.
2. Navigate to Cost Management + Billing, and select your Enterprise Agreement billing account.
3. From the left pane, select Credits + Commitments, then select the Microsoft Azure Consumption Commitment (MACC) tab.
4. Copy the commitment Start Date and Commitment Amount into a text document.

1. Log in to the CloudHealth platform and go to Setup > Accounts > Azure Enrollment.
2. Click Add Enrollment.

3. Enter the Enrollment ID and give your enrollment a friendly name (e.g., Company EA).
4. Select the required Service Principal from the dropdown.
5. In the Commitment section, select the Commitment Term.
6. Optionally, provide Commitment Amount and Commitment Start Date.
7. Click Save Enrollment.

The API Access Key is not required to connect the enrollment.

Prerequisite- You must have global administrator privileges to register an App. While the connection between CloudHealth and Azure is read-only, a global administrator must register the App to ensure that there are no errors.

1. In the Azure Portal, select Azure Active Directory.

2. From the left menu, select the App Registrations and click New App Registration.

3. Fill out the following fields in the form and then click Register:

• Name: Enter the name of the service principal
• Supported Account Types: Select Accounts in this organizational directory only.
• Redirect URI: Select Web from the dropdown and enter https://apps.cloudhealthtech.com

4. Open the Application Registration you just created.

   • Copy the Display Name into the text document.
   • Copy the Application ID into the text document.

   

   Due to a a rare issue in the Azure Portal, creating a new app registration might fail to create a new service principal as expected. If this occurs, click the Create Service Principal link in App Registrations > Overview.

5. Go to Certificates & Secrets in the left menu. Click New Client Secret.

   • Add a key description. Make sure there are no spaces.
   • Select a duration. It is recommended that you set the expiration to at least one year.

6. Click Save. A value is generated.

7. Copy the key description and value into the text document.

8. Close the App Registration blade and return to the Active Directory menu.

9. Under the Manage header, select Properties.

   

10. Locate the directory ID. Select the Copy icon to copy the ID and then paste it into the text document.

    

11. Repeat steps 1-10 for each directory you manage.

Checkpoint: At this point, you have this information in the text document.

• Display Name
• Application ID
• Key Description
• Key Value
• Directory ID/Tenant ID

You can only create or update this billing role using the API.

1. Use your account credentials as an Enterprise Admin or Global Admin to sign in to the tenant with the enrollment access that you want to assign.

2. Open the Role Assignments - Put REST API article. Click Try it.

3. Provide the following parameters as a part of the API request.

   • Object ID
   • Azure Tenant ID
   • BillingAccountID
   • Role definition (already pre-filled with correct role ID).

For help locating these values, see Find API Parameters topic. For more information, see Find your SPN and tenant ID.

4. Update the following API request body with required details and run the API.

API Request Body:

{ 
   "properties": { 
     "principalId": "REPLACE WITH OBJECT ID", 
     "principalTenantId": "REPLACE WITH TENANT ID", 
     "roleDefinitionId": "/providers/Microsoft.Billing/billingAccounts/REPLACE WITH BillingAccountID/billingRoleDefinitions/24f8edb6-1668-4659-b5e2-40bb5f3a7d7e" 
   } 
 } 

5. Generate the GUID billingRoleAssignmentName. Generate a unique GUID using either the New-Guid PowerShell command or using the Online GUID / UUID Generator website. Note down the GUID for later use.
6. Repeat steps 1 to 6 for other Service Principals.

Mapping Multiple Enrollments to the Same Service Principal

If you have multiple enrollments mapped to the same service principals, you will need to run the Role Assignments - Put - REST API (Azure Billing) command for each enrollment.

1. Open the Role Assignments - Put REST API article, and click Try it.

2. Sign in to the tenant as an Enterprise Admin with the enrollment access.

3. Provide the following parameters as a part of the API request.

   • Object ID
   • Azure Tenant ID
   • Enrollment Id
   • Role definition (already pre-filled with correct role ID)

For help locating these values, see Find API Parameters topic. For more information, see Find your SPN and tenant ID.

4. Update the following API request body with required details and run the API.

{  
  “properties”: {  
    “principalId”: “SPN ID OR OBJECT ID”,  
    “principalTenantId”: “ADtenant ID OR Azure Tenant ID”,  
    “roleDefinitionId”: “/providers/Microsoft.Billing/billingAccounts/EnrollmentID/billingRoleDefinitions/24f8edb6-1668-4659-b5e2-40bb5f3a7d7e”  
  }  
 } 

Configuring GovCloud Subscriptions

When configuring the Service Principals with the enrollmentReader permission, change the API endpoint URL in the Role Assignments - Put API from https://management.azure.com to https://management.usgovcloudapi.net to grant the SPN the new permission.

Find API Parameters

Object ID

1. In the CloudHealth platform, navigate to Setup > Accounts > Azure Enrollment. Click View the Enrollment you configured and verify the Service Principal ID.
2. In the Azure portal, navigate to Azure Active Directory. From the left menu, select Enterprise applications.
3. Select Service Principal you configured with CloudHealth, and copy the Object ID.

Make sure that you copy and paste the Object ID from Enterprise applications. Do not use Object ID from App Registrations.

Azure Tenant ID

1. In the Azure portal, go to Azure Active Directory.
2. Copy the Tenant ID from the Overview tab.

BillingAccountID

1. In the Azure portal, go to Cost Management + Billing.
2. From the Overview section, copy the Billing Account ID.

Role Definition

Already pre-filled with correct role ID. For example- "roleDefinitionId": "/providers/Microsoft.Billing/billingAccounts/REPLACE WITH BillingAccountID/billingRoleDefinitions/24f8edb6-1668-4659-b5e2-40bb5f3a7d7e"

Enrollment ID

1. In the CloudHealth platform, navigate to Setup > Accounts > Azure Enrollment.
2. Click the view icon to see the enrollment you configured and copy the Enrollment ID.

Assign a Reader role for subscriptions that are managed in the directory.

For help assigning roles in Azure, see Assign Azure Roles using the Azure Portal.

When assigning the role, make the following selections:

• Role: Reader
• Members: CloudHealth

Repeat this step for each subscription.

Add Permissions to Access Key Vault (Optional)

With the additional get and list permissions, CloudHealth gets access to keys and secrets for each key vault under each subscription. Providing this access offers the following benefits:

• Visibility: Get all keys & secret details under each key vault in Asset reports.
• Policies: Create policies on keys and secrets and get notified if any key/secret doesn’t have an expiry date set.
• Perspectives: Since Key Vault Keys & Secrets are taggable assets, you can create perspective groups based on tags.

Use the following steps to grant additional permissions to the service principal:

1. Log in to the Azure Portal, and click the Cloud Shell icon on the top navigation bar.

2. Enter the following PowerShell script for every active Service Principal that you have added in the CloudHealth platform.

$subs = Get-AzureRmSubscription 
$client_id = 'Application id of service principal' 
foreach ($sub in $subs) {Set-AzureRmContext -SubscriptionId $sub.SubscriptionId 
$key_vaults = Get-AzureRmKeyVault 
foreach ($key_vault in $key_vaults) {Set-AzureRmKeyVaultAccessPolicy -VaultName $key_vault.VaultName -ServicePrincipalName $client_id -PermissionsToKeys get,list -PermissionsToSecrets get,list } } 

Get the Application id of the service principal from the CloudHealth platform. Go to Setup > Accounts > Azure Service Principal.

The script accesses current key vaults and grant permission to the service principal to retrieve and display key vault keys and secrets.

For a newly-added key vault, you need to separately grant permission to the service principal to retrieve and display keys. You can either run the above PowerShell script or manually add the service principal using following steps:

1. In the Azure Portal, go to the newly added key vault.
2. From the Settings menu, navigate to Access Policies, and click Add Access Policy.
3. Select get, list permissions from the Key permissions and Secret permissions dropdown.
4. Select Service principal.
5. Click Add.

1. Log in to the CloudHealth platform. From the left menu, select Setup > Accounts > Azure Service Principal. Then click New Service Principal.

2. Select Global Azure from the Account Type dropdown.

   

3. Copy the information from the text document into corresponding fields in the setup form.

   Make sure there are no spaces.

4. Optionally, select the Security Asset Collection dropdown if you want to disable asset collection on certain assets for security reasons. CloudHealth recommends enabling asset collection for all assets and does not store sensitive data.

   Disabled assets are marked as inactive in CloudHealth and cannot be used in policies.

   

5. Click Save Service Principal.

1. Log in to the Azure Portal and go to Azure Active Directory > App Registrations.

2. Copy the display name of the application you registered for CloudHealth and paste it in a Text file (such as NotePad or TextEdit).

3. Log in to the CloudHealth Platform. Go to Assets > Azure and select Reservation Orders from the Other section.

4. For the first reservation order in the table, select the Azure Portal icon to open that reservation order in the Azure Portal.

   

5. Go to Access Control (IAM) and click Add.

   

6. Fill out the fields as follows:

   • Select Reader from the Role dropdown menu.
   • In the Select field, copy and paste the service principal display name from step 2 that is associated with the reservation order and select the user returned by the search.

   

7. Click Save.

8. Repeat steps 4-7 for each reservation order.

1. Log in to the Azure Portal and go to Azure Active Directory > App Registrations.

2. Copy the display name of the application you registered for CloudHealth and paste it in a Text file (such as NotePad or TextEdit).

3. Log in to the CloudHealth Platform. Go to Assets > Azure and select Savings Plans from the Other section.

4. In the Savings Plan table, click the Go to Azure Portal icon to open the savings plan in the Azure portal.

5. From the left pane, go to Access Control (IAM) and click Add role assignment.

6. Fill out the fields as follows:

• Select Reader from the Role dropdown menu.
• In the Select field, copy and paste the service principal display name from step 2 that is associated with the savings plan and select the user returned by the search.

7. Click Save.

8. Repeat steps 4-7 for each Savings Plan.

The CloudHealth platform supports Azure AD User collection through Azure Service Principal. To collect the Azure AD objects, you need to add an additional Graph API permission to the Service Principal.

1. Log in to the Azure Portal, go to Azure Active Directory > App Registrations, and select the CloudHealth app.

2. Click API permissions > Add a permission.

3. Select Microsoft Graph and click Application permissions.

4. Under Select Permissions, expand Users, and select User.Read.All permission.

5. Click Add Permissions.

Once you add the required permissions, click Grant admin consent for Default Directory to allow an admin to grant admin consent to the configured permissions.