PierCloud FinOps Platform - Azure Basic Configurations

Basic Configuration Process for Pier Cloud FinOps Platform

Welcome to Pier Cloud!

This document is a guide for preparing your environment so that Pier Cloud can install the Platform products in your account.

The process allows Pier Cloud to read billing information without any possibility of changing or deleting data in your account (Lighthouse), and grants read and edit access to items related to optimization (CCA/Autofix).

The configurations present in this documentation are used to enable the products: Lighthouse, CCA and Autofix for Azure.

Product Settings:

  • Lighthouse

Prerequisite and Configuration - Cost Management API:

This step must be performed by a user with the Enterprise Administrator role.

To check who owns this role, follow the steps below in the Azure console:

  1. Access Cost Management + Billing;

  2. Navigate to Access Control (IAM);

  3. In the user list, identify who has the Enterprise Administrator role.

Note: In the image illustrated below, you can either add an Enterprise Administrator or check which users already have this permission.

  1. Authenticate in the browser with the Enterprise Admin user, through the Azure console;

  2. Open the Microsoft Learn page Role Assignments - Put - REST API (Azure Billing) and click on Try It;

  3. When clicking on Try It, if you have previously authenticated, the following screen will be displayed for confirmation. If it is correct, continue.

3.1. To configure step 4, you will need to acquire the information that will be presented in the next step and in the following slides.

  • BillingAccountName: This parameter is the billing account ID. You can find it in the Azure portal on the Cost Management + Billing overview page.

3.2. BillingRoleAssignmentName: This parameter is a unique GUID that you need to provide. You can generate a GUID using the New-Guid PowerShell command. You can also use the Online GUID / UUID Generator website to generate a unique GUID. Copy the code as illustrated in the image below.

3.3. PrincipalId: This is the principal ID, which is shown as Object ID, as illustrated in the image below.

3.4. Tenant ID: Here we can obtain the Tenant ID information, as illustrated in the image below:

  4. When authenticating, you will be directed to the following screen, where you will be asked for information about the Service Principal that will have read access to the Billing API.

  • In the image to the side, the fields highlighted in red and numbered correspond to the previous steps, indicating where to find the ID of each field.

  5. Enter the information below in the corresponding fields:

Parameters:

  • billingAccountName: Your billing account ID, which can be obtained in the Azure portal under Cost Management + Billing > Properties > Billing Account ID.

  • billingRoleAssignmentName: A unique UUID, which can be generated programmatically or through a website such as https://www.uuidgenerator.net/.

  • api-version: Keep the auto-filled version. At the time of writing this document, it is version 2019-10-01-preview.

  6. Copy the following information and write it down:

  • The principal ID, which will be the Object ID of the Enterprise Application.

  • The Tenant ID, which can be collected on the same Service Principal creation screen.

  • Role Definition Id - Will always be the following: /providers/Microsoft.Billing/billingAccounts/billingAccountName/billingRoleDefinitions/24f8edb6-1668-4659-b5e2-40bb5f3a7d7e

  7. Enter the information in the corresponding fields as below:

  • Body: replace the values between "double quotes" with the data collected previously.

  • Note: The fields highlighted in red need to be replaced with the indicated values. The numbering refers to the step in which the information was obtained, as illustrated in the image below.

  8. Remove the keys and copy the block into the Body space on the page:

  9. With all fields filled in, click on Run. The return should be an HTTP 200 response informing that the call was successful.

  10. That's it, the setup is complete. Below is a summary of the information you need to send to Pier Cloud.

    • Azure Tenant ID (Link)

    • Billing Account ID - (It can be obtained from the Azure portal under Cost Management + Billing > Properties > Billing Account ID)

    • Service Principal (Application Id, Secret) - Created in the previous step
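The request that the Try It form sends in the steps above can be assembled and checked offline before it is run, which catches an unreplaced billingAccountName placeholder or a malformed ID. The Python sketch below is an added example, not code from Pier Cloud or Microsoft. It assumes the request shape of Role Assignments - Put (a `properties` object holding `principalId`, `principalTenantId` and `roleDefinitionId`); the function name, the `client_id` check and the sample IDs are constructed for illustration.

```python
import re
import uuid

ARM = "https://management.azure.com"
API_VERSION = "2019-10-01-preview"  # version quoted in this guide
# Role definition GUID quoted in this guide (read access to billing data).
ROLE_GUID = "24f8edb6-1668-4659-b5e2-40bb5f3a7d7e"


def _guid(label, value):
    """Return the canonical lowercase GUID, or raise naming the field."""
    try:
        return str(uuid.UUID(str(value).strip()))
    except ValueError:
        raise ValueError(f"{label} is not a GUID: {value!r}") from None


def build_role_assignment(billing_account_id, principal_id, tenant_id,
                          assignment_name=None, client_id=None):
    """Hypothetical helper: build (url, body) for Role Assignments - Put."""
    account = str(billing_account_id).strip()
    # Catch the unreplaced placeholder and anything that would change the path.
    if account == "billingAccountName" or not re.fullmatch(r"[\w:.-]+", account):
        raise ValueError(f"billing account ID not filled in: {account!r}")
    principal = _guid("principalId", principal_id)
    # Both IDs are GUIDs, so pasting the Application (client) ID instead of
    # the Enterprise Application Object ID can only be caught by comparison.
    if client_id is not None and principal == _guid("client_id", client_id):
        raise ValueError("principalId is the Application (client) ID, "
                         "expected the Enterprise Application Object ID")
    name = _guid("billingRoleAssignmentName", assignment_name or uuid.uuid4())
    base = f"/providers/Microsoft.Billing/billingAccounts/{account}"
    url = f"{ARM}{base}/billingRoleAssignments/{name}?api-version={API_VERSION}"
    body = {"properties": {
        "principalId": principal,
        "principalTenantId": _guid("principalTenantId", tenant_id),
        "roleDefinitionId": f"{base}/billingRoleDefinitions/{ROLE_GUID}",
    }}
    return url, body


if __name__ == "__main__":
    import json
    # Constructed sample values, not real identifiers.
    url, body = build_role_assignment(
        "1234567", "aaaaaaaa-1111-2222-3333-444444444444",
        "bbbbbbbb-1111-2222-3333-444444444444")
    print("PUT", url)
    print(json.dumps(body, indent=2))
```

The helper sends nothing; the printed URL and body are what would be compared against the Try It form before clicking Run.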

Access to Reserve Commitments and Savings Plans

Commitment Permissions

We will use the same Service Principal created previously. We will add it to a role with Reader permission on each Reservation/Savings Plans Order ID. This will give us permission to read the usage data for Reservations or Savings Plans.

  • This process needs to be carried out on each of the Reservations or Savings Plans.

Product Settings:

  • CCA - Cloud Compliance Analyzer

  • Autofix

  • In the Azure Portal, select Microsoft Entra ID (it may also appear as Azure Active Directory);

  • Find your role in Overview > My feed. If your role is User, you must ensure that roles other than Administrator can register applications;

  • In the left side panel, select Users and then User Settings;

  • Check the App registrations setting. This value can only be set by the administrator. If set to Yes, any user in the Azure AD tenant can register an app.

Attention: If the setting is set to No, only someone with the administrator role will be able to make this configuration.

  1. Log in to your account via the Portal and access the Microsoft Entra ID menu. This Service Principal can be used for Lighthouse, CCA, Reservations and Savings Plans.

  2. In the "Microsoft Entra ID" section, select the App Registrations option from the side menu.

  3. Click the + Add button, then select the App Registration option.

  4. Enter the desired name for the Application. In the Supported account types section, choose the option Accounts in any organizational directory (Multitenant), then finish by clicking on Register.

  5. After creating the application, generate a secret.

  6. Click on the + New client secret button, then click on the Add button on the form next to it.

  7. Copy the generated secret value and the expiration date, and save them in a notepad.

  8. Click on Overview, copy the Application (client) ID and Directory (tenant) ID values, and save them together with the previous information.

  9. Now that we have the "Service Principal" created, to finish the process it will be necessary to create a Custom role in Tenant Root. In the search bar, look for Management Group and then click on Tenant Root.

  10. Now, click on Access control (IAM) and then on + Add, Add custom role.

  11. Now click on JSON.

  12. Here click on Edit.

  13. In this JSON file, add the Tenant Root Group ID of your account, copy the code and paste it in the next step.

  14. Here paste the code, save the configuration, then click on Review + create, as shown in the image below:

  15. To finish, click Create.

  16. Now, click on Access control (IAM) and then on + Add and Add role assignment.

  17. In this step, search for the name of the role created in the previous step in the search box, select that role, then click Next.

  18. Click on the Select members option. When the search box opens on the right side, search for the service principal created, then click on Select and Next.

  19. To finish, click on Review + assign.

  20. Below is the information that must be sent to Pier Cloud:

  • ClientID(Application ID);

  • Secret - The Secret value and the Secret ID;

  • Expires - Secret expiration date;

  • TenantID.
