How to Onboard an Azure Enrollment (EA) Parent Account

This user guide will show you how to onboard an Azure Enrollment (EA) Parent Account into CoreStack.

πŸ“˜

Note:

  • If the Azure subscription's value is $0, this will not be displayed under the Azure EA Parent Account in CoreStack for onboarding. However, this will start listing after the cost data is available in the subscription.
  • This kind of account is used for Billing Purposes only. No resources will be associated.

Pre-onboarding

There are certain pre-requisites that need to be set up in your Azure Subscription before it can be onboarded into CoreStack.

CoreStack uses the Daemon Application scenario with Client Credentials flow for OAuth2.0 flow and grant type as depicted here. Client Credential flow requires a valid Application registration to be created for a specific Azure subscription to successfully allow access to the required Azure resources.

There are two authentication options available to onboard an Azure EA account to CoreStack, with two options to choose from:

  1. Application Method
  2. API Key Method

Prerequisites for Application Method of Onboarding

  • The resource provider Microsoft.CostManagementExports should be registered in the subscription level (it is part of the script in step 1).
  • The storage account is needed to store the exported cost data under the same tenant subscription.
  • Run the script in the billing scope level to export the last three months cost and daily month-to-date cost (script available in step 1).

Application Method

To onboard your Azure Enrollment subscriptions into CoreStack, the following values must be generated/copied from your Azure console and configured in CoreStack:

  1. Tenant ID
  2. Application ID
  3. Application Secret

As you retrieve each of these values, keep them ready in a notepad to be able to copy and paste into CoreStack during the onboarding steps.

Step 1: Fetch Storage Account and Report Path

A data export must be created to export cost data of the subscription. To configure the data export and retrieve its storage account and report path information, perform the following steps:

  1. Login to the Azure portal: https://portal.azure.com/

  2. Open the CloudShell on the top.

  1. Run the below script to create required cost exports automatically. Some of the fields are explained below:

    πŸ“˜

    Note:

    • The script will create a new export along with the new storage blob container and directory. It will also create an export for the last three months and store it in a storage blob container for each and every month and month-to-date costs.
    • The below script will take 15 - 20 minutes to completet the cost export. Meanwhile, proceed with "Step 2: Fetch Storage Account and Report Path".
    • {billingAccountId} = Azure EA Enrollment ID
    • {subscription_id} = Subscription ID of where the storage account was created.
    • {storageAccount_name} = Name of the storage account that is created for cost export.
    • {resourcegroup_name} = Mention the resource group name where the storage account is created.
    • {TimePeriodFrom} = Mention the start date of the previous three month to export (for example, February '2023-02-01T00:00:00Z').
    • {TimePeriodTo} = Mention the end date of previous three month to export (for example, February '2023-02-28T00:00:00Z').
    Register-AzResourceProvider -ProviderNamespace Microsoft.CostManagementExports
    Start-Sleep -Seconds 100
    Install-Module Az.CostManagement
    Start-Sleep -Seconds 90
    $Params = @{
      Name = 'cscostexport'
      DefinitionType = 'ActualCost'
      Scope = 'providers/Microsoft.Billing/billingAccounts/{billingAccountId}'
      DestinationResourceId = '/subscriptions/{subscription_id}/resourceGroups/{resourcegroup_name}/providers/Microsoft.Storage/storageAccounts/{storageAccount_name}'
      DestinationContainer = 'cscostcontainer'
      DefinitionTimeframe = 'Custom'
      TimePeriodFrom = '2023-02-01T00:00:00Z'
      TimePeriodTo = '2023-02-28T00:00:00Z'
      DestinationRootFolderPath = 'csdirectory'
      Format = 'Csv'
    }
    New-AzCostManagementExport @Params
    Invoke-AzCostManagementExecuteExport -ExportName cscostexport -Scope 'providers/Microsoft.Billing/billingAccounts/{billingAccountId}'
    Start-Sleep -Seconds 120
    $Params = @{
      Name = 'cscostexport'
      DefinitionType = 'ActualCost'
      Scope = 'providers/Microsoft.Billing/billingAccounts/{billingAccountId}'
      DestinationResourceId = '/subscriptions/{subscription_id}/resourceGroups/{resourcegroup_name}/providers/Microsoft.Storage/storageAccounts/{storageAccount_name}'
      DestinationContainer = 'cscostcontainer'
      DefinitionTimeframe = 'Custom'
      TimePeriodFrom = '2023-03-01T00:00:00Z'
      TimePeriodTo = '2023-03-31T00:00:00Z'
      DestinationRootFolderPath = 'csdirectory'
      Format = 'Csv'
    }
    New-AzCostManagementExport @Params
    Invoke-AzCostManagementExecuteExport -ExportName cscostexport  -Scope 'providers/Microsoft.Billing/billingAccounts/{billingAccountId}'
    Start-Sleep -Seconds 120
    $Params = @{
      Name = 'cscostexport'
      DefinitionType = 'ActualCost'
      Scope = 'providers/Microsoft.Billing/billingAccounts/{billingAccountId}'
      DestinationResourceId = '/subscriptions/{subscription_id}/resourceGroups/{resourcegroup_name}/providers/Microsoft.Storage/storageAccounts/{storageAccount_name}'
      DestinationContainer = 'cscostcontainer'
      DefinitionTimeframe = 'Custom'
      TimePeriodFrom = '2023-04-01T00:00:00Z'
      TimePeriodTo = '2023-04-30T00:00:00Z'
      DestinationRootFolderPath = 'csdirectory'
      Format = 'Csv'
    }
    New-AzCostManagementExport @Params
    Invoke-AzCostManagementExecuteExport -ExportName cscostexport  -Scope 'providers/Microsoft.Billing/billingAccounts/{billingAccountId}'
    Start-Sleep -Seconds 120
    $Params = @{
      Name = 'cscostexport'
      DefinitionType = 'ActualCost'
      Scope = 'providers/Microsoft.Billing/billingAccounts/{billingAccountId}'
      DestinationResourceId = '/subscriptions/{subscription_id}/resourceGroups/{resourcegroup_name}/providers/Microsoft.Storage/storageAccounts/{storageAccount_name}'
      DestinationContainer = 'cscostcontainer'
      DefinitionTimeframe = 'MonthToDate'
      DestinationRootFolderPath = 'csdirectory'
      Format = 'Csv'
    }
    New-AzCostManagementExport @Params
    Invoke-AzCostManagementExecuteExport -ExportName cscostexport -Scope 'providers/Microsoft.Billing/billingAccounts/{billingAccountId}'
    Start-Sleep -Seconds 10
    Exit
    
  2. In the search bar at the top of the screen, search for Cost Management + Billing.

  1. In the Billing scopes field, ensure that the required enrollment account is selected.
  1. Select Settings > Exports and select the export that is created using the above script. For example, cscostexport.
  1. Verify the exports execution run history; count should be 4.
  1. Select the storage account used for cscostexport.
  2. Copy the values from the Export name, Storage account, Container, and Directory fields that were used while creating the data export.
  • The Storage account name will be used in the Storage Account field in CoreStack.
  • The Export name, Container, and Directory values will be used for the Report Path field in CoreStack. The Report Path must be entered in this format: <container name>/<directory path>/<export name>

Copy all the details from the above step in a safe location and provide them while onboarding your Azure Subscription account in CoreStack.

πŸ“˜

Note:

The last three months export and daily export data will be available for reference.

For example: in the location costexport/costdataexport/cscostexport.

Step 2: Fetch Application ID and Tenant ID

  1. In the Azure Portal, navigate to Azure Active Directory > App registrations > New registration. The Register an application screen appears.
  1. On the left pane, click App registration and click + New registration.
  1. In the Name box, type a name for the application, for example, CoreStack.App.

The other fields can be left with the default options.

  • The value of the Supported account types field can be Single Tenant.
  • The value of the Redirect URI field can be blank.
  1. Click Register.

The application will be registered, and the Application (client) ID and Directory (tenant) ID will be displayed on the Overview screen. Copy the Application ID and the Tenant ID and paste the details in a notepad.

Step 3: Fetch Application Secret

The Application Secret is the password or key that you need to provide for the specific app that was just created.

  1. On the Overview screen, click Certificates & secrets.
  2. Click + New client secret.
  3. Provide a description and expiry duration for the secret. You can leave the duration with the default value of 1 year. You can revoke this anytime later, if required.
  4. Click Add. The Client secret will be created and displayed.

πŸ“˜

Note:

Ensure that you copy this secret value and paste it in a notepad, since you cannot retrieve this later.

Step 4: IAM Access for App

The app that is created in Step 1 must have the required access within the subscription. To provide that access, follow the below steps:

  1. In the Azure Portal, navigate to Subscriptions .

  2. Select the Subscription that will be used for onboarding into CoreStack. The Overview screen appears.

  3. Click Access Control (IAM).

  4. Click + Add and then click to select Add role assignment. The Add role assignment screen appears.

  1. Select Job function roles for Assessment Only.
  1. Select the Reader role for Assessment Only.
  1. Select the privileged administrator roles for Assessment + Governance.
  2. Select Contributor for Assessment + Governance.
  1. Select job function roles for Assessment + Governance.
  1. Select the Resource Policy Contributor for Assessment + Governance.
  1. Ensure that the User, group, or service principal option is selected in the Assign access to field.
  2. Click + Select members and in the Select field, search and select the app that was created earlier. In this example, select CoreStack.App.
  1. Click the Save button to assign the role.

After the role is assigned, it will be listed in the Role Assignments tab.

πŸ“˜

Note:

The "Resource Policy Contributor" role assignment is required only if you intend to use CoreStack to create policies for your Azure subscription.

Step 5: Reservation Reader Role

πŸ“˜

Note:

You can skip this step if you don’t have any reserved instances in your subscription.

CoreStack requires the Reservation Reader role for the CoreStack.App to fetch the reserved instances in the subscription.

  1. Navigate to Virtual machines > Reservations > View.

You can now see all the reserved instances in your subscription.

  1. Click Role Assignment.
  1. Click +Add and then click Add role assignment.
  1. In the Assignment type field, select Job function roles.
  1. In the Search box, type Reservations Reader and select it from the search result and then click Next.
  1. Ensure that the User, group, or service principal option is selected in the Assign access to field.

  2. Search and select the app that was created earlier. In this example, select CoreStack.App in the Select field.

  3. Click Save button to assign the role.

Onboarding Steps for Application Method

The following steps need to be performed to onboard an Azure subscription account:

  1. Login to the CoreStack portal.

  2. Click ADD NEW > Single Account > Start Now. The onboarding screen displays.

  1. In the Enterprise Agreement field, click to select Azure EA.
  1. Click Get Started.

  2. In the Access Type field, click to select either Assessment or Assessment + Governance.

  3. In the Azure Environment field, click to select one option among Azure Global, Azure China, and Azure Government.

  4. In the Authentication Protocol field, click to select either API Key or Application.

  5. In the Currency list, click to select an appropriate currency.

  1. Click Next.

  2. If the account is going to be onboarded using the application authentication method, type the appropriate details in the Enrollment ID, Tenant ID, Application ID, and Application Secret boxes. These values can be retrieved as explained in the Pre-Onboarding section.

  1. Click Validate.

    The Advanced Settings section will be displayed with Name, Subscription, Storage Account, and Report Path fields.

  2. Modify the pre-populated name of the account in the Name field, if required.

  3. In the Subscription list, select the required subscription that will be used for onboarding the account in CoreStack.

  4. In the Storage Account box, type the storage account name where costexport was created. (Refer to Step-5: Fetch Storage Account and Report Path)

  5. In the Report Path field, enter the correct value in the following format:

    <container name>/<directory path>/<export name>
    
  1. Click I’m Done.

The Azure subscription account should now be onboarded successfully in CoreStack. Any relevant insights and information about the resources available in the account will be populated under each of the cloud governance pillars in CoreStack.

EA Scope for API Key Method

There are multiple scopes in the Azure EA level:

  • Billing Account level: If you create an API key with EA administrator privileges, CoreStack can fetch all the departments, accounts, and subscriptions under the Azure Enrollment (EA) Parent Account.
  • Department level: If you create an API key with department level administrator privileges, CoreStack can fetch only the subscriptions under that specific department in the Azure Enrollment (EA) Parent Account.
  • Account level: If you create an API key with account administrator privileges, then CoreStack can fetch only the subscriptions under that specific account in the Azure Enrollment (EA) Parent Account.

API Key Method

For onboarding an Azure EA account into CoreStack, the following steps need to be performed:

Step 1: Fetch Enrollment ID

To retrieve the Enrollment ID of the subscription, perform the following steps:

  1. Login to the Azure EA portal: https://ea.azure.com/
  2. On the left-side menu, click Manage.
  3. Select the Enrollment tab at the top of the page. The Enrollment screen appears.
  4. Copy the Enrollment Number from the Enrollment screen.

Step 2: Fetch API Key

To generate and retrieve the API Key from the subscription, perform the following steps:

πŸ“˜

Note:

Azure EA is read-only and all operations are moved to the Azure portal.

  1. Login to the Azure portal: https://portal.azure.com/
  2. Navigate to Cost Management + Billing > select Billing Scope > Billing > select the Usage + charges > select Manage API Access Keys on the top > perform the appropriate action:
    • To copy the existing primary or secondary key, click Copy in the Primary Key or Secondary Key section.
    • To regenerate a new key, click Regenerate in the Primary Key or Secondary Key section.

Onboarding Steps for API Key Method

The following steps need to be performed to onboard an Azure subscription account:

  1. Access the CoreStack portal.

  2. Click ADD NEW > Single Account > Start Now. The onboarding screen displays.

  1. In the Enterprise Agreement field, select Azure EA.
  1. Click Get Started.

  2. In the Access Type field, select either Assessment or Assessment + Governance.

  3. In the Azure Environment field, click to select one option among Azure Global, Azure China, and Azure Government.

  4. In the Authentication Protocol field, click to select either API Key or Application.

  5. In the Currency list, click to select an appropriate currency.

  1. Click Next.

  2. If the account is going to be onboarded using the API key method, enter appropriate details in Enrollment ID and API Key boxes.

  1. Click Validate. The Advanced Settings section will be displayed.

  2. In the Name field, modify the pre-populated name of the account, if required.

  3. Click I’m Done.

    The Azure subscription account is now onboarded successfully in CoreStack. Relevant insights and information about the resources available in the account will be populated under each cloud governance pillars in CoreStack.

Why are these Permissions Required?

CoreStack requires \ Contributor \ access to the following Service Providers. However, the account owner can restrict access to specific services that will only be managed through CoreStack.

Following table explains the need for access to the service with the rationale:

Azure ProviderProduct/CategoryReader Access (For Discovery)Contributor Access (For Actions)Remarks
Microsoft.ComputeVirtual Machines

Virtual Machines Scale Sets

Virtual Machines Sizes

Availability Sets

Image Publishers

Images

Disks
MandatoryMandatory
Microsoft.ContainerInstanceContainer GroupsPreferredOptional
Microsoft.ContainerRegistryContainer RegistryPreferredOptional
Microsoft.ContainerServiceContainer Service

Kubernetes
PreferredOptional
Microsoft.StorageStorage accounts

Storage Snapshots
MandatoryMandatory
Microsoft.RecoveryServicesRecovery VaultPreferredOptional
Microsoft.NetworkRoute Tables

Network Security Group

Virtual Networks

Public IP Address

Traffic Manager Profiles

Load Balancer

Express Routes

Application Gateway

Application Gateway

Available SSL Policy
MandatoryMandatory
Microsoft.SqlSQLPreferredOptional
Microsoft.DBforPostgreSQLPGSQLPreferredOptional
Microsoft.DBforMySQLMysqlPreferredOptional
  • Preferable: Access is not mandatory. However, some of the automation features will be not functional without the required access. You can exclude them for β€œAssessment-Only”.
  • Optional: Not mandatory, similar to that of Preferable. Core features will continue to work. Some low-level actions will have an Impact. You can exclude them for β€œAssessment-Only”.
  • Mandatory: Non-negotiable. Even to onboard account with read-only permissions (β€œAssessment-Only”), these access details would be needed.

Impact on the Azure Subscription

If you intend to use CoreStack for remediation and automation, CoreStack creates resources and applies some configurations in Azure while configuring these capabilities in CoreStack.

Alert Rules and Alert Actions:

Alert rules will be created when monitoring thresholds are configured as part of the Operations – Alerts module.

A new alert action will be added to the created rules to invoke CoreStack notification webhook when threshold alert is triggered.

Azure Policy

CoreStack will create the Policy Definitions and Assignments based on the GuardRails you prefer to set-up for your Azure Subscription.

Security Center

CoreStack will enable the Free-tier or Standard Tier for the resources based on the security configurations.

Note: (Enabling Standard Tier has cost implications, please exercise caution during configuration).

Billing Impact due to CoreStack Onboarding

There is no billing impact as such in configuring your account with CoreStack until certain services are consumed through CoreStack.

The following table shows a few areas where there might be cost implications:

FeatureFree Units IncludedPriceCS Remarks
Alert Notifications100,000 web hooks per month$0.60/1,000,000 web hooksN/A
Dynamic ThresholdsNone$0.10β€―per dynamic threshold per monthCoreStack does not create Dynamic Thresholds as part of account onboarding. However, you can configure through an Operations template, if required.
Azure Security CenterFree TierPricing varies per resource type.Standard Tier, if opted into, will have higher cost impact.
Refer to Azure pricing page for more details.
Monitoring Metrics10 monitored metric time-series per month$0.10β€―per metric time-series monitored per monthN/A