Pre-Onboarding for Azure Microsoft Customer Agreement (MCA)
Introduction
Before onboarding an Azure Microsoft Customer Agreement (MCA) billing account into CoreStack, you must complete several setup tasks in the Azure portal. These steps ensure CoreStack has the correct credentials, permissions, and billing data export configuration needed to successfully connect and manage your MCA account.
This guide is for Azure administrators responsible for setting up the service principal and billing access required by CoreStack. Complete all steps in this guide before starting the MCA onboarding workflow in CoreStack.
Note: Azure MCA accounts support Read-Only access in CoreStack and are used primarily for FinOps capabilities. Ensure your Azure subscription includes MCA billing before proceeding.
Prerequisites
Before you begin, ensure the following:
- Azure Role: You have Global Administrator or Billing Account Owner access in the Azure portal.
- Azure Subscription: Your organization has an active Microsoft Customer Agreement (MCA) with Microsoft.
- CoreStack Access: You have Provider Admin or Account Admin role in CoreStack to perform the onboarding.
- Azure Portal Access: You can access portal.azure.com and the Cost Management + Billing section.
Step 1: Gather Your Billing Account ID
You will need the Billing Account ID to authenticate CoreStack with your MCA account.
- Sign in to the Azure portal.
- In the search bar, type Cost Management + Billing and select it from the results.
- In the left navigation pane, click Billing scopes.
- Select your MCA billing account from the list.
- Click Properties in the left menu.
- Copy the value in the Billing account ID field and save it for later.
Step 2: Register an Azure Active Directory (Azure AD) Application
CoreStack uses an Azure AD App Registration (Service Principal) to authenticate with your Azure environment.
- In the Azure portal, search for Azure Active Directory and open it.
- In the left navigation pane, click App registrations.
- Click + New registration.
- Enter a meaningful name for the application (for example,
CoreStack-MCA-Integration). - Under Supported account types, select Accounts in this organizational directory only.
- Leave the Redirect URI blank.
- Click Register.
Step 3: Copy the Application (Client) ID and Tenant ID
On the app registration Overview page, copy and save the following values:
- Application (client) ID — this is the Application ID required by CoreStack.
- Directory (tenant) ID — this is the Tenant ID required by CoreStack.
Step 4: Create a Client Secret
CoreStack requires a client secret to authenticate using the service principal.
-
In the app registration, click Certificates & secrets in the left navigation pane.
-
Under the Client secrets tab, click + New client secret.
-
Enter a description (for example,
CoreStack MCA Secret) and select an expiration period.Important: Note the expiration date. You must rotate the secret in both Azure and CoreStack before it expires to avoid authentication failures.
-
Click Add.
-
Immediately copy the Value of the newly created secret. This value is only visible once.
Warning: Once you navigate away from this page, the secret value is no longer visible. Store it securely before proceeding.
Step 5: Assign Billing Account Reader Permission to the Service Principal
CoreStack requires the service principal to have Billing Account Reader access at the MCA billing account scope. This allows CoreStack to read billing profiles, invoice sections, and subscription data.
Note: For billing profiles that sync through hierarchy sync, the service principal must also have Billing Admin Reader permissions at the billing account scope. Without this, zero-cost billing profiles may fail to sync, leading to incomplete billing data in CoreStack.
- In the Azure portal, go to Cost Management + Billing.
- Select your MCA Billing account from the Billing scopes list.
- In the left navigation pane, click Access control (IAM).
- Click + Add and select Add role assignment.
- In the Role dropdown, select Billing account reader.
- Under Select members, search for the name of the app registration you created in Step 2 (for example,
CoreStack-MCA-Integration) and select it. - Click Save.
Step 6: Set Up Cost Export to Azure Blob Storage
CoreStack requires billing cost data to be exported to an Azure Blob Storage container. You must configure exports for both Actual Cost and Amortized Cost.
Step 6a: Create or Identify a Storage Account
- In the Azure portal, search for Storage accounts and open it.
- Either select an existing storage account or create a new one in the same region as your billing data.
- Note the Storage account name and Subscription it belongs to — these are required during CoreStack onboarding.
Step 6b: Create a Blob Container
- Open your storage account.
- In the left navigation pane, click Containers.
- Click + Container and provide a name (for example,
corestack-mca-exports). - Set the Public access level to Private (no anonymous access).
- Click Create.
Step 6c: Configure the Actual Cost Export
- In the Azure portal, go to Cost Management + Billing.
- Select your MCA billing account.
- In the left navigation pane, click Cost Management > Exports.
- Click + Add.
- Fill in the following fields:
| Field | Value |
|---|---|
| Export type | Daily export of month-to-date costs |
| Metric | Actual cost (Usage and Purchases) |
| Export name | CoreStack-Actual-Cost (or similar) |
| Storage subscription | Select the subscription with your storage account |
| Storage account | Select the storage account from Step 6a |
| Container | Select the container from Step 6b |
| Directory | Enter a path (for example, actual) |
- Click Create.
- Note the full container path (for example,
corestack-mca-exports/actual) — this is the Actual Cost Path required during CoreStack onboarding.
Step 6d: Configure the Amortized Cost Export
- Repeat the export creation steps above.
- This time, set Metric to Amortized cost (Usage and Purchases).
- Use a different directory path (for example,
amortized). - Click Create.
- Note the full container path (for example,
corestack-mca-exports/amortized) — this is the Amortized Cost Path required during CoreStack onboarding.
Step 7: Grant Storage Blob Data Reader Access to the Service Principal
CoreStack's service principal must be able to read the exported cost files from the Blob Storage container.
- In the Azure portal, open your Storage account.
- In the left navigation pane, click Access control (IAM).
- Click + Add > Add role assignment.
- Select the role Storage Blob Data Reader.
- Under Select members, search for your app registration (for example,
CoreStack-MCA-Integration) and select it. - Click Save.
Summary: Values to Collect for CoreStack Onboarding
Before starting the MCA onboarding workflow in CoreStack, confirm you have collected all of the following values:
| Field Required in CoreStack | Where to Find It |
|---|---|
| Billing Account ID | Azure portal > Cost Management + Billing > Properties |
| Tenant ID | Azure AD > App registrations > Overview |
| Application ID | Azure AD > App registrations > Overview |
| Application Secret | Azure AD > App registrations > Certificates & secrets (copy on creation) |
| Subscription | Azure portal > Subscriptions |
| Storage Account | Azure portal > Storage accounts |
| Actual Cost Path | Container path used when creating the Actual Cost export |
| Amortized Cost Path | Container path used when creating the Amortized Cost export |
Updated about 4 hours ago