Introduction #
In an Azure account that is part of an Enterprise Agreement (EA), you need to configure the Cloud8 integration for each Subscription ID that is part of the Tenant ID (Directory) and also at the Enterprise Administrator level of the EA.
To connect an Azure account with an Enterprise Agreement (EA) to Cloud8, you need to:
- Create a Service Principal (App Registration)
- Assign the Reader role to each Subscription.
- Assign the Enrollment Reader role to the Service Principal at the Billing Account (EA) level.
To begin, search for Microsoft Entra ID and open the Overview tab. Note the Tenant ID.
We suggest keeping a notepad open to record the following information:
- SUBSCRIPTION ID (Step 1)
- SECRET VALUE (Step 2)
- APPLICATION ID (Step 2)
- TENANT ID (Step 2)
- ENTERPRISE APPLICATION ID (Step 4)
- ENTERPRISE APPLICATION OBJECT ID (Step 4)
- BILLING ACCOUNT ID (Step 5)
- GUID (Step 5)
Prerequisites #
- Change the portal language to English by clicking the Settings icon in the top menu. Then select Language + Region and choose English under Language.
- The user needs to be a Global Administrator in the tenant where the configuration will be performed.
- The user must be an Enterprise Administrator on the Enterprise Agreement account.
How to check if a user has the Enterprise Administrator role #
In the Azure Portal, search for “Cost Management + Billing”. In the Billing Scopes tab, verify that the user has access to the Billing Account, or that My role lists the user as an Enterprise Administrator.

To configure Enterprise Administrator access, another user who already has Enterprise Administrator access must grant it. To do this, select the Billing Account and click Access Control (IAM).

Click Add and select the Billing Account Administrator role. Under User, groups, or apps, select the user who will receive the role and click Add.
How to check if a user has the Global Administrator role #
In the top search bar, search for “Microsoft Entra ID”. In Overview, check whether the user has the Global Administrator role in the My Feed section.

To configure Global Administrator access, another user who already has Global Administrator access must grant the role in Microsoft Entra ID. Clicking Users opens the account's user list.

Select the user who will receive the new role and click Assigned roles. Then click Add assignments, search for Global Administrator, and finish by clicking Add.

Step 1 – Selecting the Subscription #
In the top search bar, search for “Subscription”. Select the subscription and note the Subscription ID.

Step 2 – Set up App Registration #
In the top search bar, search for App Registrations. Click App Registration.

Click “New registration” and set a name.

Select the created App Registration and click Certificates & Secrets in the left sidebar menu. Then click New Client Secret. Choose a name for the key and select an expiration date of 24 months.
The provider will be configured in Cloud8 using the Secret Value. Write it down immediately after creation, because it will no longer be visible afterwards.

While still in App Registration, note the Application ID and the Tenant ID.

Step 3 – Grant the necessary permissions to the App Registration #
Search for Subscription again, click Access control (IAM) in the subscription's left sidebar menu, then click Add > Add role assignment.

Select the roles Reader, Billing Reader, and Reservation Reader, then click Next.

In the Members tab, click Select members and look for the App Registration that was created. Then click Review + assign.

NOTE: This procedure must be performed for each subscription.
Step 4 – Configure the Enterprise Application (Enterprise Agreement only) #
Next, search for Enterprise Applications in the top search bar. Select the Enterprise Application that corresponds to the App Registration created in Step 2; whenever an App Registration is created, it automatically generates an Enterprise Application.
Write down the Name, Enterprise Application ID, and Enterprise Application Object ID in your notepad.

Step 5 – Assign Enrollment Reader permissions to the Service Principal (Enterprise Agreement only) #
In the top search bar, search for Cost Management + Billing. Under Overview, note the Billing Account ID.

With the data collected, the next step is to assign the necessary API permissions to the tool. First, generate a GUID, using the New-Guid command in PowerShell or the Online GUID/UUID Generator website. On the website, click Generate some GUIDs!
Note the generated GUID. We will call it GUID_NOVAPERMISSAO.

The GUID is the unique, immutable name of the new role assignment within Azure, so it is what identifies this assignment in access control, automation, logs, and governance.
Next, use the Role Assignments Put REST API to assign the EnrollmentReader role. Click Try it.

Fill in the fields with the following information:
- billingAccountName: BILLING ACCOUNT ID (Step 5)
- billingRoleAssignmentName: GUID_NOVAPERMISSAO
- Body: Fill in according to the model below.
{
  "properties": {
    "principalId": "<ENTERPRISE APPLICATION OBJECT ID>",
    "principalTenantId": "<TENANT ID>",
    "roleDefinitionId": "/providers/Microsoft.Billing/billingAccounts/<BILLING ACCOUNT ID>/billingRoleDefinitions/24f8edb6-1668-4659-b5e2-40bb5f3a7d7e"
  }
}
For the body:
- <ENTERPRISE APPLICATION OBJECT ID> => Obtained in Step 4
- <TENANT ID> => Obtained in Step 2
- <BILLING ACCOUNT ID> => Obtained in Step 5
Next, click Run to execute the assignment. Validate the result by checking that the Response Code is 200.
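The Step 5 request can also be prepared in a script, which catches placeholders or malformed IDs before the call is made and checks that the returned assignment is the Enrollment Reader role that was requested. This is an added example, not Cloud8's or Microsoft's code; the function names, the sample IDs, the `2019-10-01-preview` api-version and the shape of the response are assumptions.

```python
import json
import uuid

# Enrollment Reader role definition ID, copied from the request body on this page.
ENROLLMENT_READER = "24f8edb6-1668-4659-b5e2-40bb5f3a7d7e"
# Assumptions: public ARM endpoint and the preview api-version of Role Assignments - Put.
ARM = "https://management.azure.com"
API_VERSION = "2019-10-01-preview"


def _guid(label, value):
    """Return the canonical lowercase GUID, or fail naming the offending field."""
    try:
        return str(uuid.UUID(value.strip()))
    except (ValueError, AttributeError):
        raise ValueError(f"{label} is not a GUID: {value!r}") from None


def build_assignment(billing_account_id, sp_object_id, tenant_id, assignment_name=None):
    """Build (url, body) for the Step 5 PUT; a fresh GUID is used if none is given."""
    account = str(billing_account_id).strip()
    if not account or any(c in account for c in "<>/ "):
        raise ValueError(f"BILLING ACCOUNT ID looks wrong: {billing_account_id!r}")
    name = _guid("billingRoleAssignmentName", assignment_name or str(uuid.uuid4()))
    scope = f"/providers/Microsoft.Billing/billingAccounts/{account}"
    url = f"{ARM}{scope}/billingRoleAssignments/{name}?api-version={API_VERSION}"
    body = {"properties": {
        "principalId": _guid("ENTERPRISE APPLICATION OBJECT ID", sp_object_id),
        "principalTenantId": _guid("TENANT ID", tenant_id),
        "roleDefinitionId": f"{scope}/billingRoleDefinitions/{ENROLLMENT_READER}",
    }}
    return url, body


def assignment_matches(status_code, response_json, body):
    """True only for a 200 whose returned properties echo what was requested.
    Assumption: the response carries the same three property names as the body."""
    got = response_json.get("properties", {})
    return status_code == 200 and all(
        str(got.get(key, "")).lower() == wanted.lower()
        for key, wanted in body["properties"].items())


if __name__ == "__main__":
    # Constructed sample values; use the ones noted in Steps 2, 4 and 5.
    url, body = build_assignment("1234567", "11111111-2222-3333-4444-555555555555",
                                 "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
    # Print an Azure CLI call to run while signed in as an Enterprise Administrator.
    print(f"az rest --method put --url '{url}' --body '{json.dumps(body)}'")
```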
Done! You have configured the Service Principal and are ready to associate it with Cloud8. Fill in the data collected in the previous steps:
- Subscription ID = SUBSCRIPTION ID
- Tenant ID = TENANT ID
- Application ID = APPLICATION ID
- Password = SECRET VALUE

Setting up FinOps Analytics on Cloud8 #
This step is manual and performed by our team. Please send an email to support@cloud8.io informing us that the EA Enrollment Reader configuration processes have been successfully completed (200 code).
Enabling Best Practices on Cloud8 #
After the FinOps Analytics setup is complete and the data is synchronized in Cloud8, you will be able to enable the Best Practices feature in Cloud8.
Best Practices is an advanced advisor that combines over 1,000 unique security, backup, compliance, and cost reduction rules for AWS, Azure, GCP, and OCI with flexible alerts via Teams, Slack, or email.
In the Cloud8 sidebar menu, select Providers. Select your desired provider and click “Best Practices”.

You will need to select the providers for which you want to enable the functionality. To do this, uncheck the “Disabled on this provider” checkbox and select the “Same as main credentials” option.

Next, click “Configure”.
NOTE: If FinOps Analytics has just been enabled, you will need to wait at least 24 hours before enabling the Best Practices functionality.