05-02-2025 03:08 PM - edited 05-02-2025 03:10 PM
Cloud Account Management (CAM) for Azure
Azure offers several agreements, each designed with its own unique hierarchy and management structure. These include the Enterprise Agreement (EA), Microsoft Customer Agreement (MCA), and Microsoft Partner Agreement (MPA) / Microsoft Cloud Solution Provider Agreement (CSPA). Detailed documentation explaining the differences in agreement hierarchies is available in the blog for better understanding.
CAM currently supports the Enterprise Agreement (EA) to create and manage subscriptions using the Cloud Native Interface (CNI). The following figure outlines the key components or building blocks of CAM-Azure:
To create and manage subscriptions, an Azure Service Principal (SPN) with appropriate permissions is required. To create a new subscription, CAM needs to provide Billing and Enrollment IDs to. The SPN needs visibility into Billing and Enrollment to create the subscription. ServiceNow can invoke the Billing and Enrollment APIs and store the results in the tables. These are then offered to the provisioner (i.e., the admin) to choose from during the provisioning process. However, some companies are reluctant to grant access to these APIs because they are tied to several other entities. Hence, CAM has an option to supply only the Billing and Enrollment IDs, so that these IDs are used only for subscription creation.
Form to fill in Billing IDs manually
Form to fill in Enrollment ID manually for a given Billing Account
Required API permissions for ServiceNow SPN:
# | Role | Required | Actions Allowed | Role Definition ID |
1 | EnrollmentReader | Optional | Enrollment readers can view data at the enrollment, department, and account scopes. The data contains charges for all of the subscriptions under the scopes, including across tenants. Can view the Azure Prepayment (previously called monetary commitment) balance associated with the enrollment. | 24f8edb6-1668-4659-b5e2-40bb5f3a7d7e |
2 | DepartmentReader | Optional | Download the usage details for the department they administer. Can view the usage and charges associated with their department. | db609904-a47f-4794-9be8-9bd86fbffd8a |
3 | SubscriptionCreator | Required | Create new subscriptions in the given scope of Account. | a0bcee42-bf30-4d1b-926a-48d21664ef71 |
4 | Microsoft.Billing/billingAccounts/read | Optional | To read the list of billing accounts | |
5 | Microsoft.Management/managementGroups/subscriptions/write, Microsoft.Management/managementGroups/write | Required | To move subscription to right location once created | |
6 | Microsoft.Resources/tags/write | Required | Add tags to the subscription | |
7 | Microsoft.Billing/billingAccounts/billingSubscriptions/cancel/write | Required | To close / cancel the subscription | |
Here is the official Azure documentation for IAM permissions: Assign Enterprise Agreement roles to service principals
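The following is an added example, not part of the original post or of CAM itself: a least-privilege check that compares a role definition against the action strings in rows 4-7 of the table above and reports required actions that are missing and grants that are broader than CAM needs. The sample role, its name, and the `manual_ids` switch (modelling the manual Billing/Enrollment ID forms) are assumptions for illustration; the EA roles in rows 1-3 are assigned separately and are not covered here.

```python
import re

# Action strings copied from rows 4-7 of the table on this page.
REQUIRED = {
    "Microsoft.Management/managementGroups/subscriptions/write",
    "Microsoft.Management/managementGroups/write",
    "Microsoft.Resources/tags/write",
    "Microsoft.Billing/billingAccounts/billingSubscriptions/cancel/write",
}
OPTIONAL = {"Microsoft.Billing/billingAccounts/read"}


def covers(pattern, action):
    """True if an Azure action pattern ('*' wildcard, case-insensitive) matches."""
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, action, re.IGNORECASE) is not None


def audit_role(role, manual_ids=False):
    # manual_ids=True: Billing and Enrollment IDs are typed into the CAM
    # forms, so the optional billing read action is not needed.
    actions, not_actions = [], []
    for block in role.get("permissions", []):
        actions += block.get("actions", [])
        not_actions += block.get("notActions", [])

    def granted(action):
        return (any(covers(p, action) for p in actions)
                and not any(covers(p, action) for p in not_actions))

    allowed = {a.lower() for a in (REQUIRED if manual_ids else REQUIRED | OPTIONAL)}
    missing = sorted(a for a in REQUIRED if not granted(a))
    # Wildcards and anything outside the table are broader than CAM needs.
    excess = sorted(p for p in actions if "*" in p or p.lower() not in allowed)
    return {"missing": missing, "excess": excess}


# Constructed sample in the shape of `az role definition list` output.
SAMPLE_ROLE = {
    "roleName": "cam-servicenow-spn-example",  # hypothetical name
    "permissions": [{
        "actions": ["Microsoft.Management/managementGroups/*",
                    "Microsoft.Resources/tags/write",
                    "Microsoft.Billing/billingAccounts/read"],
        "notActions": [],
    }],
}
if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE, manual_ids=True))
```

For the constructed sample, the check reports the cancel action as missing and flags both the management-group wildcard and the billing read action as excess when IDs are entered manually.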
CAM requires several setup steps in the customer environment. Below are the high-level tasks:
- Configure the IAM Role and ServiceNow SPN user in the Azure Cloud.
- Set up an email alias for notifications.
- Configure Service Control Policies (SCPs) to lock and unlock accounts as needed.
- Share the necessary credentials and configuration details with the ServiceNow administrator for CAM integration.