Create a Microsoft Azure service principal
Give Cloud Cost Management access to Microsoft Azure billing and usage data by creating a Microsoft Azure service principal.
Before you begin
Microsoft Azure Role required: Azure Cloud admin
About this task
Cloud Cost Management supports Microsoft Azure billing and cost usage data for multiple types of billing agreements: Enterprise Agreement (EA), Microsoft Customer Agreement (MCA), and Microsoft Partner Agreement (MPA). There are specific roles that you must assign to the service principal depending on your billing agreement type. For more information on agreement types, see Billing information for Microsoft Azure.
Procedure
- From a web browser, open the App Registrations page of the Microsoft Entra ID portal.
- Log in using your global administrator credentials.
- In the Name field of the Register an application form, enter a name for the application.
- In the Supported account types field, select Accounts in any organizational directory (Any Microsoft Entra ID – Single tenant).
- Select Register.
  The application is registered and you’re redirected to the Overview page of the new application.
- On the Overview page, copy the values in the Application (client) ID and Directory (tenant) ID fields.
  Save them in a secure location for later use.
- Generate a client secret for your application.
  - From the side navigation menu, navigate to Manage > Certificates & secrets.
  - In the Client secrets section, generate a client secret for the application by selecting New client secret.
  - In the dialog box, fill in the fields.

    Table 1. Add a client secret dialog box

    | Field | Description |
    |---|---|
    | Description | Description of the client secret. |
    | Expires | Expiration of the client secret. Note: Your organization might apply policies to restrict client secret durability. Select an appropriate expiration period. |

  - Select Add.
  - Copy the client secret that is generated and save it in a secure location for later use.
- Get the Subscription ID to enable the service principal to work with various Azure subscriptions.
  - Navigate to Subscriptions.
  - Select the Subscription ID to which the service principal needs access.
  - Copy the Subscription ID from the Subscription Overview page.
- Assign access roles and permissions to the service principal depending on your billing agreement type.
  Refer to the table for required roles and permissions for the service principal.

  Table 2. Roles and permissions for Azure service principal

  | Billing agreement type | Role required |
  |---|---|
  | Enterprise Agreement (EA) | Enrollment Reader; Storage Blob Data Reader |
  | Microsoft Customer Agreement (MCA) | Billing Account Reader; Both Billing Profile Reader and Billing Reader; Storage Blob Data Reader |
  | Microsoft Partner Agreement (MPA) | Billing Reader; Storage Blob Data Reader |

  Permissions: These permissions are required for the service principal for all billing agreement types.
  - Microsoft.Compute/virtualMachines/instanceView/read
  - Microsoft.Compute/virtualMachines/deallocate/action
  - Microsoft.Compute/virtualMachines/start/action
  - Microsoft.Compute/virtualMachines/delete
  - Microsoft.Compute/virtualMachines/write
  - Microsoft.Compute/virtualMachines/read
  - Microsoft.Compute/locations/usages/read
  - Microsoft.Advisor/recommendations/read
  - Microsoft.Advisor/generateRecommendations/read
  - Microsoft.Advisor/generateRecommendations/action
  - Microsoft.Compute/disks/delete
  - Microsoft.Compute/disks/read
  - Microsoft.CostManagement/forecast/read
  - Microsoft.Compute/locations/diskOperations/read
  - Microsoft.Insights/Metrics/Read
  - Microsoft.Compute/locations/operations/read
  - Microsoft.Sql
  - Microsoft.DBforMariaDB
  - Microsoft.DBforMySQL
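As an added example (not part of the original documentation or of Cloud Cost Management), this Python check compares the Actions of a custom role definition with the permission list above and reports what is missing, what is granted beyond the list, and which granted actions are not read operations. The role name and sample actions are constructed, only Actions is examined, and matching the three bare provider namespaces by namespace alone is an assumption.

```python
import fnmatch

# Permissions copied from the page; the three bare provider namespaces on the
# last line are matched by namespace only (an assumption of this example).
REQUIRED = """
Microsoft.Compute/virtualMachines/instanceView/read
Microsoft.Compute/virtualMachines/deallocate/action
Microsoft.Compute/virtualMachines/start/action
Microsoft.Compute/virtualMachines/delete
Microsoft.Compute/virtualMachines/write
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/locations/usages/read
Microsoft.Advisor/recommendations/read
Microsoft.Advisor/generateRecommendations/read
Microsoft.Advisor/generateRecommendations/action
Microsoft.Compute/disks/delete
Microsoft.Compute/disks/read
Microsoft.CostManagement/forecast/read
Microsoft.Compute/locations/diskOperations/read
Microsoft.Insights/Metrics/Read
Microsoft.Compute/locations/operations/read
Microsoft.Sql Microsoft.DBforMariaDB Microsoft.DBforMySQL
""".split()

# Constructed sample custom-role definition (hypothetical name and actions).
SAMPLE_ROLE = {"Name": "ccm-billing-access", "Actions": [
    "Microsoft.Compute/*/read",
    "microsoft.compute/virtualmachines/write",
    "Microsoft.Advisor/*",
    "Microsoft.Insights/Metrics/Read",
    "Microsoft.Sql/servers/read",
    "Microsoft.Network/virtualNetworks/read",
]}

def covers(granted, needed):
    """True if a granted action (may hold *) covers a needed one, ignoring case."""
    g, n = granted.lower(), needed.lower()
    if "/" not in n:  # bare namespace: any grant inside that namespace counts
        return g.split("/", 1)[0] in (n, "*")
    return fnmatch.fnmatchcase(n, g)

def audit(role):
    """Compare a role's Actions with REQUIRED; NotActions is not evaluated."""
    acts = role.get("Actions", [])
    return {"missing": [r for r in REQUIRED if not any(covers(a, r) for a in acts)],
            "unlisted": [a for a in acts if not any(covers(a, r) for r in REQUIRED)],
            "non_read": [a for a in acts if not a.lower().endswith("/read")]}

if __name__ == "__main__":
    print(audit(SAMPLE_ROLE))
```

Six entries in the required list are themselves not read operations (virtual machine start, deallocate, write and delete, disk delete, and an Advisor action), so the client secret and the scope of the role assignment warrant the same handling as any credential that can modify resources.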
What to do next
Create a record of Microsoft Azure credentials in Cloud Cost Management