Microsoft Azure cloud connector

Use the Microsoft Azure cloud connector to collect the cost and usage data of the virtual machines that are provisioned in the Azure cloud. BMC Helix Cloud Cost uses this resource usage and cost data to provide forecasting and cost estimations, and to optimize your cloud costs by using recommendations.

You can configure the connector to collect data from the following types of Azure subscriptions:

  • Azure Government 
  • Enterprise Agreement (EA)
  • Microsoft Customer Agreement (MCA)
  • Pay-As-You-Go (Web Direct)

All communication between BMC Helix Cloud Cost and Microsoft Azure is secure over HTTPS. The connector uses the following APIs to collect data from Azure:

  • Azure WD usage
  • Azure EA usage
  • Subscriptions
  • Resources
  • Metrics
  • Metric definitions

License utilization

A product license gets consumed when the connector is used to collect data from the following asset types:

  • Microsoft Azure Virtual Machine
  • Microsoft Azure SQL Database
  • Microsoft Azure Database for MySQL
  • Microsoft Azure Database for PostgreSQL
  • Microsoft Azure Cache for Redis
  • Microsoft Azure Kubernetes Service
  • Microsoft Azure API Apps
  • Microsoft Azure App Services
  • Microsoft Azure Web Apps

Collecting data by using the Microsoft Azure cloud connector

To collect data by using the Microsoft Azure cloud connector, do the following tasks:

I. Complete the preconfiguration tasks.

II. Configure the connector.

Step I. Complete the preconfiguration tasks

For the Pay-As-You-Go Azure subscription

To collect the billing details of your Azure resources, the connector needs to make the REST API calls to Azure services. To authenticate with these APIs, you must specify the following details during the connector configuration:

  • Azure subscription ID
  • Azure Active Directory (AAD) tenant ID
  • Application ID
  • Authentication key

To fetch these details, complete the following preconfiguration tasks.

Step Details

Get your Azure subscription ID.

The subscription ID is a GUID that uniquely identifies your subscription to use Azure services.

  1. Log in to the Azure portal.
  2. From the Azure Portal menu, select Subscriptions.

  3. Locate the required subscription from the list of subscriptions, and note down the Azure subscription GUID.

Ensure that you have the required permissions to create an application in Azure Active Directory (AAD).
  1. Log in to the Azure portal.
  2. From the Azure Portal menu, select Azure Active Directory. The Overview page is displayed.
  3. In the left pane of Azure Active Directory, click User Settings.

  4. In the right pane, review the App registrations setting.
    1. Yes - Allows any user in the Azure AD tenant to register AD apps.
    2. No - Only admin users can register AD apps.
      Select Overview and review your user information to verify whether your account is an admin account. If your account is assigned to the User role, contact your administrator to select Yes or assign you an administrator role.



      For more information about checking the Azure Active Directory permissions, see Check Azure Active Directory permissions.

Create an AAD application to gain access to Azure resources.
  1. Log in to the Azure portal.
  2. In the left pane, select Azure Active Directory. The Overview page is displayed.

  3. In the left pane of Azure Active Directory, click App Registrations, and click New registration.

  4. Specify the following details and click Register.
    1. Name and redirect URI for the application.
    2. Supported account types as Accounts in this organizational directory only.

For more information about creating the Azure Active Directory application, see Create an Azure Active Directory application.

Obtain the Application ID and generate an authentication key for the application.

In a text editor (such as Notepad), copy the name of the Application ID and label it as Client ID. Copy the authentication key string to the text editor, and label the string as Azure Client Secret.



  1. Log in to the Azure portal.
  2. In the left pane, select Azure Active Directory. The Overview page is displayed.

  3. In the left pane of Azure Active Directory, click App Registrations, and in the right pane, select the application that you created in AAD.

  4. Note down the application (client) ID.
  5. To generate an authentication key, click Certificates & secrets > Client secrets > New client secret.
  6. Provide a description and expiry duration for the key and click Add.
    Note down the generated authentication key value.

For more information about obtaining the application ID and generating the authentication key, see Get application ID and authentication key.

Obtain the Tenant ID, which is the ID of the AAD directory where you created the application.

A Tenant is a representative of an organization within the Azure Active Directory. It is a dedicated instance of the Azure AD service. An AAD tenant is required for defining an application and assigning permissions to use REST APIs of other Azure services.

  1. Log in to the Azure portal and select Azure Active Directory.
  2. In Azure Active Directory, click Properties.
  3. Note down the value of the Directory ID, which is your tenant ID.

For more information about obtaining the tenant ID, see Get tenant ID.

Grant API access to the application.
  1. Log on to the Azure portal.
  2. In the left pane, select Azure Active Directory. The Overview page is displayed.
  3. In the left pane of Azure Active Directory, click App Registrations, and in the right pane, select the application that you created in AAD.
  4. In the left pane of Azure Active Directory, click API permissions > Add.
  5. On the Add permissions page, click Add a permission.
    1. On the Request API permissions page, select the Azure Service Management API.
    2. Select the permission user_impersonation (Access Azure Service Management as organization users (preview)).
      Note: If you select the DELEGATE PERMISSIONS check box before selecting the permission, the Select button is not enabled.
  6. Click Add permission.

Grant the Reader role to the application.

Ensure that the account in your Azure subscription has the Owner or User Access Administration role to manage access to Azure resources. If your account is assigned the Contributor role, you cannot grant roles.

  1. Log on to the Azure portal.
  2. In the left pane, select Subscriptions.

  3. Locate the required subscription and click Access Control (IAM).
  4. Click Add > Add role assignment, and select the role as Reader.
  5. In Assign access to, select Azure AD user, group, or service principal.
  6. Type your application in the search field.
  7. Click Save.

For more information about granting the Reader role to the application, see Assign application to role.
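
The following is an added example, not part of the BMC documentation or product: a least-privilege check that the application ended up with only the Reader role at the subscription scope granted in the step above. It assumes that you exported the service principal's role assignments as JSON with the Azure CLI command az role assignment list; the sample data, GUID, and principal name are constructed placeholders.

```python
import json

# Constructed sample in the shape of `az role assignment list -o json` output.
# The subscription GUID and principal name are placeholders, not real values.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SAMPLE = json.dumps([
    {"principalName": "helix-cost-connector", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "helix-cost-connector", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "helix-cost-connector", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/corp"},
])

ALLOWED_ROLE = "Reader"  # the only role the procedure above grants


def audit_assignments(raw_json, subscription_scope):
    """Return (expected, findings) for one service principal's role assignments."""
    expected, findings = [], []
    want = subscription_scope.rstrip("/").lower()
    for a in json.loads(raw_json):
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "").rstrip("/").lower()
        if role != ALLOWED_ROLE:
            findings.append((role, a.get("scope"), "role grants more than Reader"))
        elif scope == want:
            expected.append(a)  # Reader at exactly the intended subscription
        elif scope.startswith(want + "/"):
            findings.append((role, a.get("scope"),
                             "narrower than the subscription; data may be incomplete"))
        else:
            findings.append((role, a.get("scope"),
                             "not under the intended subscription (broader or different scope)"))
    return expected, findings


if __name__ == "__main__":
    ok, issues = audit_assignments(SAMPLE, SUB)
    print(f"{len(ok)} expected Reader assignment(s) at {SUB}")
    for role, scope, why in issues:
        print(f"REVIEW  {role:<12} {scope}  ({why})")
```
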

For the Enterprise Agreement Azure subscription

To collect the billing details of your Azure resources, the connector needs to access the billing API. To authenticate with the billing API, you must specify the Service Principal details or the Enrollment details during the connector configuration.

Service Principal details

Perform steps 2 to 7 in the preconfiguration tasks section and obtain the following details.

  • Azure Tenant ID
  • Azure Client Secret
  • Client ID

Enrollment details

  • Enrollment number
  • API access key

To fetch enrollment details, complete the following preconfiguration tasks:

Step Details

Obtain your enrollment number.

An enrollment is like a master account that is associated with your organization's EA. All your Azure subscriptions and bills are associated with this enrollment number. When enterprise administrators first sign up for Azure, they receive an enrollment number and an access key from Microsoft. Administrators can then sign in to the Azure EA portal and start performing the admin tasks.

  1. Log in to the Azure EA portal as an enterprise administrator.
    https://ea.azure.com
  2. Click Manage.
    The enrollment number is listed in the Enrollment Detail section.

Obtain the API access key that is required for authentication.
  1. Log in to the Azure EA portal as an enterprise administrator.
    https://ea.azure.com
  2. Click Reports > Download Usage > API Access Key.
  3. Perform one of the following steps:
    • If the primary key is available, click expand key and copy it.
    • If the primary key is not available, click Generate key, and copy the key.

Grant rights to the account owners and department administrators for viewing cost data.
  1. Log in to the Azure EA portal as an enterprise administrator.
    https://ea.azure.com
  2. Click Manage.
  3. Under Enrollment, enable the following:
    • DA view changes
    • AO view changes

Step II. Configure the connector

You must configure the connector to connect to Microsoft Azure for collecting the cost and usage data of Azure entities.

To configure the connector:

  1. In the BMC Helix Cloud Cost dashboard, navigate to Connectors > Add a Connector, and select Azure Cloud Connector from the cloud based connectors.
  2. On the Configure Connector page, configure the following properties:

    Property Description
    Connector name: A unique name for the connector.
    Azure environment
    Specify whether you want to import data from the Global Azure, Azure Government, or Azure Enterprise account. The default selection is a Global Azure account.
    • Global Azure
    • Azure Government (available only if you are licensed to use BMC Helix Cloud Security). For details, see the BMC Helix Cloud Security documentation.
    • Azure Enterprise

    Note: To collect data for the Microsoft Customer Agreement (MCA) type of subscriptions, select the Azure Enterprise option and provide the Service Principal details in the connector configuration.

    Select the type of data that you want to collect

    Depending on your Azure subscription, select the type of data that you want to collect:

    • Security & Compliance: Collect resource usage data to evaluate it for compliance and security. This option is available only if you are licensed to use BMC Helix Cloud Security.
    • Billing & Usage: Collect billing information to manage and optimize cost
    • Utilization: Collect resource usage data to monitor performance and generate recommendations

    Note: Recommendations are displayed only if you have configured the connector to collect both cost and utilization data.

  3. Depending on your Azure environment, select one of the following tabs for configuring the connector properties:

    Property Description
    Service Principal or App Registration credentials
    Azure Tenant ID

    Specify the tenant ID from your Azure Active Directory properties.

    Azure Client Secret Specify the authentication key that you generated from Certificates & secrets properties.
    Client ID Specify the application ID from the App registrations in the Azure Active Directory.
    Property Description
    Service Principal or App Registration credentials
    Azure Tenant ID

    Specify the tenant ID from your Azure Active Directory properties.

    Azure Client Secret

    Specify the authentication key that you generated from Certificates & secrets properties.
    Client ID Specify the application ID from the App registrations in the Azure Active Directory.
    Billing and Usage

    Specify whether you want to collect billing and usage data for all the subscriptions or only for the subscriptions that use Service Principal based authentication.

    • Collect Billing and Usage data for subscriptions associated with the Service Principal/App Registration credentials: To collect the billing and usage data from the subscriptions that use the Service Principal credentials, enter the tenant ID, client secret, and client ID.
    • Collect Billing and Usage data for all subscriptions: To collect billing and usage data from all subscriptions, enter the app registration credentials along with the enrollment ID, and API access key details.
      Note: Service Principal details are not used if you want to collect the billing and usage data of all the subscriptions. However, these details are required if you want to collect Security & Compliance or Utilization data.

    Required only if you want to collect billing data for all subscriptions
    Enrollment ID (Only for EA Azure environment)

    Specify the enrollment number that you obtained from Microsoft. Only cost data is imported from the subscriptions with this information.

    For importing utilization data, enter the Service Principal or App Registration credentials.

    Both the options can work together.

    Microsoft Azure API consistently generates a throttling error if the enrollment ID is 86182016. BMC Helix Cloud Cost uses an auto-retry mechanism to try to collect data from the provider. If the error persists after the auto retries, you might still see the throttling error.

    API Access Key (Only for EA Azure environment) Specify the API access key that you obtained during the preconfiguration tasks. This information is required to import the cost details from the subscriptions.

  4. Collection mode: By default, the data collection cycle is set to On Demand collection. You can select an appropriate unit of time (days, minutes, hours) to schedule the data collection frequency.
  5. On the Select Policies page, select the policies that you want to import from the policy library. This option is available only if you are licensed to use BMC Helix Cloud Security and choose to collect Security & Compliance data. For more information, see Managing policies.
  6. Click Continue. A confirmation message about the request for data collection processing is displayed.
    The Manage Connectors page shows the details of the newly configured Azure Cloud Connector.

Step III. Verify data collection

Verify that the connector ran successfully and check whether the Azure data is refreshed on the Dashboard.

To verify whether the connector ran successfully:

  1. On the Manage Connectors page, the state of the newly configured connector is updated to Running.
    When you run the connector for the first time, the connector recovers data for the past 6 months, and the data collection completes in approximately an hour.
  2. On the BMC Helix Cloud Cost dashboard, the Azure tab is displayed.
  3. Select the Azure tab from the Dashboard.
  4. In the Summary tab, verify that the total cost, historical cost, and total resources are displayed. Recommendations are also displayed if you have configured the connector to collect both utilization and cost data and you have efficiency issues in your infrastructure. Recommendations are not generated if all the resources are utilized efficiently.
  5. Resource pool information is not available by default. You must create a resource pool to view the resource pool details like name, resource count, budget, actual cost, and the projected cost. To create a resource pool, click Resource Pools.
  6. In the Accounts tab, verify that the account details like name, actual cost, change in cost (in US dollars and percent), percent total cost, and number of resources are displayed for the accounts you own.
  7. In the Services tab, verify that the service details like name, actual cost, change in cost (in US dollars and percent), percent total cost, and number of resources are displayed.
  8. In the Explore Bill tab, verify that the resource name, actual cost, resource type, region, account name, and the service name are displayed.

Related topics

Optimizing multi-cloud costs with recommendations

Microsoft Azure API documentation

