Skip to main content
With the Azure EA integration, you allow the service principal to have access at the billing scope level.
When you configure this integration, the Vantage service principal is granted enrollment reader permissions. The service principal does not have permissions—nor will it ever attempt—to make any changes to your infrastructure.
To integrate your Azure EA account with Vantage, follow the below steps:

Create a new application registration

Generate a client secret

Obtain your billing account ID

Assign Enrollment Reader permission to the service principal

Add app registration credentials to Vantage

Step 1 - Create a New Application Registration

1
From the main page of the Azure portal, search for and navigate to Microsoft Entra ID.
2
In the left navigation, under Manage, select App registrations.
3
Click + New registration.
Azure portal with App Registration menu option selected
4
The Register an application screen is displayed. For Name, enter vantage.
5
Leave all other settings as their defaults and click Register.
Azure portal the Register an application screen and vantage entered as app name
6
The app details are displayed. Record the Application (client) ID and Directory (tenant) ID to use later.
Azure portal with the client ID and tenant ID displayed and highlighted

Step 2 - Generate a Client Secret

1
On the same page, next to the Client credentials field, click Add a certificate or secret. (You can also access the Certificates and secrets screen from the left navigation menu.)
2
Click + New client secret.
3
The Add a client secret pane is displayed. For Description, enter a description, such as vantage-secret.
Azure portal with the Azure client secret window open and a new secreted created called vantage-secret
4
For Expires, select an expiration option for the secret.
If this secret expires, you will need to supply Vantage with a new secret before the expiration date.
5
Click Add.
6
The newly created secret is displayed. Copy the secret’s Value to add to the Vantage console later. This value will be displayed only one time.

Step 3 - Obtain Your Billing Account ID

1
Navigate to Cost Management + Billing.
2
On the left menu, click Billing scopes and select your EA Billing Account from the list.
3
On the left menu, click Settings > Properties.
4
Copy your Billing Account Id to add to the Vantage console later.

Step 4 - Assign Enrollment Reader Permission to the Service Principal

You need to have the billing account owner role permissions to assign enrollment reader permissions to the service principal. The below steps are based on the Azure documentation.
1
Navigate to Microsoft Entra ID, then select Enterprise applications.
2
From the All applications list, select the vantage application you previously created.
Azure portal with all apps listed in Enterprise Applications Source: Microsoft
3
Under Properties, copy the Application ID and Object ID.
Azure portal with App and Object ID listed Source: Microsoft
4
Open the Role Assignments - Put article from the Microsoft documentation in a new tab.
5
Next to the Create or update a billing role assignment step, click Try It.
Azure API role assignment sample call Source: Microsoft
6
A login in screen is displayed on the right. Using your account credentials, log in to the tenant that you want to assign enrollment reader access.
7
An API request form is displayed. In the Parameters section add the following values:
  • billingAccountName: Add the billing account ID you obtained in step 3.
  • billingRoleAssignmentName: Generate a unique GUID using the a GUID generator, as suggested by Microsoft.
  • api-version: Use 2019-10-01-preview.
8
In the Body section, copy and paste the request body below.
{"properties": {   "principalId": "<YOUR_OBJECT_ID>",   "principalTenantId": "<YOUR_TENANT_ID>",   "roleDefinitionId": "/providers/Microsoft.Billing/billingAccounts/<YOUR_BILLING_ACCOUNT_ID>/billingRoleDefinitions/24f8edb6-1668-4659-b5e2-40bb5f3a7d7e"}}
9
Update placeholders in the Body as follows:
  • principalId: The Object ID you copied at the beginning of this section.
  • principalTenantId: Your Directory (tenant) ID that you copied in step 1.
  • roleDefinitionId: Replace <YOUR_BILLING_ACCOUNT_ID> with the Billing account id you copied in step 3.
    • Note that 24f8edb6-1668-4659-b5e2-40bb5f3a7d7e is the billing role definition ID for an EnrollmentReader.
    Azure API role assignment parameters filled in Source: Microsoft
10
Click Run. You should see a 200 OK response, indicating that the request was successful.
If you receive an error, see the Troubleshoot section of the Microsoft article these instructions were based on.

Step 5 - Add App Registration Credentials to Vantage

1
Navigate to the Integrations page in the Vantage console, and add an Azure EA integration.
2
On the Azure EA integration page, click Add Credentials.
3
Add the following credentials:
  • For Azure AD Tenant ID, add the Directory (tenant) ID you obtained in step 1.
  • For Service Principal App ID, add the Application (client) ID you obtained in step 1.
  • For Service Principal Password, add the client secret you obtained in step 2.
  • For Billing Account Id, add the Billing Account Id you obtained in step 3.
4
Click Connect Account.
After completing the connection, you will see the status of your integration change to Importing within the Vantage console. This status indicates that Vantage is actively importing your Azure cost data. See the Integration Status documentation for details on integration statuses.

Update Your Client Secret

If you need to update your Azure EA integration’s client secret, see the Update Your Client Secret section in the main Azure connection documentation for detailed instructions.

Next Steps - Workspace Access

Once the import is complete and the integration status changes to Stable, you can select which workspaces this integration is associated with. See the Workspaces documentation for information.