With the Azure MCA integration, you allow the Vantage service principal to have access at the billing scope level.
When you configure this integration, the Vantage service principal is granted billing account reader permissions. The service principal does not have permissions—nor will it ever attempt—to make any changes to your infrastructure.
You must have a Vantage Organization Owner or Integration Owner role to add or remove this integration. See the Role-Based Access Control documentation for details.
To integrate your Azure MCA account with Vantage, follow the below steps:
Create a new application registration
Generate a client secret
Obtain your billing account ID
Assign the billing account reader role to the service principal
Add app registration credentials to the Vantage console
Grant Reader access for Active Resources and recommendations
On the same page, next to the Client credentials field, click Add a certificate or secret. (You can also access the Certificates and secrets screen from the left navigation menu.)
2
Click + New client secret.
3
The Add a client secret pane is displayed. For Description, enter a description, such as vantage-secret.
Click to view example image
4
For Expires, select an expiration option for the secret.
If this secret expires, you will need to supply Vantage with a new secret before the expiration date.
5
Click Add.
6
The newly created secret is displayed. Copy the secret’s Value to add to the Vantage console later. This value will be displayed only one time.
Step 5 - Add App Registration Credentials to Vantage
1
Navigate to the Integrations page in the Vantage console, and add an Azure integration.
2
On the Azure integration page, click Add Credentials.
3
Add the following credentials:
For Azure AD Tenant ID, add the Directory (tenant) ID you obtained in step 1.
For Service Principal App ID, add the Application (client) ID you obtained in step 1.
For Service Principal Password, add the client secret you obtained in step 2.
For Billing Account Id, add the Billing Account Id you obtained in step 3.
4
Click Connect Account.
After completing the connection, you will see the status of your integration change to Importing within the Vantage console. This status indicates that Vantage is actively importing your Azure cost data. See the Integration Status documentation for details on integration statuses.
Step 6 - Grant Reader Access for Active Resources and Recommendations
Steps 1-5 grant billing account reader access, which is sufficient for importing Azure cost data into Cost Reports. Billing account reader does not grant access to your resource inventory, so this step is required to use Active Resources and recommendations.
To populate the Active Resources tab and Azure cost recommendations, the same vantage service principal must also be granted the built-in Reader role at the subscription scope. This is required even when MCA billing access is already configured, because Vantage reads your resource inventory through the Azure Resource Manager APIs, which billing account reader does not cover.Assign the Reader role using the Azure CLI, repeating the command for each subscription you want inventoried:
az role assignment create --assignee <SERVICE_PRINCIPAL_APP_ID> --role Reader --scope "/subscriptions/<SUBSCRIPTION_ID>"
If your subscriptions sit under a management group, you can assign the Reader role once at the management group scope instead of per subscription. The role is inherited by all subscriptions beneath that management group.
You can also assign the Reader role through the Azure portal by following the portal instructions from the standard Azure integration.
After granting the Reader role:
Wait for the next daily sync. Resources can take up to ~24 hours to appear. See the Active Resources documentation for details.
Confirm the Azure integration is assigned to the workspace you’re viewing, as resources only appear in workspaces where the integration is enabled.
Steps 1-5 above are sufficient for importing Azure cost data into Vantage.If you also want Azure Reservations and Azure Savings Plans to appear on the Commitments page, continue to Optional Azure Reservations and Savings Plans and complete the additional permission steps there.
If you need to update your Azure MCA integration’s client secret, see the Update Your Client Secret section in the main Azure connection documentation for detailed instructions.
Once the import is complete and the integration status changes to Stable, you can select which workspaces this integration is associated with. See the Workspaces documentation for information.
