Adding your account
Pre-requisites
Secure Application Model
Microsoft uses the secure application model as its authentication solution for CSP Partners and Control Panel Vendors. This model helps to elevate the security measures in place to safeguard customer data and infrastructure. CSP partners are required to provide consent for CloudBilling to interact with services on their behalf.
Microsoft describes the “Secure application model” in more detail in Secure application model framework. Unfortunately, not all operations on the Partner Center API that CloudBilling uses are available through the app-only method (see further documentation). Therefore, CloudBilling is using the delegated permissions methodology.
Service Account
We highly recommend creating a new “service account” to provide consent to CloudBilling. This will avoid any disruption to the flow of usage data through the CSP connector if a user is disabled or leaves the organization in the future.
Required Partner Center Permissions
The Microsoft Partner Center user needs to have “Billing admin” and “Sales agent” permissions, or alternatively “Global admin” and “Admin agent”. Note that the combination of “Global Admin” and “Sales agent” is not sufficient to retrieve usage. Even though intuition would suggest that this role should grant a superset of permissions compared to “Billing admin”, it does not.
Connect to Partner Center
- Login to CloudBilling
- In the top menu, click on ‘Connectors’.
- In the menu on the left under ‘Microsoft CSP’ click on ‘Settings’.
- Click on ‘Login with your Microsoft Account’
- Follow the steps that are outlined by Microsoft
Once consent has been given CloudBilling will retrieve usage from Microsoft on a daily basis. The connector starts to send usage information to CloudBilling every day at 19:00 CET. The imported usage will become visible in CloudBilling as Purchases.
Further Configuration
Configure the product language
It is possible to select the language used for the Microsoft resources that are loaded from the Microsoft Ratecard API. You can select the language after consent has been provided. To change the language, navigate to the connector settings and press the edit button next to the account. Now you can change the language by clicking on Locale and selecting one of the options.
Common Issues
- The permission request might fail when you are (also) signed in with your personal Microsoft account. Sign out of your personal account before requesting permission, or use your browser’s private browsing-mode.
- Microsoft Entra Privileged Identity Management (PIM) is not supported and needs to be disabled temporarily while going through the permission request.
- Multifactor authentication needs to be enabled on the user account. However, as explained in the second point, not the two-step authentication service through PIM.
- When tenant-wide user consent is not set to ‘Allow user consent for apps’ the permission request will fail with the error “AADSTS65004: User declined to consent to access the app”. After admin approval has been given, restart the permission request.