Configure an EA or MCA Account with a Service Principal

Create an Account in CloudCheckr

  1. Launch CloudCheckr.
  2. On the Home page, type Account Hierarchy in the Search bar at the top of the screen.
    The Account Hierarchy page opens with the Accounts tab displayed by default.
  3. On the Accounts page, click the + NEW button.
  4. Select Account from the fly-out menu.
    The Create Account sub-drawer opens.
  5. Type a name for your account.
  6. Select Azure as your cloud provider from the drop-down menu.
  7. From the Location drop-down menu, select an option if you want to put your account within an existing folder.
  8. If you have a Payer account, select an option from the Payee Organizations drop-down menu that best fits how you want to create any future Payee accounts:
    • Place new payees at hierarchy root (default): CloudCheckr automatically places auto-created Payee accounts at the root (no parent group)
    • Place new payees in same parent group as payer: CloudCheckr automatically places any newly created Payee accounts within the same group as the Payer account
    • Place new payees in a specific location: CloudCheckr allows you to select an account group where it places all auto-created Payee accounts
  9. From the Attributes drop-down menu, select attributes that you want to apply to your account. Attributes are key/value pairs that help you organize and categorize your accounts in CloudCheckr CMx, similar to how account-level tags work currently in CloudCheckr. For the purposes of this procedure, we won't add any attributes during our initial configuration.
  10. Click SAVE. CloudCheckr CMx saves your new account and the page now displays the Edit Account sub-drawer.
  11. From the Edit Account sub-drawer, click on Manage Credentials.
  12. Select MCA or Enterprise Agreement Account (Using Service Principal).
  13. On the following page, select Collect billing data from my Microsoft Customer Agreement. Then, select the Use Service Principal with Secret Key tab.

Three parameters are required: your Directory/Tenant ID, App Registration ID, and Secret Key. Open a new tab and proceed to step 2.

  1. Log in to the Azure Portal
  2. Navigate to Microsoft Entra ID > App Registrations.
  3. Click + New registration.
  4. Create your application:
    1. Type a name for your application
    2. Select Accounts in this organizational directory only for supported accounts
    3. Under Redirect URI (optional), select Web, and in the URI field, type https://localhost
    4. Click Register
  5. Once the application is created, you will need to collect the Application ID and the Directory (tenant) ID. Use a program like Notepad to copy/paste these parameters as they will be needed later.
  6. In the Manage section of the application blade, click Certificates & secrets.
  7. Under Certificates & secrets, click + New client secret.
  8. Type a name for the client secret, select a timeframe when you want it to expire, and click Add.
    Copy the client secret and save it immediately since you will not be able to view it again.

In order to add the Enrollment Reader role to the Service Principal, you will need to use the Role Assignments - Put API call.

Sign in as an Enterprise Administrator, then click the green 'try it' button to open the API testing screen.

  1. In the Azure portal, navigate to Cost Management + Billing
  2. Select the billing scope.
  3. Navigate to Access control (IAM)
  4. Click + Add
  5. For role, select Billing account reader. Search for the service principal you created.
  6. Click Add

Back in CloudCheckr:

  1. Input the Directory/Tenant ID, Application ID, and the Secret Key.
  2. Select the Azure account type (Commercial or Government).
  3. Click the green Update button.
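
The three values and the account type can be checked locally before you enter them. This Python sketch is an added example, not CloudCheckr or Microsoft code: it validates the formats and builds a standard Microsoft identity platform client-credentials token request for the selected account type. The sample GUIDs and function names are constructed for illustration.

```python
import re
import urllib.parse
import urllib.request

GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
# Constructed sample values, not real identifiers.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_APP = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
# Login authority and Azure Resource Manager scope per Azure account type.
CLOUDS = {
    "Commercial": ("https://login.microsoftonline.com", "https://management.azure.com/.default"),
    "Government": ("https://login.microsoftonline.us", "https://management.usgovcloudapi.net/.default"),
}

def check_params(tenant_id, app_id, secret):
    """Return a list of problems with the three values; empty means they look sane."""
    problems = []
    if not GUID.fullmatch(tenant_id):
        problems.append("Directory/Tenant ID is not a GUID")
    if not GUID.fullmatch(app_id):
        problems.append("Application ID is not a GUID")
    if not secret or secret != secret.strip():
        problems.append("Secret Key is empty or has surrounding whitespace")
    elif GUID.fullmatch(secret):
        # The portal lists a GUID "Secret ID" next to the secret "Value".
        problems.append("Secret Key looks like the Secret ID, not the Value")
    return problems

def build_token_request(tenant_id, app_id, secret, cloud="Commercial"):
    """Build (url, form_body) for an OAuth 2.0 client-credentials token request."""
    problems = check_params(tenant_id, app_id, secret)
    if problems:
        raise ValueError("; ".join(problems))
    authority, scope = CLOUDS[cloud]
    url = f"{authority}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": secret,
        "scope": scope,
    })
    return url, body

def request_token(url, body):
    """POST the request (needs network); HTTP 200 means the ID/secret pair is valid."""
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status
```

A 200 from `request_token` confirms the tenant, application ID and secret only; it does not confirm the billing role assignment. Supply the secret from an environment variable or secret store rather than writing it into the script.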
