Generating Credentials for MCA CSP Partner Billing Configurations

In this step, you will create an app registration in Microsoft Entra ID to serve as the service principal for Flexera One to call in to Azure to retrieve your organization's Modern Commerce billing data.

To create an App registration in Microsoft Entra ID:

1. Sign in to the Azure portal (portal.azure.com) with your Azure account.
2. In the upper-left corner of the Web page, click the Show portal menu icon, and then click Microsoft Entra ID. The Microsoft Entra ID page opens.
3. In the left pane, click App registrations, and then click New registration. The Register an application page opens.
4. In the Name field, enter a name for the application (for example, ‘Cloud Billing Integration’).
5. From the Supported account types option, select one of the following:
   - Single-tenant, and then click Register.
   - Multi-tenant, enter the Optional Redirect URI as https://www.microsoft.com and then click Register.

Note: If using the multi-tenant account type, add the Entra ID App to the target Azure tenant. For more information, see Add the Entra ID App to Target Azure Tenant.

6. Hover over the Application (client) ID and click the Copy to clipboard button to record the ID as your Application ID.
7. Hover over the Directory (tenant) ID and click the Copy to clipboard button to record the ID as your Directory ID.
8. In the left pane, click Certificates & secrets, and then click New client secret. The Add a client secret dialog box opens.
9. In the Description field, enter a name for the client secret (for example, ‘Counsellings’) and from the Expires dropdown list, select your preferred expiration time.

Note: If you enter 1 year or 2 years, your secret will expire after this time and you will need to update it in Flexera One to continue importing billing data.

10. Click Add.
11. Hover over the secret Value and click the Copy to clipboard button to record the value as your Application Secret. (Also, for your records, note down the Expires date so you know when you will need to create a new secret and update your Flexera One Bill Connect.)

Add the Entra ID App to Target Azure Tenant

You must add the previously created Entra App to the target Azure tenant.

To add the Entra ID App to Target Azure Tenant:

1. Use the admin consent URL. This URL enables administrators to grant the necessary permissions to the App within the Azure environment.

https://login.microsoftonline.com/{{TargetAzureTenantId}}/oauth2/authorize?client_id={{applicationId}}&response_type=code&redirect_uri=https%3A%2F%2Fwww.microsoft.com%2F

2. Replace TargetAzureTenantId with the Storage Azure Tenant ID and applicationId with the Entra App ID.
3. Open the above URL in a private browser window to add the App to another tenant. You will see a prompt asking for authorization on behalf of the organization; click Accept.
4. Once the earlier steps are completed, you can log in to the portal of that tenant. Navigate to the enterprise applications section, where you will see the relevant information.
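
The URL template from steps 1 and 2, filled and checked in code. This is an added example, not Flexera or Microsoft code; the function names `build_consent_url` and `check_consent_url` and the sample IDs are assumptions made for illustration. It accepts only GUID-shaped IDs and lets an administrator confirm a consent URL carries exactly the expected tenant and App before opening it.

```python
import re
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Format of the Directory (tenant) ID and Application (client) ID values.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
HOST = "login.microsoftonline.com"
REDIRECT_URI = "https://www.microsoft.com/"  # decoded form of the template value


def build_consent_url(target_tenant_id, application_id):
    """Fill the URL template from step 1, accepting only GUID-shaped IDs.

    Rejecting other input keeps an unreplaced {{placeholder}} or a pasted
    client secret out of the URL; the error never echoes the rejected value.
    """
    tenant, app = target_tenant_id.strip(), application_id.strip()
    for label, value in (("TargetAzureTenantId", tenant), ("applicationId", app)):
        if not GUID_RE.match(value):
            raise ValueError(f"{label} is not a GUID")
    query = urlencode(
        {"client_id": app, "response_type": "code", "redirect_uri": REDIRECT_URI},
        quote_via=quote, safe="")
    return f"https://{HOST}/{tenant}/oauth2/authorize?{query}"


def check_consent_url(url, target_tenant_id, application_id):
    """True only if url is the template filled with exactly the expected IDs."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    return (parts.scheme == "https"
            and parts.netloc == HOST
            and parts.path == f"/{target_tenant_id}/oauth2/authorize"
            and query == {"client_id": [application_id],
                          "response_type": ["code"],
                          "redirect_uri": [REDIRECT_URI]})


if __name__ == "__main__":
    # Constructed sample IDs, not real tenant or application identifiers.
    tenant = "11111111-2222-3333-4444-555555555555"
    app = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    url = build_consent_url(tenant, app)
    print(url)
    print(check_consent_url(url, tenant, app))
```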

Granting Required Permissions to Your App in Microsoft Entra ID

This section describes how to grant the required permissions to your App in Microsoft Entra ID.

To grant billing account reader permission to your App in Microsoft Entra ID:

1. Sign in to Azure Portal (portal.azure.com).
2. In the upper-left corner of the page, click the hamburger menu, and select Cost Management + Billing.

The Cost Management + Billing page opens.

3. Click the Access control (IAM) menu item or, if the menu item does not appear, go to https://portal.azure.com/#blade/Microsoft_Azure_CostManagement/Menu/access

The Access control (IAM) page that corresponds to your Billing account appears.

4. Click Add to add a new permission on the Billing Account. The Add permission dialog box appears. Do the following:
a. In the Role dropdown list, select Billing account reader.
b. In the Select field, type the name of the App (the name you entered in Step 4 when you created the App registration in Microsoft Entra ID). App names do not appear in the list by default.

Important: You must type the actual App name in the Select field because, by default, Azure assumes you are granting permission to a list of users. However, you are instead granting permissions to the App itself and not a list of users.

5. Click the Save button.

To grant storage blob data reader permission to your App in Microsoft Entra ID:

1. Sign in to Azure Portal (portal.azure.com) using your Azure account (Storage Azure Tenant).
2. Navigate to your storage account.
3. Click Access Control (IAM). The Access control (IAM) page opens.
4. Click Add to add the permission to the storage account. The Add role assignment page opens.
5. Search for the Storage Blob Data Reader role and assign it to the storage account.