Prerequisites

The following prerequisite topics are covered here:

Confirming Azure Plan and Billing Scopes
Creating App Registration in Microsoft Entra ID
Ability to Create and Manage Azure AD Service Principals
Assigning BillingAccountReader Role to the Service Principal
Access to Azure Cost Management APIs
Access to Azure Storage Account
Assigning Storage Blob Data Reader Role
Seeding Historical Billing Data
Manage Organization Role in Flexera One

Confirming Azure Plan and Billing Scopes

Confirm that you have at least one subscription with the Azure Plan subscription type and that you have a Billing Account billing scope available.

To confirm Azure plan and billing scope:

1. Go to the Cost Management page. In the left pane, click Azure subscriptions.
2. Confirm that you have at least one subscription whose value for Plan is Microsoft Azure Plan.
3. In the left pane, click Cost Management + Billing, and then click Billing scopes.
4. Confirm that you have at least one scope whose value for Billing scope type is Billing account.

If you confirm both Step 2 and Step 4, you have an Azure plan and a Modern Commerce billing account provisioned. Continue to the next section, Creating App Registration in Microsoft Entra ID.

Creating App Registration in Microsoft Entra ID

In this step, you will create an app registration in Microsoft Entra ID to serve as the service principal for Flexera One to call in to Azure to retrieve your organization's Modern Commerce billing data.

To create app registration in Microsoft Entra ID:

1. Sign in to the Azure portal (portal.azure.cn) with your Azure account.
2. In the upper-left corner of the Web page, click the Show portal menu icon, and then click Microsoft Entra ID. The Microsoft Entra ID page opens.
3. In the left pane, click App registrations, and then click New registration. The Register an application page opens.
4. In the Name box, enter a name for the application (for example, 'Cloud Billing Integration'), ensure Single tenant is selected, and then click Register.
5. Hover over the Application (client) ID and click the Copy to clipboard button to record the ID as your Application ID.
6. Hover over the Directory (tenant) ID and click the Copy to clipboard button to record the ID as your Directory ID.
7. In the left pane, click Certificates & secrets, and then click New client secret. The Add a client secret dialog box opens.
8. In the Description box, enter a name for the client secret (for example, 'Counsellings') and from the Expires dropdown list, select your preferred expiration time.

Note:If you enter 1 year or 2 years, after this time your secret will expire and you will need to update it in Flexera One to continue importing billing data.

9. Click Add.
10. Hover over the secret Value and click the Copy to clipboard button to record the value as your Application Secret. (Also, for your record, note down the Expires date so you know when you will need to create a new secret and update your Flexera One Bill Connect.)

Ability to Create and Manage Azure AD Service Principals

A service principal (SPN) is an identity used by applications or services to access Azure resources. You must be able to:

Create a service principal in Azure AD.
Generate and securely store the Client ID, Tenant ID, and Client Secret.
Retrieve your Billing Account ID.

These credentials are used by Flexera One to authenticate and retrieve billing data from Azure.

Assigning BillingAccountReader Role to the Service Principal

To allow the service principal to access billing data, you must assign it the BillingAccountReader role.

To do so, click the Role dropdown list, and select Billing account reader. If you do not see this role, you may be on a scope other than the billing account, or you may not have the required access to view the billing account scope.

Access to Azure Cost Management APIs

Ensure that your Azure environment allows access to the Cost Management APIs, which are used to retrieve RI and SP. This includes:

API endpoint access
Proper authentication via the service principal
Required permissions (BillingAccountReader)

Note:Azure China does not support API streaming for Cost and Billing.

Access to Azure Storage Account

If you plan to use Exports to retrieve billing data, you must have access to an Azure Storage Account where the exported billing files will be stored.

Assigning Storage Blob Data Reader Role

The service principal must be granted the Storage Blob Data Reader role on the storage account. This allows Flexera One to read the exported billing data from the blob containers.

To do this:

1. In the Azure portal, go to Access Control (IAM).
2. Add the Storage Blob Data Reader role to the service principal.

Seeding Historical Billing Data

Before setting up recurring exports, you must manually upload historical billing data (if available) into the storage account. This allows Flexera One to access past billing records for accurate reporting.

Data should be placed in:

/Actual cost/
/Amortized cost/

For more information, see Seeding Historical Data.

Manage Organization Role in Flexera One

You must have the Manage Organization role in Flexera One. This role is required to:

Configure billing connections
Manage credentials and integration settings
View and manage imported billing data