Azure

Understanding billing account for Microsoft Customer Agreement (MCA)

by

Let’s be honest—cloud billing isn’t exactly the most exciting topic. But do you know what’s worse? Opening your Azure bill and feeling like you need a detective’s magnifying glass to figure out what’s going on. 🤯

If you’ve got a Microsoft Customer Agreement (MCA), understanding your billing account is key to keeping your cloud costs in check and avoiding any surprise charges. So, grab a coffee, and let’s break it down in a way that actually makes sense. ☕

What is an MCA Billing Account (And Why Should You Care)?

Think of your MCA billing account as the command center for all your Azure charges. It’s where you manage invoices, payments, and who gets to see (or mess with) your billing details. If Azure billing were a Netflix account, your billing account would be the primary profile—the one that controls everything.

Key Things Your MCA Billing Account Lets You Do:

  • View and manage invoices and payment methods 🧾
  • Set up multiple billing profiles for different teams or departments 🏢
  • Assign roles and permissions (so not everyone can max out the budget!)
  • Track spending across subscriptions 💰

If you’re managing an MCA billing account, congrats! You’ve got the keys to the financial kingdom—use them wisely.

Azure Billing Account: The Big Picture 🎯

Your Azure Billing Account is the home base for all things billing-related in your MCA. It’s where invoices, payments, and spending details live. If you think of Azure like a streaming service, your billing account is your main subscription—everything starts from here.

What You Can Do with an Azure Billing Account:

  • View and manage invoices 🧾
  • Set up and control billing profiles 💳
  • Assign billing roles to different users 👥
  • Track spending across all subscriptions 💰

This is your financial cockpit—control it wisely!

Billing Profiles: Keeping Budgets Organized 🏢

A Billing Profile is like a separate tab on your credit card statement for different teams, projects, or departments. Instead of one giant invoice that makes your head spin, you can split up costs for better organization.

Why Billing Profiles Matter:

  • They generate separate invoices for different teams.
  • You can set up different payment methods for each profile.
  • They help track spending more effectively.

So, if your company has an AI research team and a DevOps team, they can each have their own billing profile—no messy financial mix-ups!

Invoice Sections: Breaking Down Costs Clearly 📄

Under each Billing Profile, you have Invoice Sections. Think of these as subfolders inside your billing profiles—perfect for breaking down costs by project, department, or even specific environments (like Dev vs. Production).

How Invoice Sections Help:

  • You can group charges logically (e.g., marketing vs. engineering).
  • It makes cost tracking super clear.
  • Helps with financial reporting—no more guessing where money went!

If Billing Profiles are the different tabs on your statement, Invoice Sections are like itemized charges—they give you a clearer breakdown.

Subscriptions: Where the Magic Happens

Your Azure Subscriptions are where your actual cloud services live—virtual machines, databases, AI services, you name it. But each subscription needs to be linked to a Billing Profile to be paid for.

Key Things to Know About Subscriptions:

  • They inherit billing settings from their assigned billing profile.
  • You can have multiple subscriptions under one billing account.
  • Each subscription can be assigned to an Invoice Section for better tracking.

Think of it like multiple mobile lines on a family plan. Each line (subscription) has its own usage, but they all roll up into the main bill (billing profile).

Optimizing and Tracking Azure Costs

To effectively manage and optimize your Azure expenditures, consider the following practices:

  • Strategic Structuring: Align your billing profiles and invoice sections with your organization’s hierarchy or project structure. This alignment ensures that invoices reflect your internal financial organization, simplifying reconciliation and reporting.
  • Role-Based Access Control: Assign appropriate roles to team members based on their responsibilities. Azure offers various billing roles, such as Billing Account Owner, Billing Profile Owner, and Invoice Section Owner, each with specific permissions. Implementing role-based access ensures that individuals have the necessary access to perform their tasks without compromising security.
    • Billing Account Owner – The supreme leader of the billing universe. Full access.
    • Billing Profile Owner – Controls billing for one profile (but not the entire account).
    • Billing Profile Contributor – Can manage invoices and payments but not assign roles.
    • Billing Reader – Can see invoices but can’t touch them (great for finance teams!).
  • Regular Monitoring: Utilize Azure’s cost management tools to monitor spending across different billing profiles, invoice sections, and subscriptions. Regular analysis helps in identifying trends, detecting anomalies, and making data-driven decisions to optimize costs.
  • Budgeting and Alerts: Set up budgets and configure alerts for your billing profiles and invoice sections. Proactive notifications enable you to address potential overspending promptly, ensuring adherence to financial plans.

Pro Tips to Avoid Billing Headaches

  1. Assign Roles Wisely – Not everyone needs full access! Keep spending power in the right hands.
  2. Use Billing Profiles for Better Organization – Split billing by department or project to track spending easily.
  3. Enable Cost Management Tools – Azure has built-in cost tracking to help you avoid end-of-month surprises.
  4. Regularly Review Invoices – Set up a habit of checking your invoices to catch any unexpected charges.

Final Thoughts: Take Control of Your Azure Billing 💡

Understanding your MCA Billing Account isn’t just about paying bills—it’s about controlling costs, organizing expenses, and making sure your finance team doesn’t hunt you down. 😅

So next time you log into Azure, don’t panic at your invoice. Instead, think:

  • Is my billing organized?
  • Am I using Billing Profiles and Invoice Sections properly?
  • Do I need to adjust roles to keep spending in check?

Thanks for stopping by. ✌

Guide to Azure Private Endpoint vs Service Endpoint

by

In the realm of Azure networking, two pivotal features enhance the security and accessibility of your resources: Azure Private Endpoints and Azure Service Endpoints. Understanding their functionalities and differences is crucial for architecting secure and efficient cloud solutions.

Azure Service Endpoints

Azure Service Endpoints extend your virtual network’s identity to Azure services over the Azure backbone network. When a service endpoint is enabled on a subnet, traffic from that subnet to the Azure service remains within Microsoft’s network, reducing exposure to the public internet.

Key Features:

  • Simplified Security: Service endpoints allow you to secure Azure resources to specific virtual networks, enhancing control over which subnets can access particular services.
  • Optimized Routing: Traffic is routed directly through the Azure backbone, potentially reducing latency compared to routes over the public internet.
  • Integration with Network Security Groups (NSGs): You can leverage NSGs to control access, ensuring that only designated subnets or virtual networks can communicate with specific services.

Considerations:

  • Public Endpoint Usage: Despite routing over the Azure backbone, service endpoints connect to the service’s public endpoint, which may not meet stringent security requirements.
  • Azure-Only Access: Service endpoints are designed for traffic originating within Azure. On-premises resources cannot utilize service endpoints and must access services over the public internet.

Azure Private Endpoints

Azure Private Endpoints assign a private IP address from your virtual network to an Azure service, effectively bringing the service into your private address space. This setup ensures that traffic between your virtual network and the service remains entirely within the Azure network, eliminating exposure to the public internet.

Key Features:

  • Private IP Connectivity: Services are accessible via a private IP address within your virtual network, ensuring that all traffic stays within the private network.
  • Enhanced Security: By eliminating public internet exposure, private endpoints are ideal for sensitive data and applications requiring stringent security measures.
  • DNS Integration: Private endpoints require proper DNS configuration to resolve the service’s private IP address. Azure provides automatic DNS resolution, but custom configurations are also supported.

Considerations:

  • Complexity and Cost: Implementing private endpoints can be more complex and may incur additional costs due to the need for DNS configuration and management of private IP addresses.
  • Broader Access: Private endpoints allow access from on-premises networks and other virtual networks, provided they are connected, facilitating hybrid cloud architectures.

Comparison of Azure Service Endpoints and Private Endpoints

FeatureService EndpointsPrivate Endpoints
Connection TypeExtends VNet identity to the service’s public endpoint over Azure backboneAssigns a private IP from your VNet to the service
Security LevelEnhanced security by restricting access to specific VNets; still uses public endpointHighest security with no exposure to public internet
DNS ConfigurationNo changes required; uses public DNSRequires DNS updates to resolve private IPs
Access ScopeOnly from within Azure VNetsAccessible from on-premises and other VNets via private IP
Supported ServicesLimited to specific Azure servicesSupported by a broader range of Azure and third-party services
Use CaseSuitable for scenarios where enhanced security is needed without complex setupIdeal for sensitive data and applications requiring complete isolation

Choosing Between Service Endpoints and Private Endpoints

  • Opt for Service Endpoints if:
    • You need a straightforward way to enhance security for Azure services accessed from within Azure.
    • Your applications do not require complete isolation from the public internet.
    • You prefer minimal configuration without the need for DNS management.
  • Opt for Private Endpoints if:
    • Your applications handle sensitive data necessitating complete isolation from the public internet.
    • You require secure access from on-premises networks or other virtual networks.
    • You are prepared to manage the additional complexity and costs associated with private IP configurations and DNS management.

In summary, both Azure Service Endpoints and Private Endpoints serve to secure access to Azure services, but they cater to different security requirements and use cases. Assess your application’s specific needs to determine the most appropriate solution.

Azure – Using KeyVault with PowerShell – Updated

by

Azure Key Vault is used to safely manage Secrets, Certificates and Crytographic Keys used by cloud and on-premise applications. After the secrets are stored in Azure Key Vault, we can assign access policies to user accounts or SPNs to retrieve and use them.

In this post, I will cover,

  • How to create Azure Key Vault
    • Create and update secrets in Azure Key Vault
  • Create a new Azure AD application and SPN
    • Create a client Secret
  • Assign a policy in Azure Key Vault to allow access to the SPN we create
  • Store the Azure AD application ID and client secret in the SecretStore vault
  • Retrieve Secret from Azure Key vault using credentials stored in SecretStore vault

I’ll go through the steps in both the portal and via PowerShell.

Before proceeding further, make sure you are connected to Azure AD and Azure via PowerShell. You may or may not use the same global admin account to connect to both Azure AD and Azure, either way you can use the below cmdlets and adjust it accordingly where necessary.

$AzureADcred = Get-Credential
Connect-AzureAD -credential $AzureADcred
$Azcred = Get-Credential
$SubsName = Read-Host "Enter Azure Subscription Name"
Connect-AzAccount -Credential $Azcred -Subscription $SubsName

Azure Key Vault

Register Resource Provider

Using PowerShell

Use below cmdlet to register ‘Microsoft.KeyVault‘ as a resource provider in the subscription,

Register-AzResourceProvider -ProviderNamespace "Microsoft.KeyVault"

To confirm the registration is successful,

Get-AzResourceProvider | Where-Object {$_.ProviderNamespace -contains "Microsoft.KeyVault"} | select ProviderNamespace, RegistrationState

Using Azure Portal

  1. Login to Azure Portal (https://portal.azure.com/)
  2. Navigate to Subscriptions
  3. Click to select the desired Subscription
  4. In the left navigation menu, click on Resource providers
  5. Search for Microsoft.KeyVault
  6. Click on Microsoft.KeyVault
  7. Click Register
  8. Once complete, Status column for Microsoft.KeyVault will show Registered
Register Resource provider – Microsoft.KeyVault

Create Azure Key Vault

Using PowerShell

To proceed further, launch PowerShell as admin and install the Az.KeyVault PowerShell Module

Install-Module -Name Az.KeyVault

The New-AzKeyVault can be used to create a new Key Vault in Azure. To determine the locations where Key Vault is offered, use the below cmdlet,

Get-AzLocation | Where-Object {$_.Providers -contains "Microsoft.KeyVault"} | ft

Use the below cmdlets to create a new Key Vault,

$kvName = Read-Host "Enter a name for Key Vault"
$rg = Read-Host "Enter Resource Group Name"
$loc = Read-Host "Enter Azure location"
New-AzKeyVault -VaultName $kvName -ResourceGroupName $rg -Location $loc

To confirm Key Vault creation,

Get-AzKeyVault

Using Azure Portal

To cerate a new Key Vault from the Azure portal,

  1. Login to Azure Portal (https://portal.azure.com/)
  2. Search for key vault
  3. Click Create or Create key vault
  4. Provide below information,
    • Subscription
    • Resource group
    • Key vault name
    • Region
    • Pricing tier
  5. Leave the other options default and click Review + create
    • The other options in the creation steps,
      • Access policy = I’ll go through it later in this post
      • Networking = All networks to make it publicly accessible
      • Tags = As necessary

Below are my settings,

Create a key vault

Create SPN in Azure AD

In this step, we’re creating a service principal in Azure AD. We will assign permissions for this SP to retrieve secrets from the Azure Key vault in later step.

In Azure AD, the application registration is the template used to create the SP. Also, the SP is what can be authenticated and authorized. Application and SP are associated by Application ID and they differ in it Object ID.

To create a new Azure AD application,

$appname = Read-Host "Enter a name for the Azure AD application"
New-AzureADApplication -DisplayName $appname

To create a service principal,

$appname = Read-Host "Enter name of Azure AD application"
$AppId = (Get-AzureADApplication -Filter "DisplayName eq '$appname'").AppId
New-AzureADServicePrincipal -AccountEnabled $true -AppId $AppId -DisplayName $appname

Create Client Secret

Next, we create a new client secret using the Get-AzureADApplicationPasswordCredential cmdlet,

$appname = Read-Host "Enter Azure AD application name to determine Object ID"
$appObjID = (Get-AzureADApplication -Filter "DisplayName eq '$appname'").Objectid
$KeyId = Read-Host "Enter value for secret identifier"
New-AzureADApplicationPasswordCredential -ObjectId $appObjID -CustomKeyIdentifier $KeyId

Copy the value in the output to a notepad as I have highlighted above. This value will not be available to copy later.

Assign Permissions

Using PowerShell

We can assign necessary permissions to the Azure AD application we created in above step, using the Set-AzKeyVaultAccessPolicy cmdlet,

$appname = Read-Host "Enter Azure AD application name to determine Object ID"
$Appid = (Get-AzureADApplication -Filter "DisplayName eq '$appname'").AppId
$kvName = Read-Host "Enter a name for Key Vault"
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ServicePrincipalName $Appid -PermissionsToSecrets list,get

Using Azure Portal

  1. Login to Azure Portal (https://portal.azure.com/)
  2. Search for Key vault
  3. Click on the Key Vault we created earlier
  4. In the left navigation menu, click on Access policies
  5. Select Permission model as Vault access policy
  6. Click +Add Access Policy
  7. In the Add access policy window
    • For Secret permissions, select Get and List
    • For Select principal, select the SPN we created earlier
  8. Click Add
  9. Click Save to save policy

Manage Secrets in Key Vault

Applications, scripts or users can create, update, delete and retrieve secrets if they have the necessary policy assigned to them

Creating/Updating Secrets

To create a new secret, we can use the Set-AzureKeyVaultSecret cmdlet,

$Secret = ConvertTo-SecureString -String 'Password' -AsPlainText -Force
$kvName = Read-Host "Enter a name for Key Vault"
$SecName = Read-Host "Enter a name for secret"
Set-AzKeyVaultSecret -VaultName $kvName -Name $SecName -SecretValue $Secret

The secret can be updated to a new value using the same Set-AzureKeyVaultSecret cmdlet,

$Secret = ConvertTo-SecureString -String 'Password' -AsPlainText -Force
$kvName = Read-Host "Enter a name for Key Vault"
$SecName = Read-Host "Enter a name for secret"
$Expires = (Get-Date).AddYears(2).ToUniversalTime()
$NBF =(Get-Date).ToUniversalTime()
$Tags = @{ 'Department' = 'IT'; 'Environment' = 'Production'}
Set-AzKeyVaultSecret -VaultName $kvName -Name $SecName -SecretValue $Secret -Expires $Expires -NotBefore $NBF -Tags $Tags

Retrieving Secrets

To retrieve the current version of a secret, we use the Get-AzureKeyVaultSecret cmdlet,

$kvName = Read-Host "Enter a name for Key Vault"
$SecName = Read-Host "Enter a name for secret"
$secruretext = (Get-AzKeyVaultSecret -VaultName $kvName -Name $SecName).SecretValue

This will assign the stored secret to the $secruretext variable as a SecureString. We can now pass this to any other cmdlets that require a SecureString.

As I’ve already covered the Microsoft.PowerShell.SecretManagement and Microsoft.PowerShell.SecretStore PS modules in an earlier post, I’ll follow on the premise and store the client secret we created in the local vault. This way, I don’t have to save the client secret in the code as plaintext. To do this, we can store the Application ID and Client secret in a PSCredential object to the store,

$credential = Get-Credential
Set-Secret -Name azkv-01 -Secret $credential

In the Windows PowerShell Credential request window, for User Name input the Application (client) ID of the Azure AD application and for password input the Client Secret value we copied into a notepad earlier.

I’ve also created another secret as string in the local vault with my tenant ID value.

Putting this all together, we can use these below lines in PowerShell automation scripts,

$vpwd = (Import-CliXml "C:\Scripts\vpd.xml").Password
Unlock-SecretStore -Password $vpwd
$TenantId = Get-Secret -Vault CredsDB -Name TenantId -AsPlainText
$credential = Get-Secret -Vault CredsDB -Name azkv-01
Connect-AzAccount -ServicePrincipal -Credential $credential -Tenant $TenantId

To retrieve the secure string stored in the Azure Key vault, I’m using these lines below. Also for demo purposes, I’m including the -AsPlainText to the Get-AzKeyVaultSecret cmdlet but as I mentioned earlier, we can store this secure string to a variable and pass it on to other cmdlets.

$kvName = Read-Host "Enter a name for Key Vault"
$SecName = Read-Host "Enter a name for secret"
Get-AzKeyVaultSecret -VaultName $kvName -Name $SecName -AsPlainText
#or
$secruretext = (Get-AzKeyVaultSecret -VaultName $kvName -Name $SecName).SecretValue

I know this was a lengthy post and it may have gotten a little confusing right at the end with too many things named vault🤷‍♂️

Hope this helped you out in figuring out in including Azure Key Vault in your PowerShell automations.

Thank you for stopping by ✌

Azure – Integrate Azure AD B2C with ServiceNow

by

If you aren’t familiar with Azure AD B2C, it is a customer identity access management (CIAM) solution and is a separate service from Azure Active Directory (Azure AD). It is built on the same technology as Azure AD but for a different purpose. It allows businesses to build customer facing applications, and then allow anyone to sign up into those applications with no restrictions on user account. Azure AD B2C uses standards-based authentication protocols including OpenID Connect, OAuth 2.0, and SAML.

In an earlier post, I detailed steps on how to configure ServiceNow with Azure AD SSO. In this post, I will go through steps on how to integrate Azure AD B2C with ServiceNow.

Below is a diagram show the high level implementation steps on how to do this integration,

OpenID Connect (OIDC) is an identity layer built on top of the OAuth protocol, which provides a modern and intuitive Single Sign-on (SSO) experience. ServiceNow supports OIDC to authenticate users in Azure B2C.

I will not cover the Azure AD B2C tenant creation steps in this post.

Create new user flow

A user flow lets us determine how users interact with our application when they do things like sign-in, sign-up, edit a profile, or reset a password.

  1. Sign in to the Azure portal
  2. Make sure you’re using the directory that contains your Azure AD B2C tenant. Select the Directories + subscriptions icon in the portal toolbar
  3. On the Portal settings | Directories + subscriptions page, find your Azure AD B2C directory in the Directory name list, and then select Switch
  4. In the Azure portal, search for and select Azure AD B2C
  5. Under Policies, select User flows, and then select New user flow
  1. On the Create a user flow page, select the Sign up and sign in user flow
  2. Under version, select Recommended, and then select Create
  1. Enter a Name for the user flow. For example, su_si-1
  2. For Identity providers, select Email signup
  3. Under User attributes and token claims, choose the claims and attributes to collect and send from the user during sign-up. Select Show more, and then choose attributes and claims. Click OK. Below screenshot shows the attributes I’m collecting but it is up to you. These attributes can be modified in the user flow at any time
  1. Click Create to add the user flow. A prefix of B2C_1_ is automatically prefixed to the name

Create App Registration

  1. Stay logged into the Azure portal
  2. Make sure you are in the B2C directory
  3. In the left navigation menu, under Manage, Click App registrations, and then select New registration
  4. Enter a Name for the application. For example, ServiceNow
  5. Under Supported account types, select Accounts in any identity provider or organizational directory (for authenticating users with user flows)
  6. Under Redirect URI, select Web then enter your ServiceNow instance with /navpage.do in the URL text box
  7. Under Permissions, select the Grant admin consent to openid and offline_access permissions check box
  8. Click Register

Create a client secret

The client secret is also known as an application password. The secret will be used by ServiceNow to exchange an authorization code for an access token

  1. In the left menu, under Manage, select Certificates & secrets
  2. Click New client secret
  3. Enter a description for the client secret in the Description box. For example, SnowSecret
  4. Under Expires, select a duration for which the secret is valid, and then select Add
    • Note down the secret’s Value for use in ServiceNow. This value is never displayed again after you leave this page

Information needed to configure ServiceNow instance

  1. Click on the Overview, copy the Application (client) ID
  2. Next Click Endpoints
  3. Copy the value in Azure AD B2C OpenID Connect metadata document
  4. Replace with the User flow name we created earlier e.g. B2C_1_su_si-1. Browse to the URL in a Web browser to confirm you have the right URL
  5. You should have these 3 values,
    • Application (client) ID
    • Client Secret Value
    • OIDC well-known endpoint

Configure ServiceNow Instance

Hopefully, you already have SSO enabled in your ServiceNow instance. If not, please refer to this earlier post of mine

  1. Search for multi-provider sso and click Properties
  2. Enable multiple provider SSO
    • You’ll be asked to setup a recovery account
  1. Under Multi-Provider SSO and click Identity Providers
  2. Click New
  3. Click OpenID Connect
  4. In the Import OpenID Connect Well Known Configuration window, provide following information
    • Name = Name of the IdP you wish. Example, B2C
    • Client ID = Application (client) ID from Azure B2C application
    • Client Secret = Client Secret Value we created earlier in the application
    • Well Known Configuration URL = URL we constructed earlier with the policy name
  5. Click Import
  1. Make sure the new IdP is marked Active and Show as Login option is checked
  1. Click on the OIDC Entity tab and click to open the OIDC Entity
  2. Click on OAuth Entity Scopes, double-click on OAuth scope and replace openid with the below value
    • Use your Application (client) ID from B2C app registration
<Application (client) ID> openid offline_access profile email

This OAuth Scope value is required to generate an access token and without that ServiceNow will error out with a missing parameter. I realized this later on based on my research. I initially left it at openid and searching with the error, lead me to this.

  1. Click Update to save changes
  2. Click on OIDC Provider Configuration
  3. Click on OIDC provider value
  1. Update the User Claim to emails
  1. Click Update
  2. To keep things simple, I’m not enabling the Automatic user provisioning option
    • You can choose to enable automatic user provisioning during user login. When automatic user provisioning is enabled, a user record is automatically created in the ServiceNow instance if that user record does not exist.
  3. Back in the Identity provider window, Click Update to save the OIDC Identity Provider values
  4. Navigate to the login page of the instance to verify that IdP appears as a login option
  1. Create a test user in ServiceNow and login with the credentials to test if the IdP configuration works
  2. Optionally you can browse to the login page with the URL in following format,
    • To determine the sys_id, open the OIDC Identity provider we created, right-click on the grey bar and click Copy sys_id
    • Replace this sys_id in the URL below
    • This URL will take you directly to the sign-in page
https://<yourinstance>/login_with_sso.do?glide_sso_id=<sys_id>

Hope this post helped you in setting up your ServiceNow instance with Azure AD B2C.

Thank you for stopping by. ✌

Power BI – Analyze Azure Costs

by

Most organizations have Enterprise Agreement (EA) accounts for Azure billing. Microsoft offers the Cost Management App which can be used to view and analyze Azure costs using Power BI. The Cost Management App only works with EA accounts.

But you might have situations where you are managing Azure billing using Customer Agreement. Microsoft has updated the Azure Cost Manager connector in Power BI to support Customer Agreement. The Azure Cost Management connector for Power BI Desktop can be used to build powerful, customized visualizations and report to help us understand Azure spending.

Azure Cost Management allows 3 kinds of connections:

  • Customer Agreement: Common for small business or individual accounts
  • Enterprise Agreement: Accounts used by big organizations where payment goes through via purchase orders and such
  • Billing Profile: This is sort of like a subset of Customer Agreement. Allows us to organize via rules, like, cost-center, department, etc

To proceed further, make sure you have the Power BI desktop App downloaded and installed on your machine.

Determine Billing Information in Azure

To connect to a billing account, we need to retrieve the Billing account ID from Azure portal:

  1. In the Azure portal, search for Cost Management + Billing
  2. Select Billing profile
  3. In the left navigation menu, under Settings in the menu, select Properties
    • Make sure this billing account has a at least Billing account reader assigned to it
    • This can be determined by clicking on Billing scopes in the left navigation menu or in the Properties tab
  4. Under Billing profile, copy ID
Billing Account ID

Connect using Azure Cost Management in Power BI

To use the Azure Cost Management connector in Power BI Desktop:

  1. Launch Power BI Desktop
  2. Click Get data from the splash page or from the Home ribbon
  3. Click Azure from the list of data categories
  4. Select Azure Cost Management
Connect Azure Cost Management
  1. Under Choose Scope,
    • To connect to a Billing Account
      • Select Manually Input Scope and input the connection string in below format, with {billingAccountId} that we determined in the earlier section
        • /providers/Microsoft.Billing/billingAccounts/{billingAccountId}
    • To connect to a Billing profile
      • Select Manually Input Scope and input the connection string in below format, the {billingAccountId} and {billingProfileId} can be determined in the same properties tab as in earlier section
        • /providers/Microsoft.Billing/billingAccounts/{billingAccountId}/billingProfiles/{billingProfileId}
    • To connect to an EA account
      • Select Enrollment Number and type the account number
  1. I’m entering 12 months but this is up to you
    • The Advanced Options can be left blank
  2. Click OK
Azure Cost Management
  1. A Navigator window shows all the available data tables
    • Select a table to see a preview dialog
    • One or more tables can be selected by selecting the boxes beside their name and then click Load
      • For the report I have in mind, I only need the Usage details table and I’m selecting it to be loaded
Available Tables
Table Description
Balance summarySummary of the balance for the current billing month for EA
Billing eventsEvent log of new invoices, credit purchases, etc. Microsoft Customer Agreement only
BudgetsBudget details to view actual costs or usage against existing budget targets
ChargesA month-level summary of Azure usage, Marketplace charges, and charges billed separately. Microsoft Customer Agreement only.
Credit lotsAzure credit lot purchase details for the provided billing profile. Microsoft Customer Agreement only.
PricesheetsApplicable meter rates for the provided billing profile or EA enrollment.
RI chargesCharges associated to Reserved Instances over the last 24 months. This table is in the process of being deprecated, please use RI transactions
RI recommendations (shared)Reserved Instance purchase recommendations based on all subscription usage trends for the last 30 days
RI recommendations (single)Reserved Instance purchase recommendations based on single subscription usage trends for the last 30 days
RI transactionsList of transactions for reserved instances on billing account scope
RI usage detailsConsumption details for existing Reserved Instances over the last month
RI usage summaryDaily Azure reservation usage percentage
Usage detailsA breakdown of consumed quantities and estimated charges for the given billing profile on EA enrollment
Usage details amortizedA breakdown of consumed quantities and estimated amortized charges for the given billing profile on EA enrollment
Data available through the connector
  1. When we select Load, the data is loaded into Power BI Desktop
    • Depending on the tables you choose, you may be asked to for authentication
    • When the data we selected is loaded, the data tables and fields are shown in the Fields pane
Loaded fields

I built this visualization below using some of these fields,

Visualization showing Azure cost by ResourceGroup Name, Date, Meter and Meter sub-category

The data is there and you are only limited by the amount on time you have, to spend within Power BI and your imagination.😉

I’m a big fan of Tableau and I love creating visualizations. Now I’ve started using Power BI more and more with Azure related stuff. Plus Power BI Pro comes bundled with Office 365 E5.

Hope this post helped you in setting up your Azure cost reports with Power BI.

Thank you for stopping by. ✌