
Activate your EA Cloud Account

Before You Start

During the activation process, you will require two pieces of information:

  1. The Tenant ID or Tenant Domain of your Microsoft Tenant.
    This relates to the tenant containing the Azure or Office 365 subscriptions you wish to add to PyraCloud. For more information, see the section below: Locating your Tenant ID or Tenant Domain.
  2. A person within your organization with sufficient permissions to perform the onboarding process:
    1. Azure: The user should be assigned the “Owner” role in the Azure subscriptions you wish to add to PyraCloud.
    2. Office 365: The user should be a “Global Admin” in the Microsoft Tenant containing the Office 365 subscriptions you wish to add to PyraCloud.

Activate your EA Cloud Account

To complete the activation experience, follow the steps below.

Sign in to PyraCloud at https://portal.softwareone.com/.

Figure 1 – Sign in to the PyraCloud

Once the PyraCloud dashboard has loaded, click on Manage in the navigation menu and click Cloud Tenant Setup.

Figure 2 – Navigating to Cloud Tenant Setup

Add your EA Cloud Account

On the Cloud Tenant Setup page, click the Add Cloud Account tile.

Figure 3 – Add Cloud Account

On the Add Cloud Account page, select either Azure or Office 365. Enter a “Friendly Name” for your Microsoft tenant and then provide the Tenant ID or Tenant Domain.

Click Add Cloud Account.

Figure 4 – Enter Details for Cloud Account

Log in to the Microsoft portal using the credentials of a user who has Owner permissions to the Azure subscription(s) you wish to add to PyraCloud.

Note: If you wish to add more Azure subscriptions owned by other users, you can do this later. See the Add more Subscriptions section later in this document.

Figure 5 – Sign in to the Microsoft Portal

On the consent page, review the permissions required by PyraCloud and click Accept if you wish to proceed. You will be redirected back to PyraCloud.

Note: When you return to PyraCloud, you may see a blank screen for a few seconds. Please be patient while PyraCloud activates your tenant. For more information, see the What happens when I perform consent? section later in this document.

Figure 6 – Consent Page

When you return to PyraCloud, you will be presented with the Cloud Tenant Setup details page for the tenant you’ve just added. A progress bar will show you the progress of the activation process.

Once activation is complete, you will see your new tenant and its subscriptions. If the subscriptions are not immediately visible, wait a few minutes and refresh the page.

Figure 7 – Cloud Tenant Setup Page

Important: You must now add your EA access token. Follow the steps in the section Add an Access Token below.

Next Steps

Now that you’ve completed the activation of your tenant, you may wish to perform some further steps to help PyraCloud build a more complete view of your cloud spend: adding more subscriptions and allowing PyraCloud to write tags back to your Azure resources.

The next section describes those steps, and covers why you might want to complete them.

Take full advantage of PyraCloud Spend Management

Once your Microsoft Tenant is activated, there are further steps you can take to ensure that PyraCloud provides a more complete view of your cloud spend.

Add an Access Token

To add an access token, follow the steps below:

Note: If you need to generate a new access token, follow the steps in the “Generating your EA Access Token” section below.

Sign in to PyraCloud and navigate to Cloud Tenant Setup. Click Manage next to the tenant in question and click on the Access Tokens tab. Click Add Access Token.

Figure 8 – Add Access Token

In the Add Access Token dialog, paste your new access token in the Token field. Click Save.

Figure 9 – Token Field

Remove an Access Token

To remove an access token, follow the steps below:

Sign in to PyraCloud and navigate to Cloud Tenant Setup. Expand the tenant in question and click on the Access Tokens tab. Click Remove next to the access token you wish to remove.

Figure 10 – Remove Access Token

Click Remove again.

Figure 11 – Remove Access Token Window

Add More Subscriptions

Many organizations have several Azure subscriptions in a single Microsoft tenant. In some cases, it is not always the same person who has Owner permissions on all those subscriptions. In such a case, it is necessary for each subscription owner to activate the subscriptions they own.

To activate more subscriptions, follow the steps below:

Sign in to PyraCloud and navigate to Cloud Tenant Setup. Click Manage next to the tenant you want to add more subscriptions from and click on Add More Subscriptions.

Figure 12 – Add Existing Subscription

In the Add New Subscription dialog, select the type of subscriptions you wish to add and click Add.

Note: If Azure is selected, then the user performing consent should be the Owner of the Azure subscriptions being added. If Office 365 is selected, then the user performing consent should be a Global Admin of the tenant.

Figure 13 – Add Existing Subscription Window

Log in to the Microsoft portal using the credentials of the user who has Owner permissions to the Azure subscriptions you wish to add to PyraCloud.

Figure 14 – Sign in to the Microsoft Portal

On the consent page, review the permissions required by PyraCloud and click Accept if you wish to proceed. You will be redirected back to PyraCloud.

Note: When you return to PyraCloud, you may see a blank screen for a few seconds. PyraCloud is adding your subscriptions. Please be patient. For more information, see the What happens when I perform consent? section later in this document.

Figure 15 – Consent Page

On your return to PyraCloud, you will see the subscriptions owned by the user added to PyraCloud.

Sync Your Tags to Azure

When you activate your Azure subscriptions for the first time, PyraCloud assigns the Reader role by default. This means that the Tag and Resource Manager feature can import your resources and tags from Azure, but it cannot synchronise any tag changes you make in PyraCloud back to Azure.

If you would like Tag and Resource Manager to synchronise tags back to Azure, you need to change the level of access PyraCloud has for your Azure subscription.

The following access levels are available:

  1. Sync resources only, no tags – write back of tags disabled
    Tag and Resource Manager will download your resources to PyraCloud without the tags currently assigned in Azure. Any changes to tags will be stored in PyraCloud only. This setting requires the “Reader” role in your Azure subscription and will not make any changes to resources or tags in your Azure subscription.
  2. Sync resources and tags – write back of tags disabled
    Tag and Resource Manager will download your resources to PyraCloud including the tags currently assigned in Azure. Any changes to tags will be stored in PyraCloud only. Any tags assigned to resources in Azure will overwrite the tags for the corresponding resource in PyraCloud. This setting requires the “Reader” role in your Azure subscription and will not make any changes to resources or tags in your Azure subscription.
  3. Sync resources and tags – write back of tags enabled
    Tag and Resource Manager will download your resources to PyraCloud including the tags currently assigned in Azure. Any changes to tags will be synchronized back to your resources in Azure. This setting requires the “Tag Contributor” role in your Azure subscription and will only make changes to tags.

To change the level of access PyraCloud has for an Azure subscription, follow the steps below:

Sign in to PyraCloud and navigate to Cloud Tenant Setup. Click Manage next to the tenant in question and click on Change Access next to the subscription you wish to modify.

Figure 16 – Change Access Level

In the Change PyraCloud Access Level dialog, select your desired access level and click Change. You will be redirected to Microsoft for consent.

Figure 17 – Change Access Level Consent Window

Log in to the Microsoft portal using the credentials of the user who has Owner permissions to the Azure subscriptions for which you wish to modify the PyraCloud access level.

Figure 18 – Sign in to the Microsoft Portal

On the consent page, review the permissions required by PyraCloud and click Accept if you wish to proceed. You will be redirected back to PyraCloud.

Note: When you return to PyraCloud, you may see a blank screen for a few seconds. PyraCloud is updating the access level. Please be patient. For more information, see the What happens when I perform consent? section later in this document.

Figure 19 – Access Level Consent Window

On your return to PyraCloud, you will see the updated access level for the subscription.

Figure 20 – Updated Access Level

Generating your EA Access Token

Access tokens are generated through the Azure EA Portal. Since tokens expire on a regular basis, you may need to follow this process to regenerate a new token if your current token has expired.

To generate your access token, follow the steps below:

Sign in to the Azure EA Portal at https://ea.azure.com/.

Figure 21 – Sign in to the Microsoft Portal

When the portal has opened, click the Enrollment link at the top of the screen.

Figure 22 – Click on Enrollment

On the enrollment screen, enter your enrollment number in the Search box, and click on the tile for your enrollment.

Figure 23 – Enter Enrollment Number

On the Enrollment Detail page, click on Reports in the left navigation bar.

Figure 24 – Click on Reports

On the Usage Summary page, click the Download Usage link at the top.

Figure 25 – Download Usage

On the Download Usage page, click the API Access Key link at the top.

Figure 26 – Click on API Access Key

On the API Access Key page, click generate.

Figure 27 – Click on Generate

Click Yes.

Figure 28 – Click on Yes

Click expand key.

Figure 29 – Click on Expand Key

Click Copy.

Figure 30 – Click on Copy

Save this access token for use during cloud account activation.

Locating your Tenant ID or Tenant Domain

To locate your Tenant ID or Tenant Domain, please follow the steps below:

Sign in to the Azure Portal

Sign in to the Azure Portal at https://portal.azure.com. In the left navigation bar, click the Azure Active Directory menu item.

Note: If you cannot see the Azure Active Directory menu item, then click All Services at the top-left, and locate the Azure Active Directory item under the Security + Identity heading.

Figure 31 – Click Azure Active Directory

In the Azure Active Directory blade, click the Properties menu item. Your Tenant ID is shown in the Directory ID field. Copy or make a note of this ID for later use.

Figure 32 – Add Properties

In the Azure Active Directory blade, click the Custom domain names menu item. Your domains are shown in a list. The required domain is the one marked primary. Copy or make a note of this for later use.

Figure 33 – Custom Domain Names

Frequently Asked Questions

Why is my access token invalid?

An access token may be invalid for a few reasons:

  • The token is not complete.
  • The token is complete, but has expired.
  • The token is complete, but has been revoked.

The access token is incomplete

If your access token is incomplete, log in to the Azure EA Portal and copy your access token again. To do this, follow steps 1-6 and 9 and 10 in the Generating your EA Access Token section of this document.

The access token is complete, but has expired or has been revoked

If your access token has expired or has been revoked, follow all the steps in the Generating your EA Access Token section of this document to generate a new access token.

What happens when I perform consent?

When you perform consent, you are redirected to Microsoft to accept the permissions required by PyraCloud. As part of this process, PyraCloud is able to “impersonate” the consenting user for a short period (1 hour).

PyraCloud uses this impersonation to perform actions on behalf of the consenting user. This includes:

  1. Assigning the Reader role to the PyraCloud application for subscriptions owned by the consenting user during onboarding. This is outlined in the Add your EA Microsoft Tenant and Subscriptions section of this document.
  2. Assigning the Reader role to the PyraCloud application for subscriptions owned by the consenting user during the addition of more subscriptions to PyraCloud. This is outlined in the Add more subscriptions section of this document.
  3. Modifying the default Reader role to the Tag Contributor role (and vice versa) during the Change Access process. This is outlined in the Sync your tags to Azure section of this document.

What are the security implications of activating my tenant in PyraCloud?

When the consent process is performed, a “service principal” is created in your tenant. This is conceptually similar to adding a user dedicated to PyraCloud for the purposes of accessing your tenant and subscriptions.

Azure Subscriptions

When adding Azure subscriptions, the service principal is granted “Reader” access to those subscriptions. This is a built-in role in your Microsoft tenant that allows read only access to your resources. PyraCloud uses this access to retrieve a list of your resources (virtual machines, websites, etc.) and the tags assigned to them.

If you change the level of access to a setting that allows write back of tags, PyraCloud requires the “Tag Contributor” role. This level of access allows full access to your subscription with the notable exception of managing security settings in the subscription. PyraCloud uses this access to retrieve a list of your resources (virtual machines, websites, etc.) and the tags assigned to them. It also requires this level of access to synchronise the tags you assign in PyraCloud back to the resources in your Azure subscription.

For more information, see the Azure built-in roles reference.
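
To confirm after consent that the service principal holds only the roles this guide describes, the added example below (not part of the PyraCloud documentation) audits JSON saved from az role assignment list --all --output json. The audit function, the principal object ID and the subscription IDs are assumptions, and the sample data is constructed.

```python
import json
import re

# Roles the guide says the PyraCloud service principal receives.
DOCUMENTED_ROLES = {"Reader", "Tag Contributor"}
# The guide describes assignments on individual subscriptions only.
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[0-9a-fA-F-]{36}$")

# Constructed sample shaped like `az role assignment list` JSON output.
# All IDs below are placeholders, not real tenants or subscriptions.
SP = "11111111-1111-1111-1111-111111111111"
SUB = "/subscriptions/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa"
SAMPLE = json.dumps([
    {"principalId": SP, "roleDefinitionName": "Reader", "scope": SUB + "1"},
    {"principalId": SP, "roleDefinitionName": "Tag Contributor", "scope": SUB + "2"},
    {"principalId": SP, "roleDefinitionName": "Contributor", "scope": SUB + "3"},
    {"principalId": SP, "roleDefinitionName": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/example-mg"},
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "Owner", "scope": SUB + "1"},
])


def audit(assignments_json, principal_id, allow_tag_writeback=False):
    """Return (scope, role, reason) findings for one service principal."""
    allowed = {"Reader"}
    if allow_tag_writeback:
        allowed.add("Tag Contributor")
    findings = []
    for item in json.loads(assignments_json):
        if item.get("principalId", "").lower() != principal_id.lower():
            continue  # assignment belongs to a different identity
        role = item.get("roleDefinitionName")
        scope = item.get("scope", "")
        if role not in DOCUMENTED_ROLES:
            findings.append((scope, role, "role not described in the guide"))
        elif role not in allowed:
            findings.append((scope, role, "tag write-back role not approved"))
        if not SUBSCRIPTION_SCOPE.match(scope):
            findings.append((scope, role, "scope is not a single subscription"))
    return findings


if __name__ == "__main__":
    for scope, role, reason in audit(SAMPLE, SP):
        print(f"{role:16} {scope}  <- {reason}")
```

Pass allow_tag_writeback=True for tenants where the "write back of tags enabled" access level was chosen deliberately.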

Office 365 Subscriptions

When adding Office 365 subscriptions, the service principal is granted permissions to the Microsoft Graph API in your Microsoft tenant. Those permissions include:

  • Read all usage reports
    Microsoft Description: Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory.
  • Read all groups
    Microsoft Description: Allows the app to read memberships for all groups without a signed-in user. Note that not all group API supports access using app-only permissions.
  • Read all users’ full profiles
    Microsoft Description: Allows the app to read the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user.

For more information, see the Microsoft Graph API permissions reference.

Updated on June 10, 2020
