Before You Start
During the activation process, you will require two pieces of information:
- The Tenant ID or Tenant Domain of your Microsoft Tenant.
This relates to the tenant containing the Azure or Office 365 subscriptions you wish to add to PyraCloud. For more information, see the section below: Locating your Tenant ID or Tenant Domain.
- A person within your organization with sufficient permissions to perform the onboarding process:
- Azure: The user should be assigned the “Owner” role in the Azure subscriptions you wish to add to PyraCloud.
- Microsoft 365: The user should be a “Global Admin” in the Microsoft Tenant containing the Office 365 subscriptions you wish to add to PyraCloud.
Activate your EA Cloud Account
To complete the activation experience, follow the steps below.
Navigate to Cloud Tenant Setup
Sign in to PyraCloud at https://portal.softwareone.com/.

Once the PyraCloud dashboard has loaded, click on Setup in the navigation menu and click Cloud Tenant Setup.

Add your EA Cloud Account
On the Cloud Tenant Setup page, click the Add Cloud Account tile.

On the Add Cloud Account page, select either Azure or Office 365. Enter a “Friendly Name” for your Microsoft tenant and then provide the Tenant ID or Tenant Domain.
Click Add Cloud Account.

Log in to the Microsoft portal using the credentials of a user who has Owner permissions to the Azure subscription(s) you wish to add to PyraCloud.

On the consent page, review the permissions required by PyraCloud and click Accept if you wish to proceed. You will be redirected back to PyraCloud.


When you return to PyraCloud, you will be presented with the Cloud Tenant Setup details page for the tenant you’ve just added. A progress bar will show you the progress of the activation process.
Once complete you will see your new tenant and its subscriptions. If the subscriptions are not immediately visible, wait a few minutes and refresh the page.

Next Steps
Now that you’ve completed the activation of your tenant, you may wish to perform some further steps to help PyraCloud build a more complete view of your cloud spend by adding more subscriptions and allowing PyraCloud to write tags back to your Azure resources.
The next section describes those steps, and covers why you might want to complete them.
Take Full Advantage of PyraCloud Spend Management
Once your Microsoft Tenant is activated, there are further steps you can take to ensure that PyraCloud provides a more complete view of your cloud spend.
Add an Access Token
To add an access token, follow the steps below:
Sign in to PyraCloud and navigate to Cloud Tenant Setup. Click Manage next to the tenant in question and click on the Access Tokens tab. Click Add Access Token.

In the Add Access Token dialog, paste your new access token in the Token field. Click Save.

Delete an Access Token
To delete an access token, follow the steps below:
Sign in to PyraCloud and navigate to Cloud Tenant Setup. Expand the tenant in question and click on the Access Tokens tab. Click Delete next to the access token you wish to remove.

Click Delete again.

Add More Azure Subscriptions
Many organizations have several Azure subscriptions in a single Microsoft tenant. In some cases, it is not always the same person who has Owner permissions on all those subscriptions. In such a case, it is necessary for each subscription owner to activate the subscriptions they own.
To activate more subscriptions, follow the steps below:
Sign in to PyraCloud and navigate to Cloud Tenant Setup. Click Manage next to the tenant you want to add more subscriptions from and click on Add Existing Subscriptions.

In the Add New Subscription dialog, select the type of subscriptions you wish to add and click Add.

Log in to the Microsoft portal using the credentials of the user who has Owner permissions to the Azure subscriptions you wish to add to PyraCloud.

On the consent page, review the permissions required by PyraCloud and click Accept if you wish to proceed. You will be redirected back to PyraCloud.

On your return to PyraCloud, you will see the subscriptions owned by the user added to PyraCloud.
Sync Your Tags to Azure
When you activate your Azure subscriptions for the first time, PyraCloud assigns the Reader role by default. This means that the Tags and Resources feature can import your resources and tags from Azure, but it cannot synchronize any tag changes you make in PyraCloud back to Azure.
If you would like Tags and Resources to synchronize tags back to Azure, you need to change the level of access PyraCloud has for your Azure subscription.
The following access levels are available:
- Sync resources only, no tags – write back of tags disabled
Tags and Resources will download your resources to PyraCloud without the tags currently assigned in Azure. Any changes to tags will be stored in PyraCloud only. This setting requires the “Reader” role in your Azure subscription and will not make any changes to resources or tags in your Azure subscription.
- Sync resources and tags – write back of tags disabled
Tags and Resources will download your resources to PyraCloud including the tags currently assigned in Azure. Any changes to tags will be stored in PyraCloud only. Any tags assigned to resources in Azure will overwrite the tags for the corresponding resource in PyraCloud. This setting requires the “Reader” role in your Azure subscription and will not make any changes to resources or tags in your Azure subscription.
- Sync resources and tags – write back of tags enabled
Tags and Resources will download your resources to PyraCloud including the tags currently assigned in Azure. Any changes to tags will be synchronized back to your resources in Azure. This setting requires the “Tag Contributor” role in your Azure subscription and will only make changes to tags.
To change the level of access PyraCloud has for an Azure subscription, follow the steps below:
Sign in to PyraCloud and navigate to Cloud Tenant Setup. Click Manage next to the tenant in question and click on Change Access next to the subscription you wish to modify.

In the Change PyraCloud Access Level select your desired access level and click Change. You will be redirected to Microsoft for consent.

Log in to the Microsoft portal using the credentials of the user who has Owner permissions to the Azure subscriptions for which you wish to modify the PyraCloud access level.

On the consent page, review the permissions required by PyraCloud and click Accept if you wish to proceed. You will be redirected back to PyraCloud.

On your return to PyraCloud, you will see the updated access level for the subscription.

Generating your EA Access Token
Access tokens are generated through the Microsoft Azure Portal. Since tokens expire on a regular basis, you may need to follow this process to generate a new token if your current token has expired.
To generate your access token, follow the steps in the following KB article: How to Generate your Azure EA Access Token.
Save this access token for use during cloud account activation.
Activating Azure Microsoft Customer Agreement (MCA)
You can learn more about Microsoft Customer Agreements (MCA) on the Microsoft website here.
PyraCloud supports both legacy EA and modern MCA models. Before reading further, please make sure you have followed the Activating EA Account guidance.
How to Onboard MCA Tenant
First, make sure your account has the proper billing account type set up. To do that:
- Open https://portal.azure.com
- In the left pane select: Cost Management + Billing
- In the Settings section select Properties

Adding Billing Reader Role to PyraCloud
PyraCloud uses the Billing Account Reader role to access billing APIs. To learn more about roles, you can view the Azure documentation here.
1. In the left pane select: Cost Management + Billing
2. Select your MCA Billing Scope
3. Open the IAM section to assign permissions
4. In the IAM section click “Add” and assign the “Billing Account Reader” role to the service principal (SP)
5. Select Service Principal in the select section of the panel
6. Save changes. After 24 hours, MCA billing data should be synchronized with PyraCloud.
Locating your Tenant ID or Tenant Domain
To locate your Tenant ID or Tenant Domain, please follow the steps below:
Sign in to the Azure Portal
Sign in to the Azure Portal at https://portal.azure.com. In the left navigation bar, click the Azure Active Directory menu item.

In the Azure Active Directory blade, click the Properties menu item. Your Tenant ID is shown in the Directory ID field. Copy or make a note of this ID for later use.

In the Azure Active Directory blade, click the Custom domain names menu item. Your domains are shown in a list. The required domain is the one marked primary. Copy or make a note of this for later use.

Frequently Asked Questions
Why is my access token invalid?
An access token may be invalid for a few reasons:
- The token is not complete.
- The token is complete, but has expired.
- The token is complete, but has been revoked.
The access token is incomplete
If your access token is incomplete, log in to the Azure EA Portal and copy your access token again. To do this, follow steps 1-6, 9 and 10 in the Generating your EA Access Token section of this document.
The access token is complete, but has expired or has been revoked
If your access token has expired or has been revoked, follow all the steps in the Generating your EA Access Token section of this document to generate a new access token.
What happens when I perform consent?
When you perform consent, you are redirected to Microsoft to accept the permissions required by PyraCloud. As part of this process, PyraCloud is able to “impersonate” the consenting user for a short period (1 hour).
PyraCloud uses this impersonation to perform actions on behalf of the consenting user. This includes:
- Assigning the Reader role to the PyraCloud application for subscriptions owned by the consenting user during onboarding. This is outlined in the Add your EA Microsoft Tenant and Subscriptions section of this document.
- Assigning the Reader role to the PyraCloud application for subscriptions owned by the consenting user during the addition of more subscriptions to PyraCloud. This is outlined in the Add more subscriptions section of this document.
- Modifying the default Reader role to the Tag Contributor role (and vice versa) during the Change Access process. This is outlined in the Sync your tags to Azure section of this document.
What are the security implications of activating my tenant in PyraCloud?
When the consent process is performed, a “service principal” is created in your tenant. This is conceptually similar to adding a user dedicated to PyraCloud for the purposes of accessing your tenant and subscriptions.
Azure Subscriptions
When adding Azure subscriptions, the service principal is granted “Reader” access to those subscriptions. This is a built-in role in your Microsoft tenant that allows read only access to your resources. PyraCloud uses this access to retrieve a list of your resources (virtual machines, websites, etc.) and the tags assigned to them.
If you change the level of access to a setting that allows write back of tags, PyraCloud requires the “Tag Contributor” role. This level of access allows full access to your subscription with the notable exception of managing security settings in the subscription. PyraCloud uses this access to retrieve a list of your resources (virtual machines, websites, etc.) and the tags assigned to them. It also requires this level of access to synchronise the tags you assign in PyraCloud back to the resources in your Azure subscription.
For more information, see the Azure built-in roles reference.
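An added example, not PyraCloud or SoftwareOne code: a check of the role assignments the consent flow leaves behind, run over a JSON export in the shape `az role assignment list --all -o json` returns. The service principal object ID and every sample record below are constructed placeholders.

```python
# Roles this page says PyraCloud's service principal holds on a subscription.
READ_ONLY_ROLE = "Reader"
WRITE_BACK_ROLE = "Tag Contributor"

def is_subscription_scope(scope):
    """True only for '/subscriptions/<id>'; resource groups, single resources,
    management groups and the root scope '/' are all rejected."""
    parts = [p for p in scope.split("/") if p]
    return len(parts) == 2 and parts[0].lower() == "subscriptions"

def audit(assignments, principal_id):
    """Sort one principal's role assignments into the documented access levels."""
    report = {"read_only": [], "write_back": [], "unexpected": []}
    for a in assignments:
        if a["principalId"] != principal_id:
            continue  # assignment belongs to some other identity
        role, scope = a["roleDefinitionName"], a["scope"]
        if not is_subscription_scope(scope):
            report["unexpected"].append((scope, role))  # scope differs from the documented one
        elif role == READ_ONLY_ROLE:
            report["read_only"].append(scope)
        elif role == WRITE_BACK_ROLE:
            report["write_back"].append(scope)  # confirm tag write-back is intended
        else:
            report["unexpected"].append((scope, role))  # e.g. Contributor or Owner
    return report

# Constructed sample data (placeholder GUIDs), not taken from a real tenant.
SP_ID = "11111111-1111-1111-1111-111111111111"  # hypothetical object ID
OTHER_ID = "22222222-2222-2222-2222-222222222222"  # some unrelated user
SUB = "/subscriptions/00000000-0000-0000-0000-00000000000"
MG = "/providers/Microsoft.Management/managementGroups/example-mg"
SAMPLE = [
    {"principalId": SP_ID, "roleDefinitionName": "Reader", "scope": SUB + "1"},
    {"principalId": SP_ID, "roleDefinitionName": "Tag Contributor", "scope": SUB + "2"},
    {"principalId": SP_ID, "roleDefinitionName": "Contributor", "scope": SUB + "3"},
    {"principalId": SP_ID, "roleDefinitionName": "Reader", "scope": MG},
    {"principalId": OTHER_ID, "roleDefinitionName": "Owner", "scope": SUB + "1"},
]

if __name__ == "__main__":
    for bucket, items in audit(SAMPLE, SP_ID).items():
        print(bucket, items)
```

Anything in the `unexpected` bucket is access beyond the Reader and Tag Contributor levels described above and is worth reviewing with the subscription owner.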
Office 365 Subscriptions
When adding Office 365 subscriptions, the service principal is granted permissions to the Microsoft Graph API in your Microsoft tenant. Those permissions include:
- Read all usage reports
Microsoft Description: Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory.
- Read all groups
Microsoft Description: Allows the app to read memberships for all groups without a signed-in user. Note that not all group API supports access using app-only permissions.
- Read all users’ full profiles
Microsoft Description: Allows the app to read the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user.
For more information, see the Microsoft Graph API permissions reference.