normalian blog

Let's talk about Microsoft Azure, ASP.NET and Java!

How to get started with Azure Lighthouse to manage Azure resources across Azure AD tenants

I believe some Azure users might worry about how to manage Azure resources across Azure AD tenants. It is an important topic especially for Azure CSP users, because CSP subscription management assumes a separate Azure AD tenant per customer.
Today, you can retrieve Azure resources across Azure AD tenants by using Azure Lighthouse.

Overview of enabling Azure Lighthouse

Here are the steps to enable Azure Lighthouse:

  • Common Azure AD Tenant Owner:
    • Step 1: Create common Azure AD tenant (optional)
    • Step 2: Create a user group on the common Azure AD tenant and add user accounts to the group
  • Subscription Owner:
    • Step 3: Modify the ARM template
    • Step 4: Run PowerShell commands to enable Azure Lighthouse
  • Common Azure AD Tenant Owner:
    • Step 5: Retrieve Azure resources across Azure AD tenants
  • Subscription Owner:
    • Step 6: Delete the offer

You, the "Common Azure AD Tenant Owner", need to create a user group in the "common Azure AD tenant"; in most cases this Azure AD tenant is owned by a System Integrator or a similar service provider. User accounts in that group can then retrieve Azure resources across Azure AD tenants through the common Azure AD tenant.
Next, you, the Subscription Owner, need to update an ARM template and execute PowerShell commands to enable Azure Lighthouse.
Let's get into the details of each step.

Step 1: Create common Azure AD tenant (optional)

This step is optional: you can use an existing Azure AD tenant as the common Azure AD tenant. Refer to
Create an Azure Active Directory tenant | Microsoft Docs to create a new Azure AD tenant.
You need to note the "Directory ID" of this tenant, because it is used in Step 3.

Step 2: Create a user group on the common Azure AD tenant and add user accounts to the group

Open your common Azure AD tenant on the Azure portal. Choose "Groups" from the left-side menu and click the "New group" button to create a new user group in the Azure AD tenant.
You need to note the "Object ID" of this user group. This ID will be used to enable Azure Lighthouse in Step 3.

Complete this step by adding the users who should work through Azure Lighthouse as members of the group.

Step 3: Modify the ARM template

You need to update an ARM template file with the IDs noted in the previous steps: the Object ID of the user group and the Directory ID of the common tenant. You can find the RBAC role IDs in Built-in roles for Azure resources | Microsoft Docs. Choose "Contributor", "Reader" or another role depending on the requirements of the subscription owner; the role granted here is what the group will hold in the delegated subscription, so pick the least privileged one that covers the intended work.

Save the text below as a JSON file and replace the placeholder values following the instructions above.

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "mspName": {
            "type": "string",
            "metadata": {
                "description": "Specify the Managed Service Provider name"
            }
        }
    },
    "variables": {
        "mspRegistrationName": "[guid(parameters('mspName'))]",
        "mspAssignmentName": "[guid(parameters('mspName'))]",
        "mspOfferDescription": "Field Test Offer",
        "managedByTenantId": "<common Azure AD tenant ID>",
        "authorizations": [
            {
                "principalId": "<user group ID in your common Azure AD tenant>",
                "roleDefinitionId": "<RBAC role ID>",
                "principalIdDisplayName": "My auth"
            }
        ]
    },
    "resources": [
        {
            "type": "Microsoft.ManagedServices/registrationDefinitions",
            "apiVersion": "2019-06-01",
            "name": "[variables('mspRegistrationName')]",
            "properties": {
                "registrationDefinitionName": "[parameters('mspName')]",
                "description": "[variables('mspOfferDescription')]",
                "managedByTenantId": "[variables('managedByTenantId')]",
                "authorizations": "[variables('authorizations')]"
            }
        },
        {
            "type": "Microsoft.ManagedServices/registrationAssignments",
            "apiVersion": "2019-06-01",
            "name": "[variables('mspAssignmentName')]",
            "dependsOn": [
                "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
            ],
            "properties": {
                "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
            }
        }
    ],
    "outputs": {
        "mspName": {
            "type": "string",
            "value": "[concat('Managed by', ' ', parameters('mspName'))]"
        },
        "authorizations": {
            "type": "array",
            "value": "[variables('authorizations')]"
        }
    }
}
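Rather than copying the three IDs by hand, the script below looks them up and writes them into the saved template file. It is an added example, not part of the original post, and it assumes the template path used in Step 4, a group display name of "Lighthouse Operators" created in Step 2, and an Az session signed in to the common Azure AD tenant (the group lives there; built-in role IDs are the same in every tenant, so the role lookup can run there too as long as a subscription is visible in the context).

```powershell
# Added example: fill managedByTenantId, principalId and roleDefinitionId in the
# template from Step 3 by lookup. Assumptions: the template path below, the
# group display name from Step 2, and an Az session signed in to the common tenant.
$templatePath = "C:\Users\myuser\Desktop\azurelighthousesetup.JSON"
$groupName    = "Lighthouse Operators"   # assumed display name of the Step 2 group
$roleName     = "Reader"                 # start with the least privilege that meets the need

# Directory ID of the common tenant (the tenant the current session is signed in to)
$ctx = Get-AzContext
if (-not $ctx) { throw "Run Connect-AzAccount against the common Azure AD tenant first" }
$tenantId = $ctx.Tenant.Id

# Object ID of the user group created in Step 2; refuse to guess if the name is ambiguous
$group = @(Get-AzADGroup -DisplayName $groupName)
if ($group.Count -eq 0) { throw "Group '$groupName' not found in tenant $tenantId" }
if ($group.Count -gt 1) { throw "Group name '$groupName' is ambiguous; look it up by Object ID instead" }
$groupId = $group[0].Id

# Built-in role definition IDs are identical in every tenant; this call needs at least
# one subscription visible in the current context
$role = Get-AzRoleDefinition -Name $roleName
if (-not $role) { throw "Role '$roleName' not found" }

# Rewrite only the three placeholder values; everything else in the template is kept
$template = Get-Content -Path $templatePath -Raw | ConvertFrom-Json
$template.variables.managedByTenantId = $tenantId
$auth = $template.variables.authorizations[0]
$auth.principalId            = $groupId
$auth.roleDefinitionId       = $role.Id
$auth.principalIdDisplayName = "$groupName ($roleName)"
$template | ConvertTo-Json -Depth 20 | Set-Content -Path $templatePath -Encoding UTF8

# Print what was written so the subscription owner can review it before deploying
Write-Host "managedByTenantId : $tenantId"
Write-Host "principalId       : $groupId ($groupName)"
Write-Host "roleDefinitionId  : $($role.Id) ($roleName)"
```

Hand the resulting file to the subscription owner for Step 4; the values printed at the end are exactly what the delegated subscription will trust.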

Step 4: Run PowerShell commands to enable Azure Lighthouse

Make sure that you have already installed the Azure PowerShell module. If you haven't, install it with reference to Install Azure PowerShell with PowerShellGet | Microsoft Docs.

Now you can enable Azure Lighthouse by executing the commands below. Change the subscription ID and the ARM template JSON file path to match your environment.

Connect-AzAccount
Get-AzSubscription

# select the subscription that will be delegated to the common tenant
$subscription = Get-AzSubscription -SubscriptionId "your subscription ID"
Select-AzSubscription -Subscription $subscription

# mspName is a parameter of the template and is passed through as a dynamic parameter.
# A local template file is passed with -TemplateFile; -TemplateUri is only for a template served over HTTP(S).
New-AzDeployment -Name "Towboat" -mspName "$env:USERNAME TowboatProj" -Location EastUS -TemplateFile C:\Users\myuser\Desktop\azurelighthousesetup.JSON -Verbose

Here is what I saw when I ran the commands. The command takes a few minutes to complete, and it takes about 10 to 20 minutes before Azure Lighthouse is reflected on the Azure Portal.

Step 5: Retrieve Azure resources across Azure AD tenants

Find the "My customers (Azure Lighthouse)" menu on the Azure Portal and choose "Customers" from the left-side menu. Now you can see the subscriptions in other Azure AD tenants.

As an example of what Azure Lighthouse offers, you can now list Azure VMs across Azure AD tenants.

Step 6: Delete offer

Sign in with the "Subscription owner" account, choose "Service providers (Azure Lighthouse)" on the Azure Portal and select "Service provider offers" from the left-side menu. Delete offers by clicking the trash icons. Deleting the offer removes the delegated access that the common tenant's group had to the subscription.

Whose accounts can you invite into EA Portal with an administrator role?

As you know, you can use the Azure EA Portal to create new Azure subscriptions that are charged to your EA contract. Microsoft sends an invitation mail to an account owned by your company, and that account is invited as Enterprise Administrator. Refer to the article below if you need to confirm each role on EA Portal.
normalian.hatenablog.com

Next, you need to invite accounts into the new administrator roles. You have to confirm which account types can be invited, because there are two account types:

  • Microsoft Account
    • This account type is also called a "Personal Account"
    • Microsoft manages this account type
    • This account type is not an Azure resource
    • In the past you could create a Microsoft Account with your corporate mail address, such as yyyy@normalian.xyz, but that is no longer possible
  • Work or School Account

You invite these accounts on EA Portal. Open the "Auth Level" menu on EA Portal and choose the option that matches the account type of the administrators you want to invite.

Differences between Auth Levels on EA Portal

There are four "Auth Level" options to choose from. Assuming your organization has the "normalian.xyz" Azure Active Directory tenant, each option determines which account types you can invite.

Other tips

#1 You will see an error message if you choose the wrong Auth Level. Change to the proper Auth Level option to invite your accounts.

#2 The wizard to add new administrators changes depending on the Auth Level.

#3 Changing the "Auth Level" after inviting accounts has no effect on the existing administrator accounts.

#4 It seems to take a little time for a change of Auth Level to take effect, because inviting new accounts sometimes failed right after changing the Auth Level.

How to get started with Reporting APIs for Enterprise customers of EA Portal

I believe some folks are familiar with the Billing API for Microsoft Azure, which can be used even by pay-as-you-go customers. But almost nobody is familiar with the "Reporting APIs for Enterprise customers", because only customers with an EA contract can use these APIs.
docs.microsoft.com

I recommend referring to Azure Billing Enterprise APIs | Microsoft Docs, but here is a summary of what you can do with the APIs:

  • Balance and Summary API - offers a monthly summary of information on balances, new purchases, Azure Marketplace service charges, adjustments and overage charges.
  • Usage Detail API - offers a daily breakdown of consumed quantities and estimated charges by an Enrollment. The result also includes information on instances, meters and departments. The API can be queried by Billing period or by a specified start and end date.
  • Marketplace Store Charge API - returns the usage-based marketplace charges breakdown by day for the specified Billing Period or start and end dates (one time fees are not included).
  • Price Sheet API - provides the applicable rate for each Meter for the given Enrollment and Billing Period.
  • Reserved Instance usage API - returns the usage of the Reserved Instance purchases. The Reserved Instance charges API shows the billing transactions made.

Preparation to use the APIs

To use the APIs you need two items: the Enrollment Number and an API Access Key.

It's easy to pick up the "Enrollment Number": just visit EA Portal, where it is displayed.

Next, generate a new API Access Key on EA Portal.

After generating the key, you can copy it to your clipboard. Treat the key like a password, since anyone holding it can call these APIs for your enrollment.

Balance and Summary API

You can call this API easily by using the script below.

$AuthorizationKey = "your API Access Key"
$enrollmentNumber = "your enrollment number"

# the API Access Key is sent as a bearer token
$res = Invoke-WebRequest `
  -Headers @{"Authorization" = "bearer $AuthorizationKey"} -Method GET `
  -Uri "https://consumption.azure.com/v2/enrollments/$enrollmentNumber/balancesummary" `
  -ContentType "application/json"

# confirm entire response
$res

# confirm response contents
$res.Content | ConvertFrom-Json

You can check the response values of "$res" like below. The structure is the same for the other APIs.

StatusCode        : 200
StatusDescription : OK
Content           : {"id":"enrollments/your enrollment number/billingperiods/your billing periods/balancesummaries","billingPeriodId":"your billing periods","currencyCode":"JPY  
                    ","beginningBalance":xxxxx92.00,"endingBalance":xxxxx85.00,"newPurchases":0.00,"adju...
RawContent        : HTTP/1.1 200 OK
                    session-id: a03789eb-9b3d-49dd-8b12-c2dddb07dd62
                    x-ms-request-id: ade0cb92-3a78-4e2f-943f-b5a9bd4d8320
                    x-ms-correlation-request-id: f570130b-21b1-4bef-b1ff-d9e8a8e80e8b
                    x-ms-client...
Forms             : {}
Headers           : {[session-id, a03789eb-9b3d-49dd-8b12-c2dddb07dd62], [x-ms-request-id, ade0cb92-3a78-4e2f-943f-b5a9bd4d8320], [x-ms-correlation-request-id, 
                    f570130b-21b1-4bef-b1ff-d9e8a8e80e8b], [x-ms-client-request-id, c9d7de6c-8937-48b5-a137-3f026d637cc5]...}
Images            : {}
InputFields       : {}
Links             : {}
ParsedHtml        : mshtml.HTMLDocumentClass
RawContentLength  : 429

You can confirm the response content values of "$res.Content" like below.

id                             : enrollments/"your enrollment number"/billingperiods/"your billing periods"/balancesummaries
billingPeriodId                :  "your billing periods"
currencyCode                   : JPY  
beginningBalance               : xxxxx92.00
endingBalance                  : xxxxx85.00
newPurchases                   : 0.00
adjustments                    : 0.00
utilized                       : xxxxx7.00
serviceOverage                 : 0.00
chargesBilledSeparately        : 0.00
totalOverage                   : 0.00
totalUsage                     : xxxxx7.00
azureMarketplaceServiceCharges : 0.0000000000
newPurchasesDetails            : 
adjustmentDetails              : 

Reserved Instance usage API

You can call this API like below.

$AuthorizationKey = "your API Access Key"
$enrollmentNumber = "your enrollment number"
$startDate = "2019-05-01"
$endDate = "2019-05-10"

$res = Invoke-WebRequest `
  -Headers @{"Authorization" = "bearer $AuthorizationKey"} -Method GET `
  -Uri "https://consumption.azure.com/v2/enrollments/$enrollmentNumber/reservationdetails?startDate=$startDate&endDate=$endDate" `
  -ContentType "application/json"
$res.Content | ConvertFrom-Json

You can confirm the response content values of "$res.Content" like below.

....

reservationOrderId    : xxxxxxxx-mmmm-yyyy-nnnn-zzzzzzzzzzzz
reservationId         : xxxxxxxx-mmmm-yyyy-nnnn-zzzzzzzzzzzz
usageDate             : 2019-05-04T00:00:00
skuName               : Standard_DS1_v2
instanceId            : /subscriptions/you subscription ID/resourcegroups/your resource group/providers/microsoft.compute/virtualmachines/your vm name
totalReservedQuantity : 8.000000000000000
reservedHours         : 192.000000000000000
usedHours             : 23.950000000000000

....

reservationOrderId    : xxxxxxxx-mmmm-yyyy-nnnn-zzzzzzzzzzzz
reservationId         : xxxxxxxx-mmmm-yyyy-nnnn-zzzzzzzzzzzz
usageDate             : 2019-05-10T00:00:00
skuName               : Standard_B2s
instanceId            : /subscriptions/you subscription ID/resourcegroups/your resource group/providers/microsoft.compute/virtualmachines/your vm name
totalReservedQuantity : 1.000000000000000
reservedHours         : 24.000000000000000
usedHours             : 24.000000000000000

You can see which reserved instance orders have been fully used and which have not. In addition, you can verify which VMs are running as Reserved Instances by checking "instanceId".
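The script below turns the per-day reservationdetails rows shown above into one utilisation line per reservation, so under-used reservations stand out. It is an added example, not part of the original post; it assumes the same date range as above, prompts for the Enrollment Number and API Access Key instead of storing them in the script, and assumes the API returns a JSON array with the fields shown in the sample output.

```powershell
# Added example: per-reservation utilisation from the Reserved Instance usage API.
# Assumptions: the key and enrollment number are prompted for at run time, and the
# response is a JSON array of rows with reservationId, skuName, instanceId,
# reservedHours and usedHours, as in the sample output above.
$enrollmentNumber = Read-Host -Prompt "Enrollment number"
$secureKey        = Read-Host -Prompt "API Access Key" -AsSecureString
$startDate = "2019-05-01"
$endDate   = "2019-05-10"

# Hold the key in plain text only for the duration of the call
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureKey)
try     { $key = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

$uri = "https://consumption.azure.com/v2/enrollments/$enrollmentNumber/reservationdetails?startDate=$startDate&endDate=$endDate"
try {
    $details = Invoke-RestMethod -Method Get -Uri $uri -ContentType "application/json" `
        -Headers @{ "Authorization" = "bearer $key" }
} catch {
    # A 401 here usually means the API Access Key expired or was regenerated on EA Portal
    throw "Reporting API call failed: $($_.Exception.Message)"
} finally {
    $key = $null
}

# One row per reservation: hours bought versus hours actually consumed in the range
$report = $details | Group-Object -Property reservationId | ForEach-Object {
    $reserved = ($_.Group | Measure-Object -Property reservedHours -Sum).Sum
    $used     = ($_.Group | Measure-Object -Property usedHours     -Sum).Sum
    [pscustomobject]@{
        ReservationId = $_.Name
        SkuName       = ($_.Group | Select-Object -First 1).skuName
        ReservedHours = $reserved
        UsedHours     = $used
        Utilization   = if ($reserved -gt 0) { [math]::Round(100 * $used / $reserved, 1) } else { 0 }
        VmCount       = @($_.Group.instanceId | Sort-Object -Unique).Count
    }
}

# Least-used reservations first; a Standard_DS1_v2 line at 12% utilisation, as in the
# sample above (23.95 of 192 hours), is the kind of row this surfaces
$report | Sort-Object -Property Utilization | Format-Table -AutoSize
```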

Why can't you find your new subscriptions on the Azure Portal even though they have already been created on EA Portal?

You always need to create new Azure subscriptions on EA Portal if you have your own EA contract for Microsoft Azure. I have already posted an article on how to get started with EA Portal, linked below.
normalian.hatenablog.com

It's mandatory to create your Azure subscriptions on EA Portal so that they are charged to the monetary commitment of your EA contract. Refer to the article below for which roles on EA Portal can create new Azure subscriptions.
normalian.hatenablog.com

But some folks can't find their new Azure subscriptions on the Azure Portal. Check the topics below if this happens to you.

  • Enable check of Global subscription filter for your new Azure subscription
  • Change Azure AD tenant associated with your new Azure subscription

How to create new subscriptions on EA Portal

Before describing the topics, let's review how to create new subscriptions on EA Portal. Note that your account must hold the Account Owner role.
Clicking the "Add Subscription" button on EA Portal launches a new tab that redirects you to the sign-up page. Choose "Microsoft Azure Enterprise" so the subscription is charged to your EA contract.
Check the two agreement terms and click "Sign up" to complete the new Azure subscription.
After the subscription is created you are redirected to the Azure Portal, but you might not be able to find the new subscription there.

Enable check of Global subscription filter for your new Azure subscription

The Azure Portal offers a "Global subscription filter" that shows only the selected subscriptions, and new subscriptions are unchecked (hidden) by default.
Enable the new subscription in the Global subscription filter.

Change Azure AD tenant associated with your new Azure subscription

As you know, every Azure subscription is associated with one Azure Active Directory tenant and has one or more subscription owners. In addition, the Azure Portal cannot list subscriptions across Azure Active Directory tenants.
This is the likely cause if you still can't find the new Azure subscription after enabling it in the Global subscription filter.

New Azure subscriptions should be associated with the Azure Active Directory tenant that holds your Work or School Account. If your account is a Microsoft Account, it depends on the situation. Refer to the article below if you are unfamiliar with Work or School Accounts and Microsoft Accounts.
docs.microsoft.com

Go to the new Azure subscription and choose "Change directory".

Note that if you can't move the subscription into the proper Azure Active Directory tenant, you need to contact the Azure Active Directory tenant administrator, not the EA Portal administrator.

What's the difference between Enterprise Administrator, Department Administrator and Account Owner on EA Portal?

I believe you might be confused about how to create new Azure subscriptions just after logging in to EA Portal. As I illustrated in the article below, EA Portal has several roles named Enterprise Administrator, Department Administrator and Account Owner.
normalian.hatenablog.com
You need to use these roles properly to manage your billing and subscriptions on EA Portal.

What can each role do?

Here is a rough description of each role. Note that an Enterprise Administrator can do almost everything except create new subscriptions; only an Account Owner can do that.

  • Enterprise Administrator
    • Change EA Portal settings
    • Invite new Enterprise Administrators
    • Create new departments
    • Invite new department administrators into all departments
    • Retrieve all departments
    • Retrieve all Account Owners
    • Invite new Account Owners
    • Retrieve all subscriptions
    • Can't create new subscriptions
  • Department Administrator
    • This role is optional
    • Invite new department administrators into own departments
    • Retrieve own departments
    • Retrieve all Account Owners in own departments
    • Invite new Account Owners into own departments
    • Retrieve all subscriptions on own departments
    • Can't create new subscriptions
  • Account Owner
    • Create new subscriptions

How to invite as Enterprise Administrator

Only a current Enterprise Administrator can perform this operation. Open https://ea.azure.com and go to the Enterprise Administrator settings.
A wizard appears on the right side, from which you can invite a new Enterprise Administrator. Check the "Auth Level" if you can't find the proper Authentication Type on your EA Portal.
The new Enterprise Administrator will receive an invitation mail from your EA Portal and must activate their own account.

How to invite as Department Administrator

An Enterprise Administrator or a Department Administrator can perform this operation. Open https://ea.azure.com and go to the Department Administrator settings.
The steps are almost the same as for an Enterprise Administrator. A wizard appears on the right side, from which you can invite a new Department Administrator. Check the "Auth Level" if you can't find the proper Authentication Type on your EA Portal.

How to invite as Account Owner

An Enterprise Administrator or a Department Administrator can perform this operation. Open https://ea.azure.com and go to the Account Owner settings.
The steps are almost the same as for an Enterprise Administrator. A wizard appears on the right side, from which you can invite a new Account Owner. Check the "Auth Level" if you can't find the proper Authentication Type on your EA Portal. In addition, you can set a display name for the account on your EA Portal.
The new Account Owner appears in pending status. It will be activated when the invited user logs in to your EA Portal.

What's the best practice for these EA Portal hierarchies?

In small organizations, using only Enterprise Administrator and Account Owner should work. In addition, you can assign both roles to a single user account.
In that setup, for example, xxxx01@hotmail.com can do everything on your EA Portal. You can create such an account by following "How to invite as Enterprise Administrator" and "How to invite as Account Owner" for the same account, but consider and design a proper role structure when your organization is large or has many users, since one account holding every role is a single point of compromise.

How to get started with EA Portal for Microsoft Azure

I believe most Azure developers aren't familiar with EA Portal because only Enterprise Agreement customers can use it. The usage of EA Portal is completely different from the Azure Portal that all Azure developers are familiar with:

  • EA Portal is utilized to create Azure subscriptions which charge from your EA contract
  • Azure Portal is utilized to create Azure resources and consume from EA contract

As you can imagine, billing owners should use EA Portal and developers should use the Azure Portal. But it is sometimes difficult to find out how to learn to use EA Portal.

How to arrange an onboarding meeting for EA Portal

Fortunately, Microsoft offers to arrange an onboarding meeting with EA Portal experts. Reach out to Azure EA Portal Support.
You can find "issue category" at the bottom of the support form. Choose "Onboarding" to schedule an EA Portal onboarding meeting with an expert.
After choosing it, you need to fill out some details about your status. Then you can have a great meeting and gain deep knowledge of EA Portal. This onboarding meeting is free of charge and I recommend using it whenever possible.