To enable Kore's Azure Subscription Automation feature, we need to create a service principal in Azure Active Directory and give it contributor access to an invoice section (if you have a Microsoft Customer Agreement) or enrollment account (if you have a Microsoft Enterprise Agreement for Azure).
This service principal can be used by Kore to create subscriptions on demand.
In order to use Azure Subscription Automation, you must have an Enterprise Agreement (EA) or Microsoft Customer Agreement (MCA) in place with Microsoft for Azure in your organisation. You cannot use Azure Subscription Automation with a standard (pay as you go) Azure subscription.
Kore uses an Azure Active Directory Service Principal to access Azure. To create one with no privileges, install the Azure CLI, then run the following, replacing kore-org-manager with a name of your choosing:

```shell
az login
az ad sp create-for-rbac -n "kore-org-manager" --skip-assignment
```
This will output a client ID and client secret which you will need shortly, so keep note of them.
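As an added example that is not part of the Kore documentation, the POSIX shell script below wraps the two commands above and, before the credentials are handed to Kore, confirms that the new service principal holds no role assignments at all; the only privilege it should end up with is the billing role granted in the steps that follow. It assumes the Azure CLI is installed, and the SP_NAME variable and helper function names are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not Kore's own tooling: create the "kore-org-manager" service
# principal as the docs describe, then verify it carries no role assignments.
# Assumes the Azure CLI ("az") is installed; SP_NAME is this script's own variable.
SP_NAME="${SP_NAME:-kore-org-manager}"

# Pull one string field out of the pretty-printed JSON that "az" emits
# (one "key": "value" pair per line). Usage: sp_field "$json" appId
sp_field() {
  printf '%s\n' "$1" |
    sed -n "s/^[[:space:]]*\"$2\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" |
    head -n 1
}

# Succeed (exit 0) only when a role-assignment listing is the empty array "[]".
no_role_assignments() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "[]" ]
}

# The live path: the page's two commands, followed by the least-privilege check.
create_and_check() {
  az login >/dev/null
  out="$(az ad sp create-for-rbac -n "$SP_NAME" --skip-assignment)"
  app_id="$(sp_field "$out" appId)"
  tenant="$(sp_field "$out" tenant)"
  # The client secret ("password" field) is printed only once; record it in your
  # secrets store now rather than leaving it in shell history or a log file.
  roles="$(az role assignment list --all --assignee "$app_id")"
  if no_role_assignments "$roles"; then
    echo "ok: $SP_NAME ($app_id in tenant $tenant) has no role assignments"
  else
    echo "warning: $SP_NAME already holds role assignments:" >&2
    printf '%s\n' "$roles" >&2
    return 1
  fi
}

# Only talk to Azure when invoked with --run, so the helpers can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
  create_and_check
fi
```

Run it as `sh create-sp.sh --run`; a non-empty role list means the principal was granted rights somewhere already and should be reviewed before it is used.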
If you have an MCA agreement with Microsoft, perform this step. This is not required for Enterprise Agreements.
In order to create subscriptions under an MCA, you must grant the above service principal either 'Contributor' or 'Invoice Section Contributor' role on the Invoice Section you wish the subscriptions to be placed within. From the Azure web console:
- Open 'Cost Management + Billing'
- Select the relevant billing scope
- Select 'Billing Profiles' and choose the relevant billing profile
- Select 'Invoice Sections' and choose the relevant invoice section
- Select 'Access Control (IAM)' and add the service principal created above (e.g. 'kore-org-manager') as either a Contributor or Invoice Section Contributor.
In order to perform these steps, you will need to have Owner permission on the Invoice Section, its parent billing profile or the billing scope. If you do not see the options for one or more of the above steps, you do not have the required permissions so you may need to talk to your Azure administrators who have access to the billing scope, billing profile or invoice section in question.
If you have an Enterprise Agreement with Microsoft, perform this step. This is not required for MCA agreements.
In order to create subscriptions under an Enterprise Agreement, you must grant the above service principal 'Owner' role on the Enrollment Account you wish the subscriptions to be placed within. The Microsoft documentation explains the steps required to perform this.
To configure using the UI, enter the Admin section and choose Configure > Cloud > Microsoft Azure > Organization. Select + Add organization (for Azure Subscription automation).
The key pieces of information you need to provide are detailed in the tables below.

| Setting | Description |
|---|---|
| Tenant ID | Azure ID for your tenant. This identifies your Azure Active Directory instance: select 'Azure Active Directory' on the Azure Portal and the Tenant ID is displayed on the Overview page |
| Subscription ID | Azure Subscription ID in your tenant to use for org-wide resources, such as DNS root zones |
| Agreement Type | Choose whether you have an EA or MCA with Microsoft for Azure; see the tables below for details specific to these agreement types |
| Management Group | Choose whether to nest created subscriptions in an Azure Management Group (best practice, but you must pre-create this group) or to place them at the tenant root level |
| Owner | You are required to specify the ID of an Azure Active Directory object (typically a group) that will be the owner of all created subscriptions. Members of this group will have full access to these subscriptions, including the ability to grant access to others and de-activate or close them |
| Contributor | Optionally, you can also specify the ID of a second Azure Active Directory object (typically a group) that has Contributor access to all created subscriptions. Members of this group can create and manage all resources within the subscription but cannot delegate permissions or de-activate / close the subscription |

For a Microsoft Customer Agreement:

| Setting | Description |
|---|---|
| Billing account | This can be found in the Cost Management + Billing section of the Azure web console by selecting the relevant 'Billing Scope' then choosing 'Properties'. It has the rather verbose format |
| Billing profile ID | Continuing from the Billing Scope as above, select 'Billing Profiles' and choose the relevant profile, then choose 'Properties' to find the ID. It has the format |
| Invoice section ID | Continuing from the Billing Profile as above, select 'Invoice Sections' and choose the relevant invoice section, then choose 'Properties' to find the ID. It has the format |

For an Enterprise Agreement:

| Setting | Description |
|---|---|
| Billing account | This is typically a numeric value for EA billing accounts, such as 7654321 |
| Enrollment account ID | This is a second numeric identifier, specific to the Enrollment Account, such as 13245364 |
Once the organization is created, an administrator should test account creation before handing it over to teams.
If an Azure subscription is no longer in use, it has to be removed manually using the process below. Do not close a subscription before it has been removed from Kore, else it may be re-created.

Use the UI (Admin > Configure > Cloud > Microsoft Azure > Managed Subscriptions) or the CLI (`kore get cloudaccounts --all-managed --cloud azure`) to see all cloud accounts which have been provisioned for your teams. If you are removing a team from Kore and want to close their cloud account entirely, follow the steps below.
Follow these steps only if you intend to remove the team from Kore, or remove their ability to use your Azure organization for subscription automation. If you wish to retain the team or keep their ability to use Azure subscription automation, you should not close their subscription.
From the UI, select 'Remove from Kore', or from the CLI run `kore delete cloudaccount -t teamname cloud-account-name`.
This will attempt to remove the subscription from Kore's management. If the subscription is in use by any team clusters, you will be informed of this and the removal will not succeed. Ensure the clusters are deleted first.
Delete the team from Kore, or de-allocate the Azure organization from the team so they cannot request a new Azure cluster using subscription automation. If you do not prevent the team from using Azure, the now-closed subscription will be used when a new cluster is requested, and this will fail because the subscription has been closed and cannot be used.
In order to close a subscription, you must have Owner privileges on it, granted via the Owner group configured in the Azure organization in Kore, or via the Azure Management Group that you asked Kore to nest the subscription in.
Once you have successfully removed the subscription from Kore you can proceed to close the subscription in Azure. Open the 'Subscriptions' section of the Azure web console, then find the subscription you wish to close. Select it, choose 'Cancel subscription', then follow the steps to verify any remaining resources in the subscription can be destroyed and confirm closure.
After several minutes the subscription should show as state 'Disabled' in the portal. Subscriptions closed in this manner can be re-activated from the Azure portal after a few hours.