Version: 0.7

Azure Subscription Automation

Overview

To enable Kore's Azure Subscription Automation feature, we need to create a service principal in Azure Active Directory and give it contributor access to an invoice section (if you have a Microsoft Customer Agreement) or to an enrollment account (if you have a Microsoft Enterprise Agreement for Azure).

This service principal can be used by Kore to create subscriptions on demand.

Pre-requisites

In order to use Azure Subscription Automation, you must have an Enterprise Agreement (EA) or Microsoft Customer Agreement (MCA) in place with Microsoft for Azure in your organisation. You cannot use Azure Subscription Automation with a standard (pay as you go) Azure subscription.

Service Principal

Kore uses an Azure Active Directory Service Principal to access Azure. To create one with no privileges, install the Azure CLI, then run the following, replacing kore-org-manager with a name of your choosing:

az login
az ad sp create-for-rbac -n "kore-org-manager" --skip-assignment

This will output a client ID and client secret which you will need shortly, so keep note of them.

Allow service principal to create Microsoft Customer Agreement (MCA) subscriptions

If you have an MCA agreement with Microsoft, perform this step. This is not required for Enterprise Agreements.

In order to create subscriptions under an MCA, you must grant the above service principal either 'Contributor' or 'Invoice Section Contributor' role on the Invoice Section you wish the subscriptions to be placed within. From the Azure web console:

  1. Open 'Cost Management + Billing'
  2. Select the relevant billing scope
  3. Select 'Billing Profiles' and choose the relevant billing profile
  4. Select 'Invoice Sections' and choose the relevant invoice section
  5. Select 'Access Control (IAM)' and add the service principal created above (e.g. 'kore-org-manager') as either a Contributor or Invoice Section Contributor.

In order to perform these steps, you will need Owner permission on the Invoice Section, its parent billing profile or the billing scope. If you do not see the options for one or more of the above steps, you do not have the required permissions, so you may need to talk to the Azure administrators who have access to the billing scope, billing profile or invoice section in question.

Allow service principal to create Enterprise Agreement subscriptions

If you have an Enterprise Agreement with Microsoft, perform this step. This is not required for MCA agreements.

In order to create subscriptions under an Enterprise Agreement, you must grant the above service principal 'Owner' role on the Enrollment Account you wish the subscriptions to be placed within. The Microsoft documentation explains the steps required to perform this.

Configuring Azure Organization in Kore

To configure using the UI, enter the Admin section and choose Configure > Cloud > Microsoft Azure > Organization. Select + Add organization (for Azure Subscription automation).

To configure using the CLI, use kore create cloudcredentials to add the key for the service principal created above, then kore create cloudaccount to add the Azure organization.

The key pieces of information you need to provide are detailed in the below tables.

All organizations

Tenant ID: The ID of your Azure tenant, which identifies your Azure Active Directory instance. Select 'Azure Active Directory' in the Azure Portal; the Tenant ID is displayed on the Overview page.

Subscription ID: The ID of an Azure subscription in your tenant to use for org-wide resources, such as DNS root zones.

Agreement Type: Choose whether you have an EA or an MCA with Microsoft for Azure. See the tables below for the details specific to each agreement type.

Management Group: Choose whether to nest created subscriptions in an Azure Management Group (best practice, but you must pre-create this group) or to place them at the tenant root level.

Owner: Required. The ID of an Azure Active Directory object (typically a group) that will be the owner of all created subscriptions. Members of this group will have full access to these subscriptions, including the ability to grant access to others and to deactivate or close them.

Contributor: Optional. The ID of a second Azure Active Directory object (typically a group) that will have Contributor access to all created subscriptions. Members of this group can create and manage all resources within the subscription but cannot delegate permissions or deactivate / close the subscription.

Microsoft Customer Agreement specific fields

Billing account: This can be found in the Cost Management + Billing section of the Azure web console by selecting the relevant 'Billing Scope' then choosing 'Properties'. It has the rather verbose format aaa111b-abcd-ef01-2345-bcdabc123fed:1234aaab-0100-1234-abcd-abcd0123abcd_2019-05-31 for MCA billing accounts.

Billing profile ID: Continuing from the Billing Scope as above, select 'Billing Profiles' and choose the relevant profile, then choose 'Properties' to find the ID. It has the format AW4F-APQW-0AH-ABC.

Invoice section ID: Continuing from the Billing Profile as above, select 'Invoice Sections' and choose the relevant invoice section, then choose 'Properties' to find the ID. It has the format PQRS-ALDS-012-DEF.

Enterprise Agreement specific fields

Billing account: This is typically a numeric value for EA billing accounts, such as 7654321.

Enrollment account ID: This is a second numeric identifier, specific to the Enrollment Account, such as 13245364.
Note: Once the organization is created, an administrator should test account creation before handing it over to teams.
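As an added pre-flight check before that test (example code written for this page, not Kore's own), the following Python validates the organization fields from the tables above against the identifier formats they describe, and flags fields that belong to the other agreement type. It assumes the two halves of an MCA billing account are standard 8-4-4-4-12 GUIDs, and the AzureOrgConfig field names are this example's own, not Kore's.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Formats from the tables above; assumes MCA billing account halves are standard 8-4-4-4-12 GUIDs.
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
GUID_RE = re.compile(rf"^{GUID}$")
MCA_BILLING_ACCOUNT_RE = re.compile(rf"^{GUID}:{GUID}_\d{{4}}-\d{{2}}-\d{{2}}$")
MCA_SHORT_ID_RE = re.compile(r"^[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{3}-[A-Z0-9]{3}$")  # AW4F-APQW-0AH-ABC
EA_NUMERIC_RE = re.compile(r"^\d+$")

@dataclass
class AzureOrgConfig:  # field names are this example's own, not Kore's
    tenant_id: str
    subscription_id: str
    agreement_type: str                           # "EA" or "MCA"
    owner_object_id: str                          # AAD object ID, typically a group
    billing_account: str
    contributor_object_id: Optional[str] = None   # optional second group
    billing_profile_id: Optional[str] = None      # MCA only
    invoice_section_id: Optional[str] = None      # MCA only
    enrollment_account_id: Optional[str] = None   # EA only

def validate(cfg: AzureOrgConfig) -> list:
    """Return a list of problems; an empty list means the configuration passes the pre-flight check."""
    problems = []
    for name in ("tenant_id", "subscription_id", "owner_object_id", "contributor_object_id"):
        value = getattr(cfg, name)
        if value is not None and not GUID_RE.match(value):
            problems.append(f"{name} is not a GUID")
    if cfg.contributor_object_id == cfg.owner_object_id:
        problems.append("contributor and owner are the same object; that group would hold Owner, not Contributor")
    if cfg.agreement_type == "MCA":
        if not MCA_BILLING_ACCOUNT_RE.match(cfg.billing_account):
            problems.append("billing_account does not match the MCA format guid:guid_YYYY-MM-DD")
        for name in ("billing_profile_id", "invoice_section_id"):
            if not MCA_SHORT_ID_RE.match(getattr(cfg, name) or ""):
                problems.append(f"{name} is missing or malformed (expected XXXX-XXXX-XXX-XXX)")
        if cfg.enrollment_account_id:
            problems.append("enrollment_account_id is an EA field and is ignored under MCA")
    elif cfg.agreement_type == "EA":
        for name in ("billing_account", "enrollment_account_id"):
            if not EA_NUMERIC_RE.match(getattr(cfg, name) or ""):
                problems.append(f"{name} is missing or not numeric (EA identifiers are numeric)")
        if cfg.billing_profile_id or cfg.invoice_section_id:
            problems.append("billing_profile_id / invoice_section_id are MCA fields and are ignored under EA")
    else:
        problems.append("agreement_type must be 'EA' or 'MCA'")
    return problems
```

Run validate() on the values you intend to enter and fix every reported problem before creating the organization; a malformed billing identifier will otherwise only surface when the first subscription request fails.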

Closing Azure Subscriptions created by Kore

If an Azure Subscription is no longer in use, it has to be removed manually using the process below.

Warning: Do not close a subscription before it has been removed from Kore, otherwise it may be re-created.

Discovering unused Kore created Azure Subscriptions

Use the UI (Admin > Configure > Cloud > Microsoft Azure > Managed Subscriptions) or the CLI (kore get cloudaccounts --all-managed --cloud azure) to see all cloud accounts which have been provisioned for your teams. If you are removing a team from Kore and want to close their cloud account entirely, follow the steps below.

Removing the subscription from Kore

Follow these steps only if you intend to remove the team from Kore, or remove their ability to use your Azure organization for subscription automation. If you wish to retain the team or keep their ability to use Azure subscription automation, you should not close their subscription.

  1. From the UI, select 'Remove from Kore', or from the CLI run kore delete cloudaccount -t teamname cloud-account-name.

  2. This will attempt to remove the subscription from Kore's management. If the subscription is in use by any team clusters, you will be informed of this and the removal will not succeed. Ensure the clusters are deleted first.

  3. Delete the team from Kore, or de-allocate the Azure organization from the team so they cannot request a new Azure cluster using subscription automation. If you do not prevent the team from using Azure, the next cluster request will try to reuse the now-closed subscription and fail, because a closed subscription cannot be used.

Closing an Azure Subscription with Microsoft

Closure Permissions

In order to close a subscription, you must have Owner privileges on it, granted via the Owner group configured in the Azure organisation in Kore, or via the Azure Management Group that you asked Kore to nest the subscription in.

Once you have successfully removed the subscription from Kore, you can proceed to close the subscription in Azure. Open the 'Subscriptions' section of the Azure web console, then find the subscription you wish to close. Select it, choose 'Cancel subscription', then follow the steps to verify that any remaining resources in the subscription can be destroyed and confirm closure.

After several minutes the subscription should show as state 'Disabled' in the portal. Subscriptions closed in this manner can be re-activated from the Azure portal after a few hours.