- Login to CloudBilling
- In the top menu, hover your mouse over ‘Connectors’ and click on ‘Microsoft CSP’
- Click on ‘Connector Settings’
- Click on ‘Login with your Microsoft Account’
- Follow the steps that are outlined by Microsoft
The Microsoft Partner Center user needs to have either “Admin Agent” permissions, or a combination of “Billing Admin” and “Sales Agent” permissions.
Note that the combination of “Global Admin” and “Sales Agent” is not sufficient to retrieve usage. Even though intuition would suggest that this role should grant a superset of permissions compared to Billing Admin, it does not.
We highly recommend creating a new “service account” to provide consent to CloudBilling. This will avoid any disruption to the flow of usage data through the CSP connector if a user is disabled or leaves the organization in the future.
Once consent has been given CloudBilling will retrieve usage from Microsoft on a daily basis. The connector starts to send usage information to CloudBilling every day at 19:00 CET. The imported usage will become visible in CloudBilling as Purchases.
Microsoft uses the secure application model as its authentication solution for CSP Partners and Control Panel Vendors. This model helps to elevate the security measures in place to safeguard customer data and infrastructure. CSP partners are required to provide consent for CloudBilling to interact with services on their behalf.
Microsoft describes the “Secure application model” in more detail in this PDF:
Secure application model documentation
It is possible to select the language used for the Microsoft resources that are loaded from the Microsoft Ratecard API. You can select the language after consent has been provided. To change the language, navigate to the connector settings and press the edit button next to the account. Now you can change the language by clicking on Locale and selecting one of the options.
A user needs to have both “Admin Agent” permissions, and ”Global Admin” right, or a combination of “Billing Admin” and “Sales Agent” permissions.
The user that has provided consent has to keep these permissions for the connector to continue functioning. If the user is disabled or leaves the organisation, a different user with the appropriate permissions will have to provide consent. It is therefore encouraged to use a “service account” to provide consent as that will provide the most stable base for retrieving usage.
Unfortunately, not all operations on the Partner Center API that CloudBilling requires to gather usage and license information are available through the app-only method (see further documentation). Therefore, CloudBilling is using the delegated permissions methodology.
If you have setup your browser to ‘stay logged in’ or automatically login to your Microsoft 365 account, the switch between your personal user and the Partner Center account can give issues. It is recommended to either use a different browser or use ‘incognito mode’ from Chrome or a similar function in your browser.
A user attempting to give consent while having PIM (Privileged Identity Management) configuration through a separate person/account.
MFA (Multi-factor authentication) needs to be enabled on the consenting account. However, as explained in the second point, not the two-step authentication service PIM.