To allow the connector to retrieve usage Microsoft uses the secure application model for authentication. This means that a partner gives consent for an application to interact with services on their behalf. This consent flow is implemented in CloudBilling on the Connector Settings page. There is a “Login with your Microsoft account” button there which will take you through the consent flow.
Once you click this button, you will be redirected to Microsoft and asked to login with your account. At this point the application will ask for a set of permissions, after you consent you will be redirected to CloudBilling where a connector account will be created. At this point the connector will use the granted consent to interact with the partner center API every day to retrieve usage.
A user needs to have either “Admin Agent” permissions, or a combination of “Billing Admin” and “Sales Agent” permissions. These will suffice to provide the consent as well as allowing the connector to impersonate the user and retrieve the required usage. The user that has provided consent has to constantly have these permissions while the connector is to continue functioning. If the user is disabled, or leaves the organisation, etc. A different user will have to provide consent. It is therefore encouraged to use a “service account” to provide account as that will provide the most stable base for retrieving usage.
Note that the combination of “Global Admin” and “Sales Agent” is not sufficient to retrieve usage. Even though intuition would suggest that this role should grant a superset of permissions compared to Billing Admin, it does not.