The Azure integration into Finout consists of two simple steps.
First, create a service principal for Finout and then export the billing report and grant Finout read-only access.
Step 1: Create a Service Principal for Finout
The integration to your Azure is achieved by using an Azure service principal.
Create a service principal using the CLI
1. From the CLI, type the following:
az ad sp create-for-rbac -n "finout"
You will receive an output similar to the following:
2. Use the details as input in the Finout console:
appId → Application (client) ID
tenant → Directory (tenant) ID
password → Application password (Client Secret)
Create a service principal using the Azure portal
1. From your Azure portal, search for and select Azure Active Directory.
2. Select App registrations, then click New registration.
3. Name the application ("Finout", for example)
4. Leave the default values in the rest of the parameters and click Register.
5. The Overview page provides two of the credentials required for the Finout console: the Application (client) ID and the Directory (tenant) ID.
Set up the authentication
For the Finout integration, use the password-based authentication (application secret) method by following these steps:
1. On the App registration page, select Certificates & secrets from the left-hand menu. Click + New client secret to create a new client secret. Select a time frame for its expiration, add a description, and then click Add.
2. Copy the Value from the Client secret to the Application secret field in the Finout console.
Step 2: Create the Billing Export and Grant Finout Read-Only Permissions
In this step, create the export for the billing scope and grant Finout read-only access to these export files.
To ensure you're on the billing scope, check the text on your cost management screen that states Billing account as in the image below:
Create the report exports on the billing scope
The reports must be exported twice, once for each of the following cost types:
You can provide a different directory for both exports, however, both exports must be exported to the same container.
In your Azure portal, create an export:
From the Cost management screen, click Export under Setting in the left-hand menu.
From the Export screen, click +Add.
Fill in the required fields:
Name: Enter any name you want for the export.
Metric: Select Actual cost (repeat this process to create another export for Amortized cost).
Export type: Select Daily export of month-to-date costs.
Start date: Select the current date.
File partitioning: Switch this on.
Storage: Choose Use existing or Create new, and fill in the information accordingly.
When the export is created, run the export from the export page by selecting it and clicking Run now.
Grant Finout permission to read from the export storage
Grant permissions using Azure CLI
Type the following command in your CLI and fill in the parameters according to the role and storage details:
az role assignment create --assignee <app_id> --role "Storage Blob Data Reader" --scope /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Storage/storageAccounts/<storage_account_name>/blobServices/default/containers/<container_name>
Grant permissions using the Azure portal
From your Storage account page, click Containers and select the export container.
Select Access control (IAM).
Click +Add and then click Add role assignment.
Search for Storage blob data reader, select it, and then click Next.
Click + Select members and find the Finout service principal.
Select the Finout service principal and click Select.
Click Review + Assign.
In the Finout console, fill in the information for the following fields and then click Continue:
Actual Cost export name & Actual Cost Directory
Amortized Cost export name & Amortized Cost Directory
Still need help? Please feel free to reach out to our team at [email protected].