About Microsoft Azure accounts
Microsoft Azure Enterprise Agreement and Identity and Access Management (IAM) subscriptions
HPE OneSphere interacts with Microsoft Azure through two separate accounts:
| HPE OneSphere account | Relationship | Microsoft Azure account |
|---|---|---|
| Azure Public Billing Account | connects to | Azure Enterprise Agreement account |
| Azure provider public account | connects to | Azure IAM subscriptions |
You must have an Azure IAM subscription before connecting an HPE OneSphere individual provider public account. Connecting a provider public account to an Azure subscription allows HPE OneSphere to display cost information about Azure services on the Insights screen.
Each time you connect a new provider public account to an Azure subscription, it takes approximately 24 hours for all relevant cost data to populate and reflect the most recent changes to any Azure services.
Azure subscriptions have a 1-to-1-to-1 relationship with public accounts and projects in HPE OneSphere (similar to AWS). One project can be associated with only one of each type of provider public account. For example, you can associate a single project with one AWS public account and one Azure subscription account.
For each new Azure subscription added to HPE OneSphere, a new "Reader" role is granted to the HPE OneSphere application. If this new role is deleted in Azure, you must add a new provider public account in HPE OneSphere. The HPE OneSphere "Reader" role in Azure is read-only.
HPE OneSphere uses the standard Microsoft role-based consent framework for adding Azure subscriptions to public provider accounts. The specific Azure permission that allows HPE OneSphere to onboard an Azure subscription is Microsoft.Authorization/roleAssignments/Write. This permission is included by default in accounts where the user role is listed as "Owner."
Adding Public Billing Accounts requires HPE OneSphere administrator privileges. Provider public accounts can be added by HPE OneSphere administrators or by project owners who have been enabled to connect providers to Azure subscriptions. The person adding the account must have his or her own account in Microsoft Azure.
The Azure subscription owner must grant the proper permissions to the Azure account of the HPE OneSphere administrator or enabled project owner. If the HPE OneSphere administrator or enabled project owner does not already have the "Owner" role for the subscription in Azure, they will need the specific Microsoft.Authorization/roleAssignments/Write permission before adding that subscription to a provider public account in HPE OneSphere. The current subscription owner can grant this role or privilege from the Access control (IAM) screen in the Azure subscription.
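The permission requirement above can be checked before onboarding by evaluating the roles an account holds against the required action. The following is an added example, not HPE or Microsoft code. It assumes role definitions in the JSON shape Azure uses (permissions with actions and notActions). The sample definitions are constructed and abbreviated, and "Example Onboarding Role" is a hypothetical custom role.

```python
import re

# Permission the page names as required to onboard a subscription.
REQUIRED = "Microsoft.Authorization/roleAssignments/Write"

def matches(pattern, action):
    """Azure-style match: '*' is a wildcard, comparison ignores case."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None

def role_grants(role_def, action=REQUIRED):
    """True if a permission block allows the action and does not exclude it."""
    for perm in role_def.get("permissions", []):
        allowed = any(matches(p, action) for p in perm.get("actions", []))
        excluded = any(matches(p, action) for p in perm.get("notActions", []))
        if allowed and not excluded:
            return True
    return False

def roles_allowing_onboarding(assigned, role_defs):
    """Names of the assigned roles that carry the required permission.
    notActions only subtracts inside one role, so any single hit is enough."""
    by_name = {r["roleName"]: r for r in role_defs}
    return [n for n in assigned if n in by_name and role_grants(by_name[n])]

# Constructed, abbreviated definitions modelled on Azure role JSON (assumption).
SAMPLE_ROLE_DEFS = [
    {"roleName": "Owner",
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Contributor",
     "permissions": [{"actions": ["*"],
                      "notActions": ["Microsoft.Authorization/*/Write",
                                     "Microsoft.Authorization/*/Delete"]}]},
    {"roleName": "Reader",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
    # Hypothetical custom role granting only what onboarding needs.
    {"roleName": "Example Onboarding Role",
     "permissions": [{"actions": ["Microsoft.Authorization/roleAssignments/write"],
                      "notActions": []}]},
]

if __name__ == "__main__":
    for assigned in (["Owner"], ["Contributor", "Reader"],
                     ["Contributor", "Example Onboarding Role"]):
        hits = roles_allowing_onboarding(assigned, SAMPLE_ROLE_DEFS)
        print(assigned, "->", hits or "cannot onboard")
```

In these samples a Contributor cannot onboard a subscription even though its actions list is "*", because the role's notActions exclude writes under Microsoft.Authorization, and the "Reader" role granted to HPE OneSphere cannot create role assignments.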