Creating Azure subscriptions with Azure Automation (Preview) 😎

In this first blog post I’ll cover a cool topic I worked on lately: automating the process of creating Azure subscriptions under an Azure Enterprise Agreement (EA).

⚠️ Important: the (Preview) API used in this article is only available to companies that have an Enterprise Agreement with Microsoft. Pay-as-you-go (PAYG) or Cloud Solution Provider (CSP) subscriptions can’t be created automatically with it.

OVERVIEW

Creating a subscription under an EA in Azure is fairly easy:

1. Log on to ea.azure.com with your EA account
2. Create a new subscription under your account
3. (optionally) re-assign the subscription to a management group

After that, there are usually a couple of other tasks you should do:

4. assign the RBAC role “Owner” to a UPN in your Azure Active Directory, because it’s typically not you who uses and manages the subscription, but a project manager, team lead, etc.
5. assign the subscription to a management group

Building the runbook was actually kind of tricky, because the Microsoft documentation in this case was really misleading.

ATTENTION PLEASE

Creating a subscription requires the identity to be an account owner. What does that mean? If you log in to the EA portal and are the owner of an account, you can create subscriptions. Usually, with runbooks, you would use the runbook’s service principal (the so-called “Run-As Account”) to interact with Azure.
Although Microsoft documented that it is possible to set a service principal as account owner, you cannot create subscriptions with it. The role-assignment mechanism seems not to be fully implemented: the assignment is reported as successful, and it cannot be repeated, but the SP remains unauthorized to create a subscription.

Workaround:
Create a “technical user” that the runbook logs in as. You can do the role assignment for the technical user and then create subscriptions without any problem. Keep that user’s password out of the runbook itself; the code below reads it from Key Vault at run time.

PREPARE THE RUNBOOK

Add these modules to your Automation account so the runbook can import them: Az.Billing, Az.Subscription, Az.KeyVault, Az.Resources

CODE

# Runbook inputs (added here; the original post uses these variables without declaring them)
param(
    [Parameter(Mandatory)] [string] $KeyVaultName,       # Key Vault holding the technical user's password
    [Parameter(Mandatory)] [string] $TechnicalUserName,  # UPN of the technical user (see Workaround above)
    [Parameter(Mandatory)] [string] $purpose,            # input for the subscription naming convention
    [Parameter(Mandatory)] [string] $environment,        # input for the subscription naming convention
    [Parameter(Mandatory)] [string] $email               # UPN that becomes Owner of the new subscription
)

Import-Module -Name Az.Billing, Az.Subscription, Az.KeyVault, Az.Resources

# 1) Sign in with the Run-As service principal: it can read the Key Vault secret, but it cannot create subscriptions.
$connection = Get-AutomationConnection -Name AzureRunAsConnection
$null = Connect-AzAccount -ServicePrincipal -Tenant $connection.TenantID -ApplicationId $connection.ApplicationID -CertificateThumbprint $connection.CertificateThumbprint

# 2) Fetch the technical user's password from Key Vault; the secret is named after the user part of the UPN.
#    SecretValue is a SecureString, so the password never appears in the job output as plain text.
$SecurePassword = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $TechnicalUserName.Split('@')[0]
$Credential = New-Object System.Management.Automation.PSCredential($TechnicalUserName, $SecurePassword.SecretValue)

# 3) Re-authenticate as the technical user, which is the EA account owner that is allowed to create subscriptions.
$null = Connect-AzAccount -Credential $Credential #-TenantId $TenantId

# this is tricky: the object id is the OID of the user that owns the enrollment account.
$EnrollmentAccountObjectId = (Get-AzEnrollmentAccount)[0].ObjectId

# Get-SubscriptionName is the author's own naming helper (not shown in this post).
$SubscriptionName = Get-SubscriptionName -purpose $purpose -env $environment

# MS-AZR-0017P is the Enterprise offer; -OwnerSignInName makes $email an Owner of the new subscription.
$CreatedSub = New-AzSubscription -OfferType "MS-AZR-0017P" -Name $SubscriptionName -EnrollmentAccountObjectId $EnrollmentAccountObjectId -OwnerSignInName $email
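Steps 4 and 5 from the overview (Owner assignment and management group) are not part of the runbook above; the function below is an added example, not code from the original post, that performs both and verifies the Owner assignment actually exists before reporting success. It assumes the new subscription’s id is passed in explicitly (taken from the object New-AzSubscription returns) and the names Complete-SubscriptionOnboarding, SubscriptionId, OwnerUpn and ManagementGroupName are hypothetical.

```powershell
# Added example (not from the original post). Assumed inputs: the subscription id returned by
# New-AzSubscription, the owner's UPN (the $email from the runbook) and the target management group.
function Complete-SubscriptionOnboarding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $OwnerUpn,
        [Parameter(Mandatory)] [string] $ManagementGroupName
    )

    # A freshly created EA subscription is not visible in ARM immediately; poll instead of failing.
    $sub = $null
    for ($i = 0; $i -lt 12 -and -not $sub; $i++) {
        $sub = Get-AzSubscription -SubscriptionId $SubscriptionId -ErrorAction SilentlyContinue
        if (-not $sub) { Start-Sleep -Seconds 10 }
    }
    if (-not $sub) { throw "Subscription $SubscriptionId is not visible in ARM after retries." }

    $scope = "/subscriptions/$SubscriptionId"

    # Step 4: Owner role for the responsible person. Check first so that re-running the job is idempotent.
    $existing = Get-AzRoleAssignment -Scope $scope -SignInName $OwnerUpn -RoleDefinitionName 'Owner' -ErrorAction SilentlyContinue
    if (-not $existing) {
        $null = New-AzRoleAssignment -Scope $scope -SignInName $OwnerUpn -RoleDefinitionName 'Owner'
    }

    # Step 5: move the subscription into the target management group. Fail early if the group does not exist.
    $null = Get-AzManagementGroup -GroupName $ManagementGroupName -ErrorAction Stop
    $null = New-AzManagementGroupSubscription -GroupName $ManagementGroupName -SubscriptionId $SubscriptionId

    # Verify the Owner assignment is really in place; a silent failure here would leave the subscription orphaned.
    $verified = Get-AzRoleAssignment -Scope $scope -SignInName $OwnerUpn -RoleDefinitionName 'Owner'
    if (-not $verified) { throw "Owner assignment for $OwnerUpn on $scope was not applied." }

    [pscustomobject]@{
        SubscriptionId  = $SubscriptionId
        Owner           = $OwnerUpn
        ManagementGroup = $ManagementGroupName
    }
}
```

Call it from the runbook right after New-AzSubscription, while the context is still the technical user, so the job fails visibly if either follow-up step does not take effect.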

USECASE

The manual process itself, although it is fairly straightforward, has a couple of drawbacks.

  • you, as an EA account owner, won’t be in the office all year. If people want to start their Azure project but need to wait for you to come back from vacation, that is expensive time your company is wasting. Your company might even have Conditional Access enabled for these accounts, so that you won’t be able to log on to the EA portal even from your summer cabin.
  • everyone makes mistakes, and so do you. Doing things by hand can be tricky, especially in a hurry: you forget things and have typos here and mix-ups there. Doing it automatically removes a lot of sources of mistakes.
  • think of integration, the most fascinating thing here: you could run the whole subscription-creation process through a self-service portal or custom solution, with a cost center, team, project responsible, etc. behind it. If your project managers, who are accountable for the budget in most cases anyway, get to book their subscriptions on their own, everybody saves a lot of time.
  • a combination of points 1 and 4: people won’t depend on you anymore. On the one hand, this might make a small part of your job obsolete; on the other, your job is most probably not only managing subscriptions. Having a controlled but automated way of doing things like this can open doors in organizations 😉