|
| 1 | +--- |
| 2 | +title: Programmatically create MCA subscriptions across Azure Active Directory tenants |
| 3 | +description: Learn how to programmatically create an Azure MCA subscription across Azure Active Directory tenants. |
| 4 | +author: bandersmsft |
| 5 | +ms.service: cost-management-billing |
| 6 | +ms.subservice: billing |
| 7 | +ms.topic: how-to |
| 8 | +ms.date: 08/22/2022 |
| 9 | +ms.reviewer: rygraham |
| 10 | +ms.author: banders |
| 11 | +--- |
| 12 | + |
| 13 | +# Programmatically create MCA subscriptions across Azure Active Directory tenants |
| 14 | + |
| 15 | +This article helps you programmatically create a Microsoft Customer Agreement (MCA) subscription across Azure Active Directory tenants. In some situations, you might need to create MCA subscriptions across Azure Active Directory (Azure AD) tenants but have them tied to a single billing account. Examples of such situations include SaaS providers wanting to segregate hosted customer services from internal IT services or internal environments that have strict regulatory compliance requirements, like Payment Card Industry (PCI). |
| 16 | + |
| 17 | +The process to create an MCA subscription across tenants is effectively a two-phase process. It requires actions to be taken in the source and destination Azure AD tenants. This article uses the following terminology: |
| 18 | + |
| 19 | +- Source Azure AD (source.onmicrosoft.com). It represents the source tenant where the MCA billing account exists. |
| 20 | +- Destination Cloud Azure AD (destination.onmicrosoft.com). It represents the destination tenant where the new MCA subscriptions are created. |
| 21 | + |
| 22 | +## Prerequisites |
| 23 | + |
| 24 | +You must you already have the following tenants created: |
| 25 | + |
| 26 | +- A source Azure AD tenant with an active [Microsoft Customer Agreement](create-subscription.md) billing account. If you don't have an active MCA, you can create one. For more information, see [Azure - Sign up](https://signup.azure.com/) |
| 27 | +- A destination Azure AD tenant separate from the tenant where your MCA belongs. To create a new Azure AD tenant, see [Azure AD tenant setup](../../active-directory/develop/quickstart-create-new-tenant.md). |
| 28 | + |
| 29 | +## Application set-up |
| 30 | + |
| 31 | +Use the information in the following sections to set up and configure the needed applications in the source and destination tenants. |
| 32 | + |
| 33 | +### Register an application in the source tenant |
| 34 | + |
| 35 | +To programmatically create an MCA subscription, an Azure AD application must be registered and granted the appropriate Azure RBAC permission. For this step, ensure you're signed into the source tenant (source.onmicrosoft.com) with an account that has permissions to register Azure AD applications. |
| 36 | + |
| 37 | +Following the steps in [Quickstart: Register an application with the Microsoft identity platform](../../active-directory/develop/quickstart-register-app.md). |
| 38 | + |
| 39 | +For the purposes of this process, you only need to follow the [Register an application](../../active-directory/develop/quickstart-register-app.md#register-an-application) and [Add credentials](../../active-directory/develop/quickstart-register-app.md#add-credentials) sections. |
| 40 | + |
| 41 | +Save the following information to test and configure your environment: |
| 42 | + |
| 43 | +- Directory (tenant) ID |
| 44 | +- Application (client) ID |
| 45 | +- Object ID |
| 46 | +- App secret value that was generated. The value is only visible at the time of creation. |
| 47 | + |
| 48 | +### Create a billing role assignment for the application in the source tenant |
| 49 | + |
| 50 | +Review the information at [Understand Microsoft Customer Agreement administrative roles in Azure](understand-mca-roles.md) to determine the appropriate scope and [billing role](understand-mca-roles.md#subscription-billing-roles-and-tasks) for the application. |
| 51 | + |
| 52 | +After you determine the scope and role, use the information at [Manage billing roles in the Azure portal](understand-mca-roles.md#manage-billing-roles-in-the-azure-portal) to create the role assignment for the application. Search for the application by using the name that you used when you registered the application in the preceding section. |
| 53 | + |
| 54 | +### Register an application in the destination tenant |
| 55 | + |
| 56 | +To accept the MCA subscription from the destination tenant (destination.onmicrosoft.com), an Azure AD application must be registered and added to the Billing administrator Azure AD role. For this step, ensure you're signed in to the destination tenant (destination.onmicrosoft.com) with an account that has permissions to register Azure AD applications. It must also have billing administrator role permission. |
| 57 | + |
| 58 | +Follow the same steps used above to register an application in the source tenant. Save the following information to test and configure your environment: |
| 59 | + |
| 60 | +- Directory (tenant) ID |
| 61 | +- Application (client) ID |
| 62 | +- Object ID |
| 63 | +- App secret value that was generated. The value is only visible at the time of creation. |
| 64 | + |
| 65 | +### Add the destination application to the Billing administrator Azure AD role |
| 66 | + |
| 67 | +Use the information at [Assign administrator and non-administrator roles to users with Azure AD](../../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md) to add the destination application created in the preceding section to the Billing administrator Azure AD role in the destination tenant. |
| 68 | + |
| 69 | +## Programmatically create a subscription |
| 70 | + |
| 71 | +With the applications and permissions already set up, use the following information to programmatically create subscriptions. |
| 72 | + |
| 73 | +### Get the ID of the destination application service principal |
| 74 | + |
| 75 | +When you create an MCA subscription in the source tenant, you must specify the service principal or SPN of the application in the destination tenant as the owner. Use one of the following methods to get the ID. In both methods, the value to use for the empty GUID is the application (client) ID of the destination tenant application created previously. |
| 76 | + |
| 77 | +#### Azure CLI |
| 78 | + |
| 79 | +Sign in to Azure CLI and use the [az ad sp show](/cli/azure/ad/sp#az-ad-sp-show) command: |
| 80 | + |
| 81 | +```sh |
| 82 | +az ad sp show --id 00000000-0000-0000-0000-000000000000 --query 'id' |
| 83 | +``` |
| 84 | + |
| 85 | +#### Azure PowerShell |
| 86 | + |
| 87 | +Sign in to Azure PowerShell and use the [Get-AzADServicePrincipal](/powershell/module/az.resources/get-azadserviceprincipal) cmdlet: |
| 88 | + |
| 89 | +```sh |
| 90 | +Get-AzADServicePrincipal -ApplicationId 00000000-0000-0000-0000-000000000000 | Select-Object -Property Id |
| 91 | +``` |
| 92 | + |
| 93 | +Save the `Id` value returned by the command. |
| 94 | + |
| 95 | +### Create the subscription |
| 96 | + |
| 97 | +Use the following information to create a subscription in the source tenant. |
| 98 | + |
| 99 | +#### Get a source application access token |
| 100 | + |
| 101 | +Replace the `{{placeholders}}` with the actual tenant ID, application (client) ID, and the app secret values that you saved when you created the source tenant application previously. |
| 102 | + |
| 103 | +Invoke the request and save the `access_token` value from the response for use in the next step. |
| 104 | + |
| 105 | +```http |
| 106 | +POST https://login.microsoftonline.com/{{tenant_id}}/oauth2/token |
| 107 | +Content-Type: application/x-www-form-urlencoded |
| 108 | +
|
| 109 | +grant_type=client_credentials&client_id={{client_id}}&client_secret={{app_secret}}&resource=https%3A%2F%2Fmanagement.azure.com%2F |
| 110 | +``` |
| 111 | + |
| 112 | +#### Get the billing account, profile, and invoice section IDs |
| 113 | + |
| 114 | +Use the information at [Find billing accounts that you have access to](programmatically-create-subscription-microsoft-customer-agreement.md?tabs=rest#find-billing-accounts-that-you-have-access-to) and [Find billing profiles & invoice sections to create subscriptions](programmatically-create-subscription-microsoft-customer-agreement.md?tabs=rest#find-billing-profiles--invoice-sections-to-create-subscriptions) sections to get the billing account, profile, and invoice section IDs. |
| 115 | + |
| 116 | +> [!NOTE] |
| 117 | +> We recommend using the REST method with the access token obtained previously to verify that the application billing role assignment was created successfully in the [Application Setup](#application-set-up) section. |
| 118 | +
|
| 119 | +#### Create a subscription alias |
| 120 | + |
| 121 | +With the billing account, profile, and invoice section IDs, you have all the information needed to create the subscription: |
| 122 | + |
| 123 | +- `{{guid}}`: Can be a valid GUID. |
| 124 | +- `{{access_token}}`: Access token of the source tenant application obtained previously. |
| 125 | +- `{{billing_account}}`: ID of the billing account obtained previously. |
| 126 | +- `{{billing_profile}}`: ID of the billing profile obtained previously. |
| 127 | +- `{{invoice_section}}`: ID of the invoice section obtained previously. |
| 128 | +- `{{destination_tenant_id}}`: ID of the destination tenant as noted when you previously created the destination tenant application. |
| 129 | +- `{{destination_service_principal_id}}`: ID of the destination tenant service principal that you got from the [Get the ID of the destination application service principal](#get-the-id-of-the-destination-application-service-principal) section previously. |
| 130 | + |
| 131 | +Send the request and note the value of the `Location` header in the response. |
| 132 | + |
| 133 | +```http |
| 134 | +PUT https://management.azure.com/providers/Microsoft.Subscription/aliases/{{guid}}?api-version=2021-10-01 |
| 135 | +Authorization: Bearer {{access_token}} |
| 136 | +Content-Type: application/json |
| 137 | +
|
| 138 | +{ |
| 139 | + "properties": { |
| 140 | + "displayName": "{{subscription_name}}", |
| 141 | + "workload": "Production", |
| 142 | + "billingScope": "/billingAccounts/{{billing_account}}/billingProfiles/{{billing_profile}}/invoiceSections/{{invoice_section}}", |
| 143 | + "subscriptionId": null, |
| 144 | + "additionalProperties": { |
| 145 | + "managementGroupId": null, |
| 146 | + "subscriptionTenantId": "{{destination_tenant_id}}", |
| 147 | + "subscriptionOwnerId": "{{destination_service_principal_id}}" |
| 148 | + } |
| 149 | + } |
| 150 | +} |
| 151 | +``` |
| 152 | + |
| 153 | +### Accept subscription ownership |
| 154 | + |
| 155 | +The last phase to complete the process is to accept subscription ownership. |
| 156 | + |
| 157 | +#### Get a destination application access token |
| 158 | + |
| 159 | +Replace `{{placeholders}}` with the actual tenant ID, application (client) ID, and app secret values that you saved when you created the destination tenant application previously. |
| 160 | + |
| 161 | +Invoke the request and save the `access_token` value from the response for the next step. |
| 162 | + |
| 163 | +```http |
| 164 | +POST https://login.microsoftonline.com/{{tenant_id}}/oauth2/token |
| 165 | +Content-Type: application/x-www-form-urlencoded |
| 166 | +
|
| 167 | +grant_type=client_credentials&client_id={{client_id}}&client_secret={{app_secret}}&resource=https%3A%2F%2Fmanagement.azure.com%2F |
| 168 | +``` |
| 169 | + |
| 170 | +#### Accept ownership |
| 171 | + |
| 172 | +Use the following information to accept ownership of the subscription in the destination tenant: |
| 173 | + |
| 174 | +- `{{subscription_id}}`: ID of the subscription created in the [Create subscription alias](#create-a-subscription-alias) section. It's contained in the location header that you noted. |
| 175 | +- `{{access_token}}`: Access token created in the previous step. |
| 176 | +- `{{subscription_display_name}}`: Display name for the subscription in your Azure environment. |
| 177 | + |
| 178 | +```http |
| 179 | +POST https://management.azure.com/providers/Microsoft.Subscription/subscriptions/{{subscription_id}}/acceptOwnership?api-version=2021-10-01 |
| 180 | +Authorization: Bearer {{access_token}} |
| 181 | +Content-Type: application/json |
| 182 | +
|
| 183 | +{ |
| 184 | + "properties": { |
| 185 | + "displayName": "{{subscription_display_name}}", |
| 186 | + "managementGroupId": null |
| 187 | + } |
| 188 | +} |
| 189 | +``` |
| 190 | + |
| 191 | +## Next steps |
| 192 | + |
| 193 | +* Now that you've created a subscription, you can grant that ability to other users and service principals. For more information, see [Grant access to create Azure Enterprise subscriptions (preview)](grant-access-to-create-subscription.md). |
| 194 | +* For more information about managing large numbers of subscriptions using management groups, see [Organize your resources with Azure management groups](../../governance/management-groups/overview.md). |
| 195 | +* To change the management group for a subscription, see [Move subscriptions](../../governance/management-groups/manage.md#move-subscriptions). |
0 commit comments