This demonstrates how to read the list of invoices from an Azure subscription
InvoiceMan can be deployed outside the subscription where invoices are read since it uses a Service Principal to retrieve invoices.
The list of invoices retrieved are limited to Azure Web-Direct subscriptions
Download the code and dependencies
git clone [email protected]:jasoncabot-ms/invoiceman.git
npm install
Ensure you have set up a service principal and entered ClientID
and ClientSecret
in the application settings
Create a local.settings.json
file in the root of the project with appropriate values, for example:
{
"IsEncrypted": false,
"Values": {
"FUNCTIONS_WORKER_RUNTIME": "node",
"AzureWebJobsStorage": "{AzureWebJobsStorage}",
"TenantDomain": "******",
"SubscriptionID": "******",
"ClientID": "******",
"ClientSecret": "******"
}
}
Start the development server
npm start
Navigate to http://localhost:7071/api/GetInvoiceStatus
This will attempt to read the list of invoices in the SubscriptionID
authenticated in the TenantDomain
using the Service Principal ClientID
and ClientSecret
The following commands will create a production build
git clone [email protected]:jasoncabot-ms/invoiceman.git
npm install
npm package
This will output the following structure which can be uploaded to a function app in Azure Functions
./dist/
└── GetInvoiceStatus
├── function.json
└── index.js
InvoiceMan consists of two (or more) subscriptions.
The first owns the resources used to read the invoice data from multiple other subscriptions and is known as the Reader
The second is the subscription that owns the invoices that will be read and is known as the Generator
In order for the Reader to access the invoices in the Generator, you must create a Service Principal associated with the Billing Reader role inside the Generator subscription.
-
Navigate to the Azure Portal
-
Azure Active Directory ➝ App registrations ➝ New registration
-
- Role: Billing Reader
- Assign access to: Azure AD User, group, or service principal
- Select: Start typing and select the name of the previously created principal
-
Cost Management + Billing ➝ Select subscription ➝ Invoices ➝ Access to invoice ➝ On
This allows users/groups with subscription-level access to download invoices.
This will allow the service principal to view personal information (name, email, and addresses) contained inside the invoices. View the privacy statement.
-
Azure Active Directory ➝ App registrations ➝ Certificates & secrets ➝ New client secret