1
Authorize CloudMonitor
Enter your Azure tenant ID and work email, then approve read-only access through the standard Microsoft admin-consent screen. Only a Global Administrator can approve it.
Beta access
Connect your Azure tenant.
Two details and one click. Enter your Azure tenant ID and work email, then approve read-only access through Microsoft's standard admin-consent screen. CloudMonitor runs entirely in our Microsoft Fabric tenancy — nothing to deploy in yours — and can never change your resources.
Start your beta access
We'll record your details, then hand you to Microsoft to authorize.
By continuing you agree to our Privacy Policy and the terms of our Beta.
How it works
From consent to live reports in four steps.
You stay in control the whole way — you choose what CloudMonitor can see, and every role we ask for is read-only.
2
Grant reader permissions to the new service principal
Assign the read-only Reader role to the CloudMonitor service principal on the subscriptions (or management group) you want monitored, plus billing read access. Our access guide walks through every step.
3
We connect your account
Our team finishes wiring up cost and usage ingestion against your billing scope and subscriptions. There is nothing to deploy in your tenancy.
4
Your reports go live
We email you when your CloudMonitor reports and FinOps agents are ready — usually within a couple of business days.
A look inside the Fabric app
See what your team opens every week.
CloudMonitor is a Microsoft Fabric app of pre-built FinOps reports, an admin app for governance, and a Teams agent — one data model your CFO, engineers, and FinOps leads all read in the same language.
Executive overview
The numbers you take to the board.
A single-glance view of your FinOps program — Azure spend trend, forecast accuracy, and the cost groups moving the total. The proof points that justify the investment to finance.
- 22% average year-one Azure spend reduction
- ±3% forecast accuracy month over month
- Every dollar allocated to a named owner
Cost analytics
One view of Azure spend, sliced any way.
Break spend down by subscription, cost group, and tag, with cross-filtered drill-down from the total to a single resource. The report finance and engineering both open first thing Monday.
- Spend by subscription, cost group, and tag
- Drill-down from total to a single resource
- Row-level security so each team sees its own slice
Anomaly detection
Catch bill-shock before it lands.
Per-resource daily spend is compared against a 30-day forecast, and divergences fire as Critical, High, or Medium alerts with the owner and cost group already attached — so a creeping overspend surfaces in hours, not at month-end.
- Severity-tiered alerts, dollar impact first
- Drill to usage and recent deployments
- Owner and cost group pre-attached
Recommendations
An action queue ranked by annual saving.
Every right-sizing, reservation, idle-resource, storage-tier, and hybrid-licensing recommendation in one report, sorted by projected annual saving and backed by 14 days of CPU, RAM, IOPS, and network telemetry. The $14k item surfaces ahead of the long tail worth cents.
- VM, App Service, SQL, and AKS right-sizing
- Bulk push to Jira / ServiceNow with full context
- Audit trail of every accept, dismiss, and applied decision
Cost groups
Allocation that mirrors how you actually run.
Define cost groups from tag values, resource groups, or subscription IDs, nest them up to five levels deep, and assign Finance, Technical, and Business owners to each. Allocation maps to projects and programs, not the Azure subscription layout.
- Stand up a project cost group in under 30 minutes
- Virtual tags fix tagging gaps without redeploying
- Shared-cost and RI savings split back to consumers
Teams agent
Alerts land where your team already works.
The CloudMonitor FinOps agent posts anomaly and budget-breach cards into per-cost-group Microsoft Teams channels — acknowledge, snooze, or hand off to ITSM in place. Cost decisions happen in the channels engineers already watch, not a dashboard nobody opens.
- Per-cost-group routing, quiet hours, on-call escalation
- Acknowledge / snooze / hand off to ITSM in place
- Daily and weekly digest cards
What exactly am I approving?
You are provisioning the CloudMonitor application in your Microsoft Entra tenant so we can grant it read-only access to your costs. CloudMonitor cannot change your resources and cannot read the data inside your services.
What happens next?
As soon as you authorize, we start processing your cost data and setting up your reports. We'll reach out by email with your access once it's ready, and we'll let you know if we run into any issues connecting your account.
How much does the beta cost?
There is no cost for the first two months, in return for your feedback as an early adopter.
Can either side end the beta at any time?
Yes. Either side can end the beta immediately, with no notice period and no call required. To end it from your side, revoke the CloudMonitor app in your Microsoft Entra tenant, or email us and we'll switch off access. Either way, we stop processing your cost data.
What am I agreeing to by authorizing?
By authorizing, you agree to take part in the CloudMonitor beta and you accept our Terms and Conditions. You understand that the beta is pre-release software that may contain bugs, and that we will not require feedback from you.
Where do I find my tenant ID?
In the Microsoft Entra admin center under Overview → Tenant ID, or in the Azure portal as the Directory ID. It is a 36-character GUID.
Do I need to be an administrator?
Approving access requires the Microsoft Entra Cloud Application Administrator role — the least-privilege role for this step, and the one we encourage rather than using a Global Administrator. On the beta sign-up page you can enter your details and forward the authorization link to whoever holds that role.
Who sees my cost information?
Only your team and the CloudMonitor onboarding team helping you set up. During the beta, our onboarding team will be debugging and evaluating your data for the purpose of the beta, for the duration of the beta; after the beta, that access moves to a support-request-only basis.
Can you see any PII data?
No. There's no personally identifiable information in any of the cost datasets. See what data CloudMonitor can see for the exact schemas.
Will all existing customers be updated?
Yes. We are offering the beta to our existing customers first, and they will be upgraded to the new version.
Are we adding more features to the old version?
No. The old technology is considered legacy and very hard to extend. The new technology we're using is built for agentic development, which means faster delivery, faster release cycles, and more value for our customers. We will not be updating the old version, although we will support it until all our customers are migrated to the new version.
Do we host any infrastructure in our Azure tenancy?
No — zero infrastructure in your tenancy. CloudMonitor runs entirely in our Microsoft Fabric tenancy: no Fabric capacity for you to license, no Hubs deployment, no Azure resources to manage. The annual license covers the Fabric capacity we run for you. Your team gets a hosted SaaS URL and a Fabric app — that is the whole footprint on your side.
How is our data isolated inside Microsoft Fabric and OneLake?
Every customer gets a dedicated Microsoft Fabric workspace, and your data lives in that workspace's own OneLake storage — the workspace is the isolation boundary, so your data is never co-mingled with another customer's. The CloudMonitor application is scoped to your workspace and has no path to read across workspaces. Authentication and authorization are handled entirely by native Microsoft Entra ID and Fabric workspace roles — we have not built a custom identity or permissions layer on top, so access is governed by the same Microsoft security model that protects the rest of your Azure estate. Only the Entra users you authorize can reach your data. See the Information Trust Center for the full posture.
