
Data security statement

How CloudMonitor reads your Azure data — and what it never touches.

A plain-English explanation of CloudMonitor's data handling. Suitable to share with your security and procurement teams.

The four guarantees

Four data-handling commitments.

  • Hosted SaaS: encrypted in transit and at rest
  • Read-only: CloudMonitor cannot modify your resources
  • Revocable: you can cut access from the Azure portal
  • Audited: ISO 27001 + 9001 + 42001 certified

Where your data lives

Your cost data never leaves the storage account you own.

CloudMonitor reads your FOCUS billing export in place through a Microsoft Fabric OneLake shortcut — read-only, no second copy — and only your authorized users see the reports and Finn, the FinOps agent, that come out of it.

How your Azure cost data reaches CloudMonitor

Your Azure Cost Management writes a scheduled FOCUS export into a storage account in a resource group you own, inside your own Azure tenancy. CloudMonitor's managed SaaS on Microsoft Fabric, in our tenancy, reads that export in place and read-only through a OneLake shortcut, then serves two surfaces off the same data: a Microsoft Fabric app of reports and insights, and Finn, a natural-language Fabric data agent. Both are consumed by your IT and FinOps team, business unit owners, and executives.

[Diagram: data flow across three zones. Your Azure tenancy: Azure Cost Management scheduled FOCUS export; CloudMonitor resource group containing the storage account (ADLS Gen2, hierarchical namespace, exports landing zone, your data stays here); read-only service principal with no access to your other resources; OneLake shortcut (read in place, no copy). Our Azure tenancy: CloudMonitor on Fabric, managed SaaS; Microsoft Fabric OneLake shortcut and pipelines transform your exports; CloudMonitor Fabric app (reports, insights and recommendations); Finn, the FinOps agent (Fabric data agent, ask your costs in plain English). Your people: IT/FinOps team (monitor and optimize); business unit owners (cost accountability); CFO/execs (spend visibility).]
Your exported cost files never leave the storage account you own — CloudMonitor reads them in place, read-only, through a Microsoft Fabric OneLake shortcut, then serves both the Fabric app and Finn, a natural-language FinOps agent.

What we read

We read billing metadata, and nothing else.

CloudMonitor reads the FOCUS-format billing export and a small set of resource metadata fields (resource IDs, types, regions, tags, SKUs) via the Azure Resource Graph.

We do not read application data, customer data, secrets, configuration files, or anything inside the resources themselves. CloudMonitor has no visibility into your VMs, databases, storage contents, or application traffic.

  • FOCUS billing export
  • Resource Graph metadata
  • Azure Advisor recommendations (where available)
  • Resource type, SKU, region, and tag metadata

How we access

Scoped read-only access, revocable any time.

CloudMonitor reads your Azure billing data under scoped, read-only permissions. You control the scope and can revoke access from your Azure portal at any time, without contacting support.

The delegation is read-only and scoped to billing metadata — no write access, and no support ticket needed to remove it.

Where the data lives

In the region you choose.

Your billing data never leaves the storage account you own — CloudMonitor reads it in place through the OneLake shortcut and never makes a second copy. It stays encrypted, isolated per customer, and accessible only to your authorized users, in the region you choose at sign-up.

Pick the data residency region at sign-up — Australia, EU, US, or any other supported region — to meet your compliance and sovereignty requirements.

FAQ

Trust, security & beta questions

Do we host any infrastructure in our Azure tenancy?

Next to nothing. CloudMonitor's platform runs entirely in our Microsoft Fabric tenancy — no Fabric capacity for you to license, no Hubs deployment, no compute or managed app in your tenant. The only Azure resource you create is one storage account that receives your scheduled cost exports; CloudMonitor reads it in place and needs nothing else. The annual license covers the Fabric capacity we run for you, and your team just gets a hosted SaaS URL and a Fabric app.

Does CloudMonitor follow least-privilege access?

Yes. Every permission CloudMonitor asks for is the minimal access needed to read your cost and usage data — read-only wherever Azure allows, scoped to the subscriptions and billing scope you choose. The only write or management access anywhere in setup is a single, tightly scoped role on the storage account that receives your cost exports, used only to create and run that export. Full detail is in the access guide.

Where is our data stored?

CloudMonitor is a hosted SaaS platform running in our Microsoft Fabric tenancy. Your billing data stays in the storage account you own. CloudMonitor reads it in place through a OneLake shortcut, read-only, and never makes a second copy. The CloudMonitor environment that reads it and serves your reports runs in the data residency region you choose at sign-up — encrypted in transit and at rest. Every customer gets a dedicated Microsoft Fabric workspace, so your data lives in its own isolated workspace and is never co-mingled with another customer's. CloudMonitor staff access is restricted, audited, and gated by least-privilege controls, and only your authorized users see your reports.

How does our Azure billing data reach CloudMonitor?

You configure a FOCUS cost export to an Azure Storage account in your tenant and grant CloudMonitor scoped read-only access to it. CloudMonitor ingests that export into your dedicated Microsoft Fabric workspace, where it becomes your reports. Only billing and resource metadata moves — never the data inside your resources. See the Information Trust Center for the full data-flow detail.

How is our data isolated inside Microsoft Fabric and OneLake?

Every customer gets a dedicated Microsoft Fabric workspace, and your data lives in that workspace's own OneLake storage. The workspace is the isolation boundary, so your data is never co-mingled with another customer's. The CloudMonitor application is scoped to your workspace and has no path to read across workspaces. Authentication and authorization are handled entirely by native Microsoft Entra ID and Fabric workspace roles; we have not built a custom identity or permissions layer on top, so access is governed by the same Microsoft security model that protects the rest of your Azure estate. Only the Entra users you authorize can reach your data. See the Information Trust Center for the full posture.

Can CloudMonitor see our application data?

No. CloudMonitor reads only billing metadata and resource-level metadata (IDs, types, SKUs, tags). It has no access to data inside your resources.

What level of Azure access do you need?

Read-only, scoped to your billing data. You can limit it to specific subscriptions and revoke it from the Azure portal at any time. CloudMonitor has no write access to your workloads or the data inside your services. The one exception is a tightly scoped management role on the single storage account that receives your cost exports, used only to set up that export. Nothing else in your environment is writable by CloudMonitor.

CloudMonitor says it's read-only — why does it need a write role on the storage account?

CloudMonitor's access to your cost and usage data is read-only. The one management role it needs — on the single storage account that receives your cost exports — exists only so CloudMonitor can create and run the scheduled Azure Cost Management export that lands your billing data there. Azure requires write access on the destination account to set up an export; that role gives CloudMonitor no access to your other resources or to the data inside your services, and reading the exported files back uses a separate read-only role. See the access guide.

Does CloudMonitor need any Microsoft Entra directory or Graph permissions?

No. Authorizing CloudMonitor provisions our application in your Microsoft Entra tenant, but it requests no directory or Microsoft Graph permissions — so consenting grants no access on its own. All of CloudMonitor's access comes from the read-only Azure role assignments you make, scoped to the subscriptions and billing data you choose. See the access guide.

Do we share a client secret or storage access keys with CloudMonitor?

No. CloudMonitor connects through a multi-tenant service principal that we provide and you authorize — you don't create or hand over a client secret, and no storage account access keys are shared. CloudMonitor authenticates to your storage and the Azure APIs over Microsoft Entra ID using the read-only role assignments you grant, which you can revoke at any time.
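The answers above all rest on one verifiable claim: the CloudMonitor service principal holds only read-only role assignments, plus a single management role on the export storage account. The following script is an added example, not CloudMonitor's own code or tooling, that checks that claim against a role-assignment listing. It assumes the JSON shape printed by `az role assignment list --all` (the `principalId`, `roleDefinitionName` and `scope` fields), and the specific role names it treats as read-only (Reader, Cost Management Reader, Storage Blob Data Reader) and as the export-account management role (Storage Account Contributor) are assumptions, since the page does not name the built-in roles involved. The principal id, subscription id and storage account name are constructed placeholders.

```python
import re

# Role names are assumptions for this example: the page says CloudMonitor
# holds "read-only role assignments" plus "a single, tightly scoped role on
# the storage account", but does not name the built-in roles involved.
READ_ONLY_ROLES = {"Reader", "Cost Management Reader", "Storage Blob Data Reader"}
EXPORT_ACCOUNT_ROLE = "Storage Account Contributor"  # assumed management role

# A scope that is exactly one storage account: nothing broader (subscription,
# resource group) and nothing narrower (container, blob).
STORAGE_ACCOUNT_SCOPE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
    r"/providers/Microsoft\.Storage/storageAccounts/[^/]+$",
    re.IGNORECASE,
)


def audit_role_assignments(assignments, principal_id, export_account_scope):
    """Return the assignments held by principal_id that exceed the documented
    posture: read-only roles at any scope, plus the one management role on
    the export storage account itself.

    `assignments` is a list of dicts shaped like the JSON printed by
    `az role assignment list --all` (principalId, roleDefinitionName, scope).
    """
    findings = []
    for a in assignments:
        if a.get("principalId") != principal_id:
            continue  # belongs to another identity; not this check's concern
        role, scope = a["roleDefinitionName"], a["scope"]
        if role in READ_ONLY_ROLES:
            continue
        if role == EXPORT_ACCOUNT_ROLE:
            # The regex guards against a caller passing a broader scope
            # (e.g. a resource group) as the "export account".
            if STORAGE_ACCOUNT_SCOPE.match(scope) and scope.lower() == export_account_scope.lower():
                continue  # the single expected management role, at the expected scope
            reason = "management role granted outside the export storage account"
        else:
            reason = "role not in the documented read-only set"
        findings.append({"role": role, "scope": scope, "reason": reason})
    return findings


# Constructed sample: placeholder principal id, subscription and account names.
PRINCIPAL_ID = "00000000-0000-0000-0000-0000000000aa"
SUBSCRIPTION = "/subscriptions/11111111-1111-1111-1111-111111111111"
RESOURCE_GROUP = SUBSCRIPTION + "/resourceGroups/cloudmonitor-rg"
EXPORT_ACCOUNT = RESOURCE_GROUP + "/providers/Microsoft.Storage/storageAccounts/cmexports001"

SAMPLE_ASSIGNMENTS = [
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "Cost Management Reader", "scope": SUBSCRIPTION},
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "Storage Blob Data Reader", "scope": EXPORT_ACCOUNT},
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "Storage Account Contributor", "scope": EXPORT_ACCOUNT},
    # Drift 1: a broad write role at subscription scope.
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "Contributor", "scope": SUBSCRIPTION},
    # Drift 2: the management role widened to the whole resource group.
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "Storage Account Contributor", "scope": RESOURCE_GROUP},
    # Another identity's assignment, ignored by the check.
    {"principalId": "some-other-principal", "roleDefinitionName": "Owner", "scope": SUBSCRIPTION},
]

if __name__ == "__main__":
    for f in audit_role_assignments(SAMPLE_ASSIGNMENTS, PRINCIPAL_ID, EXPORT_ACCOUNT):
        print(f"{f['role']} @ {f['scope']}: {f['reason']}")
```

Run against the constructed sample, the check reports the two drifted assignments and stays silent on the three that match the documented posture. Re-running it after onboarding, and again whenever the access guide changes, is a cheap way to confirm that "revocable, read-only" still describes what the tenant actually grants.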

Does the cost-export storage account cost us anything?

Very little. CloudMonitor's cost exports are small files and Azure Data Lake storage is inexpensive, but they accumulate over time. You can cap the cost by applying an Azure Blob Storage lifecycle-management policy that automatically deletes exports older than a retention window you choose — keeping enough history for the trends you rely on. It's the only Azure resource you create for CloudMonitor.

Can we audit what CloudMonitor reads?

Yes — Azure Activity Log shows every read against your subscriptions. The reads originate from CloudMonitor's authorized identity and are logged like any other Azure action.
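To make that audit concrete, here is an added example (not CloudMonitor's code) that scans Activity Log entries for the CloudMonitor identity and lists every operation that is not a plain read. It assumes the JSON shape of `az monitor activity-log list -o json` (`caller`, `authorization.action`, `authorization.scope`, `status.value`, `eventTimestamp`), and the caller id, subscription and timestamps are constructed placeholders. Two points worth knowing when reading the output: Activity Log records control-plane operations, so reads of the exported blob contents themselves appear in the storage account's resource logs rather than here; and failed attempts are logged alongside successful ones, so a denied operation still shows up as a finding.

```python
# Constructed sample entries shaped like `az monitor activity-log list -o json`
# output; only the fields this check uses are included.
CLOUDMONITOR_CALLER = "00000000-0000-0000-0000-0000000000aa"  # placeholder object id
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
EXPORT_ACCOUNT = SUB + "/resourceGroups/cloudmonitor-rg/providers/Microsoft.Storage/storageAccounts/cmexports001"

SAMPLE_EVENTS = [
    {"eventTimestamp": "2026-03-01T02:00:11Z", "caller": CLOUDMONITOR_CALLER,
     "authorization": {"action": "Microsoft.Resources/subscriptions/resourceGroups/read", "scope": SUB},
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2026-03-01T02:00:12Z", "caller": CLOUDMONITOR_CALLER,
     "authorization": {"action": "Microsoft.CostManagement/query/action", "scope": SUB},
     "status": {"value": "Succeeded"}},
    # An attempt to retrieve the storage account keys: not a read, and denied.
    {"eventTimestamp": "2026-03-01T02:00:15Z", "caller": CLOUDMONITOR_CALLER,
     "authorization": {"action": "Microsoft.Storage/storageAccounts/listKeys/action", "scope": EXPORT_ACCOUNT},
     "status": {"value": "Failed"}},
    # A write against a workload resource: not a read, and denied.
    {"eventTimestamp": "2026-03-01T02:00:20Z", "caller": CLOUDMONITOR_CALLER,
     "authorization": {"action": "Microsoft.Compute/virtualMachines/write",
                       "scope": SUB + "/resourceGroups/app-rg/providers/Microsoft.Compute/virtualMachines/web01"},
     "status": {"value": "Failed"}},
    # A human operator's write, ignored because the caller differs.
    {"eventTimestamp": "2026-03-01T02:05:00Z", "caller": "alice@example.com",
     "authorization": {"action": "Microsoft.Compute/virtualMachines/write",
                       "scope": SUB + "/resourceGroups/app-rg/providers/Microsoft.Compute/virtualMachines/web01"},
     "status": {"value": "Succeeded"}},
]

# Actions that are not literally ".../read" but that you have confirmed the
# integration performs legitimately. Cost queries are the assumed example here.
EXPECTED_ACTIONS = {"Microsoft.CostManagement/query/action"}


def _action_of(event):
    return (event.get("authorization") or {}).get("action", "")


def non_read_operations(events, caller, expected_actions=frozenset()):
    """Return every operation by `caller` whose RBAC action is neither a
    ".../read" action nor one of `expected_actions`, keeping the outcome so
    denied attempts are visible too."""
    findings = []
    for e in events:
        if e.get("caller") != caller:
            continue
        action = _action_of(e)
        if action.lower().endswith("/read") or action in expected_actions:
            continue
        findings.append({
            "timestamp": e.get("eventTimestamp"),
            "action": action,
            "scope": (e.get("authorization") or {}).get("scope"),
            "status": (e.get("status") or {}).get("value"),
        })
    return findings


def count_by_action(events, caller):
    """Tally of every distinct action the caller performed, for a quick
    picture of what the identity actually does day to day."""
    counts = {}
    for e in events:
        if e.get("caller") != caller:
            continue
        action = _action_of(e)
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    for f in non_read_operations(SAMPLE_EVENTS, CLOUDMONITOR_CALLER, EXPECTED_ACTIONS):
        print(f"{f['timestamp']} {f['status']:9} {f['action']} @ {f['scope']}")
    print(count_by_action(SAMPLE_EVENTS, CLOUDMONITOR_CALLER))
```

On the constructed sample the scan reports the key-retrieval attempt and the VM write, both denied, and ignores the operator's own write. Keeping `expected_actions` short and explicit is deliberate: every action you add to it is an action you have decided not to be alerted on.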

Are you ISO certified?

Yes — ISO/IEC 27001:2022 (Information Security), ISO 9001:2015 (Quality Management), and ISO/IEC 42001 (AI Management). Certificates available under NDA — see the certification statement.

Can we get a SOC 2 report?

CloudMonitor is ISO/IEC 27001 certified, which covers the same controls. We can share the certificate and a Stage 2 audit summary under NDA — request the Security Pack. See the full ISO 27001 + 9001 certification statement for scope, certifying body, and audit cadence.

How do you govern the AI and agentic features?

CloudMonitor operates a certified AI management system under ISO/IEC 42001 — covering AI risk assessment, transparency, human oversight, and lifecycle controls. Every agentic FinOps action runs against scoped permissions, an approval workflow, and a reversible audit trail.

How do you handle a breach?

CloudMonitor maintains an incident response plan aligned to ISO 27001 Annex A.16. Because CloudMonitor only ever holds billing and resource metadata — never the data inside your resources — a breach of CloudMonitor systems would not expose your application data. We notify affected customers within 24 hours of confirming any incident with potential impact.

Can we run a penetration test?

Yes — coordinate via Customer Success. We support customer-initiated pen tests against the CloudMonitor app and admin app surfaces.

Is CloudMonitor certified by Microsoft?

Yes — CloudMonitor is a Microsoft Solutions Partner with certified software for Azure. The designation confirms the platform has been technically reviewed for interoperability with Microsoft Azure and validated against Microsoft Marketplace customer-success criteria. Procurement teams can reference the Microsoft Learn overview of the designation and the Information Trust Center for the full certification stack (ISO 27001, ISO 9001, ISO 42001, FinOps Specialty Solution, and Microsoft Solutions Partner).

What happens to our data if we cancel?

When you cancel, revoke CloudMonitor's access from your Azure portal and request data deletion. We delete your data within 30 days; nothing is retained beyond contractual backup windows.

How do we get a copy of the certificate?

Certificates are available for download on request. Open a ticket via the Support Helpdesk and we'll send the current certificates within one business hour.

How often are you audited?

Annual surveillance audits, with full re-certification every 3 years. Our most recent surveillance was in February 2026.

How is each customer's data kept isolated?

Every customer gets a dedicated Microsoft Fabric workspace, and their data lives in that workspace's own OneLake storage — the workspace is the isolation boundary, so no two customers' data is ever co-mingled. As a partner you get a portfolio view across your book of business, but each of your customers only ever sees their own data. Full posture is on the Information Trust Center.

What exactly am I approving?

You are provisioning the CloudMonitor application in your Microsoft Entra tenant so we can grant it read-only access to your costs. CloudMonitor cannot change your resources and cannot read the data inside your services.

What happens next?

As soon as you authorize, we start processing your cost data and setting up your reports. We'll reach out by email with your access once it's ready, and we'll let you know if we run into any issues connecting your account.

How much does the beta cost?

There is no cost for the first two months, in return for your feedback as an early adopter.

Can either side end the beta at any time?

Yes. Either side can end the beta immediately, with no notice period and no call required. To end it from your side, revoke the CloudMonitor app in your Microsoft Entra tenant, or email us and we'll switch off access. Either way, we stop processing your cost data.

What am I agreeing to by authorizing?

By authorizing, you agree to take part in the CloudMonitor beta and you accept our Terms and Conditions. You understand that the beta is pre-release software that may contain bugs, and that we will not require feedback from you.

Where do I find my tenant ID?

In the Microsoft Entra admin center under Overview → Tenant ID, or in the Azure portal as the Directory ID. It is a 36-character GUID.

Do I need to be an administrator?

Approving access requires the Microsoft Entra Cloud Application Administrator role — the least-privilege role for this step, which we recommend over Global Administrator. On the beta sign-up page you can enter your details and forward the authorization link to whoever holds that role.

Who sees my cost information?

Only your team and the CloudMonitor onboarding team helping you set up. For the duration of the beta, our onboarding team will access your data to debug and evaluate the service; after the beta, that access moves to a support-request-only basis.

Can you see any PII data?

No. There's no personally identifiable information in any of the cost datasets. See what data CloudMonitor can see for the exact schemas.

Will all existing customers be updated?

Yes. We are offering the beta to our existing customers first, and they will be upgraded to the new version.

Are we adding more features to the old version?

No. The old technology is considered legacy and very hard to extend. The new technology we're using is built for agentic development, which means faster delivery and shorter release cycles. We will not be updating the old version, although we will support it until all our customers are migrated to the new version.


Need to brief your security team?

We provide NDAs, security questionnaires, and our ISO certification details on request.