---
title: Architecture and data flow
canonical: "https://cloudmonitor.ai/docs/cloudmonitor-fabric-beta/architecture-and-data-flow/"
description: "How CloudMonitor on Fabric connects to your Azure environment — your cost exports stay in your tenancy and we read them in place, read-only."
---

import ArchitectureDiagram from '~/components/docs/ArchitectureDiagram.astro';

CloudMonitor runs as a managed SaaS on **Microsoft Fabric** in our own Azure
tenancy — there is nothing to deploy in yours. Your cost data stays in a storage
account **you** own, inside your tenancy. CloudMonitor reads it **in place** and
**read-only**, then turns it into FinOps reports for your team.

<ArchitectureDiagram />

## How the data flows

The flow has three parts: your tenancy produces the data, our Fabric SaaS reads
and transforms it, and your people consume the reports.

1. **Azure Cost Management writes a scheduled export.** You set up one Azure Cost
   Management export that writes your cost and usage data — in the open
   [FOCUS](https://focus.finops.org/) 1.2-preview format, as Parquet — into a
   storage account in your tenancy.
2. **The export lands in a storage account you own.** It sits in a dedicated
   resource group, in an **ADLS Gen2** storage account with hierarchical
   namespace enabled. This account exists solely to receive the exports.
3. **CloudMonitor reads it in place through a OneLake shortcut.** Rather than
   copying your files out, our Fabric pipeline references them with a
   [Microsoft Fabric OneLake shortcut](https://learn.microsoft.com/en-us/fabric/onelake/onelake-shortcuts)
   — so there is no second copy of your data and no separate transfer to manage.
4. **Fabric transforms the data and builds your Fabric app.** Inside our
   tenancy, Fabric pipelines model the data and the Fabric app surfaces your
   reports, insights, and recommendations.
5. **Your people consume the reports.** Your IT and FinOps team, business unit
   owners, and executives get the views they each need — from day-to-day
   optimization to board-level spend visibility.

## Where your data lives

**Your exported cost files never leave the storage account you own.** The
OneLake shortcut is a *reference* into that account, not a transfer — CloudMonitor
reads the files where they already are.

What lives in **our** tenancy is the compute and the reporting layer: the Fabric
pipelines that transform the data and the Fabric app built on
top of it. The raw export stays put in your storage account, under your control,
and you can revoke our access at any time by removing the role assignments.

:::note[No personally identifiable information]
These datasets contain resource and meter identifiers, quantities, prices,
dates, and your own resource tags — **not** names, email addresses, or any
personal data. See
[What data CloudMonitor can see](/docs/cloudmonitor-fabric-beta/what-data-cloudmonitor-can-see/)
for the exact field schemas.
:::

## What you grant CloudMonitor

CloudMonitor connects through a **multi-tenant service principal** you authorize.
The roles you assign it are **reader** roles, plus one write-capable role limited
to the export storage account:

- **Reader** on the subscriptions or management groups you choose, so it can see
  service metadata and costs — but **not** change resources or read the data
  inside your services.
- Read-only **billing access** (or a cost-data role at the subscription scope) so
  it can read your cost and usage records.
- **Storage Account Contributor** on the one export storage account only — Azure
  requires this so the scheduled export can write your cost files there. It gives
  no access to your other resources.

The full step-by-step is in the
[access guide](/docs/cloudmonitor-fabric-beta/granting-cloudmonitor-access-to-your-azure-environment/).
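
One way to check that the service principal holds only the grant listed above, added here as an example and not CloudMonitor's own code: it reads role assignments in the JSON shape that `az role assignment list` returns and flags anything outside that list, including Storage Account Contributor at any scope other than the export account. The billing and cost role names, the subscription ID, and the storage account path are assumptions or placeholders.

```python
import json
import sys

# Assumptions, not from the page: these built-in role names and the export scope.
READ_ONLY_ROLES = {"Reader", "Billing Reader", "Cost Management Reader"}
EXPORT_ROLE = "Storage Account Contributor"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
EXPORT_SCOPE = (SUB + "/resourceGroups/rg-cost-exports/providers/"
                "Microsoft.Storage/storageAccounts/stcostexports")  # hypothetical

def norm(scope):
    # Azure resource IDs are case-insensitive; ignore a trailing slash too.
    return scope.rstrip("/").lower()

def audit(assignments, export_scope=EXPORT_SCOPE):
    """Return (role, scope, reason) for each assignment outside the documented grant."""
    findings = []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        if role in READ_ONLY_ROLES:
            continue
        if role == EXPORT_ROLE and norm(scope) == norm(export_scope):
            continue
        reason = ("write-capable role outside the export storage account"
                  if role == EXPORT_ROLE else "role not in the documented grant")
        findings.append((role, scope, reason))
    return findings

# Constructed sample, shaped like the output of
# `az role assignment list --assignee <app-id> --all --output json`.
SAMPLE = [
    {"roleDefinitionName": "Reader", "scope": SUB},
    {"roleDefinitionName": "Cost Management Reader", "scope": SUB},
    {"roleDefinitionName": EXPORT_ROLE, "scope": EXPORT_SCOPE.upper()},
    {"roleDefinitionName": EXPORT_ROLE, "scope": SUB},  # too broad
    {"roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-app"},
]

if __name__ == "__main__":
    # Pass a saved JSON file as the first argument, or run against SAMPLE.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for role, scope, reason in audit(data):
        print(f"REVIEW {role} at {scope}: {reason}")
```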

## Related

- [Granting CloudMonitor access to your Azure environment](/docs/cloudmonitor-fabric-beta/granting-cloudmonitor-access-to-your-azure-environment/) — the setup steps for everything shown above.
- [What data CloudMonitor can see](/docs/cloudmonitor-fabric-beta/what-data-cloudmonitor-can-see/) — the exact Azure Cost Management datasets and their Microsoft-published field schemas.
