Architecture and data flow (beta, fabric)
CloudMonitor runs as a managed SaaS on Microsoft Fabric in our own Azure tenancy — there is nothing to deploy in yours. Your cost data stays in a storage account you own, inside your tenancy. CloudMonitor reads it in place and read-only, then turns it into FinOps reports for your team.
How the data flows
The flow has three parts: your tenancy produces the data, our Fabric SaaS reads and transforms it, and your people consume the reports.
- Azure Cost Management writes a scheduled export. You set up one Azure Cost Management export that writes your cost and usage data — in the open FOCUS 1.2-preview format, as Parquet — into a storage account in your tenancy.
- The export lands in a storage account you own. It sits in a dedicated resource group, in an ADLS Gen2 storage account with hierarchical namespace enabled. This account exists solely to receive the exports.
- CloudMonitor reads it in place through a OneLake shortcut. Rather than copying your files out, our Fabric pipeline references them with a Microsoft Fabric OneLake shortcut — so there is no second copy of your data and no separate transfer to manage.
- Fabric transforms the data and builds your Fabric app. Inside our tenancy, Fabric pipelines model the data and the Fabric app surfaces your reports, insights, and recommendations.
- Your people consume the reports. Your IT and FinOps team, business unit owners, and executives get the views they each need — from day-to-day optimization to board-level spend visibility.
Where your data lives
Your exported cost files never leave the storage account you own. The OneLake shortcut is a reference into that account, not a transfer — CloudMonitor reads the files where they already are.
What lives in our tenancy is the compute and the reporting layer: the Fabric pipelines that transform the data and the Fabric app built on top of it. The raw export stays put in your storage account, under your control, and you can revoke our access at any time by removing the role assignments.
What you grant CloudMonitor
CloudMonitor connects through a multi-tenant service principal you authorize. The roles you assign it are read-only, with one exception scoped to the export storage account:
- Reader on the subscriptions or management groups you choose, so it can see service metadata and costs — but not change resources or read the data inside your services.
- Read-only billing access (or a cost-data role at the subscription scope) so it can read your cost and usage records.
- Storage Account Contributor on the one export storage account only — Azure requires this so the scheduled export can write your cost files there. It gives no access to your other resources.
The full step-by-step is in the access guide.
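One way to check the grant from your side, as an added example that is not CloudMonitor's own tooling: the function below audits the service principal's role assignments against the three roles listed above and flags anything broader. The role names `Billing Reader` and `Cost Management Reader`, the function names, and every ID and resource name in the sample are assumptions or constructed values.

```python
# Assumption: built-in role names inferred from the page's wording; confirm
# them against the access guide before relying on this list.
READ_ROLES = {"Reader", "Billing Reader", "Cost Management Reader"}
WRITE_ROLE = "Storage Account Contributor"


def norm(scope):
    # Azure resource IDs are case-insensitive; ignore trailing slashes too.
    return scope.rstrip("/").lower()


def audit(assignments, approved_scopes, export_account_id):
    """Return (role, scope, reason) for each assignment outside the grant."""
    approved = {norm(s) for s in approved_scopes}
    export_id = norm(export_account_id)
    findings = []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        if role == WRITE_ROLE:
            # Must sit on the export account itself, never on a parent scope.
            if norm(scope) != export_id:
                findings.append((role, scope, "write role outside export account"))
        elif role in READ_ROLES:
            if norm(scope) not in approved:
                findings.append((role, scope, "read role at unapproved scope"))
        else:
            findings.append((role, scope, "role not in documented grant"))
    return findings


# Constructed sample, shaped like the JSON from
# `az role assignment list --assignee <appId> --all -o json`,
# trimmed to the two fields the audit uses.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-cost-export"
EXPORT = RG + "/providers/Microsoft.Storage/storageAccounts/costexport01"
SAMPLE = [
    {"roleDefinitionName": "Reader", "scope": SUB},
    {"roleDefinitionName": "Cost Management Reader", "scope": SUB},
    {"roleDefinitionName": WRITE_ROLE,
     "scope": EXPORT.replace("resourceGroups", "resourcegroups")},
    {"roleDefinitionName": WRITE_ROLE, "scope": RG},  # too broad
    {"roleDefinitionName": "Contributor", "scope": SUB},  # not in the grant
]

if __name__ == "__main__":
    for role, scope, reason in audit(SAMPLE, [SUB], EXPORT):
        print(f"{reason}: {role} at {scope}")
```

An empty result means the principal holds only the documented roles at the scopes you approved; running it on a schedule also confirms that a revocation took effect.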
Related
- Granting CloudMonitor access to your Azure environment — the setup steps for everything shown above.
- What data CloudMonitor can see — the exact Azure Cost Management datasets and their Microsoft-published field schemas.