Granting CloudMonitor access to your Azure environment betafabric
Thank you for joining the CloudMonitor beta. This guide explains exactly what you need to do so CloudMonitor can read your cost and usage data and start producing FinOps insights for your organization.
Every permission this guide asks for follows the principle of least privilege — the minimal access CloudMonitor needs to read your cost and usage data, and nothing more. It’s read-only wherever Azure allows; the only write or management access anywhere in the guide is the minimal role needed to create and run the scheduled cost export (see Step 4).
Two ways to grant access. Most teams click through the Azure portal; if you prefer the command line, an optional script makes the same grants for you. Both reach the same read-only result.
CloudMonitor connects through a multi-tenant service principal that we provide. You authorize our application, grant it read-only access to the subscriptions and billing scope you choose, and create one dedicated storage account that receives your scheduled cost exports. Our backend then reads your cost and usage data from that export and through the Azure APIs.
What we send you
Section titled “What we send you”We send you one thing: the admin consent URL (used in Step 1). You don’t need any IDs from us up front.
When you open that URL and approve it, Azure automatically creates the CloudMonitor application in your tenant. It always has the same fixed identifiers, so you can recognize and look it up afterwards:
| Identifier | Value |
|---|---|
| Display name | cloudmonitor-beta |
| Application (client) ID | ef7bf83e-23c6-4d84-962b-a3b0f14695a5 |
Use the display name cloudmonitor-beta (or the client ID above) to find
and select the service principal whenever you assign roles in the steps below —
or any time you want to look it up in Microsoft Entra.
After you finish, you simply let us know — see Let us know when you’re done.
Step 1 — Authorize the CloudMonitor application
Section titled “Step 1 — Authorize the CloudMonitor application”This is a one-time action. It provisions the CloudMonitor service principal in your tenant so you can assign it the read-only Azure roles in Steps 2 and 3. CloudMonitor requests no directory or Microsoft Graph permissions — all of its access comes from the Azure role assignments you make below.
- An administrator opens the admin consent URL we provided
(it looks like
https://login.microsoftonline.com/<your-tenant-id>/adminconsent?client_id=ef7bf83e-23c6-4d84-962b-a3b0f14695a5). - Sign in and click Accept. Because CloudMonitor requests no directory permissions, this simply creates the application in your tenant — it does not grant any access on its own.
- Once complete, a matching entry appears in your tenant under
Microsoft Entra ID → Enterprise applications. You can confirm it by
searching for the display name
cloudmonitor-beta(or the client ID above).
Step 2 — Prepare your subscriptions
Section titled “Step 2 — Prepare your subscriptions”Two subscription-level tasks: grant CloudMonitor read access (2a), then make sure the cost-export resource provider is registered (2b).
2a — Grant subscription read access
Section titled “2a — Grant subscription read access”Do this for each Azure subscription you want CloudMonitor to monitor. If you use management groups, assign the role once at the management-group scope and every current and future subscription underneath is covered automatically — this is the recommended approach.
- In the Azure portal, open the subscription (or management group) you want to monitor.
- Select Access control (IAM).
- Click + Add → Add role assignment.
- If + Add is greyed out, your account does not have the Owner role on this scope. Ask whoever does to complete this step.
- On the Role tab, select Reader, then click Next.
- On the Members tab, choose User, group, or service principal and click Select members.
- Search for
cloudmonitor-beta(or paste the client ID above), select it, and click Select. - Click Review + assign.
- Repeat for any additional subscriptions, or use a management group to cover them all at once.
2b — Register the export resource provider
Section titled “2b — Register the export resource provider”The scheduled Cost Management export that lands in your storage account
(Step 4) needs the
Microsoft.CostManagementExports resource provider registered on the
subscription that will hold that account. It’s often already registered — so
just check, and register it only if it isn’t. Since you’re already working at the
subscription level here, it’s a quick one to knock out now.
- Open the subscription that will hold your cost-export storage account.
- Select Resource providers.
- Search for
Microsoft.CostManagementExportsand check the Status. If it shows Registered, there’s nothing to do. If it shows NotRegistered, select it and click Register.
For more on registering providers, see Microsoft’s guide to Azure resource providers.
Step 3 — Grant billing access
Section titled “Step 3 — Grant billing access”Cost data is most complete when CloudMonitor reads it at the billing account scope. The exact steps depend on your billing agreement type.
Not sure which you have? See Microsoft’s guide: Check the type of your billing account.
Choose the section that matches your agreement:
- 3a. Microsoft Customer Agreement (MCA)
- 3b. Enterprise Agreement (EA, legacy)
- 3c. No billing-account access (or running through a CSP)
If you set up MCA (3a) or EA (3b) billing access, also complete 3d. Grant reservation read access — a separate, tenant-scoped role for reservation data. CSP / subscription-scope setups (3c) skip 3d — reservations aren’t accessible in those arrangements.
3a — Microsoft Customer Agreement (MCA)
Section titled “3a — Microsoft Customer Agreement (MCA)”- In the Azure portal, open Cost Management + Billing. (This is at the billing-account level, not the subscription level.)
- Select the billing scope (billing account or billing profile) you want CloudMonitor to read.
- Select Access control (IAM) and click + Add.
- Choose the Billing account reader role. (This role has no write permissions.)
- Select the CloudMonitor application and click Add.
3b — Enterprise Agreement (EA, legacy)
Section titled “3b — Enterprise Agreement (EA, legacy)”EA billing roles can’t be assigned in the Azure portal, so this uses the Azure Billing REST API.
-
Open the REST API “Try it” page: Billing Role Assignments — Put.
- Sign in with an admin account.
- Select the AD tenant that you authorized in Step 1.
-
Fill in the parameters:
billingAccountName— your Billing account ID, found on the Cost Management + Billing overview page.billingRoleAssignmentName— a new, unique GUID. Generate one at guidgenerator.com.
-
Paste this into the Body, replacing the placeholders:
{"properties": {"principalId": "<cloudmonitor-service-principal-object-id>","principalTenantId": "<your-tenant-id>","roleDefinitionId": "/providers/Microsoft.Billing/billingAccounts/<your-billing-account-id>/billingRoleDefinitions/24f8edb6-1668-4659-b5e2-40bb5f3a7d7e"}}principalId— the Object ID of the CloudMonitor app in your tenant. Find it under Microsoft Entra ID → Enterprise applications, search forcloudmonitor-beta, and copy its Object ID.principalTenantId— your Directory (tenant) ID.<your-billing-account-id>— the same value you used forbillingAccountName.24f8edb6-1668-4659-b5e2-40bb5f3a7d7eis the fixed role-definition ID for the read-only EnrollmentReader role — leave it as-is.
-
Click Run. A 200 status means success.
- 400 — recheck every field.
- 403 — your account doesn’t have permission; sign in as an Account Owner or Department Administrator.
3c — No billing-account access (or running through a CSP)
Section titled “3c — No billing-account access (or running through a CSP)”Use this if you don’t have access to your billing account (for example, your CSP or managed service provider holds it), or if the MCA limitation above applies. CloudMonitor reads cost data at the subscription scope instead.
- In the Azure portal, open a subscription that CloudMonitor already has Reader access to (from Step 2a).
- Select Access control (IAM) → + Add → Add role assignment.
- On the Role tab, select Cost Management Contributor.
- On the Members tab, click Select members, search for the CloudMonitor application, and select it.
- Click Review + assign.
- Repeat for each subscription you want cost data from.
3d — Grant reservation read access
Section titled “3d — Grant reservation read access”This step applies to Microsoft Customer Agreement (MCA) and Enterprise
Agreement (EA) accounts only — complete it if you set up billing access in
3a or
3b. Reservations are a tenant-scoped
resource (under Microsoft.Capacity) with their own access control, separate
from your subscriptions and billing account — so reservation orders, details,
and utilization don’t come through the roles you granted in 3a or 3b. Granting
Reservations Reader at the tenant level lets CloudMonitor read your
reservation orders and utilization across the whole tenant, which is what makes
reservation coverage and net-savings reporting possible.
- In the Azure portal, go to Reservations.
- Select Role assignment from the top command bar.
- This grants access to all reservations in the tenant. Don’t use the per-reservation Access control (IAM) — that would only cover a single reservation.
- Click + Add → Add role assignment.
- On the Role tab, select Reservations Reader, then click Next.
- On the Members tab, choose User, group, or service principal and click
Select members. Search for
cloudmonitor-beta(or paste the client ID above), select it, and click Select. - Click Review + assign.
Step 4 — Set up the cost-data export storage
Section titled “Step 4 — Set up the cost-data export storage”CloudMonitor receives your detailed cost data through a scheduled Azure Cost Management export. You create one dedicated storage account for these exports and grant the CloudMonitor service principal access to it. (The export resource provider this relies on is registered back in Step 2b.) CloudMonitor authenticates to this storage account using the service principal you authorized in Step 1 — no access keys are shared.
Your data stays in your storage account. Rather than copying it out, CloudMonitor reads the exported files in place using a Microsoft Fabric OneLake shortcut — a reference that surfaces your storage account directly inside our Fabric pipeline, so there’s no second copy of your data and no separate transfer to manage. You can read more about OneLake shortcuts.
4a — Create the storage account
Section titled “4a — Create the storage account”- In the Azure portal, go to Storage accounts and click Create.
- Select the subscription. Choose one of your existing subscriptions, or
create a new one, to host the new CloudMonitor exports landing zone. Treat its
contents as production data and apply all your existing company policies
(governance, access, retention, and the like). Then, under Resource group,
click Create new and make a dedicated resource group for these cost
exports. So the group is easy to find, audit, and remove later, do at least
one of the following: give it a name that includes CloudMonitor (for
example,
rg-cloudmonitor-exports), or tag the resource groupPurpose=CloudMonitor Exportsfrom its own Tags page once it exists. (The Tags tab in this wizard tags the storage account, not the new resource group, so set the group’s tag from the resource group itself.) - Name the storage account per your organization’s naming conventions.
- Leave the default Standard performance and Azure Blob Storage or Azure Data Lake Storage Gen2 primary service — this creates a general-purpose v2 (StorageV2) account.
- Region — choose the region closest to your main workloads to avoid egress charges.
- Redundancy — LRS is sufficient.
- On the Advanced tab, enable Hierarchical namespace (Azure Data Lake Storage Gen2 — the “hierarchical folders” option). This is required so CloudMonitor can read the exports through a Fabric OneLake shortcut.
- Click Review + create.
4b — Grant CloudMonitor access to the storage account
Section titled “4b — Grant CloudMonitor access to the storage account”CloudMonitor’s service principal does two distinct things with this account, so it needs two role assignments here — and nothing else:
- Storage Account Contributor — lets CloudMonitor create and run the scheduled Cost Management export that lands your cost files in this account. Pointing an export at a storage account requires management-plane write on that account, which the Cost Management Contributor role from Step 3 doesn’t include. This role is for setting up the export, not for reading your data — reading is handled by the Storage Blob Data Reader role below (see the note for a stricter, no-keys variant).
- Storage Blob Data Reader — lets CloudMonitor read the exported files in place through the Fabric OneLake shortcut. Read-only is all that’s needed: the export’s writes are performed by Azure Cost Management itself (via the copy permission you set in 4c), not by CloudMonitor.
Assign both roles to cloudmonitor-beta, scoped to this one storage
account only:
- Open the storage account you created in Step 4a.
- Select Access control (IAM) → + Add → Add role assignment.
- On the Role tab, select Storage Account Contributor, then Next.
- On the Members tab, click Select members, search for
cloudmonitor-beta, select it, click Select, then Review + assign. - Repeat + Add → Add role assignment for the Storage Blob Data Reader
role, assigning it to
cloudmonitor-betathe same way.
4c — Allow cost-export write operations
Section titled “4c — Allow cost-export write operations”- On the same storage account, open Configuration.
- Set Permitted scope for copy operations to “From any storage account”.
- Click Save.
This lets Azure Cost Management write the scheduled export data into the account.
Let us know when you’re done
Section titled “Let us know when you’re done”You don’t need to send us any IDs. Once you’ve completed the steps above, just email support@cloudmonitor.ai to let us know it’s done — we can take care of the rest from our side.
What happens next
Section titled “What happens next”- We run a health check on your setup to confirm the permissions and the cost export are working as expected.
- We extract your data and build your CloudMonitor reports.
- We email you the link to your reports, at the address you gave us.
Run into a problem at any point? Click here to raise a ticket and our support team will help.
Quick reference — everything CloudMonitor asks for
Section titled “Quick reference — everything CloudMonitor asks for”| Scope | Role / permission | How it’s granted | Access level |
|---|---|---|---|
| Subscription / management group | Reader | IAM role assignment (Step 2a) | Read-only |
| Billing account — MCA | Billing account reader | IAM role assignment (Step 3a) | Read-only |
| Billing account — EA | EnrollmentReader | Billing REST API (Step 3b) | Read-only |
| Subscription — billing fallback (not for MCA or EA) | Cost Management Contributor | IAM role assignment (Step 3c) | Cost data only |
| Reservations — tenant scope (MCA & EA only) | Reservations Reader | Tenant-level role assignment (Step 3d) | Read-only |
| Cost-export storage account (one dedicated account) | Storage Account Contributor | IAM role assignment (Step 4b) | Create & run the export on this one account; no blob data access |
| Cost-export storage account (same account) | Storage Blob Data Reader | IAM role assignment (Step 4b) | Read-only access to the exported blob data |
Questions at any point? Reach out to your CloudMonitor contact — we’re happy to walk through any step with you.