Skip to content

Granting CloudMonitor access to your Azure environment betafabric

Thank you for joining the CloudMonitor beta. This guide explains exactly what you need to do so CloudMonitor can read your cost and usage data and start producing FinOps insights for your organization.

Every permission this guide asks for follows the principle of least privilege — the minimal access CloudMonitor needs to read your cost and usage data, and nothing more. It’s read-only wherever Azure allows; the only write or management access anywhere in the guide is the minimal role needed to create and run the scheduled cost export (see Step 4).

Two ways to grant access. Most teams click through the Azure portal; if you prefer the command line, an optional script makes the same grants for you. Both reach the same read-only result.

CloudMonitor connects through a multi-tenant service principal that we provide. You authorize our application, grant it read-only access to the subscriptions and billing scope you choose, and create one dedicated storage account that receives your scheduled cost exports. Our backend then reads your cost and usage data from that export and through the Azure APIs.

How your Azure cost data reaches CloudMonitor Your Azure Cost Management writes a scheduled FOCUS export into a storage account in a resource group you own, inside your own Azure tenancy. CloudMonitor's managed SaaS on Microsoft Fabric, in our tenancy, reads that export in place and read-only through a OneLake shortcut, then serves two surfaces off the same data: a Microsoft Fabric app of reports and insights, and Finn, a natural-language Fabric data agent. Both are consumed by your IT and FinOps team, business unit owners, and executives. YOUR AZURE TENANCY Azure Cost Management scheduled FOCUS export CLOUDMONITOR RESOURCE GROUP Storage account ADLS Gen2 · hierarchical namespace exports landing zone your data stays here Read-only service principal no access to your other resources OneLake shortcut read in place · no copy OUR AZURE TENANCY CloudMonitor on Fabric · managed SaaS Microsoft Fabric OneLake shortcut + pipelines transforms your exports CloudMonitor Fabric app reports, insights & recommendations Finn · the FinOps agent Fabric data agent ask your costs in plain English YOUR PEOPLE IT / FinOps team monitor & optimize Business unit owners cost accountability CFO / execs spend visibility
Your exported cost files never leave the storage account you own — CloudMonitor reads them in place, read-only, through a Microsoft Fabric OneLake shortcut, then serves both the Fabric app and Finn, a natural-language FinOps agent.

We send you one thing: the admin consent URL (used in Step 1). You don’t need any IDs from us up front.

When you open that URL and approve it, Azure automatically creates the CloudMonitor application in your tenant. It always has the same fixed identifiers, so you can recognize and look it up afterwards:

IdentifierValue
Display namecloudmonitor-beta
Application (client) IDef7bf83e-23c6-4d84-962b-a3b0f14695a5

Use the display name cloudmonitor-beta (or the client ID above) to find and select the service principal whenever you assign roles in the steps below — or any time you want to look it up in Microsoft Entra.

After you finish, you simply let us know — see Let us know when you’re done.

Step 1 — Authorize the CloudMonitor application

Section titled “Step 1 — Authorize the CloudMonitor application”

This is a one-time action. It provisions the CloudMonitor service principal in your tenant so you can assign it the read-only Azure roles in Steps 2 and 3. CloudMonitor requests no directory or Microsoft Graph permissions — all of its access comes from the Azure role assignments you make below.

  1. An administrator opens the admin consent URL we provided (it looks like https://login.microsoftonline.com/<your-tenant-id>/adminconsent?client_id=ef7bf83e-23c6-4d84-962b-a3b0f14695a5).
  2. Sign in and click Accept. Because CloudMonitor requests no directory permissions, this simply creates the application in your tenant — it does not grant any access on its own.
  3. Once complete, a matching entry appears in your tenant under Microsoft Entra ID → Enterprise applications. You can confirm it by searching for the display name cloudmonitor-beta (or the client ID above).

Two subscription-level tasks: grant CloudMonitor read access (2a), then make sure the cost-export resource provider is registered (2b).

Do this for each Azure subscription you want CloudMonitor to monitor. If you use management groups, assign the role once at the management-group scope and every current and future subscription underneath is covered automatically — this is the recommended approach.

  1. In the Azure portal, open the subscription (or management group) you want to monitor.
  2. Select Access control (IAM).
  3. Click + Add → Add role assignment.
    • If + Add is greyed out, your account does not have the Owner role on this scope. Ask whoever does to complete this step.
  4. On the Role tab, select Reader, then click Next.
  5. On the Members tab, choose User, group, or service principal and click Select members.
  6. Search for cloudmonitor-beta (or paste the client ID above), select it, and click Select.
  7. Click Review + assign.
  8. Repeat for any additional subscriptions, or use a management group to cover them all at once.

2b — Register the export resource provider

Section titled “2b — Register the export resource provider”

The scheduled Cost Management export that lands in your storage account (Step 4) needs the Microsoft.CostManagementExports resource provider registered on the subscription that will hold that account. It’s often already registered — so just check, and register it only if it isn’t. Since you’re already working at the subscription level here, it’s a quick one to knock out now.

  1. Open the subscription that will hold your cost-export storage account.
  2. Select Resource providers.
  3. Search for Microsoft.CostManagementExports and check the Status. If it shows Registered, there’s nothing to do. If it shows NotRegistered, select it and click Register.

For more on registering providers, see Microsoft’s guide to Azure resource providers.

Cost data is most complete when CloudMonitor reads it at the billing account scope. The exact steps depend on your billing agreement type.

Not sure which you have? See Microsoft’s guide: Check the type of your billing account.

Choose the section that matches your agreement:

If you set up MCA (3a) or EA (3b) billing access, also complete 3d. Grant reservation read access — a separate, tenant-scoped role for reservation data. CSP / subscription-scope setups (3c) skip 3d — reservations aren’t accessible in those arrangements.

  1. In the Azure portal, open Cost Management + Billing. (This is at the billing-account level, not the subscription level.)
  2. Select the billing scope (billing account or billing profile) you want CloudMonitor to read.
  3. Select Access control (IAM) and click + Add.
  4. Choose the Billing account reader role. (This role has no write permissions.)
  5. Select the CloudMonitor application and click Add.

EA billing roles can’t be assigned in the Azure portal, so this uses the Azure Billing REST API.

  1. Open the REST API “Try it” page: Billing Role Assignments — Put.

    • Sign in with an admin account.
    • Select the AD tenant that you authorized in Step 1.
  2. Fill in the parameters:

    • billingAccountName — your Billing account ID, found on the Cost Management + Billing overview page.
    • billingRoleAssignmentName — a new, unique GUID. Generate one at guidgenerator.com.
  3. Paste this into the Body, replacing the placeholders:

    {
    "properties": {
    "principalId": "<cloudmonitor-service-principal-object-id>",
    "principalTenantId": "<your-tenant-id>",
    "roleDefinitionId": "/providers/Microsoft.Billing/billingAccounts/<your-billing-account-id>/billingRoleDefinitions/24f8edb6-1668-4659-b5e2-40bb5f3a7d7e"
    }
    }
    • principalId — the Object ID of the CloudMonitor app in your tenant. Find it under Microsoft Entra ID → Enterprise applications, search for cloudmonitor-beta, and copy its Object ID.
    • principalTenantId — your Directory (tenant) ID.
    • <your-billing-account-id> — the same value you used for billingAccountName.
    • 24f8edb6-1668-4659-b5e2-40bb5f3a7d7e is the fixed role-definition ID for the read-only EnrollmentReader role — leave it as-is.
  4. Click Run. A 200 status means success.

    • 400 — recheck every field.
    • 403 — your account doesn’t have permission; sign in as an Account Owner or Department Administrator.

3c — No billing-account access (or running through a CSP)

Section titled “3c — No billing-account access (or running through a CSP)”

Use this if you don’t have access to your billing account (for example, your CSP or managed service provider holds it), or if the MCA limitation above applies. CloudMonitor reads cost data at the subscription scope instead.

  1. In the Azure portal, open a subscription that CloudMonitor already has Reader access to (from Step 2a).
  2. Select Access control (IAM)+ Add → Add role assignment.
  3. On the Role tab, select Cost Management Contributor.
  4. On the Members tab, click Select members, search for the CloudMonitor application, and select it.
  5. Click Review + assign.
  6. Repeat for each subscription you want cost data from.

This step applies to Microsoft Customer Agreement (MCA) and Enterprise Agreement (EA) accounts only — complete it if you set up billing access in 3a or 3b. Reservations are a tenant-scoped resource (under Microsoft.Capacity) with their own access control, separate from your subscriptions and billing account — so reservation orders, details, and utilization don’t come through the roles you granted in 3a or 3b. Granting Reservations Reader at the tenant level lets CloudMonitor read your reservation orders and utilization across the whole tenant, which is what makes reservation coverage and net-savings reporting possible.

  1. In the Azure portal, go to Reservations.
  2. Select Role assignment from the top command bar.
    • This grants access to all reservations in the tenant. Don’t use the per-reservation Access control (IAM) — that would only cover a single reservation.
  3. Click + Add → Add role assignment.
  4. On the Role tab, select Reservations Reader, then click Next.
  5. On the Members tab, choose User, group, or service principal and click Select members. Search for cloudmonitor-beta (or paste the client ID above), select it, and click Select.
  6. Click Review + assign.

Step 4 — Set up the cost-data export storage

Section titled “Step 4 — Set up the cost-data export storage”

CloudMonitor receives your detailed cost data through a scheduled Azure Cost Management export. You create one dedicated storage account for these exports and grant the CloudMonitor service principal access to it. (The export resource provider this relies on is registered back in Step 2b.) CloudMonitor authenticates to this storage account using the service principal you authorized in Step 1 — no access keys are shared.

Your data stays in your storage account. Rather than copying it out, CloudMonitor reads the exported files in place using a Microsoft Fabric OneLake shortcut — a reference that surfaces your storage account directly inside our Fabric pipeline, so there’s no second copy of your data and no separate transfer to manage. You can read more about OneLake shortcuts.

  1. In the Azure portal, go to Storage accounts and click Create.
  2. Select the subscription. Choose one of your existing subscriptions, or create a new one, to host the new CloudMonitor exports landing zone. Treat its contents as production data and apply all your existing company policies (governance, access, retention, and the like). Then, under Resource group, click Create new and make a dedicated resource group for these cost exports. So the group is easy to find, audit, and remove later, do at least one of the following: give it a name that includes CloudMonitor (for example, rg-cloudmonitor-exports), or tag the resource group Purpose = CloudMonitor Exports from its own Tags page once it exists. (The Tags tab in this wizard tags the storage account, not the new resource group, so set the group’s tag from the resource group itself.)
  3. Name the storage account per your organization’s naming conventions.
  4. Leave the default Standard performance and Azure Blob Storage or Azure Data Lake Storage Gen2 primary service — this creates a general-purpose v2 (StorageV2) account.
  5. Region — choose the region closest to your main workloads to avoid egress charges.
  6. RedundancyLRS is sufficient.
  7. On the Advanced tab, enable Hierarchical namespace (Azure Data Lake Storage Gen2 — the “hierarchical folders” option). This is required so CloudMonitor can read the exports through a Fabric OneLake shortcut.
  8. Click Review + create.

4b — Grant CloudMonitor access to the storage account

Section titled “4b — Grant CloudMonitor access to the storage account”

CloudMonitor’s service principal does two distinct things with this account, so it needs two role assignments here — and nothing else:

  • Storage Account Contributor — lets CloudMonitor create and run the scheduled Cost Management export that lands your cost files in this account. Pointing an export at a storage account requires management-plane write on that account, which the Cost Management Contributor role from Step 3 doesn’t include. This role is for setting up the export, not for reading your data — reading is handled by the Storage Blob Data Reader role below (see the note for a stricter, no-keys variant).
  • Storage Blob Data Reader — lets CloudMonitor read the exported files in place through the Fabric OneLake shortcut. Read-only is all that’s needed: the export’s writes are performed by Azure Cost Management itself (via the copy permission you set in 4c), not by CloudMonitor.

Assign both roles to cloudmonitor-beta, scoped to this one storage account only:

  1. Open the storage account you created in Step 4a.
  2. Select Access control (IAM)+ Add → Add role assignment.
  3. On the Role tab, select Storage Account Contributor, then Next.
  4. On the Members tab, click Select members, search for cloudmonitor-beta, select it, click Select, then Review + assign.
  5. Repeat + Add → Add role assignment for the Storage Blob Data Reader role, assigning it to cloudmonitor-beta the same way.
  1. On the same storage account, open Configuration.
  2. Set Permitted scope for copy operations to “From any storage account”.
  3. Click Save.

This lets Azure Cost Management write the scheduled export data into the account.

You don’t need to send us any IDs. Once you’ve completed the steps above, just email support@cloudmonitor.ai to let us know it’s done — we can take care of the rest from our side.

  1. We run a health check on your setup to confirm the permissions and the cost export are working as expected.
  2. We extract your data and build your CloudMonitor reports.
  3. We email you the link to your reports, at the address you gave us.

Run into a problem at any point? Click here to raise a ticket and our support team will help.

Quick reference — everything CloudMonitor asks for

Section titled “Quick reference — everything CloudMonitor asks for”
ScopeRole / permissionHow it’s grantedAccess level
Subscription / management groupReaderIAM role assignment (Step 2a)Read-only
Billing account — MCABilling account readerIAM role assignment (Step 3a)Read-only
Billing account — EAEnrollmentReaderBilling REST API (Step 3b)Read-only
Subscription — billing fallback (not for MCA or EA)Cost Management ContributorIAM role assignment (Step 3c)Cost data only
Reservations — tenant scope (MCA & EA only)Reservations ReaderTenant-level role assignment (Step 3d)Read-only
Cost-export storage account (one dedicated account)Storage Account ContributorIAM role assignment (Step 4b)Create & run the export on this one account; no blob data access
Cost-export storage account (same account)Storage Blob Data ReaderIAM role assignment (Step 4b)Read-only access to the exported blob data

Questions at any point? Reach out to your CloudMonitor contact — we’re happy to walk through any step with you.