Common questions about CloudMonitor.

You are provisioning the CloudMonitor application in your Microsoft Entra tenant so we can grant it read-only access to your costs. CloudMonitor cannot change your resources and cannot read the data inside your services.

As soon as you authorize, we start processing your cost data and setting up your reports. We'll reach out by email with your access once it's ready, and we'll let you know if we run into any issues connecting your account.

There is no cost for the first two months, in return for your feedback as an early adopter.

Yes. Either side can end the beta immediately, with no notice period and no call required. To end it from your side, revoke the CloudMonitor app in your Microsoft Entra tenant, or email us and we'll switch off access. Either way, we stop processing your cost data.

By authorizing, you agree to take part in the CloudMonitor beta and you accept our Terms and Conditions. You understand that the beta is pre-release software that may contain bugs, and that we will not require feedback from you.

In the Microsoft Entra admin center under Overview → Tenant ID, or in the Azure portal as the Directory ID. It is a 36-character GUID.

Approving access requires the Microsoft Entra Cloud Application Administrator role — the least-privilege role for this step, and the one we encourage rather than using a Global Administrator. On the beta sign-up page you can enter your details and forward the authorization link to whoever holds that role.

Only your team and the CloudMonitor onboarding team helping you set up. During the beta, our onboarding team will be debugging and evaluating your data for the purpose of the beta, for the duration of the beta; after the beta, that access moves to a support-request-only basis.

No. There's no personally identifiable information in any of the cost datasets. See what data CloudMonitor can see for the exact schemas.

Yes. We are offering the beta to our existing customers first, and they will be upgraded to the new version.

No. The old technology is considered legacy and very hard to extend. The new technology we're using is built for agentic development, which means faster delivery and shorter release cycles. We will not be updating the old version, although we will support it until all our customers are migrated to the new version.

Next to nothing. CloudMonitor's platform runs entirely in our Microsoft Fabric tenancy — no Fabric capacity for you to license, no Hubs deployment, no compute or managed app in your tenant. The only Azure resource you create is one storage account that receives your scheduled cost exports; CloudMonitor reads it in place and needs nothing else. The annual license covers the Fabric capacity we run for you, and your team just gets a hosted SaaS URL and a Fabric app.

CloudMonitor is an Azure-native FinOps platform. It reads your Azure billing via FOCUS, pre-builds the reports your finance and engineering teams need in a Microsoft Fabric app, and runs an optimization engine that surfaces savings recommendations.

For hyperscaler billing, CloudMonitor supports Microsoft Azure today — the platform is purpose-built for Azure FinOps — with AWS and GCP read-only support on the 2026 roadmap. It also reaches beyond the hyperscaler bill to the AI and SaaS tools your teams already run: OpenAI, Anthropic Claude, Cursor, and GitHub Copilot. That puts your AI token and per-seat spend in the same reports as your Azure cost, so you see total technology spend side by side.

Two ways. First, efficiency: CloudMonitor reads your token and seat data and reports value per token — output per dollar, model-mix savings, prompt-cache and batch capture, and cost per active developer — so you can see whether each dollar buys useful work. Second, outcome: wire in a denominator your business already trusts, like a resolved ticket, a merged PR, or a generated document, and CloudMonitor divides AI cost by it for a true cost per outcome. You define the value unit; we do the math. See FinOps for AI for the full picture.

Each agent is scoped to a cost group and a governance policy. The output is always a recommendation, ticket, or runbook — your team or your existing automation makes the change. CloudMonitor itself is read-only.

Yes — white-label is built into the partner model. CSP and MSP partners rebrand the Fabric app with their own logo, brand colors, and report copy; set per-customer cost-group templates so each client sees only its own allocation; and get a single portfolio view across their whole book of business. The customer signs your contract and pays your invoice — CloudMonitor is the platform inside, and you set your own retail margin on top. See the partner channel for the full reseller model, and how partners like Arraya Solutions and XContent resell it.

Yes. Every permission CloudMonitor asks for is the minimal access needed to read your cost and usage data — read-only wherever Azure allows, scoped to the subscriptions and billing scope you choose. The only write or management access anywhere in setup is a single, tightly scoped role on the storage account that receives your cost exports, used only to create and run that export. Full detail is in the access guide.

CloudMonitor is a hosted SaaS platform running in our Microsoft Fabric tenancy. Your billing data stays in the storage account you own. CloudMonitor reads it in place through a OneLake shortcut, read-only, and never makes a second copy. The CloudMonitor environment that reads it and serves your reports runs in the data residency region you choose at sign-up — encrypted in transit and at rest. Every customer gets a dedicated Microsoft Fabric workspace, so your data lives in its own isolated workspace and is never co-mingled with another customer's. CloudMonitor staff access is restricted, audited, and gated by least-privilege controls, and only your authorized users see your reports.

You configure a FOCUS cost export to an Azure Storage account in your tenant and grant CloudMonitor scoped read-only access to it. CloudMonitor ingests that export into your dedicated Microsoft Fabric workspace, where it becomes your reports. Only billing and resource metadata moves — never the data inside your resources. See the Information Trust Center for the full data-flow detail.

Every customer gets a dedicated Microsoft Fabric workspace, and your data lives in that workspace's own OneLake storage. The workspace is the isolation boundary, so your data is never co-mingled with another customer's. The CloudMonitor application is scoped to your workspace and has no path to read across workspaces. Authentication and authorization are handled entirely by native Microsoft Entra ID and Fabric workspace roles; we have not built a custom identity or permissions layer on top, so access is governed by the same Microsoft security model that protects the rest of your Azure estate. Only the Entra users you authorize can reach your data. See the Information Trust Center for the full posture.

No. CloudMonitor reads only billing metadata and resource-level metadata (IDs, types, SKUs, tags). It has no access to data inside your resources.

Read-only, scoped to your billing data. You can limit it to specific subscriptions and revoke it from the Azure portal at any time. CloudMonitor has no write access to your workloads or the data inside your services. The one exception is a tightly scoped management role on the single storage account that receives your cost exports, used only to set up that export. Nothing else in your environment is writable by CloudMonitor.

CloudMonitor's access to your cost and usage data is read-only. The one management role it needs — on the single storage account that receives your cost exports — exists only so CloudMonitor can create and run the scheduled Azure Cost Management export that lands your billing data there. Azure requires write access on the destination account to set up an export; it gives CloudMonitor no access to your other resources or to the data inside your services, and reading the exported files back uses a separate read-only role. See the access guide.

No. Authorizing CloudMonitor provisions our application in your Microsoft Entra tenant, but it requests no directory or Microsoft Graph permissions — so consenting grants no access on its own. All of CloudMonitor's access comes from the read-only Azure role assignments you make, scoped to the subscriptions and billing data you choose. See the access guide.

No. CloudMonitor connects through a multi-tenant service principal that we provide and you authorize — you don't create or hand over a client secret, and no storage account access keys are shared. CloudMonitor authenticates to your storage and the Azure APIs over Microsoft Entra ID using the read-only role assignments you grant, which you can revoke at any time.

Very little. CloudMonitor's cost exports are small files and Azure Data Lake storage is inexpensive, but they accumulate over time. You can cap the cost by applying an Azure Blob Storage lifecycle-management policy that automatically deletes exports older than a retention window you choose — keeping enough history for the trends you rely on. It's the only Azure resource you create for CloudMonitor.

Yes — Azure Activity Log shows every read against your subscriptions. The reads originate from CloudMonitor's authorized identity and are logged like any other Azure action.

Yes — ISO/IEC 27001:2022 (Information Security), ISO 9001:2015 (Quality Management), and ISO/IEC 42001 (AI Management). Certificates available under NDA — see the certification statement.

CloudMonitor is ISO/IEC 27001 certified, which covers the same controls. We can share the certificate and a Stage 2 audit summary under NDA — request the Security Pack. See the full ISO 27001 + 9001 certification statement for scope, certifying body, and audit cadence.

CloudMonitor operates a certified AI management system under ISO/IEC 42001 — covering AI risk assessment, transparency, human oversight, and lifecycle controls. Every agentic FinOps action runs against scoped permissions, an approval workflow, and a reversible audit trail.

CloudMonitor maintains an incident response plan aligned to ISO 27001 Annex A.16. Because CloudMonitor only ever holds billing and resource metadata — never the data inside your resources — a breach of CloudMonitor systems would not expose your application data. We notify affected customers within 24 hours of confirming any incident with potential impact.

Yes — coordinate via Customer Success. We support customer-initiated pen tests against the CloudMonitor app and admin app surfaces.

Yes — CloudMonitor is a Microsoft Solutions Partner with certified software for Azure. The designation confirms the platform has been technically reviewed for interoperability with Microsoft Azure and validated against Microsoft Marketplace customer-success criteria. Procurement teams can reference the Microsoft Learn overview of the designation and the Information Trust Center for the full certification stack (ISO 27001, ISO 9001, ISO 42001, FinOps Specialty Solution, and Microsoft Solutions Partner).

When you cancel, revoke CloudMonitor's access from your Azure portal and request data deletion. We delete your data within 30 days; nothing is retained beyond contractual backup windows.

Certificates are available for download on request. Open a ticket via the Support Helpdesk and we'll send the current certificates within one business hour.

Annual surveillance audits, with full re-certification every 3 years. Our most recent surveillance was in February 2026.

Azure FinOps is the practice of running the FinOps Foundation Framework specifically against Microsoft Azure spend. It covers four Domains — Understand Usage and Cost, Quantify Business Value, Optimize Usage and Cost, and Manage the FinOps Practice — applied to Azure billing scopes, Reservations, Savings Plans, Azure Hybrid Benefit, FOCUS exports, and Microsoft Cost Management. The 2026 Framework adds Executive Strategy Alignment and broader FinOps Scopes across SaaS, Data Centers, and AI.

Generic cloud FinOps assumes a multi-cloud abstraction layer. Azure FinOps starts from Azure-specific primitives: billing scopes (Management Group, Billing Account, Subscription, Resource Group), Cost Management exports, Microsoft Customer Agreement structure, MACC commitments, Reservation exchange policy, and Azure Hybrid Benefit. Treating these as first-class produces sharper recommendations than a tool that flattens every cloud into one schema.

The Microsoft FinOps Toolkit is an open-source set of Power BI reports, Bicep modules, PowerShell scripts, and the Hubs ingestion pattern, built by Microsoft's FinOps engineering team. It suits teams that can staff a Power BI plus data engineering effort to run it. CloudMonitor is the managed, supported platform for teams that would rather not maintain a Hubs deployment, dashboards, alerting, and role-based access themselves. Many CloudMonitor customers started on the Toolkit and moved across as the practice grew — see the side-by-side comparison for where each fits.

Reservations lock to a specific VM family and region and offer up to 72% off. Savings Plans for Compute apply to any family or region at up to 65% off. Reservations are exchangeable and partially refundable up to $50,000 per rolling 12 months; Savings Plans cannot be exchanged or canceled once purchased. The right answer is usually a layered portfolio: enable Azure Hybrid Benefit first, place Reservations on stable single-family workloads, and use Savings Plans for the broader compute baseline. CloudMonitor models all three together and tracks Coverage and Utilization across the portfolio.

Yes. Microsoft Cost Management is the native Azure tool — every Azure tenant has it, and CloudMonitor reads from the same billing data via FOCUS exports. Think of Cost Management as the floor: cost views, basic budgets, and exports. CloudMonitor adds Anomaly Management with Teams or Slack (via webhooks) alerts, role-based cost groups, Chargeback workflows, commitment portfolio analysis, FinOps Assessment scoring, and the full Framework alignment that Cost Management does not provide natively.

AHB is the highest-leverage quick win on Azure. If you hold Windows Server or SQL Server licenses with Software Assurance, AHB removes the license premium from eligible VMs — up to 40% off Windows and up to 55% off SQL — with no commitment, no restart, and a single CLI command per VM. Enable AHB on every eligible resource before evaluating any commitment instrument. CloudMonitor flags AHB-eligible resources that are still being billed at full PAYG so finance and engineering can close the gap.

FOCUS — the FinOps Open Cost and Usage Specification — is a vendor-neutral schema for billing data. Azure supports FOCUS v1.2 exports as of March 2026. Standardizing on FOCUS lets you treat Azure spend, SaaS spend, and other Technology Categories with one data model — which is the direction the 2026 Framework points. CloudMonitor ingests FOCUS exports directly and normalizes everything against the spec.

Microsoft and the FinOps Foundation each offer relevant credentials. The FinOps Foundation offers FinOps Certified Practitioner, FinOps Certified Professional, and the FOCUS Practitioner certification. Microsoft offers role-based Azure certifications (AZ-104, AZ-305) plus a FinOps on Azure training module on Microsoft Learn. None of these is branded "Azure FinOps Certification," but the FinOps Foundation credentials plus Azure operational fluency are the standard combination.

Yes. CloudMonitor supports CSP and MSP partners with white-label tenancy, per-customer cost groups, and partner-grade reporting. The platform reads CSP billing scopes the same way it reads enterprise billing scopes, so the same FinOps Domains apply. See how Arraya Solutions and XContent use CloudMonitor for partner-led delivery.

Connection takes under fifteen minutes — sign up, point CloudMonitor at your FOCUS billing export, grant scoped read-only access to the billing scope. The first set of reports populates the same day. A FinOps Assessment in the admin app gives a Crawl, Walk, Run baseline per Capability after the first refresh, so you can plan the practice maturity path from week one.