Connecting Azure with read-only access
How CostRadar connects to Azure using a service principal, subscription Reader, and Storage Blob Data Reader for storage exports.
CostRadar connects to Azure through a customer-created service principal with read-only permissions. The exact role assignments depend on which CostRadar ingestion paths and features you use.
Current recommended permission set
For the full CostRadar experience, use one service principal with:
| Purpose | Azure role | Scope |
|---|---|---|
| Subscription validation, Cost Management Query fallback, resource names/tags through Azure Resource Graph, and Azure Advisor recommendations | Reader | The monitored Azure subscription |
| Storage Export cost ingestion | Storage Blob Data Reader | The export container, or the narrowest storage-account scope that covers the export container/prefix |
The Storage Blob Data Reader role is the role CostRadar uses to read exported cost files. The subscription Reader role is not what reads the export blobs; it is used for subscription validation, resource metadata/tags, and Azure Advisor recommendations. CostRadar does not need Contributor or Owner for ongoing ingestion.
Values you need from Azure
When you connect a subscription, CostRadar asks for:
- Azure tenant ID.
- Azure subscription ID.
- Application client ID for the service principal.
- Client secret value for that application.
Azure only shows a new client secret value once. Copy it when it is created and store it according to your team's credential process.
Visual walkthrough
If you prefer the Azure Portal path, watch the app registration setup walkthrough: https://youtu.be/Hs0s_Dz06eI
Use the video for the Entra app registration and client secret steps, then return to CostRadar to enter the tenant ID, subscription ID, application client ID, and client secret value.
Cloud Shell setup
In Azure Cloud Shell, create a service principal scoped to the subscription you want CostRadar to monitor:
```shell
az ad sp create-for-rbac \
  --name "CostRadar" \
  --role "Reader" \
  --scopes /subscriptions/YOUR_SUBSCRIPTION_ID
```
Replace YOUR_SUBSCRIPTION_ID with the subscription you want to connect. The command returns the values that map to CostRadar's connection form: `appId` is the application client ID, `password` is the client secret value, and `tenant` is the tenant ID.
If you use Storage Export ingestion, also grant the same app read access to the export container:
```shell
az role assignment create \
  --assignee <APP_ID_FROM_CREATE_OUTPUT> \
  --role "Storage Blob Data Reader" \
  --scope /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Storage/storageAccounts/<STORAGE_ACCOUNT>/blobServices/default/containers/<CONTAINER>
```
Use the container scope when possible. Storage-account scope is acceptable when the export container cannot be scoped separately, but it grants read access to all blobs in that storage account.
Portal setup
You can also create the app registration manually in the Azure portal:
- Create an app registration in Microsoft Entra ID.
- Create a client secret and copy the value.
- Assign the built-in Reader role to the app registration at the Azure subscription scope.
- If using Storage Export ingestion, assign Storage Blob Data Reader to the same app registration on the export container, or on the narrowest storage scope that covers it.
- Copy the tenant ID, subscription ID, application client ID, and client secret value into CostRadar.
- After the subscription is connected, configure Storage Export from the connected subscription row.
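Whichever setup path you used, it is worth confirming afterwards that the service principal holds only the two roles documented above, at the expected scopes. The following audit script is an added example, not CostRadar's own tooling: it consumes the JSON that `az role assignment list --assignee <APP_ID> --all -o json` prints and flags anything broader than the documented read-only set. The subscription ID, resource group, storage account and container names in the embedded sample are constructed placeholders.

```python
import json
import re

# Roles the documentation above lists; anything else is out of scope for CostRadar.
ALLOWED_ROLES = {"Reader", "Storage Blob Data Reader"}
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
SUBSCRIPTION_SCOPE = re.compile(rf"^/subscriptions/{GUID}$", re.I)
STORAGE_SCOPE = re.compile(
    rf"^/subscriptions/{GUID}/resourceGroups/[^/]+/providers/Microsoft\.Storage"
    r"/storageAccounts/[^/]+(/blobServices/default/containers/[^/]+)?$", re.I)

def audit_assignments(assignments):
    """Return (severity, message) findings; an empty list means the principal
    carries exactly the documented read-only roles at the expected scopes."""
    findings = []
    for a in assignments:
        role, scope = a.get("roleDefinitionName"), a.get("scope", "")
        if role not in ALLOWED_ROLES:
            # Contributor, Owner, custom roles: more than read-only ingestion needs.
            findings.append(("high", f"unexpected role {role!r} at {scope}"))
        elif role == "Reader" and not SUBSCRIPTION_SCOPE.match(scope):
            # Management-group or root scope is wider than the monitored subscription.
            findings.append(("medium", f"Reader expected at subscription scope, found {scope}"))
        elif role == "Storage Blob Data Reader":
            if not STORAGE_SCOPE.match(scope):
                findings.append(("high", f"Storage Blob Data Reader outside a storage account: {scope}"))
            elif "/containers/" not in scope:
                # Allowed by the docs, but it exposes every blob in the account.
                findings.append(("low", f"storage-account scope grants read on every blob in {scope.rsplit('/', 1)[-1]}"))
    return findings

# Constructed sample in the shape of `az role assignment list -o json`; all IDs are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
ACCOUNT = SUB + "/resourceGroups/rg-billing/providers/Microsoft.Storage/storageAccounts/costexports"
SAMPLE_JSON = json.dumps([
    {"roleDefinitionName": "Reader", "scope": SUB},
    {"roleDefinitionName": "Storage Blob Data Reader", "scope": ACCOUNT + "/blobServices/default/containers/exports"},
    {"roleDefinitionName": "Storage Blob Data Reader", "scope": ACCOUNT},
    {"roleDefinitionName": "Contributor", "scope": SUB},
])

def audit_json(text=SAMPLE_JSON):
    """Parse CLI JSON output (or the embedded sample) and audit it."""
    return audit_assignments(json.loads(text))

if __name__ == "__main__":
    for severity, message in audit_json():
        print(f"[{severity}] {message}")
```

Pipe the real CLI output into `audit_json` and treat any `high` finding as a role assignment to remove before the credentials are handed to CostRadar.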
Permission boundaries
CostRadar uses the credentials to read Azure billing data, configured export files, resource metadata/tags, and Azure Advisor recommendations where available. It cannot use Reader or Storage Blob Data Reader access to deploy resources, change configuration, stop workloads, alter networking, enforce budgets, or write to your storage account.
If your organization requires narrower access, contact support before changing the roles. Storage Export cost ingestion itself needs blob read access to the export files; resource metadata and Advisor features require read visibility to the relevant Azure resources.