Azure setup guide

Connect Azure Cost Management without granting infrastructure write access.

Create one dedicated Microsoft Entra app registration, assign Cost Management Reader to the subscription you want reviewed, and paste the credential fields into CloudCostIQ for a 90-day billing backfill.

Step 1

Create an app registration

In Azure Portal, open Microsoft Entra ID, then App registrations, then New registration. Name it CloudCostIQ Billing Reader.

Use a dedicated app registration so CloudCostIQ access is easy to audit and revoke.
Azure Portal / Microsoft Entra ID / App registrations
  1. New registration
  2. Name: CloudCostIQ Billing Reader
  3. Supported account type: Single tenant

Step 2

Copy tenant and client IDs

Open the new app registration Overview page. Copy Directory tenant ID and Application client ID.

The Application client ID maps to Client ID and the Directory tenant ID maps to Tenant ID in the CloudCostIQ form.
App registration / Overview
  1. Application client ID
  2. Directory tenant ID
  3. Copy both values

Step 3

Create a client secret

Open Certificates & secrets, add a new client secret, and copy the Value immediately.

Azure only shows the secret value once. Store it in CloudCostIQ immediately.
Certificates & secrets
  1. New client secret
  2. Expiration reviewed
  3. Copy secret value

Step 4

Assign Cost Management Reader

Open the subscription you want to review first. Go to Access control (IAM), add role assignment, and choose Cost Management Reader.

Start with the highest-spend subscription. Add more subscriptions after the first review proves value.
Subscription / Access control (IAM)
  1. Add role assignment
  2. Role: Cost Management Reader
  3. Members: CloudCostIQ Billing Reader app

Step 5

Add optional Reader role

If you want owner/resource context in recommendations, assign Reader at the same subscription scope.

Reader is optional. Do not assign Owner, Contributor, or User Access Administrator.
Optional role assignment
  1. Role: Reader
  2. Scope: same subscription
  3. Purpose: resource metadata only

Step 6

Paste into CloudCostIQ

Return to CloudCostIQ, open Cloud Data, choose Azure, and enter the Display name, Tenant ID, Subscription ID, Client ID, and Client secret.

CloudCostIQ validates Cost Management query access before saving the connection.
CloudCostIQ / Azure billing access
  1. Tenant ID
  2. Subscription ID
  3. Client ID
  4. Client secret
  5. Test, save, and backfill

Credential fields
Display name: Production subscription
Tenant ID: 00000000-0000-0000-0000-000000000000
Subscription ID: 00000000-0000-0000-0000-000000000000
Client ID: 00000000-0000-0000-0000-000000000000
Client secret: copied secret value

Role baseline
{
  "required_roles": [
    {
      "role": "Cost Management Reader",
      "scope": "/subscriptions/{subscriptionId}",
      "purpose": "Read Azure Cost Management ActualCost data for recurring reviews"
    },
    {
      "role": "Reader",
      "scope": "/subscriptions/{subscriptionId}",
      "purpose": "Optional resource metadata for owner and service context"
    }
  ],
  "credential_fields": [
    "tenantId",
    "subscriptionId",
    "clientId",
    "clientSecret"
  ],
  "explicitly_not_required": [
    "Owner",
    "Contributor",
    "User Access Administrator"
  ]
}

Common failures

  • The app registration exists but no client secret was copied.
  • The service principal has Reader but not Cost Management Reader.
  • The role was assigned to the wrong subscription.
  • Tenant admin consent or role assignment has not propagated yet.
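
To check the role baseline and the role-related failures above before pasting credentials, the following added example (not CloudCostIQ's own code) audits a list of role assignments for the app's service principal. It assumes each record carries `roleDefinitionName` and `scope`, the field names in `az role assignment list` JSON output; the function name, the second subscription ID, and the sample records are constructed for illustration.

```python
# Added example: audit a service principal's role assignments against the
# role baseline on this page. Sample data below is constructed.
REQUIRED = "Cost Management Reader"
OPTIONAL = {"Reader"}
NOT_REQUIRED = {"Owner", "Contributor", "User Access Administrator"}


def audit_assignments(assignments, subscription_id):
    """Return findings; an empty list means the baseline is met.

    Each assignment is a dict with `roleDefinitionName` and `scope`, the
    field names used in `az role assignment list` JSON output.
    """
    expected = f"/subscriptions/{subscription_id}".lower()
    findings, has_required = [], False
    for a in assignments:
        role = a["roleDefinitionName"]
        scope = a["scope"].rstrip("/").lower()  # Azure scopes are case-insensitive
        if role in NOT_REQUIRED:
            findings.append(f"role the baseline excludes: {role} at {a['scope']}")
        elif role != REQUIRED and role not in OPTIONAL:
            findings.append(f"role outside the baseline: {role} at {a['scope']}")
        elif scope != expected:
            findings.append(f"{role} at unexpected scope {a['scope']}")
        elif role == REQUIRED:
            has_required = True
    if not has_required:
        findings.append(f"missing {REQUIRED} at /subscriptions/{subscription_id}")
    return findings


SUB = "00000000-0000-0000-0000-000000000000"    # placeholder used on this page
OTHER = "11111111-1111-1111-1111-111111111111"  # constructed
SAMPLE_OK = [
    {"roleDefinitionName": "Cost Management Reader", "scope": f"/subscriptions/{SUB}"},
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB}"},
]
SAMPLE_BAD = [
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB}"},
    {"roleDefinitionName": "Cost Management Reader", "scope": f"/subscriptions/{OTHER}"},
    {"roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-demo"},
]

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit_assignments(sample, SUB) or "baseline met")
```

An assignment at a resource group or management group scope is reported as unexpected because the baseline names the subscription scope only.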

Official references