
Azure Permissions Reference

This document provides a complete reference of the permissions CloudYali requires for each Azure account type.


Required Service Principal Permissions

Pay-as-You-Go (PAYG)

Role                       Scope
Reader                     Subscription(s)
Storage Blob Data Reader   Storage Account

Minimum Required Permissions:

Microsoft.Resources/*/read
Microsoft.Advisor/*/read
Microsoft.CostManagement/*/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

Microsoft Customer Agreement (MCA)

Role                       Scope
Reader                     Management Group or Subscription(s)
Billing Account Reader     Billing Account
Storage Blob Data Reader   Storage Account

Prerequisites:

  • "Azure charges" setting must be enabled at billing account level

Minimum Required Permissions:

Microsoft.Resources/*/read
Microsoft.Advisor/*/read
Microsoft.CostManagement/*/read
Microsoft.Billing/billingAccounts/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

Enterprise Agreement (EA)

Role                       Scope
Reader                     Management Group
Storage Blob Data Reader   Storage Account

Prerequisites:

  • Enterprise Admin must enable "Account Owner (AO) view charges" at enrollment level

Minimum Required Permissions:

Microsoft.Resources/*/read
Microsoft.Advisor/*/read
Microsoft.CostManagement/*/read
Microsoft.Billing/*/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
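The permission lists above are action strings with Azure RBAC wildcards, and the blob read is a data action rather than a management action, so the built-in Reader role's "*/read" does not cover it. The following script, an added example rather than CloudYali's own code, checks whether a set of role definitions covers every permission listed for an account type. The role definitions are constructed to mirror the built-in Reader and Storage Blob Data Reader roles as published at the time of writing (confirm with "az role definition list" in your tenant); the dictionary shape is a simplification of that command's "permissions" entries.

```python
"""Check whether granted Azure RBAC actions cover the permissions listed per account type.

Added example, not CloudYali code. Role definitions below are constructed to mirror
the built-in roles; verify them against `az role definition list --name <role>`.
"""
import re

# (action, is_data_action) taken from the permission lists on this page.
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
COMMON = [
    ("Microsoft.Resources/*/read", False),
    ("Microsoft.Advisor/*/read", False),
    ("Microsoft.CostManagement/*/read", False),
]
REQUIRED_PERMISSIONS = {
    "PAYG": COMMON + [(BLOB_READ, True)],
    "MCA": COMMON + [("Microsoft.Billing/billingAccounts/read", False), (BLOB_READ, True)],
    "EA": COMMON + [("Microsoft.Billing/*/read", False), (BLOB_READ, True)],
}

# Constructed to match the built-in role definitions (simplified shape).
READER = {"roleName": "Reader", "actions": ["*/read"], "notActions": [],
          "dataActions": [], "notDataActions": []}
BLOB_READER = {"roleName": "Storage Blob Data Reader",
               "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read",
                           "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"],
               "notActions": [],
               "dataActions": [BLOB_READ],
               "notDataActions": []}


def _pattern_to_regex(pattern):
    """Azure RBAC wildcard: '*' matches any run of characters, including '/'.
    Action strings are case-insensitive."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def action_matches(pattern, action):
    """True if the granted pattern covers the action string. When `action` is itself a
    wildcard (e.g. Microsoft.Advisor/*/read), this is a conservative test: it passes only
    when the granted pattern is at least as broad as the required one."""
    return _pattern_to_regex(pattern).match(action) is not None


def granted_by(required, is_data, role):
    """A role grants `required` if some (data)action pattern matches it and no
    corresponding not(data)action pattern excludes it. Management actions and data
    actions are separate planes: '*/read' in actions never grants a data action."""
    allow, deny = (("dataActions", "notDataActions") if is_data else ("actions", "notActions"))
    allowed = any(action_matches(p, required) for p in role[allow])
    denied = any(action_matches(p, required) for p in role[deny])
    return allowed and not denied


def missing_permissions(account_type, roles):
    """Required permissions for `account_type` that none of `roles` grants."""
    return [perm for perm, is_data in REQUIRED_PERMISSIONS[account_type]
            if not any(granted_by(perm, is_data, r) for r in roles)]


if __name__ == "__main__":
    for acct in ("PAYG", "MCA", "EA"):
        print(acct, "Reader only, missing:", missing_permissions(acct, [READER]))
        print(acct, "Reader + Storage Blob Data Reader, missing:",
              missing_permissions(acct, [READER, BLOB_READER]))
```

Running it shows why both roles are needed: Reader alone leaves the blob data action uncovered for every account type, and Storage Blob Data Reader alone leaves all of the management-plane reads uncovered.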

What CloudYali Can Access

Read-Only Access

CloudYali can read the following data:

  • Resource Inventory

    • All Azure resources via Resource Graph
    • Resource names, types, and properties
    • Resource locations and regions
    • Resource group names
    • Subscription information
  • Cost and Usage Data

    • Daily cost breakdowns
    • Usage by resource
    • Cost by service
    • Amortized costs
  • Optimization Recommendations

    • Azure Advisor recommendations
    • Cost optimization suggestions
    • Performance recommendations
    • Security recommendations
  • Tags and Metadata

    • Resource tags
    • Custom metadata
    • Resource attributes

Cannot Access

CloudYali cannot and will never have access to:

  • Resource Management

    • Cannot create resources
    • Cannot modify resources
    • Cannot delete resources
    • Cannot start/stop resources
  • Sensitive Data

    • Cannot access VM data or application logs
    • Cannot view application secrets or keys
    • Cannot access database passwords
    • Cannot view storage account keys
  • Billing Configuration

    • Cannot change billing settings
    • Cannot create invoices
    • Cannot modify agreements
    • Cannot change payment methods

Role Propagation Delay

Important: After assigning roles, wait 5-10 minutes for Azure to propagate the permissions before testing the connection. This is normal Azure RBAC behavior.


Permission Verification

Verify Your Service Principal Has Correct Roles

Using Azure CLI:

# Check all role assignments for the service principal
az role assignment list --assignee {client-id} --output table

# Example output should show:
# Scope Role Assignee
# /subscriptions/xxx... Reader CloudYali
# /subscriptions/xxx.../... Storage Blob Data Reader CloudYali

Verify Service Principal Exists

# Confirm the service principal is still active
az ad sp show --id {client-id}

Troubleshooting Permission Issues

Issue: "Authentication Failed"

Symptoms: Cannot authenticate with Azure

Solutions:

  1. Verify Client ID, Tenant ID, and Client Secret are correct
  2. Check whether the Client Secret has expired (Azure allows a maximum lifetime of 24 months; a 12-month lifetime is recommended)
  3. Confirm Service Principal still exists in Azure AD
  4. Verify role assignments:
    • PAYG: Check "Reader" on subscription
    • MCA: Check "Reader" on Management Group/Subscription AND "Billing Account Reader" on billing account
    • EA: Check "Reader" on Management Group
  5. Wait 5-10 minutes for role propagation if recently assigned

Issue: "Cannot Access Storage"

Symptoms: Cannot read cost export files

Solutions:

  1. Verify Service Principal has Storage Blob Data Reader role
  2. Check storage account name matches exactly (case-sensitive)
  3. Ensure the role assignment to the Service Principal has taken effect (propagation may take 5-10 minutes)
  4. Verify exports are being generated in Cost Management
  5. Confirm storage account exists and container is named correctly

Issue: "Permission Denied (403 Errors)"

Symptoms: 403 Forbidden errors in sync logs

Solutions:

  1. PAYG: Ensure Service Principal has "Reader" role on subscription
  2. MCA: Requires "Reader" role AND "Billing Account Reader" role AND "Azure charges" setting enabled
  3. EA: Requires "Reader" role on Management Group AND "AO view charges" enabled by Enterprise Admin
  4. Check scope matches account type:
    • PAYG: /subscriptions/{subscription-id}
    • MCA: /providers/Microsoft.Management/managementGroups/{mg-id} + /providers/Microsoft.Billing/billingAccounts/{billing-account-id}
    • EA: /providers/Microsoft.Management/managementGroups/{mg-id}
  5. Wait 5-10 minutes after assigning roles
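The role-assignment listing in "Permission Verification" above and the scope checklist in this 403 section can be checked together: for each account type, every required role must exist at a scope of the right shape, and any role beyond the expected read-only ones deserves a look. The script below is an added example, not CloudYali's tooling. Its input is constructed to resemble the JSON form of "az role assignment list --assignee <client-id> --output json" (only the roleDefinitionName, scope and principalName fields are used; the GUIDs and names are invented). It assumes the billing-account assignment for MCA can be supplied in the same (role, scope) form, which may require collecting it from the billing role listing rather than from the command above.

```python
"""Verify service principal role assignments against the scope expected per account type.

Added example, not CloudYali code. SAMPLE_ASSIGNMENTS is constructed; it mimics the
fields of `az role assignment list --assignee <client-id> --output json`.
"""
import json
import re

SAMPLE_ASSIGNMENTS = json.loads("""[
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001",
   "principalName": "cloudyali-sp"},
  {"roleDefinitionName": "Storage Blob Data Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-costexports/providers/Microsoft.Storage/storageAccounts/stcostexports",
   "principalName": "cloudyali-sp"},
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-legacy",
   "principalName": "cloudyali-sp"}
]""")

# Scope shapes from the checklist above. Matching is case-insensitive because Azure
# sometimes returns segments such as "resourcegroups" in lower case.
SCOPE_PATTERNS = {
    "subscription": r"^/subscriptions/[^/]+$",
    "management_group": r"^/providers/Microsoft\.Management/managementGroups/[^/]+$",
    "billing_account": r"^/providers/Microsoft\.Billing/billingAccounts/[^/]+$",
    "storage_account": (r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
                        r"Microsoft\.Storage/storageAccounts/[^/]+$"),
}

# Required (role, acceptable scope kinds) per account type, from the tables on this page.
REQUIRED = {
    "PAYG": [("Reader", ["subscription"]),
             ("Storage Blob Data Reader", ["storage_account"])],
    "MCA": [("Reader", ["management_group", "subscription"]),
            ("Billing Account Reader", ["billing_account"]),
            ("Storage Blob Data Reader", ["storage_account"])],
    "EA": [("Reader", ["management_group"]),
           ("Storage Blob Data Reader", ["storage_account"])],
}

# The only roles this integration should hold; anything else is over-privilege.
EXPECTED_ROLES = {"Reader", "Billing Account Reader", "Storage Blob Data Reader"}


def scope_is(kind, scope):
    return re.match(SCOPE_PATTERNS[kind], scope, re.IGNORECASE) is not None


def check_assignments(account_type, assignments):
    """Return (missing, unexpected).

    missing: required (role, scope_kinds) pairs with no assignment at an acceptable scope.
    unexpected: (role, scope) of assignments outside the expected read-only roles.
    """
    missing = []
    for role, kinds in REQUIRED[account_type]:
        satisfied = any(a["roleDefinitionName"] == role and any(scope_is(k, a["scope"]) for k in kinds)
                        for a in assignments)
        if not satisfied:
            missing.append((role, kinds))
    unexpected = [(a["roleDefinitionName"], a["scope"]) for a in assignments
                  if a["roleDefinitionName"] not in EXPECTED_ROLES]
    return missing, unexpected


if __name__ == "__main__":
    for acct in ("PAYG", "MCA", "EA"):
        missing, unexpected = check_assignments(acct, SAMPLE_ASSIGNMENTS)
        print(f"{acct}: missing={missing}")
        print(f"{acct}: unexpected={unexpected}")
```

Against the constructed sample, PAYG passes but the extra Contributor assignment is reported; the same assignments fail the EA check (Reader is on a subscription, not a management group) and the MCA check (no Billing Account Reader). Role inheritance from a parent management group is deliberately not modelled, so the check stays as strict as the scope checklist above.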

Security Best Practices

CloudYali Implements:

  • Principle of Least Privilege: Only grants minimum required permissions
  • Encrypted Credentials: Service Principal credentials encrypted with AES-256
  • Secure Storage: Credentials stored in AWS Secrets Manager, not in database
  • Read-Only Access: Never grants WRITE or DELETE permissions
  • Audit Logging: All credential access is logged
  • Encryption in Transit: All data encrypted when transmitted

You Should:

  1. Rotate Credentials Regularly: Regenerate Service Principal secret every 6-12 months
  2. Monitor Access: Review role assignments periodically
  3. Use Dedicated Service Principal: Create one specifically for CloudYali (don't reuse)
  4. Secure the Secret: Never share Client Secret; it's sensitive like a password
  5. Verify Permissions: Periodically verify Service Principal has only expected roles
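Items 1 and 2 above, together with the secret-expiry step in the troubleshooting section, are routine checks that can be scripted. The following is an added example, not CloudYali code: it classifies a service principal's secrets as expired, expiring or fine, and flags any whose lifetime exceeds the recommended 12 months. The input is constructed to resemble the JSON form of "az ad sp credential list --id <client-id>" (keyId, displayName, startDateTime, endDateTime; values invented), and "now" is pinned so the result is reproducible.

```python
"""Flag service principal secrets that are expired, expiring soon, or longer-lived than recommended.

Added example, not CloudYali code. SAMPLE_CREDENTIALS is constructed to mimic the
fields of `az ad sp credential list --id <client-id>`; field names are an assumption.
"""
from datetime import datetime, timedelta, timezone

SAMPLE_CREDENTIALS = [
    {"keyId": "key-0001", "displayName": "cloudyali-2023",
     "startDateTime": "2023-01-15T00:00:00Z", "endDateTime": "2024-01-15T00:00:00Z"},
    {"keyId": "key-0002", "displayName": "cloudyali-2024",
     "startDateTime": "2024-06-01T00:00:00Z", "endDateTime": "2026-06-01T00:00:00Z"},
    {"keyId": "key-0003", "displayName": "cloudyali-2024b",
     "startDateTime": "2024-11-20T00:00:00Z", "endDateTime": "2025-05-31T00:00:00Z"},
]

# Fixed reference time so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2025, 5, 15, tzinfo=timezone.utc)


def _parse(ts):
    """Parse the ISO 8601 timestamps Azure returns; 'Z' is normalised for fromisoformat."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def credential_status(credentials, now, warn_days=30, max_recommended_days=365):
    """Return one record per secret with its status and whether its lifetime
    exceeds the recommended maximum (12 months on this page)."""
    report = []
    for cred in credentials:
        start, end = _parse(cred["startDateTime"]), _parse(cred["endDateTime"])
        remaining = end - now
        if remaining <= timedelta(0):
            status = "expired"
        elif remaining <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        report.append({
            "keyId": cred["keyId"],
            "status": status,
            "days_left": remaining.days,
            "lifetime_over_recommended": (end - start) > timedelta(days=max_recommended_days),
        })
    return report


def needs_rotation(credentials, now):
    """keyIds that should be rotated now: expired, expiring, or over the recommended lifetime."""
    return [r["keyId"] for r in credential_status(credentials, now)
            if r["status"] != "ok" or r["lifetime_over_recommended"]]


if __name__ == "__main__":
    for row in credential_status(SAMPLE_CREDENTIALS, NOW):
        print(row)
    print("rotate:", needs_rotation(SAMPLE_CREDENTIALS, NOW))
```

Expired secrets should also be deleted rather than left on the service principal, and a secret that is still valid but was issued with a 24-month lifetime is worth replacing with a shorter-lived one at the next rotation.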