
Azure Permissions Reference

This document provides a complete reference of the permissions CloudYali requires for each Azure account type.


Required Service Principal Permissions

Pay-as-You-Go (PAYG)

Role                       Scope             Purpose
Cost Management Reader     Subscription      Read cost and usage data
Storage Blob Data Reader   Storage Account   Read exported cost files

Minimum Required Permissions:

Microsoft.CostManagement/*/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

The blob read permission is a data action: it is granted by Storage Blob Data Reader and is not included in the built-in Reader role, whose */read covers control-plane reads only.

Microsoft Customer Agreement (MCA)

Role                       Scope             Purpose
Billing Account Reader     Billing Account   Read cost data at billing account level
Storage Blob Data Reader   Storage Account   Read exported cost files

Prerequisites:

  • "Azure charges" setting must be enabled at billing account level

Minimum Required Permissions:

Microsoft.CostManagement/*/read
Microsoft.Billing/billingAccounts/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

Enterprise Agreement (EA)

Role                                           Scope                            Purpose
Cost Management Reader or Enrollment Reader    Management Group or Enrollment   Read cost data at enrollment level
Storage Blob Data Reader                       Storage Account                  Read exported cost files

Prerequisites:

  • Enterprise Admin must enable "Account Owner (AO) view charges" at enrollment level

Minimum Required Permissions:

Microsoft.CostManagement/*/read
Microsoft.Billing/*/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

What CloudYali Can Access

✅ Read-Only Access

CloudYali can read the following data:

  • Cost and Usage Data

    • Daily cost breakdowns
    • Usage by resource
    • Cost by service
    • Amortized costs
  • Resource Information

    • Resource names and types
    • Resource locations and regions
    • Resource group names
    • Subscription information
  • Tags and Metadata

    • Resource tags
    • Custom metadata
    • Resource attributes

❌ Cannot Access

CloudYali cannot and will never have access to:

  • Resource Management

    • Cannot create resources
    • Cannot modify resources
    • Cannot delete resources
    • Cannot start/stop resources
  • Sensitive Data

    • Cannot access VM data or application logs
    • Cannot view application secrets or keys
    • Cannot access database passwords
    • Cannot view storage account keys
  • Billing Configuration

    • Cannot change billing settings
    • Cannot create invoices
    • Cannot modify agreements
    • Cannot change payment methods

Role Propagation Delay

⏱️ Important: After assigning roles, wait 5-10 minutes for Azure to propagate the assignments before testing the connection. A test run too early fails with authentication or 403 errors even though the configuration is correct. This is normal Azure RBAC behavior.


Permission Verification

Verify Your Service Principal Has Correct Roles

Using Azure CLI:

# List the service principal's RBAC role assignments at every scope
# (without --all only assignments at the current subscription scope are shown)
az role assignment list --assignee {client-id} --all --output table

# Example output should include rows like these (column order varies by CLI version):
# Principal           Role                       Scope
# CloudYali-Billing   Cost Management Reader     /subscriptions/xxx...
# CloudYali-Billing   Storage Blob Data Reader   /subscriptions/xxx.../...

Billing Account Reader (MCA) and Enrollment Reader (EA) are billing roles, not Azure RBAC roles, so they do not appear in this output. Check them in the Azure portal under Cost Management + Billing, on the billing account or enrollment.

Verify Service Principal Exists

# Confirm the service principal still exists (--id accepts the application/client ID)
az ad sp show --id {client-id}

Troubleshooting Permission Issues

Issue: "Authentication Failed"

Symptoms: Cannot authenticate with Azure

Solutions:

  1. Verify Client ID, Tenant ID, and Client Secret are correct
  2. Check whether the Client Secret has expired (the portal caps secret lifetime at 24 months; 12 months is the recommended lifetime)
  3. Confirm Service Principal still exists in Azure AD
  4. Verify role assignments:
    • PAYG: Check "Cost Management Reader" on subscription
    • MCA: Check "Billing Account Reader" on billing account
    • EA: Check "Cost Management Reader" or "Enrollment Reader"
  5. Wait 5-10 minutes for role propagation if recently assigned

Issue: "Cannot Access Storage"

Symptoms: Cannot read cost export files

Solutions:

  1. Verify Service Principal has Storage Blob Data Reader role
  2. Check storage account name matches exactly (case-sensitive)
  3. Ensure Service Principal was assigned role (may need to wait 5-10 minutes)
  4. Verify exports are being generated in Cost Management
  5. Confirm storage account exists and container is named correctly

Issue: "Permission Denied (403 Errors)"

Symptoms: 403 Forbidden errors in sync logs

Solutions:

  1. PAYG: Ensure Service Principal has "Cost Management Reader" (not generic "Reader")
  2. MCA: Requires "Billing Account Reader" role AND "Azure charges" setting enabled
  3. EA: Requires "Cost Management Reader" or "Enrollment Reader" AND "AO view charges" enabled
  4. Check scope matches account type:
    • PAYG: /subscriptions/{subscription-id}
    • MCA: /providers/Microsoft.Billing/billingAccounts/{billing-account-id}
    • EA: /providers/Microsoft.Management/managementGroups/{mg-id} for Cost Management Reader; Enrollment Reader is assigned on the enrollment itself
  5. Wait 5-10 minutes after assigning roles

Security Best Practices

✅ CloudYali Implements:

  • Principle of Least Privilege: Only grants minimum required permissions
  • Encrypted Credentials: Service Principal credentials encrypted with AES-256
  • Secure Storage: Credentials stored in AWS Secrets Manager, not in database
  • Read-Only Access: Never grants WRITE or DELETE permissions
  • Audit Logging: All credential access is logged
  • Encryption in Transit: All data encrypted when transmitted

📋 You Should:

  1. Rotate Credentials Regularly: Regenerate Service Principal secret every 6-12 months
  2. Monitor Access: Review role assignments periodically
  3. Use Dedicated Service Principal: Create one specifically for CloudYali (don't reuse)
  4. Secure the Secret: Never share Client Secret; it's sensitive like a password
  5. Verify Permissions: Periodically verify Service Principal has only expected roles
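The checks in the Permission Verification section, the scope rules from the 403 troubleshooting section and the two recurring tasks above (rotate the secret, verify the principal holds only the expected roles) can be run as one script. The following is an added example, not CloudYali's or Microsoft's code. It works offline on the JSON that `az role assignment list --assignee <client-id> --all -o json` and `az ad app credential list --id <client-id> -o json` emit; the sample records embedded in it are constructed, and the subscription ID, resource names and dates are made up. It only covers Azure RBAC roles, since Billing Account Reader and Enrollment Reader never appear in `az role assignment list` output.

```python
"""Audit a service principal's Azure RBAC role assignments and client-secret expiry
against the roles, scopes and secret lifetime this page describes (added example)."""
import json
import re
from datetime import datetime, timedelta, timezone

SUB = r"/subscriptions/[0-9a-fA-F-]{36}"
# Storage Blob Data Reader belongs on the export storage account (or just the
# export container); anything wider is more than the page grants.
STORAGE_SCOPE = re.compile(
    "^" + SUB + r"/resourceGroups/[^/]+/providers/Microsoft\.Storage/storageAccounts/[^/]+"
    r"(/blobServices/default/containers/[^/]+)?$"
)
# Where Cost Management Reader must sit, per account type. MCA uses Billing
# Account Reader, a billing role that `az role assignment list` never shows,
# so only the storage role is checked for MCA here.
COST_SCOPE = {
    "PAYG": re.compile("^" + SUB + "$"),
    "EA": re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$"),
}
ALLOWED_ROLES = {"Cost Management Reader", "Storage Blob Data Reader"}
MAX_SECRET_LIFETIME_DAYS = 366  # "should be 12 months", leap-year tolerant


def audit_role_assignments(assignments, account_type):
    """Return findings as strings; an empty list means the assignments match this page."""
    findings = []
    by_role = {}
    for a in assignments:
        by_role.setdefault(a["roleDefinitionName"], []).append(a["scope"])

    storage_scopes = by_role.get("Storage Blob Data Reader", [])
    if not any(STORAGE_SCOPE.match(s) for s in storage_scopes):
        findings.append("missing: Storage Blob Data Reader on the export storage account")
    for s in storage_scopes:
        if not STORAGE_SCOPE.match(s):
            findings.append(f"too broad: Storage Blob Data Reader at {s}")

    cost_pattern = COST_SCOPE.get(account_type)
    if cost_pattern is not None:
        cost_scopes = by_role.get("Cost Management Reader", [])
        if not any(cost_pattern.match(s) for s in cost_scopes):
            findings.append(f"missing: Cost Management Reader at the {account_type} scope")

    # Anything else (Contributor, Owner, even the generic Reader) exceeds the
    # read-only access this page describes.
    for role, scopes in by_role.items():
        if role not in ALLOWED_ROLES:
            for s in scopes:
                findings.append(f"unexpected: {role} at {s}")
    return findings


def secret_status(credentials, now, warn_days=30):
    """Classify each secret as expired / expiring / ok and flag lifetimes over 12 months."""
    results = []
    for c in credentials:
        start = datetime.fromisoformat(c["startDateTime"].replace("Z", "+00:00"))
        end = datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00"))
        if end <= now:
            status = "expired"
        elif end - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        lifetime = (end - start).days
        results.append({
            "name": c.get("displayName") or c["keyId"],
            "status": status,
            "lifetime_days": lifetime,
            "exceeds_12_months": lifetime > MAX_SECRET_LIFETIME_DAYS,
        })
    return results


# Constructed sample in the shape of `az role assignment list -o json` (fields trimmed).
SAMPLE_ASSIGNMENTS = json.loads("""[
 {"roleDefinitionName": "Cost Management Reader", "principalName": "CloudYali-Billing",
  "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
 {"roleDefinitionName": "Storage Blob Data Reader", "principalName": "CloudYali-Billing",
  "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-billing/providers/Microsoft.Storage/storageAccounts/stcostexports"},
 {"roleDefinitionName": "Contributor", "principalName": "CloudYali-Billing",
  "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"}
]""")
# Constructed sample in the shape of `az ad app credential list -o json`.
SAMPLE_CREDENTIALS = json.loads("""[
 {"displayName": "cloudyali-2024", "keyId": "00000000-0000-0000-0000-000000000001",
  "startDateTime": "2024-03-01T00:00:00Z", "endDateTime": "2025-03-01T00:00:00Z"},
 {"displayName": "cloudyali-2025", "keyId": "00000000-0000-0000-0000-000000000002",
  "startDateTime": "2025-01-01T00:00:00Z", "endDateTime": "2027-01-01T00:00:00Z"}
]""")
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample

if __name__ == "__main__":
    for acct in ("PAYG", "MCA", "EA"):
        print(acct, audit_role_assignments(SAMPLE_ASSIGNMENTS, acct) or ["ok"])
    for r in secret_status(SAMPLE_CREDENTIALS, SAMPLE_NOW):
        print(r)
```

On the sample data the PAYG and MCA audits report only the stray Contributor assignment, the EA audit additionally reports that Cost Management Reader is missing at management group scope, and the secret check flags the 2024 secret as expired and the 2025 secret as exceeding a 12-month lifetime. To run it against a real tenant, replace the two samples with the output of the `az` commands named in the lead-in and pass `datetime.now(timezone.utc)` as `now`.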