SECTION 02 / PROVIDERS
Connect Azure (Read-Only)
Configure a read-only Azure service principal with Reader and Cost Management Reader roles for Costframe. Secure setup, audited read scopes, and complete revocation control.
Required Access Roles
To audit your resources without write access, Costframe requires a Microsoft Entra service principal with exactly two built-in read-only roles, both assigned at subscription scope:
- Reader: used to query Azure Resource Graph for resource configuration, types, and tags.
- Cost Management Reader: used to query the Microsoft Cost Management APIs for billing and cost data.
What Costframe reads
- Resource inventory & metadata
- Compute sizing & SKU info
- Cost & invoice billing aggregates
- Utilization metrics (VM CPU, database load)
What Costframe never does
- No write or modification paths
- No host-level agents installed
- No database rows or table contents
- No VM internal application payloads
Alternative: Direct CLI Provisioning
If you prefer a shell session, you can create the app registration and its service principal in one step with the Azure CLI. The account running it needs rights to create app registrations in the tenant and to assign roles on the subscription (for example Owner or User Access Administrator on that subscription):
az ad sp create-for-rbac \
  --name "Costframe-ReadOnly" \
  --role "Reader" \
  --scopes "/subscriptions/{subscription-id}"
Two caveats: this command assigns only Reader, so Cost Management Reader must still be granted on the same subscription (with az role assignment create, or through Access control (IAM) as in step 3 below), and the generated client secret is printed in the command's output, so capture it straight into your secret store and treat that terminal output as sensitive.
Step-by-Step Setup
1. Create App Registration
In the Azure Portal, open Microsoft Entra ID, click App registrations → New registration. Name the registration Costframe-ReadOnly, keep the default organizational directory (single-tenant) option, and click Register. Note the Application (client) ID and Directory (tenant) ID on the overview page; both are needed in step 4.
2. Generate Client Secret
Navigate to Certificates & secrets, then click New client secret. Choose a description, set the shortest expiration window your rotation process supports, and click Add. Copy the secret value immediately: the portal shows it only once, and you will need to generate a replacement before this one expires.
Security Note: Costframe encrypts credentials immediately with AES-256-GCM. Raw secrets are never stored in plaintext, logged, or returned by any API.
3. Assign Read-Only Roles
Navigate to Subscriptions, choose the target subscription, click Access control (IAM), and add role assignments. Assign both Reader and Cost Management Reader to the Costframe-ReadOnly service principal (search for it by name under "User, group, or service principal"). Assign at the subscription scope rather than at a management group so the grant covers only the subscription you intend to connect.
4. Configure Costframe
In your Costframe workspace dashboard under connection settings, enter your Tenant ID, Subscription ID, Client ID, and Client Secret to queue an immediate read validation of the connection.
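The dashboard's read validation confirms that the credentials work; it does not confirm that the principal holds nothing beyond the two read roles. The script below is an added example, not Costframe's own code, that performs that least-privilege check from outside Costframe: it signs in with the OAuth 2.0 client-credentials grant, takes the service principal's object ID from the `oid` claim of the token it just received (role assignments reference the object ID, not the client ID), lists the principal's role assignments on the subscription through Azure Resource Manager, and fails unless exactly Reader and Cost Management Reader are assigned at subscription scope. The environment variable names and the two role sets are assumptions; the endpoints and API version are the standard Microsoft Entra and Microsoft.Authorization ones, and only the Python standard library is used.

```python
# Added verification script (not Costframe's code). Assumed inputs are the
# environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET
# and AZURE_SUBSCRIPTION_ID. Every request it makes is a read.
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2022-04-01"          # Microsoft.Authorization API version
EXPECTED_ROLES = {"Reader", "Cost Management Reader"}
# Roles that would give the principal write paths; any of these is a hard fail.
WRITE_CAPABLE = {"Owner", "Contributor", "User Access Administrator",
                 "Cost Management Contributor"}


def jwt_claims(token):
    """Decode the payload of an access token we just received ourselves.
    No signature check is needed: we only read our own token to learn the
    service principal's object ID (the `oid` claim)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)        # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def get_token(tenant_id, client_id, client_secret):
    """OAuth 2.0 client-credentials grant against Microsoft Entra, scoped to ARM."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{ARM}/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def arm_get(token, path, params=None):
    """GET an ARM resource path and return the decoded JSON body."""
    query = {"api-version": API_VERSION, **(params or {})}
    url = f"{ARM}{path}?{urllib.parse.urlencode(query)}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def role_scopes(assignments, role_name_of):
    """Turn a roleAssignments list response into {role name: {scopes}}.
    `role_name_of` resolves a roleDefinitionId path to the role's display name."""
    result = {}
    for item in assignments.get("value", []):
        props = item["properties"]
        name = role_name_of(props["roleDefinitionId"])
        result.setdefault(name, set()).add(props["scope"].lower())
    return result


def audit(roles, subscription_id):
    """Return (ok, findings). ok only when the principal holds exactly the two
    read roles, each assigned on the subscription itself rather than inherited
    from a management group or granted on a child resource group."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    findings = [f"missing role: {r}" for r in sorted(EXPECTED_ROLES - set(roles))]
    for extra in sorted(set(roles) - EXPECTED_ROLES):
        level = "CRITICAL" if extra in WRITE_CAPABLE else "warning"
        findings.append(f"{level}: unexpected role {extra}")
    for name, scopes in roles.items():
        for scope in sorted(scopes - {sub_scope}):
            findings.append(f"{name} assigned at unexpected scope {scope}")
    return not findings, findings


def main():
    tenant, client, secret, sub = (os.environ[k] for k in (
        "AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET",
        "AZURE_SUBSCRIPTION_ID"))               # assumed variable names
    token = get_token(tenant, client, secret)
    oid = jwt_claims(token)["oid"]              # service principal object ID
    listing = arm_get(
        token, f"/subscriptions/{sub}/providers/Microsoft.Authorization/roleAssignments",
        {"$filter": f"assignedTo('{oid}')"})    # includes inherited assignments
    cache = {}

    def role_name_of(definition_id):
        # roleDefinitionId is a full ARM path, so it can be fetched directly.
        if definition_id not in cache:
            cache[definition_id] = arm_get(token, definition_id)["properties"]["roleName"]
        return cache[definition_id]

    ok, findings = audit(role_scopes(listing, role_name_of), sub)
    print("OK: exactly Reader and Cost Management Reader at subscription scope"
          if ok else "\n".join(findings))
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

Run it once after step 4 and again after any change to the subscription's role assignments. An Owner or Contributor grant shows up as CRITICAL, a Reader assignment inherited from a management group is reported as an unexpected scope, and a missing Cost Management Reader (the usual outcome of the CLI shortcut above) is listed as a missing role. `role_scopes()` and `audit()` do no I/O, so the policy can be tested against a saved roleAssignments response without credentials.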
Revoke access at any time
You remain in complete control. Remove the service principal's role assignments under Access control (IAM), delete its client secret, or delete the app registration itself in the Azure Portal. Removing the role assignments stops every read as soon as Azure RBAC applies the change; deleting the secret or the registration also prevents new tokens from being issued. Costframe's scheduled runs pause once access is gone.