SECTION 02 / PROVIDERS

Connect Azure (Read-Only)

Configure a read-only Azure service principal with Reader and Cost Management Reader roles for Costframe. Secure setup, audited read scopes, and complete revocation control.

Required Access Roles

To audit your resources safely without write access, Costframe requires a Microsoft Entra Service Principal with exactly two standard read-only roles:

  • Reader — Used to query Azure Resource Graph for resource configuration, types, and tags.
  • Cost Management Reader — Used to query Microsoft Cost Management APIs for billing and cost data.

What Costframe reads — and never does

What We Access
  • Resource inventory & metadata
  • Compute sizing & SKU info
  • Cost & invoice billing aggregates
  • Utilization metrics (VM CPU, database load)

What We Never Access
  • No write or modification paths
  • No host-level agents installed
  • No database rows or table contents
  • No VM internal application payloads

Alternative: Direct CLI Provisioning

If you already have an Azure CLI session open, you can provision the service principal directly from the shell instead of the portal. Run this command with an account that has sufficient administrator privileges to create app registrations and role assignments:

az ad sp create-for-rbac \
  --name "Costframe-ReadOnly" \
  --role "Reader" \
  --scopes "/subscriptions/{subscription-id}"

Step-by-Step Setup

  1. Create App Registration

    In the Azure Portal, open Microsoft Entra ID, then click App registrations > New registration. Name the registration Costframe-ReadOnly, keep the default organizational directory options, and click Register.

  2. Generate Client Secret

    Navigate to Certificates & secrets and click New client secret. Enter a description, set an expiration window, and click Add. Copy the secret value; Azure displays it only once.

    [Figure: Microsoft Entra ID Certificates & secrets screen, example setup flow]

    Security Note: Costframe encrypts credentials immediately with AES-256-GCM. Raw secrets are never stored in plaintext, logged, or returned by any API.

  3. Assign Reader Scopes

    Navigate to Subscriptions, choose the target subscription, open Access control (IAM), and add role assignments. Assign both Reader and Cost Management Reader to the Costframe-ReadOnly app registration.

  4. Configure Costframe

    In your Costframe workspace dashboard, under connection settings, enter your Tenant ID, Subscription ID, Client ID, and Client Secret. Costframe then queues an immediate read validation of the connection.
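The CLI command in the previous section grants a single role (`az ad sp create-for-rbac --role` accepts one role), so Cost Management Reader still has to be added afterwards, and step 3 above is where it is easy to over-assign. The following is an added example, not Costframe's or Microsoft's own code: it lists the two `az` commands that together produce the required assignments, and audits a captured `az role assignment list --assignee <appId> --all -o json` dump to confirm the principal holds exactly Reader and Cost Management Reader, scoped to the intended subscription and nothing broader. The sample assignment JSON and the subscription ID are constructed placeholders.

```python
"""Least-privilege audit for the Costframe-ReadOnly service principal.

Added example (not Costframe's or Microsoft's code). It assumes you have
captured the principal's role assignments with:

    az role assignment list --assignee <appId> --all -o json > assignments.json

and checks that the principal holds exactly the two read-only roles the
setup requires, at the target subscription scope and nowhere broader.
"""
import json

REQUIRED_ROLES = {"Reader", "Cost Management Reader"}

# Constructed sample of `az role assignment list` output. It models a principal
# created with create-for-rbac (Reader), then given Cost Management Reader, but
# also accidentally granted Contributor at a management group. Field names
# follow the real CLI output; the IDs and names are made up for this example.
SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {"roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
     "principalType": "ServicePrincipal"},
    {"roleDefinitionName": "Cost Management Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
     "principalType": "ServicePrincipal"},
    {"roleDefinitionName": "Contributor",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-root",
     "principalType": "ServicePrincipal"},
])


def audit_assignments(assignments_json: str, subscription_id: str) -> dict:
    """Compare the principal's assignments against the two expected roles.

    Returns the roles that are missing, any extra roles (write access or
    otherwise), and assignments whose scope is not inside the target
    subscription (e.g. management group or tenant root).
    """
    assignments = json.loads(assignments_json)
    expected_prefix = f"/subscriptions/{subscription_id}".lower()
    held = {a["roleDefinitionName"] for a in assignments}
    # Narrower scopes (a resource group inside the subscription) are acceptable;
    # anything that does not sit under the subscription is flagged.
    out_of_scope = [
        f'{a["roleDefinitionName"]} @ {a["scope"]}'
        for a in assignments
        if not a["scope"].lower().startswith(expected_prefix)
    ]
    return {
        "missing": sorted(REQUIRED_ROLES - held),
        "unexpected": sorted(held - REQUIRED_ROLES),
        "out_of_scope": out_of_scope,
        "ok": held == REQUIRED_ROLES and not out_of_scope,
    }


def provisioning_commands(subscription_id: str, name: str = "Costframe-ReadOnly") -> list:
    """Return the az CLI commands that together yield both required roles.

    create-for-rbac grants only the single role passed via --role, so Cost
    Management Reader is added with a second `az role assignment create`.
    The appId comes from the JSON printed by the first command.
    """
    scope = f"/subscriptions/{subscription_id}"
    return [
        f'az ad sp create-for-rbac --name "{name}" --role "Reader" --scopes "{scope}"',
        f'az role assignment create --assignee "<appId from previous output>" '
        f'--role "Cost Management Reader" --scope "{scope}"',
    ]


if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
    for cmd in provisioning_commands(sub):
        print(cmd)
    print(json.dumps(audit_assignments(SAMPLE_ASSIGNMENTS_JSON, sub), indent=2))
```

Run the audit against a real dump after step 3 (and again periodically): an "unexpected" entry such as Contributor, or any "out_of_scope" entry, means the principal has more than the read-only access this page describes and the extra assignment should be removed before the connection is used.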

Revoke access at any time

You remain in complete control. Delete the service principal or simply remove its role assignments in your Azure console. All connection access ceases immediately and scheduled runs will pause.