Setting up Azure Cost Management Exports

Learn how to set up Cost Management Exports reports in Azure, so you can sync your Azure data to Cloud Ctrl.

1. Create a Cost Management Export report in Azure

Cost Management Export reports are available for various Azure account types, including Enterprise Agreement (EA) and Microsoft Customer Agreement (MCA) customers. The prerequisites for this process is available from the following Microsoft page here (opens new window)

This process is the same for any of the three types of export, 'actual', 'amortized', or 'FOCUS'. Currently Cloud Ctrl only supports importing 'actual' type CME exports.

To start creating a new (or edit an existing) Cost Management Export, search for 'Cost Management + Billing' in the Azure portal. From there, navigate to Cost Management -> Exports.

Choose or change to a billing scope that includes all (or some) of the subscriptions that you want to gather usage data from.

Select 'Create' and then the 'Cost and usage (actual)' template to setup a new export.

Note: The export must be the "Cost and usage (actual)" template. This may not be available on all subscription types.

Specify a name prefix for the export report. The setup will automatically add the type of export being created to end of the name. This name can be edited later.

Next, specify the destination (Blob storage container) for where the export reports will be created by Azure. This is the location where Cloud Ctrl will ingest the export reports from. It should be located in a subscription that is able to be accessed (through trusted Azure service access) by Cloud Ctrl. It does not have to be located in the same subscription as any the subscriptions that are being exported. You will need to make a note of this location; the details will be required when you create the connection in Cloud Ctrl.

Ensure that 'CSV' format is choosen, as well as Gzip compression for the export. Please note that it may take 24 hours for the first CME report to be created by Microsoft in the destination location.

Important: When creating the export, ensure you select the option to overwrite old reports. This is crucial for maintaining up-to-date data in Cloud Ctrl.

Once complete, the export report should appear in the list of exports under the choosen billing scope.

2. Register an application and create a role assignment

Microsoft Entra ID Applications are identities that you create and control within your own Microsoft Entra tenant and can be granted privileges on the resources that you specify. These applications have their own login credentials and are intended to be used in code, such as in Cloud Ctrl. The application identity and role assignment created in this step, will allow to access the destination subscription (and storage account etc.) specified in step 1.

Cloud Ctrl uses the Microsoft Entra ID Applications to connect to the Azure Resource Manager and gather metadata and metrics from your subscriptions.

For all these steps, Microsoft have published documentation covering the process in the Azure Portal. View the Microsoft Documentation (opens new window)

Collect the Tenant ID

1. Log in to the Azure Management Portal (opens new window) using tenant admin credentials.
2. From the search bar at the top of the screen, type 'Entra' and select Microsoft Entra ID.
3. Select Properties from the list.
4. From the properties screen, copy the Directory ID. This is your Tenant ID.

Register a New Application

1. Navigate to the Manage section of Microsoft Entra ID, then click App Registrations > New Registration.
   1. Enter a Name for your application.
   2. For Support Account Types, leave the default.
   3. For User Redirect URI, leave the default.
   4. Click on Register.
2. Copy the Application ID after successful registration. This is your Client ID.
3. Generate the client secret
   1. Go to Manage > Certificates & secrets
   2. Under Client Secrets, click New client secret.
   3. Add a Description for the secret and select an expiration period.
   4. Click on Add.
   5. Copy down the Client Secret Value that is generated as this cannot be displayed again. (==Important!==)

Assign Permissions

You must assign two roles with different scopes:

---

A. Assign the Reader Role

This allows Cloud Ctrl to read subscription metadata and export configuration.

Scope: Assign at the highest scope possible (Subscription, Management Group, or Billing Account) that includes the exported subscriptions.

1. Go to the scope in Azure Portal (e.g. subscription or management group). We recommend assigning to management groups which you can find here (opens new window). Select the subscription or top level management group that you specified as the destination for the automatic Cost Management Export.
2. Open Access Control (IAM) > Add role assignment.
3. Choose:
   • Role: Reader
   • Assign access to: User, group, or service principal
   • Select: your registered app

---

B. Assign the Storage Blob Data Reader Role

This grants read access to the blob container storing the Cost Management Export files.

Scope: Assign only at the container level (not subscription-wide).

1. Go to the Storage Account > Containers.
2. Open the target container.
3. Click Access Control (IAM).
4. Add a role assignment:
   • Role: Storage Blob Data Reader
   • Assign access to: User, group, or service principal
   • Select: your registered app

⚠️ Do not assign StorageBlobDataReader at the subscription or resource group level to avoid over-permissioning.

3. Create a new Cloud Account in Cloud Ctrl

To start importing usage data for Microsoft Azure Cost Management Exports, you need to create an Azure Cloud Account.

• To add a new cloud account go to Settings > Cloud Accounts > Create
• The New Cloud Account window will appear, select Azure Account (Cost Management Export)

You will be prompted for a name for the Cloud Account as well as the Tenant Id, Application / Client Id and the Application / Client Secret you got from the ARM Connection.

The name is an internal name used within the platform for you to be able to identify this connection among multiple connections, e.g. Azure MSDN, Azure PAYG, etc. You also need to specify the 'Storage Account Name', the 'Container Name', the 'Directory Name' and the 'Export Name' from the automated Cost Management Export report that was created in the Azure Portal.

Once you submit, your data should start to be ingested into ; it may take up to 24hrs for your usage to fully load. Please contact our support team if you are experiencing issues.

4. Enhance the connection

Once your usage credential has been supplied you will need to attribute some additional permissions to ensure functionality such as recommendations, savings plans and reservations reports flow.

• Find your newly created Azure account within the Azure tab on the settings page.
• Expand the details of the cloud connection, and click the three dotted lines highlighted in the picture above.
• Click Edit Enhanced connection to provide the additional credentials.
• From here, follow the guide here to create a credential that has the necessary permissions.