Enhanced Azure Access

To collect additional information about your Azure consumption and costs — such as reservation details, savings plans, and recommendations — you can grant additional Azure permissions to the Azure Entra App credential you have already created. In most cases, no new credential is needed; you simply assign additional roles to your existing App Registration in Azure.

Optionally, if you have an Enterprise Agreement (EA), Microsoft Customer Agreement (MCA), or CSP arrangement, you can also add a separate credential under your Azure tenant in Cloud Ctrl to unlock features like amortised costs and price lists.

Option 1: Assign Additional Permissions to Your Existing App Registration

If you already have an Azure Entra App credential configured in Cloud Ctrl, you can enhance the data it collects by assigning additional Azure roles to the same App Registration. No changes are needed in Cloud Ctrl — just update the permissions in Azure.

Subscription-Level Permissions

If you used the built-in Reader role during App Registration setup, all subscription-level permissions are already covered.

If you used a custom role, ensure it includes all the permissions Cloud Ctrl requires. The full custom role definition is:

{
  "Name": "CloudCtrl Reader",
  "IsCustom": true,
  "Description": "Grants Cloud Ctrl read access to billing, consumption, insights, and resource data.",
  "Actions": [
    "Microsoft.Billing/*/read",
    "Microsoft.Commerce/*/read",
    "Microsoft.Consumption/*/read",
    "Microsoft.Insights/*/read",
    "Microsoft.ResourceGraph/*/read",
    "Microsoft.Advisor/*/read",
    "Microsoft.Web/kubeEnvironments/read",
    "Microsoft.Kubernetes/connectedClusters/read",
    "Microsoft.Kubernetes/RegisteredSubscriptions/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/tags/read"
  ],
  "NotActions": [],
  "AssignableScopes": ["/"]
}

💡 See Step 3 of the App Registration guide for instructions on creating and assigning this custom role.

Savings Plan Reader (Tenant Level)

  1. In the Azure Portal, navigate to the Savings Plans page
  2. Click Role Assignments at the top of the page
  3. Click Add → Add role assignment
  4. Choose the role: Savings Plan Reader
  5. Select Members: your App Registration
  6. Click Save

⚠️ You must repeat this once per tenant. There is currently no management group–level equivalent for this permission.

Reservations Reader (Tenant Level)

To collect information about reserved instances for the inventory and pro rata cost information, you will need to grant the Reservations Reader role at a tenant level.

Assigning this role at the tenant level automatically grants read access to all reservations in the Microsoft Entra ID tenant (directory). You do not need to grant access to new reservations as they are acquired, nor do you need to provide access to each subscription individually.

Using the PowerShell script below, you can add the Reservations Reader role to the Microsoft Entra ID Application service principal you have created.

This can be run in the Azure Portal using the Cloud Shell

#Import required resources
Import-Module Az.Accounts
Import-Module Az.Resources

# Connect to Microsoft Entra ID
Connect-AzAccount -Tenant <Tenant ID> -UseDeviceAuthentication

# Get the Service Principal ID for your Microsoft Entra ID App Registration
$ServicePrincipalId = (Get-AzADServicePrincipal -DisplayName <AD Application Registration Display Name> -First 1).Id

# Assign the Reservation Reader role to the Application Service Principal
New-AzRoleAssignment -Scope "/providers/Microsoft.Capacity" -PrincipalId $ServicePrincipalId -RoleDefinitionName "Reservations Reader"

Refer to the Microsoft Official Azure documentation for details.

Option 2: Add a Separate Credential for EA, MCA, or CSP

If you have an Enterprise Agreement (EA), Microsoft Customer Agreement (MCA), or Cloud Solution Provider (CSP) arrangement, you can add an additional credential directly to your Azure tenant in Cloud Ctrl. This unlocks enhanced features such as amortised cost breakdowns and price list access.

  1. Navigate to Settings → Cloud Connections → Microsoft Azure
  2. In the Credentials section, click + Add Credential
  3. Select the credential type:
    • Enterprise Agreement (EA) — Requires your EA Enrollment Number and API Key
    • Microsoft Customer Agreement (MCA) — Requires your Billing Account ID and Billing Profile ID
    • Cloud Solution Provider (CSP) — Requires your CSP Partner credentials
  4. Enter the required details and click Save

Tips

This is managed alongside your existing Azure Entra App credentials on the Cloud Connections screen — no separate setup process is required.