Create Azure Application Registration

All Azure connections to Cloud Ctrl require an App Registration in Microsoft Entra ID (formerly Azure Active Directory).
This registration allows Cloud Ctrl to securely access cost, usage, reservation, and savings plan data through Microsoft APIs.

Step 1. Create the App Registration

1. Sign in to the Azure Portal
2. Navigate to Microsoft Entra ID → App registrations → New registration
3. Enter a name such as Cloud Ctrl Connector
4. Supported account types: Accounts in this organizational directory only
5. Redirect URI: leave blank
6. Click Register

Step 2. Record the Credentials

After registration:

• Copy the Application (client) ID
• Copy the Directory (tenant) ID
• Under Certificates & secrets, create a New client secret and record its Value

⚠️ Keep the client secret safe — you’ll need it plus the Application ID and Client ID to connect Azure in Cloud Ctrl.

Step 3. Assign Reader Role to Subscriptions

To allow Cloud Ctrl to access subscription data:

1. In the Azure Portal, navigate to Subscriptions
2. Select a subscription you want Cloud Ctrl to access
3. Click Access control (IAM) in the left menu
4. Click Add → Add role assignment
5. Choose the role: Reader
6. Select Members: your App Registration (from earlier)
7. Click Review + assign

⚠️ Repeat this for all subscriptions you want Cloud Ctrl to monitor.
Alternatively, you can assign the Reader role at the Management Group level to grant access to all subscriptions within that group.

Step 4. Assign Role for Savings Plans

To allow Cloud Ctrl to read Savings Plan data:

1. In the Azure Portal, navigate to the Savings Plans page.
2. Click Role Assignments at the top of the page.
3. Click Add → Add role assignment.
4. Choose the role: Savings Plan Reader
5. Select Members: your App Registration (from earlier)
6. Click Save

⚠️ You must repeat this once per tenant.
There is currently no management group–level equivalent for this permission.

Step 5. Assign Role for Reservations

To allow Cloud Ctrl to read Reservation data:

1. Navigate to the Reservations page.
2. Click Role Assignments.
3. Click Add → Add role assignment.
4. Choose the role: Reservations Reader
5. Select Members: your App Registration (from earlier)
6. Click Save

⚠️ As with Savings Plans, this role must be added per tenant, not at the management group level.

Step 6. Grant Access to Storage Account

Cloud Ctrl needs access to read the export files from your storage account.

💡 Don't have a storage account yet? Go back to Create a Dedicated Storage Account first.

1. Navigate to the Storage Account you created for cost exports
2. Click Access control (IAM) in the left menu
3. Click Add → Add role assignment
4. Choose the role: Storage Blob Data Reader
5. Select Members: your App Registration (from earlier)
6. Click Review + assign

⚠️ For CSP accounts with automated export management: assign Storage Blob Data Owner instead to allow Cloud Ctrl to create containers and manage export files.

What’s Next

• Configure Cost Management Exports →
• Automated CSP Export Setup →
• Troubleshooting Azure Connections →