Cloud Ctrl

# Create Azure Application Registration

All Azure connections to Cloud Ctrl require an Application Registration in Azure Active Directory.
This registration allows Cloud Ctrl to securely access cost, usage, reservation, and savings plan data through Microsoft APIs.

# Step 1. Create the App Registration

  1. Sign in to the Azure Portal (opens new window)
  2. Navigate to Azure Active Directory → App registrations → New registration
  3. Enter a name such as Cloud Ctrl Connector
  4. Supported account types: Accounts in this organizational directory only
  5. Redirect URI: leave blank
  6. Click Register

# Step 2. Record the Credentials

After registration:

  • Copy the Application (client) ID
  • Copy the Directory (tenant) ID
  • Under Certificates & secrets, create a New client secret and record its Value

⚠️ Keep the client secret safe — you’ll need it plus the Application ID and Client ID to connect Azure in Cloud Ctrl.

# Step 3. Add API Permissions

  1. In the App Registration, open API permissions
  2. Click Add a permission → APIs my organization uses
  3. Add the following delegated permissions:
API Permission Purpose
Azure Service Management user_impersonation Read resources and subscription metadata
Azure Reservations user_impersonation Read Savings Plan and Reservation data
Microsoft Graph Directory.Read.All (Optional) Read directory information for tagging context

Click Grant admin consent to apply the permissions.

# Step 4. Assign Roles to the Application

For each subscription you want to connect:

  1. Navigate to Subscriptions → Access Control (IAM)
  2. Click Add → Add role assignment
  3. Assign the Reader role (minimum required)
  4. Search for your new App Registration and select it
  5. Save

💡 Reader access is sufficient for most Azure accounts.
CSP customers can optionally assign additional permissions to allow Cloud Ctrl to automate export creation — see CSP Export Permissions.

# Step 5. Assign Role for Savings Plans

To allow Cloud Ctrl to read Savings Plan data:

  1. In the Azure Portal, navigate to the Savings Plans page (opens new window).
  2. Click Role Assignments at the top of the page.
  3. Click Add → Add role assignment.
  4. Choose the role: Savings Plan Reader
  5. Select Members: your App Registration (from earlier)
  6. Click Save

⚠️ You must repeat this once per tenant.
There is currently no management group–level equivalent for this permission.

# Step 6. Assign Role for Reservations

To allow Cloud Ctrl to read Reservation data:

  1. Navigate to the Reservations page (opens new window).
  2. Click Role Assignments.
  3. Click Add → Add role assignment.
  4. Choose the role: Reservations Reader
  5. Select Members: your App Registration (from earlier)
  6. Click Save

⚠️ As with Savings Plans, this role must be added per tenant, not at the management group level.

# What’s Next

Cost Management Exports