Azure Cost Management Exports – CSP Accounts

For Microsoft Cloud Solution Provider (CSP) customers, Cloud Ctrl integrates with Azure Cost Management Exports to collect detailed cost and usage data.

Due to Microsoft’s CSP billing model, exports can only be created at the subscription level.
However, Cloud Ctrl can now automate export creation and historical backfills when granted the required permissions.

⚠️ Supported subscription types: Automated Export Setup is supported on CSP, EA, and MCA-Enterprise subscriptions. It is not supported on MCA-Individual or legacy Pay-As-You-Go subscriptions — Cost Management applies a billing-scope authorization check on those subscription classes that cannot be satisfied by ARM RBAC alone, and export creation will fail with RBACAccessDenied regardless of any role granted to the service principal. Customers on those subscription types should follow the Manual Setup instructions below.


Recommended Method – Automated Export Setup

If you can grant the required permissions to the Cloud Ctrl App Registration, Cloud Ctrl will automatically:

  • Create and manage Cost Management Exports for each subscription
  • Schedule daily export jobs
  • Perform historical backfills (up to 13 months)
  • Monitor export status and recover from missed runs

This ensures consistent configuration across all CSP subscriptions with minimal manual effort.


Step 1. Register required resource providers

The subscription must have the Cost Management and Consumption resource providers registered before exports can be created. This is typically already done on long-lived subscriptions but is missing on freshly created subscriptions.

az provider register --namespace Microsoft.CostManagement --wait
az provider register --namespace Microsoft.Consumption    --wait
az provider register --namespace Microsoft.Storage        --wait

Or in the Azure Portal: Subscription → Resource providers, then search for and register each of Microsoft.CostManagement, Microsoft.Consumption and Microsoft.Storage.

Repeat for each subscription you wish to connect.


Step 2. Create a Custom Role

Create a Custom Role that allows Cloud Ctrl to manage exports and read usage data.

To create the custom role in Azure Portal:

  1. Navigate to any Subscription → Access control (IAM)
  2. Click Add → Add custom role
  3. Enter the role name: CSPExportManager
  4. Select Start from scratch
  5. On the Permissions tab, click Add permissions and add:
    • Microsoft.Resources/subscriptions/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/tags/read
    • Microsoft.Consumption/*/read
    • Microsoft.CostManagement/exports/*
    • Microsoft.CostManagement/query/*
    • Microsoft.CostManagement/views/*/read
  6. On the Assignable scopes tab, select the subscriptions or management group where this role should be available
  7. Click Review + create

Alternatively, use this JSON definition (via Azure CLI or PowerShell):

{
  "Name": "CSPExportManager",
  "IsCustom": true,
  "Description": "Allows for creating and managing Cost Management Exports and read consumption data.",
  "Actions": [
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/tags/read",
    "Microsoft.Consumption/*/read",
    "Microsoft.CostManagement/exports/*",
    "Microsoft.CostManagement/query/*",
    "Microsoft.CostManagement/views/*/read"
  ],
  "NotActions": [],
  "AssignableScopes": ["/"]
}

💡 The AssignableScopes: ["/"] allows this role to be applied across all subscriptions in the tenant. You can also specify individual subscription IDs.


Step 3. Assign the Role

In the Azure Portal, open the Subscription.

  1. Go to Access Control (IAM) → Add → Add role assignment.
  2. Select your CSPExportManager role.
  3. Assign it to the Cloud Ctrl App Registration.

Repeat this step for each subscription you wish to connect.

💡 Cross-subscription storage: If the storage account that will receive exports lives in a different subscription from the one being onboarded, also assign the Reader role to the Cloud Ctrl App Registration at the storage subscription scope. Without it, Cloud Ctrl cannot resolve the storage account by name during onboarding and you will see a "storage account not found" error.


Step 4. Grant Access to the Storage Account

Cloud Ctrl needs two permissions on the storage account so that Cost Management can write exports and Cloud Ctrl can read them:

  1. Storage Blob Data Owner — lets Cloud Ctrl create containers and read export files.
  2. Microsoft.Authorization/roleAssignments/write — required during export creation because Azure Cost Management uses a system-assigned managed identity for each export and must assign that identity Storage Blob Data Contributor on the storage account. The built-in Owner role contains this action; if your tenant blocks assigning Owner at resource scope (a common ABAC restriction), grant a custom role containing only the actions listed below instead.

💡 Use the dedicated storage account you created earlier (including the blob container in Step 2). If you haven't created one yet, do that first.

To grant Storage Blob Data Owner:

  1. Navigate to the Storage Account in the Azure Portal
  2. Click Access control (IAM) in the left menu
  3. Click Add → Add role assignment
  4. Choose the role: Storage Blob Data Owner
  5. Select Members: your Cloud Ctrl App Registration
  6. Click Review + assign

To grant the role-assignment-write permission, repeat the steps above and choose either:

  • The built-in Owner role on the storage account, or
  • A custom role (e.g. CMEStorageAuth) that contains only:
    • Microsoft.Authorization/roleAssignments/write
    • Microsoft.Authorization/roleAssignments/read
    • Microsoft.Authorization/permissions/read

🛡️ Recommended for the Owner option — apply an ABAC condition. When granting Owner, on the Conditions tab choose "Allow user to assign all roles except privileged administrator roles Owner, UAA, RBAC (Recommended)". This prevents the Cloud Ctrl App Registration from ever escalating its own (or anyone else's) privileges on the storage account, while still allowing Cost Management's managed identity to assign itself the non-privileged Storage Blob Data Contributor role it needs. Many tenants enforce this constraint on Owner grants by policy, and it has been verified to work end-to-end with Cloud Ctrl's automated export setup.

[Image: Add role assignment - Conditions tab showing the recommended ABAC constraint]

JSON for the narrow custom role:

{
  "Name": "CMEStorageAuth",
  "IsCustom": true,
  "Description": "Grants Microsoft.Authorization/roleAssignments/write on storage accounts so Azure Cost Management can assign Storage Blob Data Contributor to the export's system-assigned managed identity.",
  "Actions": [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/permissions/read"
  ],
  "NotActions": [],
  "AssignableScopes": ["/"]
}

⚠️ Without the role-assignment-write permission, export creation will appear to authenticate successfully and then fail with a misleading RBACAccessDenied from Cost Management.

💡 The role-assignment-write permission is only used during export creation or modification. After an export is created, the service principal only needs Storage Blob Data Owner for routine operations.
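
An added example, not Cloud Ctrl's or Microsoft's code: an offline check that models Azure RBAC wildcard matching over the two role definitions above. It shows that CSPExportManager on its own cannot write role assignments (the gap behind the RBACAccessDenied failure described above) and flags a deployed copy whose action list has drifted from the documented one. The `DRIFTED` role and the helper names are constructed for illustration; the model covers control-plane Actions/NotActions only, not DataActions, deny assignments or ABAC conditions.

```python
import re

# Actions copied from the two role definitions on this page.
CSP_EXPORT_MANAGER = {"Name": "CSPExportManager", "NotActions": [], "Actions": [
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/tags/read",
    "Microsoft.Consumption/*/read",
    "Microsoft.CostManagement/exports/*",
    "Microsoft.CostManagement/query/*",
    "Microsoft.CostManagement/views/*/read",
]}
CME_STORAGE_AUTH = {"Name": "CMEStorageAuth", "NotActions": [], "Actions": [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/permissions/read",
]}
ROLE_ASSIGN_WRITE = "Microsoft.Authorization/roleAssignments/write"

def _matches(pattern, operation):
    """Azure RBAC action patterns: '*' matches any run of characters, case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def grants(role, operation):
    """Effective control-plane permission: matched by Actions and not by NotActions."""
    allowed = any(_matches(p, operation) for p in role["Actions"])
    denied = any(_matches(p, operation) for p in role.get("NotActions", []))
    return allowed and not denied

def audit(deployed, documented):
    """Compare a deployed role definition with the documented one."""
    have = {a.lower() for a in deployed["Actions"]}
    want = {a.lower() for a in documented["Actions"]}
    return {
        "extra": sorted(have - want),      # widened beyond the documented list
        "missing": sorted(want - have),    # documented actions that were dropped
        "can_assign_roles": grants(deployed, ROLE_ASSIGN_WRITE),
    }

# Constructed sample: a tenant copy of CSPExportManager that has drifted.
DRIFTED = {"Name": "CSPExportManager", "NotActions": [], "Actions":
           [a for a in CSP_EXPORT_MANAGER["Actions"] if "tags" not in a]
           + ["Microsoft.Authorization/*"]}

if __name__ == "__main__":
    for role in (CSP_EXPORT_MANAGER, CME_STORAGE_AUTH, DRIFTED):
        print(role["Name"], "can assign roles:", grants(role, ROLE_ASSIGN_WRITE))
    print(audit(DRIFTED, CSP_EXPORT_MANAGER))
```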

Firewalled Storage Accounts

If your storage account has firewall rules enabled (network access restricted to specific VNets/IPs), additional configuration is required:

  1. On the storage account, navigate to Networking and enable "Allow Azure services on the trusted services list to access this storage account"
  2. Ensure "Permitted scope for copy operations" is set to "From any storage account"

(The role-assignment-write permission above applies in both firewalled and non-firewalled scenarios.)


Step 5. Add a Credential in Cloud Ctrl

  1. Go to Settings → Cloud Connections → Microsoft Azure
  2. Click + Add Credential
  3. Enter:
    • Azure Tenant ID
    • Azure Application (Client) ID from your App Registration
    • Azure Client Secret from your App Registration
  4. Click Save to validate and store the credential.

Step 6. Add a Cloud Account in Cloud Ctrl

  1. From Settings → Cloud Connections → Microsoft Azure, scroll down to the Cloud Accounts section
  2. Click + Add Cloud Account
  3. Select the credential you just added
  4. Select Microsoft Azure Cost Management Export as the account type
  5. Enter:
    • Name: A name for your cloud account
    • Automatically manage exports must be checked
    • Storage Account Name
    • Container Name
  6. Click Submit to validate and save the cloud account.

Cloud Ctrl will confirm permissions and automatically:

  • Create daily Cost Management Exports for each connected subscription
  • Run historical exports to populate prior months of data
  • Begin continuous data ingestion

Tips

To include a newly added subscription in the automated reporting, register the resource providers (Step 1) and assign the custom role (Steps 2 & 3) on that subscription.

Manual Setup (Alternative Method)

If your organisation cannot grant the required permissions, you can manually create exports for each subscription.

Please follow the Standard Export process for per-subscription exports.

After connecting:

  • Once ingestion begins, data will appear in your Cost Explorer and Budgets dashboards.
  • Initial imports can take several minutes depending on file size and number of subscriptions.
  • (Optional) Once you have confirmed that data for the current month has imported successfully, feel free to run Cost Management Exports for any historical months you would also like imported. This can be done for each export from the Azure portal by selecting the export by name and then choosing the '→ Export selected dates' option.

What's Next

  • Troubleshooting Azure Connections →
  • Application Registration & Permissions →
  • Standard Export Setup →