Azure Permissions and Security
CloudZero connects to your Azure tenant using read-only access. You control all permissions: CloudZero does not change a connection's roles or scope after setup, so any change you need is one you make yourself. This page covers how the connection works, what CloudZero accesses, and which role each type of connection uses.
How the connection works (service principal)
CloudZero connects to your Azure tenant through a read-only service principal, the identity in your tenant of an application named CloudZeroPlatform. You authorize this application in your tenant during setup, and CloudZero then authenticates as that service principal to read your cost and resource data. All access is read-only: the service principal holds only the reader roles described in the sections below, and nothing it can reach lets it modify resources or billing settings.
The service principal is created once per tenant. If you connect multiple billing accounts or subscriptions within the same tenant, they share the same service principal.
For setup instructions, see the guide for your agreement type: MCA, EA, or CSP.
What CloudZero accesses
Billing connections
The data CloudZero collects depends on your agreement type and billing scope. Each connection uses a read-only role that grants access to cost and billing data only. CloudZero cannot query resource configurations or modify any resources through billing connections.
| Agreement type | Scope | Role | Data collected |
|---|---|---|---|
| MCA | Billing account | Billing Account Reader | Usage, billing, and invoice data across all subscriptions |
| MCA | Billing profile | Billing Profile Reader | Usage, billing, and invoice data for subscriptions in the profile |
| MCA | Invoice section | Invoice Section Reader | Usage and billing data (no invoice data) |
| MCA | Subscription | Billing Reader | Usage and billing data for a single subscription (no invoice data) |
| EA | Billing account | EnrollmentReader | Usage, billing, and discount data (no invoice data) |
| CSP | Subscription | Billing Reader | Usage and billing data for a single subscription (no invoice data) |
For MCA invoice section and subscription scopes, and for CSP, Marketplace purchases not directly associated with the subscriptions in scope cannot be collected.
Resource metadata connections
Resource metadata connections use the built-in Azure Reader role. Reader grants read access to the Azure Resource Manager control plane (resource properties and tags) and no data-plane access, so it cannot read secrets, keys, or the data stored inside the resources. CloudZero collects:
- Resource names, types, and locations
- Resource group assignments
- Tags applied to resources
- Management group hierarchy
For setup instructions, see Connecting Azure Resource Metadata.
PowerShell scripts
CloudZero publishes a PowerShell script for automating billing role assignments. The script supports MCA (billing account scope) and EA agreement types. Because it assigns roles at the billing scope, run it as an identity that is allowed to manage billing role assignments, and review which role and scope it assigns before running it.
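After setup, you can confirm that the CloudZeroPlatform service principal holds only the reader roles described on this page. The script below is an added example for that audit; it is not CloudZero's script and not part of the original page. It assumes the Az PowerShell module (Az.Accounts, Az.Resources), an account that can read role assignments at the scopes checked, and a placeholder billing account name that you replace with your own. It lists the principal's Azure RBAC assignments (Reader for metadata, Billing Reader for subscription-scope billing) across every subscription you can see, resolves the billing role assignments at the billing account (MCA reader roles or the EA EnrollmentReader) to role names, and flags anything outside the documented set.

```powershell
# Added example (not CloudZero's script): audit the roles held by the CloudZeroPlatform
# service principal and flag any assignment outside the documented read-only set.
# Assumptions: Az module installed; $BillingAccountName replaced with your MCA/EA account.
Connect-AzAccount | Out-Null

$BillingAccountName = '<your-billing-account-name>'   # assumption: replace with your own
$ApiVersion = '2019-10-01-preview'

# Roles this page documents for CloudZero connections; anything else deserves a look.
$ExpectedRoles = @(
    'Billing Account Reader', 'Billing Profile Reader', 'Invoice Section Reader',
    'Billing Reader', 'EnrollmentReader', 'Reader'
)

$sp = Get-AzADServicePrincipal -DisplayName 'CloudZeroPlatform'
if (-not $sp) { throw 'CloudZeroPlatform service principal not found in this tenant.' }

$findings = @()

# 1. Azure RBAC assignments, checked in every subscription the signed-in account can see.
#    Assignments inherited from management groups appear here with their inherited scope.
foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    Get-AzRoleAssignment -ObjectId $sp.Id | ForEach-Object {
        $findings += [pscustomobject]@{
            Kind  = 'RBAC'
            Scope = $_.Scope
            Role  = $_.RoleDefinitionName
            Ok    = $ExpectedRoles -contains $_.RoleDefinitionName
        }
    }
}

# 2. Billing role assignments at the billing account scope. The billing APIs return role
#    definition IDs rather than names, so fetch the definitions first and map ID -> roleName.
$base = "/providers/Microsoft.Billing/billingAccounts/$BillingAccountName"
$defs = (Invoke-AzRestMethod -Method GET -Path "$base/billingRoleDefinitions?api-version=$ApiVersion").Content |
    ConvertFrom-Json
$roleNames = @{}
foreach ($d in $defs.value) { $roleNames[$d.id] = $d.properties.roleName }

$assignments = (Invoke-AzRestMethod -Method GET -Path "$base/billingRoleAssignments?api-version=$ApiVersion").Content |
    ConvertFrom-Json
foreach ($a in ($assignments.value | Where-Object { $_.properties.principalId -eq $sp.Id })) {
    $name = $roleNames[$a.properties.roleDefinitionId]
    $findings += [pscustomobject]@{
        Kind  = 'Billing'
        Scope = $a.properties.scope
        Role  = $name
        Ok    = $ExpectedRoles -contains $name
    }
}

$findings | Format-Table Kind, Role, Ok, Scope -AutoSize
$unexpected = @($findings | Where-Object { -not $_.Ok })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) assignment(s) fall outside the documented read-only roles."
}
```

The billing listing above covers assignments made at the billing account itself. If you connected at billing profile or invoice section scope, repeat step 2 against the `billingProfiles/<name>` or `invoiceSections/<name>` path under the billing account, since those assignments are listed per scope. A principal whose only roles appear with `Ok` set to `True` matches what this page documents.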
Supported currencies
CloudZero supports Azure cost data in USD. If your Azure costs are billed in a different currency, contact your account manager.
Have questions or feedback? Reach out to your account manager.
Updated about 1 month ago
