Connecting Azure Resource Metadata
Azure resource connections collect resource-level metadata from your Azure environment. This metadata enriches your cost data with information about the Azure resources generating costs, enabling more granular analysis.
You must have an existing Azure billing connection with a verified tenant before creating a resource connection. If you have not yet connected an Azure billing account, see Connecting to Azure to get started.
Prerequisites
- In CloudZero, you must have the necessary permissions to create a new connection.
- You must have at least one active Azure billing connection with a verified tenant.
Connect Azure Resource Metadata
Step 1: Grant the CloudZero Service Principal the Reader Role in Azure
Before creating the resource connection in CloudZero, you must grant the CloudZeroPlatform service principal the Reader role in Azure. This allows CloudZero to read resource metadata from your environment.
- In the Azure Portal, navigate to the management group or subscription scope where you want CloudZero to collect resource metadata.
- Select Access control (IAM).
- Select Add > Add role assignment.
- On the Role tab, search for and select the Reader role.
- Select Next.
- On the Members tab, select User, group, or service principal.
- Click Select members.
- Search for and select the CloudZeroPlatform service principal. This is the same service principal created when you set up your Azure billing connection.
- Select Next.
- Select Review + assign to assign the role.
For more details on assigning Azure roles, see Assign Azure roles using the Azure portal.
Step 2: Create the Resource Connection in CloudZero
- In CloudZero, navigate to Settings and from the left navigation, select Cloud Integrations.
- Click the Add Connection button and select Azure Resource Metadata.
- Enter a Connection Name (for example, Production-Azure-Resources).
- Select your Azure Tenant from the drop-down menu. This lists the tenant IDs from your verified billing connections.
- By default, Use root management group is enabled. This uses the tenant ID as the root management group, which collects resource metadata across all management groups in the tenant.
- To collect metadata from specific management groups only, uncheck Use root management group and specify the individual management groups.
- Click Create Connection.
All of CloudZero's Azure permissions are read-only. The resource connection collects metadata only and does not modify any resources in your Azure environment.
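One way to confirm that the role assignment from Step 1 matches the management groups chosen in Step 2 is to audit the service principal's assignments. This is an added example, not CloudZero's own tooling. It assumes JSON in the shape returned by `az role assignment list -o json`; the sample data, the `audit` function, and the `allowed_roles` default are constructed for illustration.

```python
import json

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Constructed sample, trimmed to the fields used here; all IDs are placeholders.
SAMPLE = json.loads("""[
 {"principalName": "CloudZeroPlatform", "roleDefinitionName": "Reader",
  "scope": "/providers/Microsoft.Management/managementGroups/mg-prod"},
 {"principalName": "CloudZeroPlatform", "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"principalName": "CloudZeroPlatform", "roleDefinitionName": "Reader",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000002"}
]""")


def audit(assignments, management_groups, allowed_roles=("Reader",)):
    """Compare a principal's role assignments with the intended collection scopes.

    management_groups: IDs entered in the CloudZero connection (the tenant ID
    when "Use root management group" is enabled).
    allowed_roles: assumption; extend it if your billing connection grants
    other read-only roles to the same principal.
    """
    wanted = {(MG_PREFIX + mg).lower() for mg in management_groups}
    findings, covered = [], set()
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"].lower()
        if role not in allowed_roles:
            # Anything beyond read-only contradicts the stated permission model.
            findings.append(("unexpected-role", role, a["scope"]))
        elif scope not in wanted:
            # Read access outside the configured management groups: review it.
            findings.append(("unlisted-scope", role, a["scope"]))
        elif role == "Reader":
            covered.add(scope)
    # Configured management groups where Reader was never assigned.
    for scope in sorted(wanted - covered):
        findings.append(("missing-reader", "Reader", scope))
    return findings


if __name__ == "__main__":
    for kind, role, scope in audit(SAMPLE, ["mg-prod", "mg-dev"]):
        print(f"{kind:16} {role:12} {scope}")
```

A Reader assignment made directly on a subscription is reported as `unlisted-scope` because the connection is configured by management group; treat it as an item to review rather than an error.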
What Data Is Collected
Azure resource connections collect resource-level metadata, including:
- Resource names, types, and locations
- Resource group assignments
- Tags applied to resources
- Management group hierarchy
Once connected, resource properties and tags appear alongside cost data in the Explorer, just as they do for AWS resources. When investigating a cost spike, you can click into any Azure resource to see what it is, what tags it has, and what configuration it is running, reducing investigation time from hours to minutes.
With resource-level metadata, CloudZero can also surface deeper cost optimization recommendations — identifying unused, idle, or over-provisioned Azure resources that represent quick wins for lowering your Azure bill with no architectural changes required.
