# Required Permissions The following RBAC roles are granted to the Archera.ai Enterprise Application: ## Read Access * [**Storage Blob Data Reader**](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#storage-blob-data-reader) - Read blob containers and blob data. Expected scope: the storage account that stores Azure cost exports. * [**Billing Reader**](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/management-and-governance#billing-reader) - Read billing data, invoices, and usage details. Expected scope: your Azure billing scope. * [**Reservations Reader**](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/management-and-governance#reservations-reader) - Read reservation data and related transactions. Expected scope: the tenant root group. * [**Savings Plan Reader**](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/management-and-governance#savings-plan-reader) - Read savings plan data and related transactions. Expected scope: the tenant root group. ## Write Access * [**Reservation Purchaser**](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/management-and-governance#reservation-purchaser) - Create reservations and read reservation transactions. Expected scope: the tenant root group. * [**Savings Plan Purchaser**](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/management-and-governance#savings-plan-purchaser) - Create savings plans and read savings plan transactions. Expected scope: the tenant root group. ## One-Time Write Access We utilize the compressed cost export feature inside Azure that adheres to the FinOps Cost Usage and Specification (FOCUS) dataset standards. This feature requires a blob storage account, so we utilize a one-time write action to configure the cost export. For more details, see: [Microsoft Cost Management updates — announcing the new FOCUS report](https://azure.microsoft.com/en-us/blog/announcing-the-new-finops-cost-usage-specification-report-now-in-public-preview-in-azure-cost-management/) ## Related Resources * [Prerequisite Checklist](/help-center/azure-onboarding/technical-onboarding/prerequisite-checklist.md) * [What Information Does Archera Require to Connect to My Azure Account?](/help-center/azure-onboarding/technical-onboarding/required-information.md) * [How Does Archera Access My Azure Environment?](/help-center/security/azure-access.md) * [Azure Offboarding](/help-center/azure-onboarding/offboarding/offboarding.md) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.archera.ai/help-center/azure-onboarding/technical-onboarding/required-permissions.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.