Required Permissions

The following RBAC roles are granted to the Archera.ai Enterprise Application:

Read Access

• Storage Blob Data Reader - Read blob containers and blob data. Expected scope: the storage account that stores Azure cost exports.

• Billing Reader - Read billing data, invoices, and usage details. Expected scope: your Azure billing scope.

• Reservations Reader - Read reservation data and related transactions. Expected scope: the tenant root group.

• Savings Plan Reader - Read savings plan data and related transactions. Expected scope: the tenant root group.

Write Access

• Reservation Purchaser - Create reservations and read reservation transactions. Expected scope: the tenant root group.

• Savings Plan Purchaser - Create savings plans and read savings plan transactions. Expected scope: the tenant root group.

One-Time Write Access

We utilize the compressed cost export feature inside Azure that adheres to the FinOps Cost Usage and Specification (FOCUS) dataset standards. This feature requires a blob storage account, so we utilize a one-time write action to configure the cost export.

For more details, see: Microsoft Cost Management updates — announcing the new FOCUS report

Related Resources

• Prerequisite Checklist

• What Information Does Archera Require to Connect to My Azure Account?

• How Does Archera Access My Azure Environment?

• Azure Offboarding