
Manual Setup via Azure Portal

This guide walks you through setting up CXM Azure integration using the Azure Portal web interface.

Estimated time: 20-30 minutes

Overview

You will complete these steps:

  1. Create an App Registration (Service Principal)
  2. Create a Client Secret
  3. Assign Reader roles to subscriptions (for cloud scanning)
  4. Grant access to billing export storage (includes creating FOCUS exports if needed)
  5. Grant access to activity log storage (optional)
  6. Assign Directory Reader role (optional)
  7. Collect values for CXM onboarding

Read-Only Access - No Data Plane Access

CXM only requires read-only access to your Azure resources. The permissions granted in this guide:

  • Do not allow CXM to create, modify, or delete any infrastructure
  • Do not grant access to your data (database contents, storage blobs, application logs, secrets)
  • Only allow reading resource metadata, configurations, and billing exports

CXM will never attempt to make changes to your environment or access your application data.

Supported Billing Account Types

FOCUS billing exports are required for cost analysis. Support varies by account type:

Account Type                        | FOCUS Exports  | Notes
Enterprise Agreement (EA)           | ✅ Supported   | Full support at billing account or subscription level
Microsoft Customer Agreement (MCA)  | ✅ Supported   | Full support at billing profile or subscription level
Pay-as-You-Go (MOSP)                | ⚠️ Limited     | Subscription-level exports only, some features limited
Cloud Solution Provider (CSP)       | ⚠️ Limited     | Depends on partner configuration, may require partner assistance

Check Your Account Type

Go to Cost Management + Billing > Billing scopes to see your account type.

Step 1: Create App Registration

The App Registration creates the identity CXM uses to access your Azure resources.

1.1 Navigate to App Registrations

  1. Go to Azure Portal
  2. Search for "App registrations" in the top search bar
  3. Click App registrations

1.2 Create New Registration

  1. Click + New registration
  2. Fill in the form:
    • Name: cxm-asset-crawler
    • Supported account types: Select "Accounts in this organizational directory only"
    • Redirect URI: Leave blank
  3. Click Register

1.3 Record Application Details

After creation, you'll see the app's overview page. Record these values:

Field                    | Where to Find  | Example
Application (client) ID  | Overview page  | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Directory (tenant) ID    | Overview page  | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Step 2: Create Client Secret

The client secret is the password CXM uses to authenticate.

2.1 Create Secret

  1. In your App Registration, click Certificates & secrets in the left menu
  2. Click + New client secret
  3. Fill in:
    • Description: CXM Integration
    • Expires: Choose an appropriate expiration (recommended: 24 months)
  4. Click Add

2.2 Record the Secret

Copy Immediately

Copy the secret Value immediately! It will only be shown once.

Field          | What to Copy
Client Secret  | The Value column (not the Secret ID)

Set a Reminder for Secret Rotation

Important: Set a calendar reminder 2-4 weeks before your secret expires. When a secret expires, CXM will lose access to your Azure data until you create a new secret and provide it to CXM.

To rotate the secret:

  1. Create a new client secret (following steps above)
  2. Provide the new secret to CXM
  3. Delete the old secret after confirming the new one works
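To turn the reminder above into something you can run on a schedule, here is an added example (not CXM tooling) that classifies an app's client secrets as expired, due for rotation (inside the four-week window the guide recommends) or fine. The input list is constructed to match the shape of the passwordCredentials entries that `az ad app credential list` prints (assumed fields: keyId, displayName, endDateTime); feed it the real output when you use it.

```python
"""Flag client secrets that are expired or inside the rotation window.
Added example; not part of CXM. Sample data below is constructed."""
from datetime import datetime, timedelta, timezone

# The guide recommends a reminder 2-4 weeks before expiry; use the earlier edge.
ROTATION_WINDOW = timedelta(weeks=4)

# Constructed sample in the assumed shape of `az ad app credential list` output.
SAMPLE_CREDENTIALS = [
    {"keyId": "11111111-1111-1111-1111-111111111111",
     "displayName": "CXM Integration", "endDateTime": "2025-06-15T00:00:00Z"},
    {"keyId": "22222222-2222-2222-2222-222222222222",
     "displayName": "CXM Integration (rotated)", "endDateTime": "2027-01-01T00:00:00Z"},
    {"keyId": "33333333-3333-3333-3333-333333333333",
     "displayName": "old secret", "endDateTime": "2025-05-01T00:00:00Z"},
]


def parse_utc(ts):
    """Parse an ISO-8601 timestamp with a trailing Z or an explicit offset into
    an aware UTC datetime. Fractional seconds are truncated to six digits so
    older Pythons' fromisoformat accepts them."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    if "." in ts:
        main, frac = ts.split(".", 1)
        i = 0
        while i < len(frac) and frac[i].isdigit():
            i += 1
        ts = main + "." + frac[:i][:6].ljust(6, "0") + frac[i:]
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def classify_credentials(credentials, now=None):
    """Return one record per credential, sorted by days left, with a status of
    'expired', 'rotate' (inside ROTATION_WINDOW) or 'ok' and the date on which
    the reminder should fire. `now` may be a datetime or an ISO string."""
    if isinstance(now, str):
        now = parse_utc(now)
    now = now or datetime.now(timezone.utc)
    report = []
    for cred in credentials:
        expires = parse_utc(cred["endDateTime"])
        remaining = expires - now
        if remaining <= timedelta(0):
            status = "expired"
        elif remaining <= ROTATION_WINDOW:
            status = "rotate"
        else:
            status = "ok"
        report.append({
            "keyId": cred["keyId"],
            "displayName": cred.get("displayName", ""),
            "expires": expires.isoformat(),
            "days_left": remaining.days,
            "reminder_date": (expires - ROTATION_WINDOW).date().isoformat(),
            "status": status,
        })
    return sorted(report, key=lambda r: r["days_left"])


def needs_action(credentials, now=None):
    """Only the credentials that are expired or due for rotation."""
    return [r for r in classify_credentials(credentials, now) if r["status"] != "ok"]


if __name__ == "__main__":
    for rec in classify_credentials(SAMPLE_CREDENTIALS):
        print(f"{rec['status']:8} {rec['days_left']:>5}d  remind {rec['reminder_date']}  "
              f"{rec['displayName']} ({rec['keyId']})")
```

An expired entry that still exists on the App Registration is also a cleanup item: the guide's rotation procedure ends with deleting the old secret once the new one is confirmed working.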

Step 3: Assign Reader Roles to Subscriptions

Grant the Service Principal read access to your subscriptions.

The Reader role provides CXM with access to:

  • All Azure resource configurations and metadata
  • Azure Advisor recommendations and cost optimization insights
  • Reserved Instances and Savings Plans information
  • Resource tags and resource group structures

3.1 Navigate to Subscriptions

  1. Search for "Subscriptions" in the Azure Portal search bar
  2. Click on the first subscription you want to grant access to

3.2 Add Role Assignment

  1. Click Access control (IAM) in the left menu
  2. Click + Add > Add role assignment

3.3 Assign Reader Role

  1. In the Role tab:

    • Search for "Reader"
    • Select Reader from the list
    • Click Next
  2. In the Members tab:

    • Select "User, group, or service principal"
    • Click + Select members
    • Search for "cxm-asset-crawler" (your app name)
    • Select it and click Select
    • Click Next
  3. In the Review + assign tab:

    • Click Review + assign

3.4 Assign Additional Roles

Repeat Step 3.3 to assign these additional roles:

  • Monitoring Reader - for metrics access
  • Key Vault Reader - for vault metadata (not secrets)

3.5 Repeat for All Subscriptions

Repeat Steps 3.2-3.4 for each subscription you want CXM to access.

Management Group Alternative

For many subscriptions, assign roles at the Management Group level instead. Go to Management groups > select your group > Access control (IAM) and follow the same steps.

Step 4: Grant Access to Billing Export Storage

CXM needs to read your Cost Management export files.

FOCUS Format Required

CXM requires billing exports in FOCUS format (FinOps Open Cost and Usage Specification) with Daily recurrence for optimal analysis. Daily is the most granular option available in Azure.

4.1 Locate or Create Your Billing Export

  1. Search for "Cost Management" in the Azure Portal
  2. Click Exports in the left menu
  3. Check if you have existing exports

If you have FOCUS exports configured:

  • Note the Storage account name shown for your exports
  • Proceed to Step 4.2

If you don't have FOCUS exports yet:

  • Follow our Creating Billing Exports guide to set up FOCUS exports with the recommended settings
  • Return here after creating the export and note the storage account name

Permissions to Create Exports

Creating billing exports requires specific permissions (separate from CXM's read access):

Account Type                        | Required Role
Enterprise Agreement (EA)           | Enterprise Administrator or Billing Account Contributor
Microsoft Customer Agreement (MCA)  | Billing Profile Owner or Billing Profile Contributor
Pay-as-You-Go                       | Subscription Owner or Contributor

If you don't have these permissions, contact your billing administrator to create the export.

4.2 Create Custom Role for Storage Access

  1. Go to the Subscription containing the storage account
  2. Click Access control (IAM) > + Add > Add custom role
  3. Fill in:
    • Custom role name: cxm-billing-export-reader
    • Description: Allows CXM to read billing export data
  4. Click Next
  5. Click + Add permissions and add:
    Microsoft.Storage/storageAccounts/read
    Microsoft.Storage/storageAccounts/blobServices/containers/read
    Microsoft.Storage/storageAccounts/listkeys/action
    Microsoft.CostManagement/exports/read
  6. Click Add data actions and add:
    Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
  7. Click Next twice, then Create

4.3 Assign Custom Role

  1. Navigate to the Resource Group containing the billing storage account
  2. Click Access control (IAM) > + Add > Add role assignment
  3. Search for "cxm-billing-export-reader"
  4. Select your custom role and click Next
  5. Add your cxm-asset-crawler app as a member
  6. Click Review + assign

Step 5: Grant Access to Activity Log Storage

CXM needs to read your Activity Log exports.

5.1 Locate Your Activity Log Storage Account

  1. Search for "Monitor" in the Azure Portal
  2. Click Activity log in the left menu
  3. Click Export Activity Logs or Diagnostic settings
  4. Note the Storage account receiving the logs

If logs aren't being exported:

  1. Click + Add diagnostic setting
  2. Configure to send logs to a storage account
  3. Note the storage account name

5.2 Create Custom Role for Activity Log Access

Follow the same process as Step 4.2, but:

  • Name: cxm-activity-log-reader
  • Description: Allows CXM to read activity log data
  • Permissions:
    Microsoft.Storage/storageAccounts/read
    Microsoft.Storage/storageAccounts/blobServices/containers/read
    Microsoft.Storage/storageAccounts/listkeys/action
    Microsoft.Insights/diagnosticSettings/read
  • Data actions:
    Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
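As an added example (not CXM's own code), the following Python script writes the two custom roles from Steps 4.2 and 5.2 as role-definition JSON in the shape that `az role definition create --role-definition @file.json` accepts, and checks that nothing beyond `*/read` permissions has crept in. The subscription ID used for the assignable scope is a placeholder. One entry on the page is not a read permission: `Microsoft.Storage/storageAccounts/listkeys/action` returns the storage account's access keys, and those keys themselves grant data-plane access to that account. The check therefore reports it unless it is allow-listed explicitly, so that it is accepted as a deliberate choice rather than by default; any wildcard is always reported.

```python
"""Emit the guide's custom roles as Azure role-definition JSON and verify they
stay read-only. Added example; not CXM code. Permissions are copied from
Steps 4.2 and 5.2 of the guide."""
import json

BILLING_EXPORT_READER = {
    "name": "cxm-billing-export-reader",
    "description": "Allows CXM to read billing export data",
    "actions": [
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.CostManagement/exports/read",
    ],
    "data_actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    ],
}

ACTIVITY_LOG_READER = {
    "name": "cxm-activity-log-reader",
    "description": "Allows CXM to read activity log data",
    "actions": [
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Insights/diagnosticSettings/read",
    ],
    "data_actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    ],
}

# Non-read actions the guide deliberately includes. listkeys/action returns the
# storage account keys, which grant data-plane access on their own, so it must
# be accepted explicitly here rather than slip through a read-only check.
ALLOWED_NON_READ_ACTIONS = {
    "Microsoft.Storage/storageAccounts/listkeys/action",
}


def build_role_definition(role, subscription_id):
    """Return the document `az role definition create` expects. The assignable
    scope is the subscription given (a placeholder in the sample run)."""
    return {
        "Name": role["name"],
        "IsCustom": True,
        "Description": role["description"],
        "Actions": list(role["actions"]),
        "NotActions": [],
        "DataActions": list(role["data_actions"]),
        "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def non_read_actions(definition, allowed=ALLOWED_NON_READ_ACTIONS):
    """Every action or data action that is neither a */read permission nor
    explicitly allow-listed. Wildcards are always reported: a trailing *
    would grant far more than the guide intends."""
    allowed_lc = {a.lower() for a in allowed}
    suspicious = []
    for action in definition["Actions"] + definition["DataActions"]:
        lc = action.lower()
        if "*" in action or (not lc.endswith("/read") and lc not in allowed_lc):
            suspicious.append(action)
    return suspicious


def is_read_only(definition):
    """True when no unexpected non-read permission is present."""
    return not non_read_actions(definition)


if __name__ == "__main__":
    placeholder_sub = "00000000-0000-0000-0000-000000000000"  # replace with yours
    for role in (BILLING_EXPORT_READER, ACTIVITY_LOG_READER):
        definition = build_role_definition(role, placeholder_sub)
        with open(f"{role['name']}.json", "w") as fh:
            json.dump(definition, fh, indent=2)
        print(role["name"], "read-only:", is_read_only(definition),
              "flagged without allow-list:", non_read_actions(definition, allowed=set()))
```

Running the script produces `cxm-billing-export-reader.json` and `cxm-activity-log-reader.json`; each can be created with `az role definition create --role-definition @<file>` as the CLI equivalent of the portal steps, after which the assignment in Step 4.3 or 5.3 is done exactly as described. If a later edit of the role introduces a write, delete or wildcard action, `is_read_only` turns false, which makes the script useful as a review gate whenever these roles change.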

5.3 Assign Custom Role

Follow Step 4.3 but assign the cxm-activity-log-reader role at the Resource Group containing the activity log storage account.

Step 6: (Optional) Assign Directory Reader Role

This allows CXM to read Azure AD users and groups for cost attribution.

Note

This step requires Azure AD admin privileges (Global Administrator or Privileged Role Administrator).

6.1 Assign Directory Reader

  1. Go to Microsoft Entra ID (formerly Azure AD)
  2. Click Roles and administrators
  3. Search for "Directory Readers"
  4. Click Directory Readers
  5. Click + Add assignments
  6. Search for "cxm-asset-crawler"
  7. Select it and click Add

Step 7: Collect Onboarding Values

Gather all values needed for CXM onboarding:

Value                           | Where to Find
Tenant ID                       | App Registration > Overview
Client ID                       | App Registration > Overview
Client Secret                   | Saved from Step 2.2
Subscription IDs                | List of subscriptions where you assigned roles
Billing Export Storage Account  | Cost Management > Exports > Storage account name
Billing Export Resource Group   | Resource group containing the storage account

Summary Checklist

Verify you have completed:

  • Created App Registration (cxm-asset-crawler)
  • Created Client Secret and saved the value
  • Assigned Reader role to all target subscriptions
  • Assigned Monitoring Reader role to all target subscriptions
  • Assigned Key Vault Reader role to all target subscriptions
  • Created FOCUS billing exports with Daily recurrence (or verified existing)
  • Created and assigned cxm-billing-export-reader custom role
  • (Optional) Created and assigned cxm-activity-log-reader custom role
  • (Optional) Assigned Directory Reader role

Provide Values to CXM

Share the following with CXM:

Tenant ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Client ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Client Secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Subscription IDs:
- xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
- xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Billing Export Storage Account: mystorageaccount
Billing Export Resource Group: my-resource-group

CXM will validate the connection and begin data collection.
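Before handing the values over, it is worth catching the slips that the Troubleshooting section describes. This added example (not CXM's own validation) checks the onboarding values for malformed tenant, client and subscription IDs, stray whitespace from copy-paste, duplicate subscriptions, a storage account name Azure would not have issued (3-24 lowercase letters and digits), and the classic mistake of pasting the Secret ID (a GUID) where the secret Value belongs. The sample values are constructed and contain deliberate errors; the resource-group name rule is an ASCII approximation of Azure's.

```python
"""Sanity-check CXM onboarding values before sharing them.
Added example; not CXM code. Sample values are constructed."""
import re

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Storage account names: 3-24 characters, lowercase letters and digits only.
STORAGE_ACCOUNT_RE = re.compile(r"^[a-z0-9]{3,24}$")
# Resource group names (ASCII approximation): letters, digits, _ - . ( ), 1-90 chars,
# not ending in a period.
RESOURCE_GROUP_RE = re.compile(r"^[A-Za-z0-9_\-.()]{1,90}$")

# Constructed sample with three deliberate mistakes: the Secret ID pasted as the
# secret, a duplicated subscription, and an upper-case storage account name.
SAMPLE_VALUES = {
    "tenant_id": "aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb",
    "client_id": "cccccccc-4444-5555-6666-dddddddddddd",
    "client_secret": "eeeeeeee-7777-8888-9999-ffffffffffff",
    "subscription_ids": [
        "12121212-3434-5656-7878-909090909090",
        "12121212-3434-5656-7878-909090909090",
    ],
    "billing_export_storage_account": "MyStorageAccount",
    "billing_export_resource_group": "my-resource-group",
}


def validate_onboarding(values):
    """Return a list of human-readable problems; an empty list means the values
    are at least well-formed (it cannot prove the roles were assigned)."""
    problems = []
    # Copy-paste frequently drags whitespace along, which Azure then rejects.
    for key, val in values.items():
        if isinstance(val, str) and val != val.strip():
            problems.append(f"{key} has leading/trailing whitespace")
    for key in ("tenant_id", "client_id"):
        if not GUID_RE.match(values.get(key, "").strip()):
            problems.append(f"{key} is not a GUID")
    subs = [s.strip() for s in values.get("subscription_ids", [])]
    if not subs:
        problems.append("no subscription_ids listed")
    for sub in subs:
        if not GUID_RE.match(sub):
            problems.append(f"subscription id {sub!r} is not a GUID")
    if len(set(subs)) != len(subs):
        problems.append("duplicate subscription ids")
    secret = values.get("client_secret", "").strip()
    if not secret:
        problems.append("client_secret is empty")
    elif GUID_RE.match(secret):
        # Secret IDs are GUIDs; generated secret Values are not.
        problems.append("client_secret is a GUID: this is the Secret ID, copy the Value column instead")
    sa = values.get("billing_export_storage_account", "").strip()
    if not STORAGE_ACCOUNT_RE.match(sa):
        problems.append("billing_export_storage_account must be 3-24 lowercase letters and digits")
    rg = values.get("billing_export_resource_group", "").strip()
    if not RESOURCE_GROUP_RE.match(rg) or rg.endswith("."):
        problems.append("billing_export_resource_group is not a valid resource group name")
    return problems


if __name__ == "__main__":
    found = validate_onboarding(SAMPLE_VALUES)
    for p in found:
        print("PROBLEM:", p)
    if not found:
        print("values look well-formed")
```

The check is deliberately about form only: a syntactically valid set of values can still fail with "Access Denied" if the role assignments from Steps 3 to 5 are missing or have not propagated, which is what the Troubleshooting section covers.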

What Happens Next

Once CXM receives your credentials:

  1. Connection validation - CXM verifies access to your subscriptions and storage accounts
  2. Initial data sync - CXM performs an initial scan of your Azure resources and imports historical billing data
  3. Ongoing sync - CXM syncs data automatically:
    • Asset data: Refreshed every few hours
    • Billing data: Synced daily (aligned with Azure's daily export schedule)

Troubleshooting

"Access Denied" when CXM connects

Cause: Role assignments haven't propagated yet or are missing.

Solution:

  • Wait 5-10 minutes for Azure role propagation
  • Verify all roles are assigned correctly in Access control (IAM)

"Invalid client secret"

Cause: The client secret was copied incorrectly or has expired.

Solution:

  • Create a new client secret in the App Registration
  • Copy the Value (not the Secret ID)
  • Share the new secret with CXM

"Storage account not accessible"

Cause: Custom role not assigned or wrong scope.

Solution:

  • Verify the custom role exists
  • Check it's assigned at the Resource Group level (not subscription)
  • Ensure the storage account is in that resource group

Can't assign Directory Reader role

Cause: Your account lacks Azure AD admin privileges.

Solution:

  • Ask an Azure AD admin to assign the role, or
  • Skip this step (CXM will work without it, but user/group attribution won't be available)