Connecting Azure
Service principal setup, subscription scopes, billing account access, permission requirements, and SSO configuration.
Overview
Cirrova connects to your Azure environment via a service principal with read-only access to Azure APIs. Once connected, Cirrova pulls your cost and usage data and surfaces it as near real-time dashboards, anomaly alerts, and optimisation insights.
No agents or software need to be installed in your Azure environment. Cirrova uses standard Azure APIs and holds no standing write access to your subscriptions.
Service principal setup
The steps below walk through registering a service principal in Entra ID, creating credentials, assigning the required roles, and entering the details into Cirrova. If you completed these steps during initial setup, no further action is needed.
- Register an app in Entra ID
In the Azure Portal, navigate to Entra ID → App registrations → New registration. Give the app a recognisable name (e.g. Cirrova) and leave all other defaults as-is. Click Register.
- Create a client secret
Inside the newly registered app, go to Certificates & secrets → Client secrets → New client secret. Enter a description (e.g. Cirrova Client Secret), set an expiry that suits your rotation policy (12 or 24 months is common), and then click Add. Copy the Value immediately, before navigating away. Azure only shows it once.
- Assign roles on the Tenant Root Management Group
To find your Tenant Root Management Group, go to Azure Portal → Resource Manager → Organization → Management Groups and select the root group at the top of the hierarchy, usually named Tenant Root Group.
Go to Access control (IAM) → Add role assignment and assign the following three roles to the service principal you registered in step 1:
- Reader
- Cost Management Reader
- Monitoring Reader
Add each role as a separate role assignment, repeating the Add role assignment steps for each one.
Assigning roles at the Tenant Root Management Group level means all current and future subscriptions are automatically in scope. If you prefer to limit access to specific subscriptions, you can assign the same roles at the individual subscription level instead.
- Enter the credentials in Cirrova
In Cirrova, go to Settings → Azure Connection and enter the following values:
- Tenant ID — found on the Entra ID Overview page
- Application (client) ID — found on the App registration Overview page
- Client secret — the value you copied in step 2
Click Test connection. Cirrova will verify access and begin the initial data ingestion. The first run retrieves 30 days of historical data and may take up to an hour to complete.
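One way to check the outcome of step 3 before relying on the connection, as an added example that is not part of Cirrova's documentation: the script audits a service principal's role assignments, exported as JSON with `az role assignment list --output json`, and reports any role beyond the three read-only ones or any scope where the set is incomplete. The `audit` function, the sample data and the placeholder IDs are assumptions made for the illustration.

```python
import json

# Roles assigned to the service principal in step 3 of the setup.
EXPECTED_ROLES = {"Reader", "Cost Management Reader", "Monitoring Reader"}

# Constructed sample in the shape of `az role assignment list --output json`;
# the IDs are placeholders, not real tenant or subscription identifiers.
MG_SCOPE = "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000"
SUB_SCOPE = "/subscriptions/11111111-1111-1111-1111-111111111111"
SAMPLE_JSON = json.dumps([
    {"roleDefinitionName": "Reader", "scope": MG_SCOPE},
    {"roleDefinitionName": "Cost Management Reader", "scope": MG_SCOPE},
    {"roleDefinitionName": "Contributor", "scope": SUB_SCOPE},
])


def audit(assignments):
    """Return (kind, scope, role) findings for one service principal.

    "unexpected": a role outside the three read-only roles, at any scope.
    "missing":    a scope that has some of the three roles but not all.
    """
    by_scope = {}
    for a in assignments:
        # ARM scope strings are case-insensitive, so normalise before grouping.
        by_scope.setdefault(a["scope"].lower(), set()).add(a["roleDefinitionName"])
    findings = []
    for scope, roles in sorted(by_scope.items()):
        findings += [("unexpected", scope, r) for r in sorted(roles - EXPECTED_ROLES)]
        if roles & EXPECTED_ROLES:
            findings += [("missing", scope, r) for r in sorted(EXPECTED_ROLES - roles)]
    return findings


if __name__ == "__main__":
    for kind, scope, role in audit(json.loads(SAMPLE_JSON)):
        print(f"{kind:10} {role:24} {scope}")
```

An empty result means the service principal holds exactly the three roles at every scope where it has any of them.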
Enabling SSO
Cirrova supports single sign-on with Microsoft Entra ID. Setup is short — Cirrova is registered as a shared multi-tenant Entra application, so you don't need to create your own app registration or upload SAML metadata. You just paste your Entra Tenant ID into Cirrova and (optionally) have a Global Administrator pre-grant consent.
Full setup steps, account-type options, and notes on editing or removing SSO live with the rest of the access-control docs: