Assign Roles

Grant the service principal read-only access to your Azure subscriptions via the Tenant Root Management Group.

Find the Tenant Root Management Group

In the Azure Portal, navigate to:

Management Groups

Select the root group at the top of the hierarchy. This is your Tenant Root Management Group. Role assignments made here are inherited by every subscription beneath it, so Cirrova will automatically have access to all current and future subscriptions within your tenant.

If you prefer to limit Cirrova's access to specific subscriptions rather than the whole tenant, you can assign the same three roles at the individual subscription level instead. You will need to repeat the assignment for each subscription you want Cirrova to monitor.

Assign the three roles

Go to Access control (IAM) → Add role assignment and assign each of the following roles to the service principal you registered in Step 2:

  • Reader
  • Cost Management Reader
  • Monitoring Reader

Each role must be added as a separate role assignment. Repeat the Add role assignment steps three times, once for each role.

When searching for the service principal in the Members tab, search by the name you gave the app in Step 2 (e.g. Cirrova Cost Reader).

Why these three roles?

  • Reader — allows Cirrova to enumerate subscriptions, resource groups, and resources.
  • Cost Management Reader — grants access to billing and cost data via the Azure Cost Management APIs.
  • Monitoring Reader — allows Cirrova to read performance metrics (CPU, memory, disk) alongside cost data for insights and anomaly context.

All three are built-in Azure roles with no write permissions.
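To confirm the service principal holds exactly these three roles and nothing broader, you can audit its role assignments after setup. The following is an added example, not part of Cirrova's tooling: it checks JSON in the shape emitted by `az role assignment list --output json` (filtered to the service principal, for example with `--assignee`). The sample data, placeholder IDs, and the function names `scope_kind` and `audit_assignments` are assumptions made for illustration.

```python
import json

# The three built-in roles this page asks you to assign.
EXPECTED_ROLES = {"Reader", "Cost Management Reader", "Monitoring Reader"}

# Constructed sample in the shape of `az role assignment list --output json`.
# All IDs are placeholders; the Contributor entry simulates privilege drift.
MG = "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000"
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
SAMPLE_JSON = json.dumps([
    {"roleDefinitionName": "Reader", "scope": MG},
    {"roleDefinitionName": "Cost Management Reader", "scope": MG},
    {"roleDefinitionName": "Contributor", "scope": SUB},
])


def scope_kind(scope):
    """Classify an ARM scope string as management group, subscription, or other."""
    parts = [p for p in scope.strip("/").split("/") if p]
    lowered = [p.lower() for p in parts]
    if lowered[:3] == ["providers", "microsoft.management", "managementgroups"] and len(parts) == 4:
        return "management-group"
    if lowered[:1] == ["subscriptions"] and len(parts) == 2:
        return "subscription"
    return "other"  # resource group, single resource, or "/"


def audit_assignments(raw_json, expected_roles=EXPECTED_ROLES):
    """Report expected roles missing at a scope and any role outside the expected set."""
    by_scope = {}
    for entry in json.loads(raw_json):
        by_scope.setdefault(entry["scope"], set()).add(entry["roleDefinitionName"])
    findings = {"missing": {}, "unexpected": {}, "scope_kinds": {}}
    for scope, roles in sorted(by_scope.items()):
        findings["scope_kinds"][scope] = scope_kind(scope)
        extra = roles - expected_roles
        if extra:  # anything beyond the three read-only roles
            findings["unexpected"][scope] = sorted(extra)
        held = roles & expected_roles
        if held and held != expected_roles:  # partially configured scope
            findings["missing"][scope] = sorted(expected_roles - held)
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_assignments(SAMPLE_JSON), indent=2))
```

On the constructed sample this reports Monitoring Reader as missing at the management group scope and Contributor as an unexpected role at the subscription scope.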