Connecting an Azure account
Overview
To onboard your Azure environment to DigiUsher, an App Registration with read-only access to cost, usage, and resource metadata is required. This document describes exactly what permissions are requested, why each is needed, and what credentials to provide.
Supported Agreement Types
| Agreement Type | Terraform Example | Notes |
|---|---|---|
| Enterprise Agreement (EA) | terraform.tfvars.scenario1-ea-billing-account | Full org-level billing. Recommended for most enterprises. |
| EA — Enrollment Account | terraform.tfvars.ea-enrollment-account-example | Scoped to a specific enrollment account within EA. |
| Microsoft Customer Agreement (MCA) | terraform.tfvars.scenario3-mca | MCA is auto-detected by the presence of a colon (:) in the billing account ID. |
| MCA — Invoice Section | terraform.tfvars.mca-invoice-section-example | Scoped to a specific invoice section within MCA. |
Summary of Access Required
| Component | Details |
|---|---|
| Identity | Azure App Registration (DigiUsherApp) — service principal, no interactive login |
| Authentication | Client secret (recommended 24-month expiry) |
| Access level | Read-only — Reader role at Management Group level |
| Scope | All subscriptions under the root Management Group |
| Billing | FOCUS cost export from appropriate billing scope (EA, MCA, or MPA) |
| Data access | Storage Blob Data Reader on the cost export storage account only |
| Capability | What It Provides |
|---|---|
| Billing data | Cost analytics, chargeback/showback, budgeting, forecasting, anomaly detection |
| Resource inventory | Asset discovery, idle resource detection, tag-based cost allocation |
| Optimization recommendations | Reservation and Savings Plan analysis, idle resource cleanup |
| Utilization metrics | Resource usage for rightsizing analysis |
DigiUsher cannot create, modify, or delete any of your Azure resources.
Use Terraform for the fastest setup
DigiUsher strongly recommends the Terraform configuration for the most efficient and reliable setup. It automates the entire process and simplifies future maintenance.
Terraform Repository: https://github.com/digiusher/digiusher-iac/
If your organization's policies require manual resource provisioning, follow the steps below.
Prerequisites
Information to Gather
| Item | How to Find |
|---|---|
| Tenant ID | Azure Portal > Microsoft Entra ID > Overview |
| Billing Account ID | Cost Management + Billing > Billing scopes |
| Subscription ID | A subscription to host the storage account for cost exports |
Roles Required by the Person Performing Setup
| Role | Why |
|---|---|
| Global Administrator or Application Administrator | To create the App Registration and assign IAM roles |
| Enterprise Administrator (EA) or Billing account owner (MCA) | To assign billing roles and create cost exports at billing scope |
| Subscription Owner | To create storage resources for cost exports |
Not sure whether you hold these billing roles, or at what level? Follow Check Your Permission Level below.
Check Your Permission Level
DigiUsher reads cost data from a FOCUS export created at your billing scope. For complete, organization-wide visibility, the export must be created at the top-level billing scope — the EA billing account (enrollment) or the MCA billing account. Azure also lets you create exports at lower scopes (an EA enrollment account, an MCA billing profile or invoice section, or a single subscription), and an export created there will silently contain only that scope's spend. Before starting, confirm what level of billing access you actually have.
1. Identify your agreement type
- Go to Cost Management + Billing → Billing scopes
- Check the Billing account type column:
- Enterprise Agreement → follow the EA steps below
- Microsoft Customer Agreement → follow the MCA steps below
- Microsoft Online Services Program (pay-as-you-go) → not supported; FOCUS exports require EA or MCA
Or use the Azure CLI:
az billing account list --query "[].{Name:displayName, ID:name, Type:agreementType}" -o tableQuick tell
MCA billing account IDs contain a colon (:), e.g. da605be5-...:a04cc649-..._2019-05-31. EA enrollment numbers are plain numbers, e.g. 123456.
2. Check your role and its scope
- Go to Cost Management + Billing → Billing scopes and select your EA billing account
- Open Access control (IAM) and find your user
- Top level (what you want): Enterprise Administrator on the billing account (enrollment). This lets you assign the
Cost Management Contributorbilling role toDigiUsherAppand create exports covering all subscriptions. - Lower level: Department Administrator or Account Owner. You can only create exports and assign roles within that department or enrollment account, so the export will contain only those subscriptions.
- No enrollment access: If Billing scopes shows only individual subscriptions and no EA billing account, you have no enrollment-level access — ask your Enterprise Administrator.
- Go to Cost Management + Billing → Billing scopes and select your billing account
- Open Access control (IAM) and find your user
- Check which scope the role is assigned at — the same role names exist at three levels
- Top level (what you want): Billing account owner (or Billing account contributor) on the billing account itself. This lets you assign the
Billing Account Contributorrole toDigiUsherAppand create exports covering all billing profiles. - Lower level: the same roles assigned at a Billing profile or Invoice section. Check the scope selector/breadcrumb when viewing your role — a role on a billing profile or invoice section is not top-level access, and an export created there contains only that slice of spend.
Note
MCA billing roles are a separate RBAC system from Azure subscription roles. Being an Owner of a subscription says nothing about your billing account access.
What if I only have lower-level access?
Connecting at a lower scope is supported (see EA — Enrollment Account and MCA — Invoice Section in Supported Agreement Types), but the cost export will contain only that scope's spend — DigiUsher will not see the rest of your organization. For organization-wide visibility, ask your Enterprise Administrator (EA) or Billing account owner (MCA) to perform the setup or grant you top-level access.
Network & Email Access (For Regulated Environments)
If your organization restricts outbound internet access or email domains, ensure the following are in place before starting:
- Domain allowlist: Add
*.digiusher.comto your network/firewall allowlist so that users in your organization can access the DigiUsher platform from their browsers. - Email allowlist: Add
digiusher.comas an approved sender domain in your email security gateway. DigiUsher sends onboarding confirmations, alerts, and reports from@digiusher.comaddresses.
Option A: Terraform (Recommended)
The DigiUsher Terraform configuration automates the entire setup.
git clone https://github.com/digiusher/digiusher-iac.git
cd digiusher-iac/azureCopy the example file that matches your agreement type (see Supported Agreement Types above):
# Pick ONE of the following:
cp terraform.tfvars.scenario1-ea-billing-account terraform.tfvars # EA — Billing Account
cp terraform.tfvars.ea-enrollment-account-example terraform.tfvars # EA — Enrollment Account
cp terraform.tfvars.scenario3-mca terraform.tfvars # MCA — Billing Account
cp terraform.tfvars.mca-invoice-section-example terraform.tfvars # MCA — Invoice Section
# Edit terraform.tfvars with your values
terraform init
terraform plan
terraform applyTerraform Feature Flags
| Variable | Default | Description |
|---|---|---|
enable_cost_exports | true | Creates storage account, container, and FOCUS cost export |
enable_reservations_access | true | Assigns Reservations Reader and Savings Plan Reader at tenant level |
target_subscription_ids | [] (all) | Limit Reader role to specific subscriptions instead of the root Management Group |
See the digiusher-iac README for full Terraform documentation including all parameters and troubleshooting.
Option B: Manual Setup
Note
The manual steps below cover Enterprise Agreement (EA) setup via the Azure Portal. For MCA, MPA/CSP, or other billing types, use the Terraform option above.
Follow these steps if you prefer to set up via the Azure Portal.
Create App Registration
- Go to Azure Portal → Microsoft Entra ID → App registrations
- Click New registration
- Configure:
- Name:
DigiUsherApp - Supported account types: "Accounts in this organizational directory only"
- Name:
- Click Register
- Note down:
- Application (client) ID
- Directory (tenant) ID

Create Client Secret
- In your app registration, go to Certificates & secrets
- Click New client secret
- Configure:
- Description:
DigiUsher secret - Expires: 24 months (recommended)
- Description:
- Click Add
- Copy the Value immediately — it won't be shown again

Assign Reader Role
- Go to Management Groups → Select your root management group
- Click Access Control (IAM) → Add → Add role assignment
- Configure:
- Role:
Reader - Members: Search for and select
DigiUsherApp
- Role:
- Click Review + assign
Note
Assigning at Management Group level covers all current and future subscriptions.

Create Storage Account for Exports
4a. Create Resource Group
- Go to Resource Groups → Create
- Configure:
- Name:
digiusher-billing-exports - Region: East US (or your preferred region)
- Name:
- Click Review + create → Create
4b. Create Storage Account
- Go to Storage accounts → Create
- On the Basics tab:
- Resource group:
digiusher-billing-exports - Storage account name: Something unique, lowercase alphanumeric only (e.g.,
digiusherexports<yourcompany>) - Region: Same as resource group
- Performance: Standard
- Redundancy: LRS (Locally-redundant storage)
- Resource group:
- On the Networking tab:
- Public network access: Enable
- Public network access scope: Enable from all networks
- Click Review + create → Create
4c. Create Container
- Open your new storage account
- Go to Containers → + Container
- Configure:
- Name:
digiusher-focus-exports - Anonymous access level: Private (no anonymous access)
- Name:
- Click Create
4d. Grant Storage Access
- On the storage account, go to Access Control (IAM) → Add → Add role assignment
- Configure:
- Role:
Storage Blob Data Reader - Members: Search for and select
DigiUsherApp
- Role:
- Click Review + assign
Create FOCUS Cost Export
- Go to Cost Management + Billing → Exports
- Make sure you're at the Billing Account scope, not a subscription scope
- Click Add
- Select FOCUS cost and usage (preview)

- Configure:
- Export name:
digiusher-focus-export - Frequency: Daily export of month-to-date costs
- Dataset version: 1.2-preview
- File format: Parquet
- Compression: Snappy
- Export directory/path: focus
- Storage account: Select the account created in Step 4
- Container:
digiusher-focus-exports
- Export name:
- Click Create
Note
The first export will run within 24 hours. You can click "Run now" to trigger immediately.


Backfill historical data
- Go to Cost Management → Exports → select your export
- Click Export selected dates
- Run the export for each of the last 3 months (one at a time)
- Note that for large accounts you might have to wait for one export to finish before scheduling another month

(Optional) Reservations & Savings Plans Access
This step requires temporary elevated access to assign tenant-level roles.
6a. Enable Elevated Access
- Go to Azure Portal → Microsoft Entra ID → Properties

- Scroll to Access management for Azure resources
- Toggle to Yes

- Click Save
6b. Assign Reservations Reader
- Go to Reservations → Access Control (IAM) → Add role assignment
- Configure:
- Role:
Reservations Reader - Members:
DigiUsherApp
- Role:
- Click Review + assign
6c. Assign Savings Plan Reader
- Repeat the same process with role:
Savings Plan Reader
6d. Disable Elevated Access
- Go back to Microsoft Entra ID → Properties
- Toggle Access management for Azure resources to No
- Click Save
Important
Always disable elevated access after completing these assignments.
Connect in DigiUsher
After completing either the Terraform or Manual setup, enter the following into the DigiUsher platform to complete the connection:
| Field | Where to Find |
|---|---|
| Tenant ID | Azure Portal > Microsoft Entra ID > Overview, or terraform output tenant_id |
| Application (Client) ID | App Registration > Overview, or terraform output client_id |
| Client Secret | Created during App Registration setup, or terraform output client_secret |
| Storage Account Name | The storage account created for exports (e.g., digiusherexports<yourcompany>) |
| Storage Container Name | The container created inside the storage account (e.g., digiusher-focus-exports) |
| Export Root Path | The directory/path configured in the FOCUS export (e.g., focus) |
Verification Checklist
- Confirmed top-level billing access (EA: Enterprise Administrator; MCA: Billing account owner) — or accepted scoped data at a lower level
- App registration created with client secret
- Reader role assigned at Management Group (or Subscription) level
- Storage account and container created
- Storage Blob Data Reader role assigned on storage account
- FOCUS export created and scheduled
- (Optional) Reservations Reader and Savings Plan Reader assigned
- Elevated access disabled (if used)
-
*.digiusher.comallowlisted in network/firewall (if applicable) -
digiusher.comallowlisted for incoming email (if applicable)
Security
What DigiUsher CAN Access (Read-Only)
- Cost and usage data via FOCUS exports in Azure Storage
- Resource metadata (names, types, regions, tags) via Reader role
- Reservation and Savings Plan information (if optional access granted)
- Management Group, subscription, and resource group hierarchy
What DigiUsher CANNOT Do
- Create, modify, or delete any Azure resources
- Access application data, databases, or storage contents (beyond cost exports)
- Modify IAM policies or role assignments
- Read secrets, credentials, or encryption keys
- Access network traffic or logs content
- Make purchases or modify billing settings
Monitoring
Monitor App Registration activity in Microsoft Entra ID > Enterprise applications > DigiUsherApp > Sign-in logs and Audit logs.
Credential Rotation
- Terraform:
terraform apply -replace="azuread_application_password.digiusher" - Manual: App Registration > Certificates & secrets > New client secret (create new), then delete the old secret. Enter the new secret into the DigiUsher platform.
Revocation
- Terraform:
terraform destroy— removes the App Registration, all role assignments, and invalidates the client secret. - Manual: Delete the
DigiUsherAppApp Registration in Microsoft Entra ID > App registrations. This instantly invalidates the client secret and all associated role assignments.
Troubleshooting
Export not appearing
- Ensure
Microsoft.CostManagementExportsresource provider is registered - Go to Subscription → Resource providers → Search for CostManagementExports → Register
Permission denied on billing scope
- EA: Verify you have Enterprise Administrator access at the billing account (enrollment) level — see Check Your Permission Level. Some EA accounts require the enrollment admin to grant access via the EA Portal first.
- MCA: Verify you have Billing account owner access on the billing account itself, not just a billing profile or invoice section — see Check Your Permission Level. MCA uses a separate billing RBAC system — standard ARM roles like Cost Management Contributor do not apply. The Terraform configuration handles this automatically.
Cannot see Management Groups
- Go to Management Groups → Start using management groups
- You may need to elevate access (Step 6a) to see the tenant root group
Need Help?
If you encounter any issues not covered above, contact DigiUsher support at support@digiusher.com and the team will help you get set up.
DigiUsher Documentation