Data Connections

Connecting an Azure account

Overview

To onboard your Azure environment to DigiUsher, an App Registration with read-only access to cost, usage, and resource metadata is required. This document describes exactly what permissions are requested, why each is needed, and what credentials to provide.

Supported Agreement Types

Agreement TypeTerraform ExampleNotes
Enterprise Agreement (EA)terraform.tfvars.scenario1-ea-billing-accountFull org-level billing. Recommended for most enterprises.
EA — Enrollment Accountterraform.tfvars.ea-enrollment-account-exampleScoped to a specific enrollment account within EA.
Microsoft Customer Agreement (MCA)terraform.tfvars.scenario3-mcaMCA is auto-detected by the presence of a colon (:) in the billing account ID.
MCA — Invoice Sectionterraform.tfvars.mca-invoice-section-exampleScoped to a specific invoice section within MCA.

Summary of Access Required

ComponentDetails
IdentityAzure App Registration (DigiUsherApp) — service principal, no interactive login
AuthenticationClient secret (recommended 24-month expiry)
Access levelRead-only — Reader role at Management Group level
ScopeAll subscriptions under the root Management Group
BillingFOCUS cost export from appropriate billing scope (EA, MCA, or MPA)
Data accessStorage Blob Data Reader on the cost export storage account only
CapabilityWhat It Provides
Billing dataCost analytics, chargeback/showback, budgeting, forecasting, anomaly detection
Resource inventoryAsset discovery, idle resource detection, tag-based cost allocation
Optimization recommendationsReservation and Savings Plan analysis, idle resource cleanup
Utilization metricsResource usage for rightsizing analysis

DigiUsher cannot create, modify, or delete any of your Azure resources.

Use Terraform for the fastest setup

DigiUsher strongly recommends the Terraform configuration for the most efficient and reliable setup. It automates the entire process and simplifies future maintenance.

Terraform Repository: https://github.com/digiusher/digiusher-iac/

If your organization's policies require manual resource provisioning, follow the steps below.


Prerequisites

Information to Gather

ItemHow to Find
Tenant IDAzure Portal > Microsoft Entra ID > Overview
Billing Account IDCost Management + Billing > Billing scopes
Subscription IDA subscription to host the storage account for cost exports

Roles Required by the Person Performing Setup

RoleWhy
Global Administrator or Application AdministratorTo create the App Registration and assign IAM roles
Enterprise Administrator (EA) or Billing account owner (MCA)To assign billing roles and create cost exports at billing scope
Subscription OwnerTo create storage resources for cost exports

Not sure whether you hold these billing roles, or at what level? Follow Check Your Permission Level below.

Check Your Permission Level

DigiUsher reads cost data from a FOCUS export created at your billing scope. For complete, organization-wide visibility, the export must be created at the top-level billing scope — the EA billing account (enrollment) or the MCA billing account. Azure also lets you create exports at lower scopes (an EA enrollment account, an MCA billing profile or invoice section, or a single subscription), and an export created there will silently contain only that scope's spend. Before starting, confirm what level of billing access you actually have.

1. Identify your agreement type

  1. Go to Cost Management + Billing → Billing scopes
  2. Check the Billing account type column:
    • Enterprise Agreement → follow the EA steps below
    • Microsoft Customer Agreement → follow the MCA steps below
    • Microsoft Online Services Program (pay-as-you-go) → not supported; FOCUS exports require EA or MCA

Or use the Azure CLI:

az billing account list --query "[].{Name:displayName, ID:name, Type:agreementType}" -o table

Quick tell

MCA billing account IDs contain a colon (:), e.g. da605be5-...:a04cc649-..._2019-05-31. EA enrollment numbers are plain numbers, e.g. 123456.

2. Check your role and its scope

  1. Go to Cost Management + Billing → Billing scopes and select your EA billing account
  2. Open Access control (IAM) and find your user
  • Top level (what you want): Enterprise Administrator on the billing account (enrollment). This lets you assign the Cost Management Contributor billing role to DigiUsherApp and create exports covering all subscriptions.
  • Lower level: Department Administrator or Account Owner. You can only create exports and assign roles within that department or enrollment account, so the export will contain only those subscriptions.
  • No enrollment access: If Billing scopes shows only individual subscriptions and no EA billing account, you have no enrollment-level access — ask your Enterprise Administrator.
  1. Go to Cost Management + Billing → Billing scopes and select your billing account
  2. Open Access control (IAM) and find your user
  3. Check which scope the role is assigned at — the same role names exist at three levels
  • Top level (what you want): Billing account owner (or Billing account contributor) on the billing account itself. This lets you assign the Billing Account Contributor role to DigiUsherApp and create exports covering all billing profiles.
  • Lower level: the same roles assigned at a Billing profile or Invoice section. Check the scope selector/breadcrumb when viewing your role — a role on a billing profile or invoice section is not top-level access, and an export created there contains only that slice of spend.

Note

MCA billing roles are a separate RBAC system from Azure subscription roles. Being an Owner of a subscription says nothing about your billing account access.

What if I only have lower-level access?

Connecting at a lower scope is supported (see EA — Enrollment Account and MCA — Invoice Section in Supported Agreement Types), but the cost export will contain only that scope's spend — DigiUsher will not see the rest of your organization. For organization-wide visibility, ask your Enterprise Administrator (EA) or Billing account owner (MCA) to perform the setup or grant you top-level access.

Network & Email Access (For Regulated Environments)

If your organization restricts outbound internet access or email domains, ensure the following are in place before starting:

  • Domain allowlist: Add *.digiusher.com to your network/firewall allowlist so that users in your organization can access the DigiUsher platform from their browsers.
  • Email allowlist: Add digiusher.com as an approved sender domain in your email security gateway. DigiUsher sends onboarding confirmations, alerts, and reports from @digiusher.com addresses.

The DigiUsher Terraform configuration automates the entire setup.

git clone https://github.com/digiusher/digiusher-iac.git
cd digiusher-iac/azure

Copy the example file that matches your agreement type (see Supported Agreement Types above):

# Pick ONE of the following:
cp terraform.tfvars.scenario1-ea-billing-account terraform.tfvars      # EA — Billing Account
cp terraform.tfvars.ea-enrollment-account-example terraform.tfvars     # EA — Enrollment Account
cp terraform.tfvars.scenario3-mca terraform.tfvars                     # MCA — Billing Account
cp terraform.tfvars.mca-invoice-section-example terraform.tfvars       # MCA — Invoice Section

# Edit terraform.tfvars with your values
terraform init
terraform plan
terraform apply

Terraform Feature Flags

VariableDefaultDescription
enable_cost_exportstrueCreates storage account, container, and FOCUS cost export
enable_reservations_accesstrueAssigns Reservations Reader and Savings Plan Reader at tenant level
target_subscription_ids[] (all)Limit Reader role to specific subscriptions instead of the root Management Group

See the digiusher-iac README for full Terraform documentation including all parameters and troubleshooting.


Option B: Manual Setup

Note

The manual steps below cover Enterprise Agreement (EA) setup via the Azure Portal. For MCA, MPA/CSP, or other billing types, use the Terraform option above.

Follow these steps if you prefer to set up via the Azure Portal.

Create App Registration

  1. Go to Azure Portal → Microsoft Entra ID → App registrations
  2. Click New registration
  3. Configure:
    • Name: DigiUsherApp
    • Supported account types: "Accounts in this organizational directory only"
  4. Click Register
  5. Note down:
    • Application (client) ID
    • Directory (tenant) ID

Azure App Registration overview page Azure App Registration details with Client and Tenant IDs

Create Client Secret

  1. In your app registration, go to Certificates & secrets
  2. Click New client secret
  3. Configure:
    • Description: DigiUsher secret
    • Expires: 24 months (recommended)
  4. Click Add
  5. Copy the Value immediately — it won't be shown again

Azure client secret creation

Assign Reader Role

  1. Go to Management Groups → Select your root management group
  2. Click Access Control (IAM) → Add → Add role assignment
  3. Configure:
    • Role: Reader
    • Members: Search for and select DigiUsherApp
  4. Click Review + assign

Note

Assigning at Management Group level covers all current and future subscriptions.

Azure Reader role assignment at Management Group level

Create Storage Account for Exports

4a. Create Resource Group

  1. Go to Resource Groups → Create
  2. Configure:
    • Name: digiusher-billing-exports
    • Region: East US (or your preferred region)
  3. Click Review + create → Create

4b. Create Storage Account

  1. Go to Storage accounts → Create
  2. On the Basics tab:
    • Resource group: digiusher-billing-exports
    • Storage account name: Something unique, lowercase alphanumeric only (e.g., digiusherexports<yourcompany>)
    • Region: Same as resource group
    • Performance: Standard
    • Redundancy: LRS (Locally-redundant storage)
  3. On the Networking tab:
    • Public network access: Enable
    • Public network access scope: Enable from all networks
  4. Click Review + create → Create

4c. Create Container

  1. Open your new storage account
  2. Go to Containers → + Container
  3. Configure:
    • Name: digiusher-focus-exports
    • Anonymous access level: Private (no anonymous access)
  4. Click Create

4d. Grant Storage Access

  1. On the storage account, go to Access Control (IAM) → Add → Add role assignment
  2. Configure:
    • Role: Storage Blob Data Reader
    • Members: Search for and select DigiUsherApp
  3. Click Review + assign

Create FOCUS Cost Export

  1. Go to Cost Management + Billing → Exports
  2. Make sure you're at the Billing Account scope, not a subscription scope
  3. Click Add
  4. Select FOCUS cost and usage (preview)

Azure FOCUS cost export type selection

  1. Configure:
    • Export name: digiusher-focus-export
    • Frequency: Daily export of month-to-date costs
    • Dataset version: 1.2-preview
    • File format: Parquet
    • Compression: Snappy
    • Export directory/path: focus
    • Storage account: Select the account created in Step 4
    • Container: digiusher-focus-exports
  2. Click Create

Note

The first export will run within 24 hours. You can click "Run now" to trigger immediately.

Azure FOCUS export configuration

Azure FOCUS export creation confirmation

Backfill historical data

  1. Go to Cost ManagementExports → select your export
  2. Click Export selected dates
  3. Run the export for each of the last 3 months (one at a time)
    • Note that for large accounts you might have to wait for one export to finish before scheduling another month

Azure export selected dates for backfill

(Optional) Reservations & Savings Plans Access

This step requires temporary elevated access to assign tenant-level roles.

6a. Enable Elevated Access

  1. Go to Azure Portal → Microsoft Entra ID → Properties

Azure Entra ID Properties page

  1. Scroll to Access management for Azure resources
  2. Toggle to Yes

Azure elevated access toggle

  1. Click Save

6b. Assign Reservations Reader

  1. Go to Reservations → Access Control (IAM) → Add role assignment
  2. Configure:
    • Role: Reservations Reader
    • Members: DigiUsherApp
  3. Click Review + assign

6c. Assign Savings Plan Reader

  1. Repeat the same process with role: Savings Plan Reader

6d. Disable Elevated Access

  1. Go back to Microsoft Entra ID → Properties
  2. Toggle Access management for Azure resources to No
  3. Click Save

Important

Always disable elevated access after completing these assignments.


Connect in DigiUsher

After completing either the Terraform or Manual setup, enter the following into the DigiUsher platform to complete the connection:

FieldWhere to Find
Tenant IDAzure Portal > Microsoft Entra ID > Overview, or terraform output tenant_id
Application (Client) IDApp Registration > Overview, or terraform output client_id
Client SecretCreated during App Registration setup, or terraform output client_secret
Storage Account NameThe storage account created for exports (e.g., digiusherexports<yourcompany>)
Storage Container NameThe container created inside the storage account (e.g., digiusher-focus-exports)
Export Root PathThe directory/path configured in the FOCUS export (e.g., focus)

Verification Checklist

  • Confirmed top-level billing access (EA: Enterprise Administrator; MCA: Billing account owner) — or accepted scoped data at a lower level
  • App registration created with client secret
  • Reader role assigned at Management Group (or Subscription) level
  • Storage account and container created
  • Storage Blob Data Reader role assigned on storage account
  • FOCUS export created and scheduled
  • (Optional) Reservations Reader and Savings Plan Reader assigned
  • Elevated access disabled (if used)
  • *.digiusher.com allowlisted in network/firewall (if applicable)
  • digiusher.com allowlisted for incoming email (if applicable)

Security

What DigiUsher CAN Access (Read-Only)

  • Cost and usage data via FOCUS exports in Azure Storage
  • Resource metadata (names, types, regions, tags) via Reader role
  • Reservation and Savings Plan information (if optional access granted)
  • Management Group, subscription, and resource group hierarchy

What DigiUsher CANNOT Do

  • Create, modify, or delete any Azure resources
  • Access application data, databases, or storage contents (beyond cost exports)
  • Modify IAM policies or role assignments
  • Read secrets, credentials, or encryption keys
  • Access network traffic or logs content
  • Make purchases or modify billing settings

Monitoring

Monitor App Registration activity in Microsoft Entra ID > Enterprise applications > DigiUsherApp > Sign-in logs and Audit logs.

Credential Rotation

  • Terraform: terraform apply -replace="azuread_application_password.digiusher"
  • Manual: App Registration > Certificates & secrets > New client secret (create new), then delete the old secret. Enter the new secret into the DigiUsher platform.

Revocation

  • Terraform: terraform destroy — removes the App Registration, all role assignments, and invalidates the client secret.
  • Manual: Delete the DigiUsherApp App Registration in Microsoft Entra ID > App registrations. This instantly invalidates the client secret and all associated role assignments.

Troubleshooting

Export not appearing

  • Ensure Microsoft.CostManagementExports resource provider is registered
  • Go to Subscription → Resource providers → Search for CostManagementExports → Register

Permission denied on billing scope

  • EA: Verify you have Enterprise Administrator access at the billing account (enrollment) level — see Check Your Permission Level. Some EA accounts require the enrollment admin to grant access via the EA Portal first.
  • MCA: Verify you have Billing account owner access on the billing account itself, not just a billing profile or invoice section — see Check Your Permission Level. MCA uses a separate billing RBAC system — standard ARM roles like Cost Management Contributor do not apply. The Terraform configuration handles this automatically.

Cannot see Management Groups

  • Go to Management Groups → Start using management groups
  • You may need to elevate access (Step 6a) to see the tenant root group

Need Help?

If you encounter any issues not covered above, contact DigiUsher support at support@digiusher.com and the team will help you get set up.