Data Connections

Connecting an Azure account (Enterprise Agreement)

Overview

To onboard your Azure environment to DigiUsher, an App Registration with read-only access to cost, usage, and resource metadata is required. This document describes exactly what permissions are requested, why each is needed, and what credentials to provide. This guide covers Enterprise Agreement (EA) customers.

Summary of Access Required

Component | Details
Identity | Azure App Registration (DigiUsherApp): service principal, no interactive login
Authentication | Client secret (recommended 24-month expiry)
Access level | Read-only: Reader role at Management Group level
Scope | All subscriptions under the root Management Group
Billing | FOCUS cost export from Billing Account scope
Data access | Storage Blob Data Reader on the cost export storage account only

Capability | What It Provides
Billing data | Cost analytics, chargeback/showback, budgeting, forecasting, anomaly detection
Resource inventory | Asset discovery, idle resource detection, tag-based cost allocation
Optimization recommendations | Reservation and Savings Plan analysis, idle resource cleanup
Utilization metrics | Resource usage for rightsizing analysis

DigiUsher cannot create, modify, or delete any of your Azure resources.

Use Terraform for the fastest setup

We strongly recommend the DigiUsher Terraform configuration for the most efficient and reliable setup. It automates the entire process and simplifies future maintenance.

Terraform Repository: https://github.com/digiusher/digiusher-iac/

If your organization's policies require manual resource provisioning, follow the steps below.


Prerequisites

Information to Gather

Item | How to Find
Tenant ID | Azure Portal > Microsoft Entra ID > Overview
Billing Account ID | Cost Management + Billing > Billing scopes
Subscription ID | A subscription to host the storage account for cost exports

Roles Required by the Person Performing Setup

Role | Why
Global Administrator or Application Administrator | To create the App Registration and its client secret
Owner or User Access Administrator on the root Management Group | To assign the Reader role there (Entra directory roles alone do not grant Azure RBAC assignment rights)
EA Admin | To assign billing roles and create cost exports at billing scope
Subscription Owner | To create storage resources for cost exports and assign Storage Blob Data Reader on them

Network & Email Access (For Regulated Environments)

If your organization restricts outbound internet access or email domains, ensure the following are in place before starting:

  • Domain allowlist: Add *.digiusher.com to your network/firewall allowlist so that users in your organization can access the DigiUsher platform from their browsers.
  • Email allowlist: Add digiusher.com as an approved sender domain in your email security gateway. DigiUsher sends onboarding confirmations, alerts, and reports from @digiusher.com addresses.

Option A: Terraform Setup

Our Terraform configuration automates the entire setup.

git clone https://github.com/digiusher/digiusher-iac.git
cd digiusher-iac/azure

cp terraform.tfvars.ea-enrollment-account-example terraform.tfvars
# Edit terraform.tfvars with your values

terraform init
terraform plan
terraform apply

See the digiusher-iac README for full Terraform documentation including parameters and troubleshooting.


Option B: Manual Setup

Follow these steps if you prefer to set up via the Azure Portal.

Step 1: Create App Registration

  1. Go to Azure Portal → Microsoft Entra ID → App registrations
  2. Click New registration
  3. Configure:
    • Name: DigiUsherApp
    • Supported account types: "Accounts in this organizational directory only"
  4. Click Register
  5. Note down:
    • Application (client) ID
    • Directory (tenant) ID

[Screenshot: App Registration overview page showing the Application (client) ID and Directory (tenant) ID]

Step 2: Create Client Secret

  1. In your app registration, go to Certificates & secrets
  2. Click New client secret
  3. Configure:
    • Description: DigiUsher secret
    • Expires: 24 months (recommended)
  4. Click Add
  5. Copy the Value immediately; it is shown only once. Store it in your secrets manager rather than in a ticket, email, or chat message.

[Screenshot: client secret creation]

Step 3: Assign Reader Role

  1. Go to Management Groups → Select your root management group
  2. Click Access Control (IAM) → Add → Add role assignment
  3. Configure:
    • Role: Reader
    • Members: Search for and select DigiUsherApp
  4. Click Review + assign

Note

Assigning at Management Group level covers all current and future subscriptions.

[Screenshot: Reader role assignment at Management Group level]

Step 4: Create Storage Account for Exports

4a. Create Resource Group

  1. Go to Resource Groups → Create
  2. Configure:
    • Name: digiusher-billing-exports
    • Region: East US (or your preferred region)
  3. Click Review + create → Create

4b. Create Storage Account

  1. Go to Storage accounts → Create
  2. Configure:
    • Resource group: digiusher-billing-exports
    • Storage account name: globally unique, 3 to 24 characters, lowercase letters and digits only (e.g., digiusherexports<yourcompany>)
    • Region: Same as resource group
    • Performance: Standard
    • Redundancy: LRS (Locally-redundant storage)
    • Advanced tab: leave "Allow enabling anonymous access on individual containers" unchecked (the default) so the export container can never be made public; DigiUsherApp reads it through RBAC only
  3. Click Review + create → Create

4c. Create Container

  1. Open your new storage account
  2. Go to Containers → + Container
  3. Configure:
    • Name: digiusher-focus-exports
    • Public access level: Private
  4. Click Create

4d. Grant Storage Access

  1. On the storage account, go to Access Control (IAM) → Add → Add role assignment
  2. Configure:
    • Role: Storage Blob Data Reader
    • Members: Search for and select DigiUsherApp
  3. Click Review + assign

Step 5: Create FOCUS Cost Export

  1. Go to Cost Management + Billing → Exports
  2. Make sure you're at the Billing Account scope, not a subscription scope
  3. Click Add
  4. Select FOCUS cost and usage (preview)

[Screenshot: FOCUS cost export type selection]

  5. Configure:
    • Export name: digiusher-focus-export
    • Frequency: Daily export of month-to-date costs
    • Dataset version: 1.2-preview
    • File format: Parquet
    • Compression: Snappy
    • Export directory/path: focus
    • Storage account: Select the account created in Step 4
    • Container: digiusher-focus-exports
  6. Click Create

Note

The first export will run within 24 hours. You can click "Run now" to trigger immediately.

[Screenshots: FOCUS export configuration and creation confirmation]

Backfill historical data

  1. Go to Cost Management + Billing → Exports → select your export
  2. Click Export selected dates
  3. Run the export for each of the last 3 months (one at a time)
    • For large accounts, wait for one month's export to finish before scheduling the next

[Screenshot: Export selected dates dialog used for backfill]
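To confirm the backfill actually covered the expected months without opening each run in the portal, here is an added example (not DigiUsher's code and not from the digiusher-iac repository) that inspects blob names from the export container. It assumes Cost Management writes each run under <directory>/<export name>/<yyyyMMdd-yyyyMMdd>/ and interprets nothing below that date folder; the az storage blob list command in its docstring is standard Azure CLI, and the sample blob list is constructed.

```python
"""Check that the FOCUS export has produced the runs the guide expects.

Added example for this guide, not DigiUsher code. It works on blob names only,
so it runs offline against the output of this standard Azure CLI command:

  az storage blob list --account-name <name> --container-name digiusher-focus-exports \
      --auth-mode login --query "[].name" -o json > blobs.json

Assumption: Cost Management stores each run under
<directory>/<export name>/<yyyyMMdd-yyyyMMdd>/...; the date folder is the only
part of the path interpreted here. SAMPLE_BLOBS is constructed, not real output.
"""
import json
import re
import sys
from datetime import date, datetime

RUN_DIR = re.compile(r"^(\d{8})-(\d{8})$")


def export_periods(blob_names, directory="focus", export_name="digiusher-focus-export"):
    """Map each exported (start, end) date range to the number of blobs under it."""
    prefix = f"{directory.strip('/')}/{export_name}/"
    periods = {}
    for name in blob_names:
        if not name.startswith(prefix):
            continue                       # another export or stray file in the container
        m = RUN_DIR.match(name[len(prefix):].split("/", 1)[0])
        if not m:
            continue                       # not a run folder
        start, end = (datetime.strptime(s, "%Y%m%d").date() for s in m.groups())
        periods[(start, end)] = periods.get((start, end), 0) + 1
    return periods


def previous_months(today, months=3):
    """First day of each of the `months` calendar months before today's month, oldest first."""
    year, month = today.year, today.month
    out = []
    for _ in range(months):
        month -= 1
        if month == 0:
            year, month = year - 1, 12
        out.append(date(year, month, 1))
    return sorted(out)


def backfill_gaps(blob_names, today, months=3, **kwargs):
    """Previous months (YYYY-MM) with no run starting in them; empty means the backfill is complete."""
    covered = {start.replace(day=1) for start, _ in export_periods(blob_names, **kwargs)}
    return [m.strftime("%Y-%m") for m in previous_months(today, months) if m not in covered]


def current_month_exported(blob_names, today, **kwargs):
    """True once the scheduled month-to-date export has written this month's run."""
    first = today.replace(day=1)
    return any(start == first for start, _ in export_periods(blob_names, **kwargs))


# Constructed sample: current month plus two of the three backfill months; October is missing.
SAMPLE_TODAY = date(2026, 1, 15)
SAMPLE_BLOBS = [
    "focus/digiusher-focus-export/20260101-20260131/manifest.json",
    "focus/digiusher-focus-export/20260101-20260131/part_0_0001.snappy.parquet",
    "focus/digiusher-focus-export/20251201-20251231/manifest.json",
    "focus/digiusher-focus-export/20251201-20251231/part_0_0001.snappy.parquet",
    "focus/digiusher-focus-export/20251101-20251130/part_0_0001.snappy.parquet",
    "focus/other-export/20251001-20251031/part_0_0001.snappy.parquet",  # a different export, ignored
    "focus/digiusher-focus-export/README.txt",                          # not a run folder, ignored
]


def main(argv):
    blobs = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_BLOBS
    today = date.today() if len(argv) > 1 else SAMPLE_TODAY
    for (start, end), count in sorted(export_periods(blobs).items()):
        print(f"{start} to {end}: {count} blob(s)")
    print("current month exported:", current_month_exported(blobs, today))
    gaps = backfill_gaps(blobs, today)
    print("backfill gaps:", gaps or "none")
    return 1 if gaps else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running the listing command as DigiUsherApp itself (az login --service-principal with the client ID, secret and tenant ID) doubles as a check that the Storage Blob Data Reader assignment from Step 4d works; run without arguments the script evaluates the constructed sample and reports October as the missing month.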

Step 6 (Optional): Reservations & Savings Plans Access

This step requires temporary elevated access to assign tenant-level roles. Reservations and Savings Plans live at tenant-level scopes (/providers/Microsoft.Capacity and /providers/Microsoft.BillingBenefits) outside any subscription or management group, so even an Owner on the root management group cannot assign roles on them. Elevating your access grants your account User Access Administrator at the root scope (/) until you turn it off, and both the elevation and its removal are recorded in the Entra ID audit log.

6a. Enable Elevated Access

  1. Go to Azure Portal → Microsoft Entra ID → Properties
  2. Scroll to Access management for Azure resources
  3. Toggle to Yes
  4. Click Save

[Screenshot: Entra ID Properties page with the "Access management for Azure resources" toggle]

6b. Assign Reservations Reader

  1. Go to Reservations → Access Control (IAM) → Add role assignment
  2. Configure:
    • Role: Reservations Reader
    • Members: DigiUsherApp
  3. Click Review + assign

6c. Assign Savings Plan Reader

  1. Repeat the same process with role: Savings Plan Reader

6d. Disable Elevated Access

  1. Go back to Microsoft Entra ID → Properties
  2. Toggle Access management for Azure resources to No
  3. Click Save

Important

Always disable elevated access after completing these assignments. While it is on, your account can assign any role at any scope in the tenant, and standing root-scope User Access Administrator rights are a common audit finding.


Connect in DigiUsher

After completing either the Terraform or Manual setup, enter the following into the DigiUsher platform to complete the connection:

Field | Where to Find
Tenant ID | Azure Portal > Microsoft Entra ID > Overview, or terraform output tenant_id
Application (Client) ID | App Registration > Overview, or terraform output client_id
Client Secret | Created during App Registration setup, or terraform output client_secret
Storage Account Name | The storage account created for exports (e.g., digiusherexports<yourcompany>)
Storage Container Name | The container created inside the storage account (e.g., digiusher-focus-exports)
Export Root Path | The directory/path configured in the FOCUS export (e.g., focus)

Verification Checklist

  • App registration created with client secret
  • Reader role assigned at Management Group (or Subscription) level
  • Storage account and container created
  • Storage Blob Data Reader role assigned on storage account
  • FOCUS export created and scheduled
  • (Optional) Reservations Reader and Savings Plan Reader assigned
  • Elevated access disabled (if used)
  • *.digiusher.com allowlisted in network/firewall (if applicable)
  • digiusher.com allowlisted for incoming email (if applicable)
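To verify the role and secret items on this checklist against what the tenant actually holds, and to catch later drift such as a Contributor role quietly added to the service principal, here is an added example (not DigiUsher's code and not from the digiusher-iac repository). It audits the principal offline from saved output of two standard Azure CLI commands named in its docstring; the expected tenant-level scopes for the optional Step 6 roles are stated as constants, and the sample assignments, credentials and all-zero GUIDs are constructed.

```python
"""Offline least-privilege audit of the DigiUsherApp service principal.

Added example for this guide, not code from DigiUsher or the digiusher-iac
repository. It reads the JSON printed by two standard Azure CLI commands, so
it needs no network access once their output is saved:

  az role assignment list --assignee <client-id> --all --include-inherited -o json > assignments.json
  az ad app credential list --id <client-id> -o json > credentials.json

Usage: python audit_digiusher.py assignments.json credentials.json <export-storage-account-resource-id>
The SAMPLE_* values below are constructed (all-zero GUIDs), not real tenant data.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
RESERVATIONS_SCOPE = "/providers/Microsoft.Capacity"        # tenant-level scope used by Step 6b
SAVINGS_PLAN_SCOPE = "/providers/Microsoft.BillingBenefits"  # tenant-level scope used by Step 6c


def audit_role_assignments(assignments, export_storage_account_id):
    """Return findings (an empty list means the assignments match the guide).

    Expected: Reader at a management group, Storage Blob Data Reader on the
    export storage account only, optionally the two tenant-level reader roles.
    Anything else (for example a Contributor role added later) is reported as drift.
    """
    findings = []
    reader_scopes = []
    blob_reader_on_exports = False
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        if role == "Reader" and (scope.startswith(MG_PREFIX) or scope.startswith("/subscriptions/")):
            reader_scopes.append(scope)
        elif role == "Storage Blob Data Reader" and scope.lower() == export_storage_account_id.lower():
            blob_reader_on_exports = True
        elif (role, scope) in (("Reservations Reader", RESERVATIONS_SCOPE),
                               ("Savings Plan Reader", SAVINGS_PLAN_SCOPE)):
            continue
        else:
            findings.append(f"unexpected assignment: {role} at {scope}")
    if not reader_scopes:
        findings.append("missing: Reader at management group scope")
    elif not any(s.startswith(MG_PREFIX) for s in reader_scopes):
        findings.append("Reader granted at subscription scope only; new subscriptions will not be covered")
    if not blob_reader_on_exports:
        findings.append("missing: Storage Blob Data Reader on the export storage account")
    return findings


def parse_utc(ts):
    """Parse Graph-style timestamps such as 2027-12-01T00:00:00Z (fractional seconds optional)."""
    head = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit_secrets(credentials, now, max_lifetime_days=731, warn_within_days=30):
    """Check client secrets against the guide's 24-month recommendation."""
    findings = []
    valid = 0
    for c in credentials:
        label = c.get("displayName") or c["keyId"]
        start, end = parse_utc(c["startDateTime"]), parse_utc(c["endDateTime"])
        if end <= now:
            findings.append(f"{label}: expired on {end.date()}, delete it")
            continue
        valid += 1
        if end - now <= timedelta(days=warn_within_days):
            findings.append(f"{label}: expires on {end.date()}, rotate now")
        if end - start > timedelta(days=max_lifetime_days):
            findings.append(f"{label}: lifetime exceeds the recommended 24 months")
    if valid == 0:
        findings.append("no valid client secret; DigiUsher cannot authenticate")
    elif valid > 1:
        findings.append(f"{valid} valid secrets; delete the old one once rotation is confirmed")
    return findings


# Constructed sample data: the guide's assignments plus one Contributor role that should not exist.
EXPORT_STORAGE_ACCOUNT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                             "digiusher-billing-exports/providers/Microsoft.Storage/storageAccounts/digiusherexportsexample")
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Reader", "scope": MG_PREFIX + "00000000-0000-0000-0000-000000000000"},
    {"roleDefinitionName": "Storage Blob Data Reader", "scope": EXPORT_STORAGE_ACCOUNT_ID},
    {"roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/digiusher-billing-exports"},
]
SAMPLE_NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
SAMPLE_CREDENTIALS = [
    {"displayName": "DigiUsher secret", "keyId": "0", "startDateTime": "2025-12-01T00:00:00Z", "endDateTime": "2027-12-01T00:00:00Z"},
    {"displayName": "old secret", "keyId": "1", "startDateTime": "2023-12-01T00:00:00Z", "endDateTime": "2025-12-01T00:00:00Z"},
]


def main(argv):
    if len(argv) != 4:
        print(__doc__)
        return 2
    with open(argv[1]) as f:
        assignments = json.load(f)
    with open(argv[2]) as f:
        credentials = json.load(f)
    findings = audit_role_assignments(assignments, argv[3]) + audit_secrets(credentials, datetime.now(timezone.utc))
    for finding in findings:
        print("FINDING:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script exits non-zero on any finding, so it can run on a schedule as a drift check; the subscription-only Reader case is reported separately because it is read-only and harmless today but silently stops covering subscriptions created after the assignment.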

Security

What DigiUsher CAN Access (Read-Only)

  • Cost and usage data via FOCUS exports in Azure Storage
  • Resource metadata (names, types, regions, tags) via Reader role
  • Reservation and Savings Plan information (if optional access granted)
  • Management Group, subscription, and resource group hierarchy

What DigiUsher CANNOT Do

  • Create, modify, or delete any Azure resources
  • Access application data, databases, or storage contents (beyond cost exports)
  • Modify IAM policies or role assignments
  • Read secrets, credentials, or encryption keys
  • Access network traffic or logs content
  • Make purchases or modify billing settings

Monitoring

Monitor App Registration activity in Microsoft Entra ID > Enterprise applications > DigiUsherApp > Sign-in logs (the service principal sign-ins tab) and Audit logs. Read-only calls made with the Reader role are not recorded in the Azure Activity Log, which captures only management writes, so the sign-in log is the primary signal that the credential is in use. Alert on sign-ins from unexpected IP ranges and on Audit log entries that add a certificate or secret to the app, since a second credential appearing on the registration is the usual sign that it has been compromised or repurposed.

Credential Rotation

  • Terraform: terraform apply -replace="azuread_application_password.digiusher", then read the new value with terraform output client_secret and enter it into the DigiUsher platform.
  • Manual: App Registration > Certificates & secrets > New client secret. Enter the new secret into the DigiUsher platform, confirm in the sign-in logs that authentication succeeds with it, then delete the old secret. A short overlap with both secrets valid avoids a gap in data collection; do not leave the old secret in place once the new one is confirmed.

Revocation

  • Terraform: terraform destroy — removes the App Registration, all role assignments, and invalidates the client secret.
  • Manual: Delete the DigiUsherApp App Registration in Microsoft Entra ID > App registrations. New token requests with the client secret fail immediately, but access tokens already issued remain valid until they expire (about an hour), and the role assignments stay behind as orphaned entries pointing at the deleted principal; remove them from each scope's Access Control (IAM) page. The deleted registration can be restored for 30 days from App registrations > Deleted applications, so permanently delete it there if the revocation must be irreversible.

Troubleshooting

Export not appearing

  • Ensure Microsoft.CostManagementExports resource provider is registered
  • Go to Subscription → Resource providers → Search for CostManagementExports → Register

Permission denied on billing scope

  • Verify you have EA Admin access
  • Some EA accounts require the enrollment admin to grant access via the EA Portal first

Cannot see Management Groups

  • Go to Management Groups → Start using management groups
  • You may need to elevate access (Step 6a) to see the tenant root group

Need Help?

If you encounter any issues not covered above, contact us at support@digiusher.com and we'll help you get set up.