Assign access to Cost Management data - Microsoft Cost Management (2023)


For users with Azure Enterprise agreements, a combination of permissions granted in the Azure portal and the Enterprise (EA) portal defines a user's level of access to Cost Management data. For users with other Azure account types, defining a user's level of access to Cost Management data is simpler because it uses Azure role-based access control (Azure RBAC). This article walks you through assigning access to Cost Management data. After the combination of permissions is assigned, the user views data in Cost Management based on their access scope and on the scope that they select in the Azure portal.

The scope that a user selects is used throughout Cost Management to provide data consolidation and to control access to cost information. When using scopes, users don't multi-select them. Instead, they select a larger scope that child scopes roll up to and then filter down to what they want to view. Data consolidation is important to understand because some people shouldn't access a parent scope that child scopes roll up to.

Watch the Cost Management controlling access video to learn about assigning access to view costs and charges with Azure role-based access control (Azure RBAC). To watch other videos, visit the Cost Management YouTube channel.

Cost Management scopes

Cost Management supports a variety of Azure account types. To view the full list of supported account types, see Understand Cost Management data. The type of account determines available scopes.

Azure EA subscription scopes

To view cost data for Azure EA subscriptions, a user must have at least read access to one or more of the following scopes.

| Scope | Defined at | Required access to view data | Prerequisite EA setting | Consolidates data to |
| --- | --- | --- | --- | --- |
| Billing account¹ | https://ea.azure.com | Enterprise Admin | None | All subscriptions from the enterprise agreement |
| Department | https://ea.azure.com | Department Admin | DA view charges enabled | All subscriptions belonging to an enrollment account that is linked to the department |
| Enrollment account² | https://ea.azure.com | Account Owner | AO view charges enabled | All subscriptions from the enrollment account |
| Management group | https://portal.azure.com | Cost Management Reader (or Contributor) | AO view charges enabled | All subscriptions below the management group |
| Subscription | https://portal.azure.com | Cost Management Reader (or Contributor) | AO view charges enabled | All resources/resource groups in the subscription |
| Resource group | https://portal.azure.com | Cost Management Reader (or Contributor) | AO view charges enabled | All resources in the resource group |

¹ The billing account is also referred to as the Enterprise Agreement or Enrollment.

² The enrollment account is also referred to as the account owner.

Direct enterprise administrators can assign the billing account, department, and enrollment account scope in the Azure portal. For more information, see Azure portal administration for direct Enterprise Agreements.

Other Azure account scopes

To view cost data for other Azure subscriptions, a user must have at least read access to one or more of the following scopes:

  • Management group
  • Subscription
  • Resource group

Various scopes are available after partners onboard customers to a Microsoft Customer Agreement. CSP customers can then use Cost Management features when enabled by their CSP partner. For more information, see Get started with Cost Management for partners.

Enable access to costs in the Azure portal

The department scope requires the Department admins can view charges (DA view charges) option set to On. Configure the option in either the Azure portal or the EA portal. All other scopes require the Account owners can view charges (AO view charges) option set to On.

To enable an option in the Azure portal:

  1. Sign in to the Azure portal at https://portal.azure.com with an enterprise administrator account.
  2. Select the Cost Management + Billing menu item.
  3. Select Billing scopes to view a list of available billing scopes and billing accounts.
  4. Select your Billing Account from the list of available billing accounts.
  5. Under Settings, select the Policies menu item and then configure the setting.

After the view charge options are enabled, most scopes also require Azure role-based access control (Azure RBAC) permission configuration in the Azure portal.

Enable access to costs in the EA portal

The department scope requires the DA view charges option Enabled in the EA portal. Configure the option in either the Azure portal or the EA portal. All other scopes require the AO view charges option Enabled in the EA portal.

To enable an option in the EA portal:

  1. Sign in to the EA portal at https://ea.azure.com with an enterprise administrator account.
  2. Select Manage in the left pane.
  3. For the cost management scopes that you want to provide access to, enable the charge option to DA view charges and/or AO view charges.

After the view charge options are enabled, most scopes also require Azure role-based access control (Azure RBAC) permission configuration in the Azure portal.

Enterprise administrator role

By default, an enterprise administrator can access the billing account (Enterprise Agreement/enrollment) and all other scopes, which are child scopes. The enterprise administrator assigns access to scopes for other users. As a best practice for business continuity, you should always have two users with enterprise administrator access. The following sections are walk-through examples of the enterprise administrator assigning access to scopes for other users.

Assign billing account scope access

Access to the billing account scope requires enterprise administrator permission in the EA portal. The enterprise administrator can view costs across the entire EA enrollment or multiple enrollments. No action is required in the Azure portal for the billing account scope.

  1. Sign in to the EA portal at https://ea.azure.com with an enterprise administrator account.
  2. Select Manage in the left pane.
  3. On the Enrollment tab, select the enrollment that you want to manage.
  4. Select + Add Administrator.
  5. In the Add Administrator box, select the authentication type and type the user's email address.
  6. If the user should have read-only access to cost and usage data, under Read-only, select Yes. Otherwise, select No.
  7. Select Add to create the account.

It may take up to 30 minutes before the new user can access data in Cost Management.

Assign department scope access

Access to the department scope requires department administrator (DA view charges) access in the EA portal. The department administrator can view costs and usage data associated with a department or with multiple departments. Data for the department includes all subscriptions belonging to an enrollment account that are linked to the department. No action is required in the Azure portal.

  1. Sign in to the EA portal at https://ea.azure.com with an enterprise administrator account.
  2. Select Manage in the left pane.
  3. On the Enrollment tab, select the enrollment that you want to manage.
  4. Select the Department tab and then select Add Administrator.
  5. In the Add Department Administrator box, select the authentication type and then type the user's email address.
  6. If the user should have read-only access to cost and usage data, under Read-only, select Yes. Otherwise, select No.
  7. Select the departments that you want to grant department administrative permission to.
  8. Select Add to create the account.

Direct enterprise administrators can assign department administrator access in the Azure portal. For more information, see Add a department administrator in the Azure portal.

Assign enrollment account scope access

Access to the enrollment account scope requires account owner (AO view charges) access in the EA portal. The account owner can view costs and usage data associated with the subscriptions created from that enrollment account. No action is required in the Azure portal.

  1. Sign in to the EA portal at https://ea.azure.com with an enterprise administrator account.
  2. Select Manage in the left pane.
  3. On the Enrollment tab, select the enrollment that you want to manage.
  4. Select the Account tab and then select Add Account.
  5. In the Add Account box, select the Department to associate the account to, or leave it as unassigned.
  6. Select the authentication type and type the account name.
  7. Type the user's email address and then optionally type the cost center.
  8. Select Add to create the account.

After completing the steps above, the user account becomes an enrollment account in the Enterprise portal and can create subscriptions. The user can access cost and usage data for subscriptions that they create.

Direct enterprise administrators can assign account owner access in the Azure portal. For more information, see Add an account owner in the Azure portal.

Assign management group scope access

Access to view the management group scope requires at least the Cost Management Reader (or Reader) permission. You can configure permissions for a management group in the Azure portal. You must have at least the User Access Administrator (or Owner) permission for the management group to enable access for others. And for Azure EA accounts, you must also have enabled the AO view charges setting in the EA portal.

  • Assign the Cost Management Reader (or Reader) role to a user at the management group scope.
    For detailed steps, see Assign Azure roles using the Azure portal.

Assign subscription scope access

Access to a subscription requires at least the Cost Management Reader (or Reader) permission. You can configure permissions to a subscription in the Azure portal. You must have at least the User Access Administrator (or Owner) permission for the subscription to enable access for others. And for Azure EA accounts, you must also have enabled the AO view charges setting in the EA portal.

  • Assign the Cost Management Reader (or Reader) role to a user at the subscription scope.
    For detailed steps, see Assign Azure roles using the Azure portal.

Assign resource group scope access

Access to a resource group requires at least the Cost Management Reader (or Reader) permission. You can configure permissions to a resource group in the Azure portal. You must have at least the User Access Administrator (or Owner) permission for the resource group to enable access for others. And for Azure EA accounts, you must also have enabled the AO view charges setting in the EA portal.

  • Assign the Cost Management Reader (or Reader) role to a user at the resource group scope.
    For detailed steps, see Assign Azure roles using the Azure portal.
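
Because child scopes roll up to their parents, a cost-viewing role assigned at a management group or subscription exposes every scope beneath it. The following Python script is an added example, not part of the original article or any Microsoft tooling; it reviews role assignments and flags cost-viewing roles granted at a broader scope than intended. It assumes input shaped like the JSON from `az role assignment list --all -o json` (fields `principalName`, `roleDefinitionName`, `scope`); the sample data, the `ALLOWED` policy map, and all names are constructed for illustration.

```python
import json

# Roles the article's scope table and RBAC sections name as sufficient to view costs.
COST_VIEW_ROLES = {"Cost Management Reader", "Cost Management Contributor",
                   "Reader", "Contributor"}

# Higher number = broader scope. Unrecognized scopes are treated as broadest
# so that they are always surfaced for review (fail closed).
BREADTH = {"resource": 0, "resource_group": 1, "subscription": 2,
           "management_group": 3, "root": 4, "unknown": 4}

def scope_level(scope):
    """Classify an Azure RBAC scope string by how much it consolidates."""
    parts = [p for p in scope.strip("/").split("/") if p]
    lower = [p.lower() for p in parts]
    if not parts:
        return "root"
    if len(parts) == 4 and lower[:3] == ["providers", "microsoft.management",
                                         "managementgroups"]:
        return "management_group"
    if lower[0] == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        if len(parts) >= 4 and lower[2] == "resourcegroups":
            return "resource_group" if len(parts) == 4 else "resource"
    return "unknown"

def broad_cost_access(assignments, allowed, default_limit="resource_group"):
    """Return (principal, role, level, scope) for cost-viewing assignments that
    are broader than the level recorded for that principal in `allowed`."""
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName")
        if role not in COST_VIEW_ROLES:
            continue
        level = scope_level(a.get("scope", ""))
        who = a.get("principalName") or a.get("principalId", "<unknown>")
        limit = allowed.get(who, default_limit)
        if BREADTH[level] > BREADTH[limit]:
            findings.append((who, role, level, a.get("scope", "")))
    # Broadest exposure first.
    return sorted(findings, key=lambda f: -BREADTH[f[2]])

# Constructed sample data (not real tenants, users, or subscriptions).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
MG = "/providers/Microsoft.Management/managementGroups/mg-corp"
SAMPLE = json.loads(json.dumps([
    {"principalName": "finance@contoso.example",
     "roleDefinitionName": "Cost Management Reader", "scope": MG},
    {"principalName": "dev1@contoso.example",
     "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "dev2@contoso.example",
     "roleDefinitionName": "Cost Management Reader",
     "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "ops@contoso.example",
     "roleDefinitionName": "Storage Blob Data Reader", "scope": SUB},
    {"principalName": "contractor@contoso.example",
     "roleDefinitionName": "Cost Management Contributor", "scope": MG},
]))

# Hypothetical policy: the broadest level each principal is meant to see.
ALLOWED = {"finance@contoso.example": "management_group"}

if __name__ == "__main__":
    for who, role, level, scope in broad_cost_access(SAMPLE, ALLOWED):
        print(f"{who}: {role} at {level} scope {scope}")
```
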

Cross-tenant authentication issues

Currently, Cost Management has limited support for cross-tenant authentication. In some circumstances when you try to authenticate across tenants, you may receive an Access denied error in cost analysis. This issue might occur if you configure Azure role-based access control (Azure RBAC) to another tenant's subscription and then try to view cost data.

To work around the problem: After you configure cross-tenant Azure RBAC, wait an hour. Then, try to view costs in cost analysis or grant Cost Management access to users in both tenants.

Next steps

  • If you haven't already completed the first quickstart for Cost Management, read it at Start analyzing costs.

FAQs

Can you use Azure cost management to view costs associated to management?

Azure Cost Management lets you analyze past cloud usage and expenses, and predict future expenses. You can view costs in a daily, monthly, or annual trend, to identify trends and anomalies, and find opportunities for optimization and savings.

Does Microsoft have access to my data in Azure?

Microsoft does not inspect, approve, or monitor applications that customers deploy to Azure. Moreover, Microsoft does not know what kind of data customers choose to store in Azure. Microsoft does not claim data ownership over the customer information that's entered into Azure.

Who can use Azure cost management?

You don't need to pay additional costs to use Azure cost management. It is available for all AWS (Amazon Web Services) users. New Azure accounts require a 48-hour waiting time before they can access full features of Azure Cost Management.

Who can use the Azure TCO?

To get an idea of how those savings will impact your company, business owners can use the Microsoft Azure Total Cost of Ownership (TCO) tool to calculate their savings using a cloud-based ERP.

What are contributor permissions?

Contributors are a group of collaborators within a project, component, registration, or preprint. Projects and components have individual contributor lists and permissions levels, so you can control who can access and modify your work.

What is delegated access in Azure?

In Azure AD, you can delegate Application creation and management permissions in the following ways: Restricting who can create applications and manage the applications they create. By default in Azure AD, all users can register applications and manage all aspects of applications they create.

What can delegated permissions be assigned to for Azure role based access control?

Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope.

Does Microsoft still have access database?

Is Microsoft Access still available in 2022? Microsoft Access is still available and continues to be supported. A proven product for 25+ years, it is still the most widely used desktop, team, and small/medium sized business database product.

Does Microsoft have access to my data?

Microsoft collects data to help you do more. To do this, we use the data we collect to provide, improve, and develop our products and services, and to provide you with personalized experiences. If you use products like Outlook.com, Skype, OneDrive, or Xbox, you likely have a personal Microsoft account.

Is Microsoft discontinuing Azure?

We're retiring Azure VMs (classic) on September 1, 2023 - Azure Virtual Machines | Microsoft Learn.

What is Microsoft conditional access?

Conditional access is the tool used by Azure AD to bring together signals, make decisions, and enforce organizational policies. Help keep your organization secure using conditional access policies only when needed.

How do I create a conditional access policy in Office 365?

Sign in to the Microsoft Endpoint Manager admin center, select Endpoint Security > Conditional Access > New Policy. Provide a Name for your specific Conditional Access policy. On the New Policy tab, under Users and groups, choose Specific users included.

How do I check cost management in Azure portal?

To get started analyzing your Azure Monitor charges, open Cost Management + Billing in the Azure portal. Select Cost Management > Cost analysis. Select your subscription or another scope. You might need additional access to cost management data.

Which Azure tool has a set of tools for monitoring allocating and optimization as your cost?

Azure Advisor is a tool that analyzes Azure configurations and uses telemetry to provide practical, tailored recommendations on how to better optimize resources and maximize value for money.

How do I access cost Explorer?

To open Cost Explorer

Sign in to the AWS Management Console and open the AWS Cost Management console at https://console.aws.amazon.com/cost-management/home. This opens the Cost dashboard that shows you the following: Your estimated costs for the month to date. Your forecasted costs for the month.

Who uses cost management information?

Cost management is required in the manufacturing industry where the raw material is used to produce the finished product. There is some process involved to convert the raw material into a finished product.

Who is responsible for cost management in project management?

Project managers are responsible for cost project management. As part of their role, they must estimate total costs, plan the budget, monitor spend, and prepare for potential risks. A project manager must remain vigilant throughout the cost management process to ensure they stay within budget and improve profitability.

What is required to use as your cost management?

Planning, communication, motivation, appraisal, and decision-making are the features that make managing costs an important business procedure. Resource allocation, cost estimation, cost budgeting, and cost control are the major functions of the cost management process.

What is TCO database?

Gartner defines total cost of ownership (TCO) as a comprehensive assessment of information technology (IT) or other costs across enterprise boundaries over time.

What are some challenges with using TCO?

A frequently lobbed criticism about TCO is that the methodology isn't comprehensive enough and typically fails to include soft, or hidden, costs such as the training required when new users are added to a system.

What authenticates and authorizes users to use Azure resources under a tenant?

Use OAuth access tokens for authentication

Azure Storage accepts OAuth 2.0 access tokens from the Azure AD tenant associated with the subscription that contains the storage account.

Is identity management the same as access management?

They are related, but decidedly not the same thing. Identity management relates to authenticating users. Access management relates to authorizing users.

What is identity and access management?

Identity and access management (IAM) ensures that the right people and job roles in your organization (identities) can access the tools they need to do their jobs. Identity management and access systems enable your organization to manage employee apps without logging into each app as an administrator.

What is a user assigned managed identity?

A user-assigned managed identity is created as a standalone Azure resource. Through a create process, Azure creates an identity in the Azure AD tenant that's trusted by the subscription in use. After the identity is created, the identity can be assigned to one or more Azure service instances.

What are the three types of role Basic Access Control in Microsoft Azure?

The way you control access to resources using Azure RBAC is to assign Azure roles. This is a key concept to understand – it's how permissions are enforced. A role assignment consists of three elements: security principal, role definition, and scope.

What is Azure role-based access control?

Azure role-based access control (Azure RBAC) is a system that provides fine-grained access management of Azure resources. Using Azure RBAC, you can segregate duties within your team and grant only the amount of access to users that they need to perform their jobs.

Which role-based access control should you assign to User1?

The solution must use the principle of least privilege. Which role-based access control (RBAC) role should you assign to User1? Incorrect Answers: A: Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.

What can you use to assign permissions to an IAM user?

Adding IAM identity permissions (console) You can use the AWS Management Console to add permissions to an identity (user, user group, or role). To do this, attach managed policies that control permissions, or specify a policy that serves as a permissions boundary. You can also embed an inline policy.

What are two types of access for IAM user?

Temporary IAM user permissions – An IAM user or role can assume an IAM role to temporarily take on different permissions for a specific task. Cross-account access – You can use an IAM role to allow someone (a trusted principal) in a different account to access resources in your account.

What are permissions in IAM?

The permissions for a session are the intersection of the identity-based policies for the IAM entity (user or role) used to create the session and the session policies. Permissions can also come from a resource-based policy. An explicit deny in any of these policies overrides the allow.

What are the three types of share permissions?

There are three types of share permissions: Full Control, Change, and Read. Full Control: Enables users to “read,” “change,” as well as edit permissions and take ownership of files.

What are the three levels of share permissions?

Basically, share permissions apply more generally to files, folders, and have three different levels of sharing: Full Control, Change, and Read.

What is the difference between delegated and application permissions?

Delegated permissions, also called scopes, allow the application to act on behalf of the signed-in user. Application permissions, also called app roles, allow the app to access data on its own, without a signed-in user.

Why does Azure have two access keys?

If possible, use Azure Key Vault to manage your access keys. If you are not using Key Vault, you will need to rotate your keys manually. Two access keys are assigned so that you can rotate your keys. Having two keys ensures that your application maintains access to Azure Storage throughout the process.

What is the difference between role-based access control and rule based access control?

Rule-based access controls are preventative – they don't determine access levels for employees. Instead, they work to prevent unauthorized access. Role-based models are proactive – they provide employees with a set of circumstances in which they can gain authorized access.

How do you grant admin permission to applications in Azure?

Search for and select Azure Active Directory. Select Enterprise applications. Under Manage, select User settings. Under Admin consent requests, select Yes for Users can request admin consent to apps they are unable to consent to.

How do I give permission to an App in Microsoft?

Select Start > Settings > Privacy & security. Select an App permission (for example, Location) then choose which apps can access it.

How do I grant permissions in Azure API?

Select Azure Active Directory > App registrations, and then select your client application. Select API permissions > Add a permission > Microsoft Graph > Application permissions.

Article information

Author: Reed Wilderman

Last Updated: 03/07/2023
