- Article
- 8 minutes to read
For users with Azure Enterprise agreements, a combination of permissions granted in the Azure portal and the Enterprise (EA) portal define a user's level of access to Cost Management data. For users with other Azure account types, defining a user's level of access to Cost Management data is simpler by using Azure role-based access control (Azure RBAC). This article walks you through assigning access to Cost Management data. After the combination of permissions is assigned, the user views data in Cost Management based on their access scope and on the scope that they select in the Azure portal.
The scope that a user selects is used throughout Cost Management to provide data consolidation and to control access to cost information. When using scopes, users don't multi-select them. Instead, they select a larger scope that child scopes roll up to and then they filter-down to what they want to view. Data consolidation is important to understand because some people shouldn't access a parent scope that child scopes roll up to.
Watch the Cost Management controlling access video to learn about assigning access to view costs and charges with Azure role-based access control (Azure RBAC). To watch other videos, visit the Cost Management YouTube channel.
Cost Management scopes
Cost management supports a variety of Azure account types. To view the full list of supported account types, see Understand Cost Management data. The type of account determines available scopes.
Azure EA subscription scopes
To view cost data for Azure EA subscriptions, a user must have at least read access to one or more of the following scopes.
Scope | Defined at | Required access to view data | Prerequisite EA setting | Consolidates data to |
---|---|---|---|---|
Billing account¹ | https://ea.azure.com | Enterprise Admin | None | All subscriptions from the enterprise agreement |
Department | https://ea.azure.com | Department Admin | DA view charges enabled | All subscriptions belonging to an enrollment account that is linked to the department |
Enrollment account² | https://ea.azure.com | Account Owner | AO view charges enabled | All subscriptions from the enrollment account |
Management group | https://portal.azure.com | Cost Management Reader (or Contributor) | AO view charges enabled | All subscriptions below the management group |
Subscription | https://portal.azure.com | Cost Management Reader (or Contributor) | AO view charges enabled | All resources/resource groups in the subscription |
Resource group | https://portal.azure.com | Cost Management Reader (or Contributor) | AO view charges enabled | All resources in the resource group |
¹ The billing account is also referred to as the Enterprise Agreement or Enrollment.
² The enrollment account is also referred to as the account owner.
Direct enterprise administrators can assign the billing account, department, and enrollment account scope the in the Azure portal. For more information, see Azure portal administration for direct Enterprise Agreements.
Other Azure account scopes
To view cost data for other Azure subscriptions, a user must have at least read access to one or more of the following scopes:
- Management group
- Subscription
- Resource group
Various scopes are available after partners onboard customers to a Microsoft Customer Agreement. CSP customers can then use Cost Management features when enabled by their CSP partner. For more information, see Get started with Cost Management for partners.
Enable access to costs in the Azure portal
The department scope requires the Department admins can view charges (DA view charges) option set to On. Configure the option in either the Azure portal or the EA portal. All other scopes require the Account owners can view charges (AO view charges) option set to On.
To enable an option in the Azure portal:
- Sign in to the Azure portal at https://portal.azure.com with an enterprise administrator account.
- Select the Cost Management + Billing menu item.
- Select Billing scopes to view a list of available billing scopes and billing accounts.
- Select your Billing Account from the list of available billing accounts.
- Under Settings, select the Policies menu item and then configure the setting.
After the view charge options are enabled, most scopes also require Azure role-based access control (Azure RBAC) permission configuration in the Azure portal.
Enable access to costs in the EA portal
Note
The information in the section applies only to users that have an Enterprise Agreement with a Microsoft partner (indirect EA).
The department scope requires the DA view charges option Enabled in the EA portal. Configure the option in either the Azure portal or the EA portal. All other scopes require the AO view charges option Enabled in the EA portal.
To enable an option in the EA portal:
- Sign in to the EA portal at https://ea.azure.com with an enterprise administrator account.
- Select Manage in the left pane.
- For the cost management scopes that you want to provide access to, enable the charge option to DA view charges and/or AO view charges.
After the view charge options are enabled, most scopes also require Azure role-based access control (Azure RBAC) permission configuration in the Azure portal.
Enterprise administrator role
By default, an enterprise administrator can access the billing account (Enterprise Agreement/enrollment) and all other scopes, which are child scopes. The enterprise administrator assigns access to scopes for other users. As a best practice for business continuity, you should always have two users with enterprise administrator access. The following sections are walk-through examples of the enterprise administrator assigning access to scopes for other users.
Assign billing account scope access
Access to the billing account scope requires enterprise administrator permission in the EA portal. The enterprise administrator can view costs across the entire EA enrollment or multiple enrollments. No action is required in the Azure portal for the billing account scope.
- Sign in to the EA portal at https://ea.azure.com with an enterprise administrator account.
- Select Manage in the left pane.
- On the Enrollment tab, select the enrollment that you want to manage.
- Select + Add Administrator.
- In the Add Administrator box, select the authentication type and type the user's email address.
- If the user should have read-only access to cost and usage data, under Read-only, select Yes. Otherwise, select No.
- Select Add to create the account.
It may take up to 30 minutes before the new user can access data in Cost Management.
Assign department scope access
Access to the department scope requires department administrator (DA view charges) access in the EA portal. The department administrator can view costs and usage data associated with a department or to multiple departments. Data for the department includes all subscriptions belonging to an enrollment account that are linked to the department. No action is required in the Azure portal.
- Sign in to the EA portal at https://ea.azure.com with an enterprise administrator account.
- Select Manage in the left pane.
- On the Enrollment tab, select the enrollment that you want to manage.
- Select the Department tab and then select Add Administrator.
- In the Add Department Administrator box, select the authentication type and then type the user's email address.
- If the user should have read-only access to cost and usage data, under Read-only, select Yes. Otherwise, select No.
- Select the departments that you want to grant department administrative permission to.
- Select Add to create the account.
Direct enterprise administrators can assign department administrator access in the Azure portal. For more information, see Add a department administrator in the Azure portal.
Assign enrollment account scope access
Access to the enrollment account scope requires account owner (AO view charges) access in the EA portal. The account owner can view costs and usage data associated with the subscriptions created from that enrollment account. No action is required in the Azure portal.
- Sign in to the EA portal at https://ea.azure.com with an enterprise administrator account.
- Select Manage in the left pane.
- On the Enrollment tab, select the enrollment that you want to manage.
- Select the Account tab and then select Add Account.
- In the Add Account box, select the Department to associate the account to, or leave it as unassigned.
- Select the authentication type and type the account name.
- Type the user's email address and then optionally type the cost center.
- Select on Add to create the account.
After completing the steps above, the user account becomes an enrollment account in the Enterprise portal and can create subscriptions. The user can access cost and usage data for subscriptions that they create.
Direct enterprise administrators can assign account owner access in the Azure portal. For more information, see Add an account owner in the Azure portal.
Assign management group scope access
Access to view the management group scope requires at least the Cost Management Reader (or Reader) permission. You can configure permissions for a management group in the Azure portal. You must have at least the User Access Administrator (or Owner) permission for the management group to enable access for others. And for Azure EA accounts, you must also have enabled the AO view charges setting in the EA portal.
- Assign the Cost Management Reader (or reader) role to a user at the management group scope.
For detailed steps, see Assign Azure roles using the Azure portal.
Assign subscription scope access
Access to a subscription requires at least the Cost Management Reader (or Reader) permission. You can configure permissions to a subscription in the Azure portal. You must have at least the User Access Administrator (or Owner) permission for the subscription to enable access for others. And for Azure EA accounts, you must also have enabled the AO view charges setting in the EA portal.
- Assign the Cost Management Reader (or reader) role to a user at the subscription scope.
For detailed steps, see Assign Azure roles using the Azure portal.
Assign resource group scope access
Access to a resource group requires at least the Cost Management Reader (or Reader) permission. You can configure permissions to a resource group in the Azure portal. You must have at least the User Access Administrator (or Owner) permission for the resource group to enable access for others. And for Azure EA accounts, you must also have enabled the AO view charges setting in the EA portal.
- Assign the Cost Management Reader (or reader) role to a user at the resource group scope.
For detailed steps, see Assign Azure roles using the Azure portal.
Cross-tenant authentication issues
Currently, Cost Management has limited support for cross-tenant authentication. In some circumstances when you try to authenticate across tenants, you may receive an Access denied error in cost analysis. This issue might occur if you configure Azure role-based access control (Azure RBAC) to another tenant's subscription and then try to view cost data.
To work around the problem: After you configure cross-tenant Azure RBAC, wait an hour. Then, try to view costs in cost analysis or grant Cost Management access to users in both tenants.
Next steps
- If you haven't already completed the first quickstart for Cost Management, read it at Start analyzing costs.
FAQs
Can you use Azure cost management to view costs associated to management? ›
Azure Cost Management lets you analyze past cloud usage and expenses, and predict future expenses. You can view costs in a daily, monthly, or annual trend, to identify trends and anomalies, and find opportunities for optimization and savings.
Does Microsoft have access to my data in Azure? ›Microsoft does not inspect, approve, or monitor applications that customers deploy to Azure. Moreover, Microsoft does not know what kind of data customers choose to store in Azure. Microsoft does not claim data ownership over the customer information that's entered into Azure.
Who can use Azure cost management? ›You don't need to pay additional costs to use Azure cost management. It is available for all AWS (Amazon Web Services) users. New Azure accounts require a 48-hour waiting time before they can access full features of Azure Cost Management.
Who can use the Azure TCO? ›To get an idea of how those savings will impact your company, business owners can use the Microsoft Azure Total Cost of Ownership (TCO) tool to calculate their savings using a cloud-based ERP.
What are contributor permissions? ›Contributors are a group of collaborators within a project, component, registration, or preprint. Projects and components have individual contributor lists and permissions levels, so you can control who can access and modify your work.
What is delegated access in Azure? ›In Azure AD, you can delegate Application creation and management permissions in the following ways: Restricting who can create applications and manage the applications they create. By default in Azure AD, all users can register applications and manage all aspects of applications they create.
What can delegated permissions be assigned to for Azure role based access control? ›Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope.
Does Microsoft still have access database? ›Is Microsoft Access still available in 2022? Microsoft Access is still available and continues to be supported. A proven product for 25+ years it is still the most widely used desktop, team, and small/medium sized business database product.
Does Microsoft have access to my data? ›Microsoft collects data to help you do more. To do this, we use the data we collect to provide, improve, and develop our products and services, and to provide you with personalized experiences. If you use products like Outlook.com, Skype, OneDrive, or Xbox, you likely have a personal Microsoft account.
Is Microsoft discontinuing Azure? ›We're retiring Azure VMs (classic) on September 1, 2023 - Azure Virtual Machines | Microsoft Learn. This browser is no longer supported. Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
What is Microsoft conditional access? ›
Conditional access is the tool used by Azure AD to bring together signals, make decisions, and enforce organizational policies. Help keep your organization secure using conditional access policies only when needed.
How do I create a conditional access policy in Office 365? ›Sign in to the Microsoft Endpoint Manager admin center, select Endpoint Security > Conditional Access > New Policy. Provide a Name for your specific Conditional Access policy. On the New Policy tab, under Users and groups, choose Specific users included.
How do I check cost management in Azure portal? ›To get started analyzing your Azure Monitor charges, open Cost Management + Billing in the Azure portal. Select Cost Management > Cost analysis. Select your subscription or another scope. You might need additional access to cost management data.
Which Azure tool has a set of tools for monitoring allocating and optimization as your cost? ›Azure Advisor is a tool that analyzes Azure configurations and uses telemetry to provide practical, tailored recommendations on how to better optimize resources and maximize value for money.
How do I access cost Explorer? ›To open Cost Explorer
Sign in to the AWS Management Console and open the AWS Cost Management console at https://console.aws.amazon.com/cost-management/home . This opens the Cost dashboard that shows you the following: Your estimated costs for the month to date. Your forecasted costs for the month.
Cost management is required in the manufacturing industry where the raw material is used to produce the finished product. There is some process involved to convert the raw material into a finished product.
Who is responsible for cost management in project management? ›Project managers are responsible for cost project management. As part of their role, they must estimate total costs, plan the budget, monitor spend, and prepare for potential risks. A project manager must remain vigilant throughout the cost management process to ensure they stay within budget and improve profitability.
What is required to use as your cost management? ›Planning, communication, motivation, appraisal, and decision-making are the features that make managing costs an important business procedure. Resource allocation, cost estimation, cost budgeting, and cost control are the major functions of the cost management process.
What is TCO database? ›Gartner defines total cost of ownership (TCO) a comprehensive assessment of information technology (IT) or other costs across enterprise boundaries over time.
What are some challenges with using TCO? ›A frequently lobbed criticism about TCO is that the methodology isn't comprehensive enough and typically fails to include soft, or hidden, costs such as the training required when new users are added to a system.
What authenticates and authorizes users to use Azure resources under a tenant? ›
Use OAuth access tokens for authentication
Azure Storage accepts OAuth 2.0 access tokens from the Azure AD tenant associated with the subscription that contains the storage account.
They are related, but decidedly not the same thing. Identity management relates to authenticating users. Access management relates to authorizing users.
What is identity and access management? ›Identity and access management (IAM) ensures that the right people and job roles in your organization (identities) can access the tools they need to do their jobs. Identity management and access systems enable your organization to manage employee apps without logging into each app as an administrator.
What is a user assigned managed identity? ›A user-assigned managed identity is created as a standalone Azure resource. Through a create process, Azure creates an identity in the Azure AD tenant that's trusted by the subscription in use. After the identity is created, the identity can be assigned to one or more Azure service instances.
What are the three types of role Basic Access Control in Microsoft Azure? ›The way you control access to resources using Azure RBAC is to assign Azure roles. This is a key concept to understand – it's how permissions are enforced. A role assignment consists of three elements: security principal, role definition, and scope.
What is Azure role-based access control? ›Azure role-based access control (Azure RBAC) is a system that provides fine-grained access management of Azure resources. Using Azure RBAC, you can segregate duties within your team and grant only the amount of access to users that they need to perform their jobs.
Which role-based access control should you assign to User1? ›The solution must use the principle of least privilege. Which role-based access control (RBAC) role should you assign to User1? Incorrect Answers: A: Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
What can you use to assign permissions to an IAM user? ›Adding IAM identity permissions (console) You can use the AWS Management Console to add permissions to an identity (user, user group, or role). To do this, attach managed policies that control permissions, or specify a policy that serves as a permissions boundary. You can also embed an inline policy.
What are two types of access for IAM user? ›Temporary IAM user permissions – An IAM user or role can assume an IAM role to temporarily take on different permissions for a specific task. Cross-account access – You can use an IAM role to allow someone (a trusted principal) in a different account to access resources in your account.
What are permissions in IAM? ›The permissions for a session are the intersection of the identity-based policies for the IAM entity (user or role) used to create the session and the session policies. Permissions can also come from a resource-based policy. An explicit deny in any of these policies overrides the allow.
What are the three types of share permissions? ›
There are three types of share permissions: Full Control, Change, and Read. Full Control: Enables users to “read,” “change,” as well as edit permissions and take ownership of files.
What are the three levels of share permissions? ›Basically, share permissions apply more generally to files, folders, and have three different levels of sharing: Full Control, Change, and Read.
What is the difference between delegated and application permissions? ›Delegated permissions, also called scopes, allow the application to act on behalf of the signed-in user. Application permissions, also called app roles, allow the app to access data on its own, without a signed-in user.
Why does Azure have two access keys? ›If possible, use Azure Key Vault to manage your access keys. If you are not using Key Vault, you will need to rotate your keys manually. Two access keys are assigned so that you can rotate your keys. Having two keys ensures that your application maintains access to Azure Storage throughout the process.
What is the difference between role-based access control and rule based access control? ›Rule-based access controls are preventative – they don't determine access levels for employees. Instead, they work to prevent unauthorized access. Role-based models are proactive – they provide employees with a set of circumstances in which they can gain authorized access.
Who can use Azure Cost Management? ›You don't need to pay additional costs to use Azure cost management. It is available for all AWS (Amazon Web Services) users. New Azure accounts require a 48-hour waiting time before they can access full features of Azure Cost Management.
How do you grant admin permission to applications in Azure? ›Search for and select Azure Active Directory. Select Enterprise applications. Under Manage, select User settings. Under Admin consent requests, select Yes for Users can request admin consent to apps they are unable to consent to .
How do I give permission to an App in Microsoft? ›Select Start > Settings > Privacy & security. Select an App permission (for example, Location) then choose which apps can access it.
How do I grant permissions in Azure API? ›Select Azure Active Directory > App registrations, and then select your client application. Select API permissions > Add a permission > Microsoft Graph > Application permissions.