Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.yasu.cloud/llms.txt

Use this file to discover all available pages before exploring further.

Connect your Azure account to Yasu by creating a Service Principal with read-only permissions. This enables Yasu to analyze your cloud costs and provide optimization recommendations.
Security First: Yasu uses a Service Principal with read-only permissions. We cannot modify, create, or delete any Azure resources.

Subscription-Level Setup (All Billing Account Types)

This guide covers connecting Azure subscriptions to Yasu using subscription-level RBAC roles. This setup method works for all Azure billing account types, including:
  • Pay as You Go (Individual subscriptions)
  • Microsoft Customer Agreement (MCA)
  • Enterprise Agreement (EA)
  • Azure Cloud Solution Provider (CSP)
Universal Setup: Subscription-level RBAC roles provide access to cost data and resources for all billing account types. Simply create a Service Principal and assign roles at the subscription scope - no billing account ID or enrollment number is required.

Prerequisites

Before connecting your Azure account, ensure you have:
  • Administrative access to your Azure subscription (or permissions to create Service Principals and assign RBAC roles)
  • Subscription Owner or User Access Administrator role to assign permissions
  • Access to Azure Portal or Azure CLI
  • PowerShell or Azure CLI installed (for automated setup)

Quick Setup via Azure CLI

The fastest way to connect your Azure account is through Azure CLI commands.
1

Open Azure Connection Dialog

  1. Log in to your Yasu dashboard at app.yasu.cloud
  2. Create a workspace (if you haven’t already):
    • After logging in, you’ll be prompted to create a new workspace
    • Enter your workspace name and click Create
    • You’ll be redirected to the Onboarding page
  3. On the Onboarding page, Click the Connect button next to Azure
This opens the Azure connection dialog with step-by-step instructions.
2

Step 1: Create Service Principal

In the dialog, you’ll see an Azure CLI command to create a Service Principal:
  1. Copy the command from the dialog (it is pre-filled with your account ID)
  2. Open Azure Cloud Shell or your local terminal with Azure CLI installed
  3. Paste and run the command
The command creates a Service Principal named yasu-cost-optimizer-{your-account-id} and returns a JSON output like:
{
  "appId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
  "displayName": "yasu-cost-optimizer-...",
  "password": "XXXX-XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  "tenant": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}
  1. Copy the entire JSON output and paste it into the text box in the dialog — the credentials will be auto-filled from it
  2. Click Next
Important: Save this output securely. The password (client secret) is only shown once and cannot be retrieved again.
3

Step 2: Assign Roles

The dialog will prompt you to enter the subscription ID where your Azure resources are hosted:
  1. Enter your Azure Subscription ID in the provided field
  2. The dialog will automatically regenerate the three role assignment commands with your subscription ID and App ID filled in
  3. Copy the commands for your platform (Bash/Linux/macOS or PowerShell)
  4. Run the commands in your Azure terminal and wait for a successful response — they assign the following roles to your Service Principal:
    • Reader — read access to subscription resources
    • Cost Management Reader — access to cost and billing data
    • Advisor Reviews Reader — access to Azure Advisor recommendations
Multiple subscriptions: If your resources span more than one subscription, change the subscription ID in the dialog to your second subscription and run all three commands again. Repeat for each additional subscription.
Role assignments may take up to 5 minutes to propagate. Wait a few minutes before proceeding.
4

Step 3: Connect

Your credentials have been auto-filled from the JSON output you pasted in Step 1. Review the pre-filled values:
  • Tenant ID
  • Service Principal App ID (Client ID)
  • Client Secret
Click Connect. Yasu will validate the connection and, once confirmed, automatically advance to the Invite Members step.
5

Wait for Verification

Yasu will automatically verify your connection:
  • Authentication test - Verifies Service Principal credentials
  • Permission check - Confirms required roles are assigned
This typically takes 10-30 seconds. If validation fails, check your credentials and ensure role assignments have propagated (wait 5 minutes after assigning roles).
6

Connection Complete

Once verified, the dialog will close and you’ll see:
  • Azure connection: Active
  • Onboarding progress: Automatically advances to the next step
Your first cost-saving insights will appear within 5-10 minutes after connection.

Manual Setup via Azure Portal

If you prefer to set up the Service Principal manually through the Azure Portal:
1

Create Application Registration

  1. Navigate to Azure PortalMicrosoft Entra ID (Azure Active Directory)
  2. Go to App registrations+ New registration
  3. Set Name: yasu-cost-optimizer-{your-account-id}
  4. Select Accounts in this organizational directory only
  5. Click Register
  6. Copy the following values (you’ll need them later):
    • Application (client) ID
    • Directory (tenant) ID
2

Generate Client Secret

  1. In the app registration, go to Certificates & secrets
  2. Click + New client secret
  3. Enter a Description: Yasu Access Key
  4. Select Expires: Choose 24 months (recommended)
  5. Click Add
  6. Copy the secret Value immediately - it won’t be shown again
Important: If this secret expires, you’ll need to create a new one and update it in Yasu before expiration. Set a reminder for 30 days before expiration.
3

Assign RBAC Roles

The Service Principal needs the following roles at the Subscription scope:
  1. Navigate to Subscriptions → Select your subscription
  2. Go to Access control (IAM)+ AddAdd role assignment
  3. Assign each role one by one: Role 1: Reader
    • Role: Select Reader
    • Assign access to: User, group, or service principal
    • Select members: Search for and select your yasu-cost-optimizer-* app
    • Click Review + assign
    Role 2: Cost Management Reader
    • Repeat the process with Cost Management Reader role
    Role 3: Monitoring Reader
    • Repeat the process with Monitoring Reader role
Role assignments may take up to 5 minutes to propagate. Wait a few minutes before testing the connection.
4

Complete Connection in Yasu

  1. Return to the Onboarding page in Yasu
  2. Click Connect next to Azure to open the connection dialog
  3. Follow Steps 1-3 in the dialog:
    • Create Service Principal using the provided Azure CLI command
    • Assign roles using the provided commands (replace placeholders)
    • Enter credentials: Tenant ID, Service Principal App ID, and Client Secret
  4. Click Connect Azure to complete the connection

What the Service Principal Needs

The Service Principal is granted the following read-only RBAC roles at the subscription scope:
RolePurposePermissions
ReaderRead all Azure resources*/read
Cost Management ReaderAccess cost and billing dataMicrosoft.Consumption/*/read, Microsoft.CostManagement/*/read
Advisor Reviews ReaderAccess Azure Advisor recommendationsMicrosoft.Advisor/*/read

Troubleshooting

Common causes:
  1. Wrong tenant ID - Verify you’re using the correct Directory (tenant) ID
  2. Wrong client ID - Check the Application (client) ID matches your app registration
  3. Wrong client secret - The secret may have expired or been regenerated
  4. Secret expired - Create a new client secret and update it in Yasu
Solution:
# Verify credentials work
az login --service-principal \
  --username {client-id} \
  --password {client-secret} \
  --tenant {tenant-id}

# If failed, reset credentials
az ad app credential reset --id {client-id}
What to check:
  1. Missing role assignments - Verify all three roles are assigned (Reader, Cost Management Reader, Advisor Reviews Reader)
  2. Role propagation delay - Azure role assignments can take up to 5 minutes to propagate
  3. Wrong scope - Ensure roles are assigned at the Subscription level, not Resource Group level
Solution:
# Check current role assignments
az role assignment list --assignee {client-id} --all

# Add missing role
az role assignment create \
  --assignee {client-id} \
  --role "Cost Management Reader" \
  --scope "/subscriptions/{subscription-id}"

# Wait 5 minutes for propagation
What to check:
  1. Wrong subscription ID - Verify the subscription ID is correct
  2. Service Principal not granted access - The SP needs Reader role at subscription scope
  3. Subscription disabled - Check subscription state in Azure Portal
Solution:
# List available subscriptions
az account list --output table

# Verify subscription exists and is enabled
az account show --subscription {subscription-id}

# Grant access to subscription
az role assignment create \
  --assignee {client-id} \
  --role "Reader" \
  --scope "/subscriptions/{subscription-id}"
What to check:
  1. Cost Management API access - Verify Cost Management Reader role is assigned at subscription scope
  2. Data delay - Cost data may take 24-48 hours to appear after first connection
  3. Subscription billing - Ensure the subscription has active billing and resources
  4. Role propagation - Wait 5 minutes after assigning roles before testing the connection
Solution:
  • Verify Cost Management Reader role is assigned at the subscription level
  • Wait 24-48 hours for initial cost data sync
  • Check that the subscription has incurred charges (not in free/trial period)
  • For organization-wide cost visibility, consider using the MCA/EA/CSP setup guides
What it means: Too many API calls in a short time period.Solution:
  • Yasu automatically implements exponential backoff
  • Large subscriptions may take longer to fully scan
  • Wait for the full sync cycle (up to 6 hours for large subscriptions)
What to do:
  1. Create a new client secret in Azure Portal (App Registration → Certificates & secrets)
  2. Update the secret in Yasu before the old one expires:
    • Go to SettingsIntegrations → Your Azure connection
    • Click Update Client Secret or Retry connection
    • Enter the new secret value along with Tenant ID and Client ID
    • Save changes
Important: Update the secret at least 30 days before expiration to avoid service interruption.
What it means: Cost data may take time to appear after connecting.Common causes:
  • Cost data typically takes 24-48 hours to appear after subscription creation
  • Cost Management API may require additional time for first-time access
  • Subscription may not have incurred any charges yet
Solution:
  • Wait 24-48 hours after connecting for initial cost data sync
  • Verify the subscription has active resources and billing activity
  • Check that Cost Management Reader role is correctly assigned at subscription scope
  • Ensure the subscription is not in a trial or free tier period

Done!

That’s it! You have successfully connected your Azure account to Yasu. Once verified, Yasu will start analyzing your Azure billing, resource usage, and performance metrics to provide optimization insights.