Connect your Azure account to Yasu by creating a Service Principal with read-only permissions. This enables Yasu to analyze your cloud costs and provide optimization recommendations.
Security First: Yasu uses a Service Principal with read-only permissions. We cannot modify, create, or delete any Azure resources.

Subscription-Level Setup (All Billing Account Types)

This guide covers connecting Azure subscriptions to Yasu using subscription-level RBAC roles. This setup method works for all Azure billing account types, including:
  • Pay as You Go (Individual subscriptions)
  • Microsoft Customer Agreement (MCA)
  • Enterprise Agreement (EA)
  • Azure Cloud Solution Provider (CSP)
Universal Setup: Subscription-level RBAC roles provide access to cost data and resources for all billing account types. Simply create a Service Principal and assign roles at the subscription scope - no billing account ID or enrollment number is required.

Prerequisites

Before connecting your Azure account, ensure you have:
  • Administrative access to your Azure subscription (or permissions to create Service Principals and assign RBAC roles)
  • Subscription Owner or User Access Administrator role to assign permissions
  • Access to Azure Portal or Azure CLI
  • PowerShell or Azure CLI installed (for automated setup)

Quick Setup via Azure CLI

The fastest way to connect your Azure account is through Azure CLI commands.
1

Open Azure Connection Dialog

  1. Log in to your Yasu dashboard at app.yasu.cloud
  2. Create a workspace (if you haven’t already):
    • After logging in, you’ll be prompted to create a new workspace
    • Enter your workspace name and click Create
    • You’ll be redirected to the Onboarding page
  3. On the Onboarding page, click the Connect button next to Azure
This opens the Azure connection dialog with step-by-step instructions.
2

Step 1: Create Service Principal

In the dialog, you’ll see an Azure CLI command to create a Service Principal:
  1. Copy the command from the dialog (it will be pre-filled with your account ID)
  2. Open Azure Cloud Shell (recommended) or your local terminal with Azure CLI installed
  3. Paste and run the command
The command will create a Service Principal named yasu-cost-optimizer-{your-account-id} and output:
  • appId (Client ID)
  • password (Client Secret)
  • tenant (Tenant ID)
Important: Save these credentials securely. The client secret will only be shown once.
3

Step 2: Assign Roles

The dialog shows three role assignment commands. For each subscription you want to connect:
  1. Copy each role assignment command from the dialog
  2. Replace placeholders:
    • Replace <APP_ID> with your appId from Step 1
    • Replace <SUB_ID> with your Azure subscription ID
  3. Run each command in Azure CLI:
    • Reader - Grants read access to subscription resources
    • Cost Management Reader - Grants access to view cost and billing data
    • Advisor Reviews Reader - Grants access to view Azure Advisor recommendations
Role assignments may take up to 5 minutes to propagate. Wait a few minutes before testing the connection.
4

Step 3: Enter Credentials

After completing Steps 1 and 2, enter your credentials in the dialog:
  1. Tenant ID - The tenant value from Step 1
  2. Service Principal App ID - The appId value from Step 1
  3. Client Secret - The password value from Step 1
  4. Click Connect Azure
The system will validate your credentials and test the connection.
5

Wait for Verification

Yasu will automatically verify your connection:
  • Authentication test - Verifies Service Principal credentials
  • Permission check - Confirms required roles are assigned
This typically takes 10-30 seconds. If validation fails, check your credentials and ensure role assignments have propagated (wait 5 minutes after assigning roles).
6

Connection Complete

Once verified, the dialog will close and you’ll see:
  • Azure connection: Active
  • Onboarding progress: Automatically advances to the next step
Your first cost-saving insights will appear within 5-10 minutes after connection.

Manual Setup via Azure Portal

If you prefer to set up the Service Principal manually through the Azure Portal:
1

Create Application Registration

  1. Navigate to Azure Portal → Microsoft Entra ID (Azure Active Directory)
  2. Go to App registrations → + New registration
  3. Set Name: yasu-cost-optimizer-{your-account-id}
  4. Select Accounts in this organizational directory only
  5. Click Register
  6. Copy the following values (you’ll need them later):
    • Application (client) ID
    • Directory (tenant) ID
2

Generate Client Secret

  1. In the app registration, go to Certificates & secrets
  2. Click + New client secret
  3. Enter a Description: Yasu Access Key
  4. Select Expires: Choose 24 months (recommended)
  5. Click Add
  6. Copy the secret Value immediately - it won’t be shown again
Important: If this secret expires, you’ll need to create a new one and update it in Yasu before expiration. Set a reminder for 30 days before expiration.
3

Assign RBAC Roles

The Service Principal needs the following roles at the Subscription scope:
  1. Navigate to Subscriptions → Select your subscription
  2. Go to Access control (IAM) → + Add → Add role assignment
  3. Assign each role one by one:
    Role 1: Reader
    • Role: Select Reader
    • Assign access to: User, group, or service principal
    • Select members: Search for and select your yasu-cost-optimizer-* app
    • Click Review + assign
    Role 2: Cost Management Reader
    • Repeat the process with Cost Management Reader role
    Role 3: Monitoring Reader
    • Repeat the process with Monitoring Reader role
Role assignments may take up to 5 minutes to propagate. Wait a few minutes before testing the connection.
4

Complete Connection in Yasu

  1. Return to the Onboarding page in Yasu
  2. Click Connect next to Azure to open the connection dialog
  3. Follow Steps 1-3 in the dialog:
    • Create Service Principal using the provided Azure CLI command
    • Assign roles using the provided commands (replace placeholders)
    • Enter credentials: Tenant ID, Service Principal App ID, and Client Secret
  4. Click Connect Azure to complete the connection

What the Service Principal Needs

The Service Principal is granted the following read-only RBAC roles at the subscription scope:
Role | Purpose | Permissions
Reader | Read all Azure resources | */read
Cost Management Reader | Access cost and billing data | Microsoft.Consumption/*/read, Microsoft.CostManagement/*/read
Advisor Reviews Reader | Access Azure Advisor recommendations | Microsoft.Advisor/*/read
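
To confirm that the Service Principal holds exactly the roles in the table above, at subscription scope and with nothing write-capable attached, the check below audits the output of az role assignment list. It is an added example, not Yasu's own tooling; the function names, the sample subscription ID and the rg-demo resource group are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Yasu's code): audit a Service Principal's assignments
# against the three read-only roles in the table above. Live input:
#   az role assignment list --assignee {client-id} --all \
#     --query "[].[roleDefinitionName, scope]" -o tsv | audit_roles {subscription-id}

REQUIRED_ROLES='Reader
Cost Management Reader
Advisor Reviews Reader'
SAMPLE_SUB='00000000-0000-0000-0000-000000000000'   # constructed subscription ID

# Constructed sample: one role at resource-group scope, one write-capable role.
sample_assignments() {
  printf 'Reader\t/subscriptions/%s\n' "$SAMPLE_SUB"
  printf 'Cost Management Reader\t/subscriptions/%s/resourceGroups/rg-demo\n' "$SAMPLE_SUB"
  printf 'Contributor\t/subscriptions/%s\n' "$SAMPLE_SUB"
}

# audit_roles SUB_ID: reads "role<TAB>scope" lines on stdin, prints one finding
# per line, returns 0 only if the assignments are exactly the required set.
audit_roles() {
  want="/subscriptions/$1"
  tab=$(printf '\t')
  seen=''
  findings=0
  while IFS="$tab" read -r role scope; do
    [ -n "$role" ] || continue
    if ! printf '%s\n' "$REQUIRED_ROLES" | grep -qxF -- "$role"; then
      echo "EXTRA: $role at $scope"; findings=1
    elif [ "$scope" != "$want" ]; then
      echo "WRONG_SCOPE: $role at $scope"; findings=1
    else
      seen="$seen$role
"
    fi
  done
  # Any required role not seen at the subscription scope is missing.
  while IFS= read -r role; do
    printf '%s' "$seen" | grep -qxF -- "$role" && continue
    echo "MISSING: $role at $want"; findings=1
  done <<EOF
$REQUIRED_ROLES
EOF
  return "$findings"
}

sample_assignments | audit_roles "$SAMPLE_SUB" || echo "Assignments deviate from the documented role set"
```

An EXTRA finding means the principal can do more than the read-only access this guide describes; remove that assignment before entering the credentials in Yasu.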

Troubleshooting

Common causes:
  1. Wrong tenant ID - Verify you’re using the correct Directory (tenant) ID
  2. Wrong client ID - Check the Application (client) ID matches your app registration
  3. Wrong client secret - The secret may have expired or been regenerated
  4. Secret expired - Create a new client secret and update it in Yasu
Solution:
# Verify credentials work
az login --service-principal \
  --username {client-id} \
  --password {client-secret} \
  --tenant {tenant-id}

# If failed, reset credentials
az ad app credential reset --id {client-id}
What to check:
  1. Missing role assignments - Verify all three roles are assigned (Reader, Cost Management Reader, Advisor Reviews Reader)
  2. Role propagation delay - Azure role assignments can take up to 5 minutes to propagate
  3. Wrong scope - Ensure roles are assigned at the Subscription level, not Resource Group level
Solution:
# Check current role assignments
az role assignment list --assignee {client-id} --all

# Add missing role
az role assignment create \
  --assignee {client-id} \
  --role "Cost Management Reader" \
  --scope "/subscriptions/{subscription-id}"

# Wait 5 minutes for propagation
What to check:
  1. Wrong subscription ID - Verify the subscription ID is correct
  2. Service Principal not granted access - The SP needs Reader role at subscription scope
  3. Subscription disabled - Check subscription state in Azure Portal
Solution:
# List available subscriptions
az account list --output table

# Verify subscription exists and is enabled
az account show --subscription {subscription-id}

# Grant access to subscription
az role assignment create \
  --assignee {client-id} \
  --role "Reader" \
  --scope "/subscriptions/{subscription-id}"
What to check:
  1. Cost Management API access - Verify Cost Management Reader role is assigned at subscription scope
  2. Data delay - Cost data may take 24-48 hours to appear after first connection
  3. Subscription billing - Ensure the subscription has active billing and resources
  4. Role propagation - Wait 5 minutes after assigning roles before testing the connection
Solution:
  • Verify Cost Management Reader role is assigned at the subscription level
  • Wait 24-48 hours for initial cost data sync
  • Check that the subscription has incurred charges (not in free/trial period)
  • For organization-wide cost visibility, consider using the MCA/EA/CSP setup guides
What it means: Too many API calls in a short time period.
Solution:
  • Yasu automatically implements exponential backoff
  • Large subscriptions may take longer to fully scan
  • Wait for the full sync cycle (up to 6 hours for large subscriptions)
What to do:
  1. Create a new client secret in Azure Portal (App Registration → Certificates & secrets)
  2. Update the secret in Yasu before the old one expires:
    • Go to Settings → Integrations → Your Azure connection
    • Click Update Client Secret or Retry connection
    • Enter the new secret value along with Tenant ID and Client ID
    • Save changes
Important: Update the secret at least 30 days before expiration to avoid service interruption.
What it means: Cost data may take time to appear after connecting.
Common causes:
  • Cost data typically takes 24-48 hours to appear after subscription creation
  • Cost Management API may require additional time for first-time access
  • Subscription may not have incurred any charges yet
Solution:
  • Wait 24-48 hours after connecting for initial cost data sync
  • Verify the subscription has active resources and billing activity
  • Check that Cost Management Reader role is correctly assigned at subscription scope
  • Ensure the subscription is not in a trial or free tier period

Done!

That’s it! You have successfully connected your Azure account to Yasu. Once verified, Yasu will start analyzing your Azure billing, resource usage, and performance metrics to provide optimization insights.