Connecting Azure Subscriptions

CostBeacon needs read-only access to your Azure subscriptions to analyze costs and resources.

Prerequisites

  • An Azure subscription you want to analyze
  • Permission to create app registrations in Azure Entra ID (Azure AD)
  • Permission to assign RBAC roles on the subscription

Step 1: Create an App Registration

  1. Go to Azure Portal → Azure Active Directory → App registrations
  2. Click + New registration
  3. Name it something like CostBeacon-Reader
  4. Leave the redirect URI empty and click Register
  5. Note the Application (client) ID and Directory (tenant) ID

Step 2: Create a Client Secret

  1. In your app registration, go to Certificates & secrets
  2. Click + New client secret
  3. Set an expiration (we recommend 12 months)
  4. Copy the secret value immediately — it won't be shown again
  5. Store the secret securely in Azure Key Vault (recommended)

Step 3: Assign Reader Access

  1. Go to your Azure Subscription → Access control (IAM)
  2. Click + Add role assignment
  3. Select the Reader role
  4. Search for your app registration name (e.g., CostBeacon-Reader)
  5. Click Review + assign

Important: CostBeacon only needs Reader access. We will never modify, create, or delete resources in your subscription unless you explicitly enable and authorize automation features.

Step 4: Add the Connection in CostBeacon

  1. In CostBeacon, go to Azure Connections → + New Connection
  2. Enter a friendly name (e.g., "Production Subscription")
  3. Enter the Tenant ID and Client ID from Step 1
  4. Select the auth mode and provide the client secret (or Key Vault reference)
  5. Click Save — CostBeacon will validate the connection

Troubleshooting

Connection shows "Invalid"

  • Verify the client ID and tenant ID are correct
  • Check that the client secret hasn't expired
  • Ensure the app registration has Reader access on the subscription

No subscriptions discovered

  • The Reader role must be assigned at the subscription level, not just the resource group
  • Run a scan manually from the Scan Jobs page after connecting
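
To check the Step 3 assignment against the two scope problems above, the following added example (not CostBeacon's own code) audits the role assignments held by the app registration. It assumes the input has the shape produced by `az role assignment list --assignee <client-id> --all -o json`; the embedded sample is constructed, and its subscription IDs and the resource group name are placeholders.

```python
import json
import re

# Constructed sample, trimmed to the two fields used here. In practice, feed in
# the JSON from: az role assignment list --assignee <client-id> --all -o json
SAMPLE = json.loads("""
[
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg-app"},
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"}
]
""")

# Group 1 is the subscription ID; group 2 is set when the scope goes deeper
# than the subscription (resource group or single resource).
SUB_RE = re.compile(r"^/subscriptions/([^/]+)(/.*)?$", re.IGNORECASE)


def audit(assignments):
    """Return (subscriptions covered by Reader at subscription scope, findings)."""
    covered, findings = set(), []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"].rstrip("/")
        m = SUB_RE.match(scope)
        if role != "Reader":
            # Anything beyond Reader is more access than the connection needs.
            findings.append(("excess-role", role, scope))
        elif m is None:
            # Management group or root scope: Reader is inherited more widely.
            findings.append(("broader-than-subscription", role, scope))
        elif m.group(2):
            # Resource-group-only Reader: the "No subscriptions discovered" case.
            findings.append(("narrower-than-subscription", role, scope))
        else:
            covered.add(m.group(1).lower())
    return covered, sorted(findings)


if __name__ == "__main__":
    covered, findings = audit(SAMPLE)
    print("Reader at subscription scope:", sorted(covered))
    for kind, role, scope in findings:
        print(f"{kind}: {role} on {scope}")
```

A clean result is one entry per connected subscription in the covered set and an empty findings list.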