Managed Discounts Connection Process — Azure
Purpose
To enable secure access to billing, usage, and optimization services in your Azure environment.
Who Needs to Attend
- A team member with Owner or User Access Administrator rights at the subscription or management group level.
- A team member who can:
  - Execute Azure CLI scripts.
  - Grant delegated consent to external applications.
  - Create App Registrations and Service Principals.
Capabilities Required
- Ability to assign roles (Reader, Billing Reader, Tag Contributor, Contributor) at the subscription or management group scope being connected.
- Ability to create and manage App Registrations.
- Ability to approve delegated permissions and consent flows.
Process Summary
Establishing the Azure connection involves two components, each with its own setup method:
1. Primary Connection (Script-Based)
You will run a provided Azure CLI script in your environment, under an identity that holds Owner or User Access Administrator at the target scope. This script will:
- Register an Azure AD (Microsoft Entra ID) application.
- Create a Service Principal for that application.
- Assign the roles below to the Service Principal at the subscription (or management group) scope the script is pointed at, so that billing and resource metadata can be read.
Roles Assigned by Script:
- Reader — read access to subscription resource metadata; no write actions.
- Billing Reader — read access to billing and usage data.
- Tag Contributor (optional) — write access to tags only, for automated tagging; it cannot create, modify or delete the tagged resources themselves.
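The following is an added example of the script-based connection, written for this page and not the vendor's own onboarding script. It assumes an Azure CLI session that is already logged in with Owner or User Access Administrator at the subscription, takes an app display name, a subscription id and an optional 1 for Tag Contributor, and with DRY_RUN=1 prints every az command instead of executing it so the exact role assignments can be reviewed first. The issue_client_secret function is an assumption about how the vendor authenticates (the page does not say); the display name and ids in the usage line are placeholders.

```shell
#!/usr/bin/env sh
# Added example (not the vendor's script): provision the script-based "primary connection".
# Inputs: app display name, subscription id, and 0/1 for the optional Tag Contributor role.
# Assumes an already logged-in Azure CLI. DRY_RUN=1 prints each az command instead of running it.
set -eu

TAGGING_ROLE="Tag Contributor"

# Execute a command, or print it when DRY_RUN=1 (review the exact calls before running them).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s ' "$@"; printf '\n'
  else
    "$@"
  fi
}

# RBAC scope for one subscription. Every assignment below is pinned here, never at the tenant root.
subscription_scope() {
  printf '/subscriptions/%s' "$1"
}

# The roles this page lists for the script-based connection; $1 = 1 adds the optional tagging role.
roles_to_assign() {
  printf 'Reader\nBilling Reader\n'
  if [ "${1:-0}" = "1" ]; then printf '%s\n' "$TAGGING_ROLE"; fi
}

# Assign each role to the service principal at subscription scope. Passing the object id plus
# the principal type avoids a directory lookup that can fail right after creation and makes
# explicit that the assignee is a service principal, not a user or group.
assign_roles() {
  sp_oid="$1"; scope=$(subscription_scope "$2"); with_tagging="${3:-0}"
  roles_to_assign "$with_tagging" | while IFS= read -r role; do
    run az role assignment create \
      --assignee-object-id "$sp_oid" \
      --assignee-principal-type ServicePrincipal \
      --role "$role" \
      --scope "$scope"
  done
}

# Assumption: the vendor authenticates with a client secret. Give it a one-year lifetime, hand it
# over on a secure channel (it is printed exactly once) and record the expiry for rotation.
issue_client_secret() {
  run az ad app credential reset --id "$1" --years 1 --query password -o tsv
}

# What the service principal actually holds, across all scopes: run after onboarding and on a schedule.
list_assignments() {
  run az role assignment list --assignee "$1" --all -o table
}

# Revocation: delete the assignments first (assignments left behind after the principal is gone
# show up as "Identity not found"), then the service principal and the app registration.
revoke_access() {
  run az role assignment delete --assignee "$1" --yes
  run az ad sp delete --id "$1"
  run az ad app delete --id "$2"
}

main() {
  name="$1"; sub="$2"; tagging="${3:-0}"
  app_id=$(run az ad app create --display-name "$name" --query appId -o tsv)
  sp_oid=$(run az ad sp create --id "$app_id" --query id -o tsv)
  assign_roles "$sp_oid" "$sub" "$tagging"
  list_assignments "$sp_oid"
  printf 'appId=%s spObjectId=%s\n' "$app_id" "$sp_oid"
}

# Usage: sh connect.sh "managed-discounts-reader" 00000000-0000-0000-0000-000000000000 [1]
# (placeholder name and subscription id). Set DRY_RUN=1 for a read-only preview of the calls.
if [ "$#" -ge 2 ]; then main "$@"; fi
```

Run it once with DRY_RUN=1 and keep the printed command list with the onboarding record; it is the complete statement of what the connection was granted, and revoke_access reverses it in the same order.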
2. Supplemental Connection (Consent to Optimization App)
You will grant delegated consent to an optimization application that purchases and manages discount instruments. Consent is typically given through the Azure Portal or a short consent link provided during onboarding. Consenting creates a service principal (an enterprise application) for the vendor's application in your tenant; the roles below are then assigned to that service principal at the subscription or management group scope you select.
Roles Assigned by Consent:
- Contributor — to purchase and manage Reserved Instances and Savings Plans (see the caveat under Permissions Required below: this role is broader than that use).
- Reader — to collect optimization data.
Permissions Required Across Both App Registrations
Read-only — billing, usage, and resource visibility
- Billing and usage data through Billing Reader.
- Subscription resource metadata through Reader.
Write (optional) — resource tagging
- Tag write access is configurable and limited to automation workflows; Tag Contributor grants writes to tags only, not to the resources they are attached to.
Purchase — discount instruments (Reservations, Savings Plans)
- Purchasing and managing Reservations and Savings Plans needs write rights that the read-only roles do not carry; this onboarding uses the built-in Contributor role for it.
- Caveat: Contributor is not a purchase-only role. At the scope where it is assigned it grants create, modify and delete on every resource type; the only things it excludes are role assignments (Microsoft.Authorization write and delete actions), Azure Blueprints assignments and image gallery sharing. The restriction to purchasing is therefore a property of what the optimization application does, not of what the role permits. If you need Azure to enforce the restriction, assign a custom role limited to the actions listed under Roles and Key Actions below, or the narrower built-in Reservation Purchaser role, in place of Contributor.
Neither application is intended to create, modify, or delete workloads, configurations, or customer-managed resources outside of purchasing and tagging. With the roles as listed, that intent is enforced for the script-based connection (Reader, Billing Reader and Tag Contributor cannot do it) and is a matter of application behaviour for the Contributor assignment.
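As an added example for this page, not part of the vendor's onboarding kit: a custom role definition that carries only the actions this page lists under Roles and Key Actions, created and assigned at subscription scope as a narrower replacement for Contributor on the optimization application's service principal. The role name is a placeholder. The action strings are copied from this page as written; the published_operations helper is there to confirm the concrete names against the resource provider's operation list before the role is created, and the list does not obviously include Savings Plan operations, so check that the application still works with it before removing Contributor.

```shell
#!/usr/bin/env sh
# Added example (not from this page's onboarding kit): a custom role holding only the actions
# listed under "Roles and Key Actions", as a narrower substitute for Contributor. ROLE_NAME is a
# placeholder; the action strings come from the page and must be verified before use.
set -eu

ROLE_NAME="Discount Purchaser (custom)"

# Emit the role definition in the format az role definition create accepts. AssignableScopes
# limits where the role can be granted at all; an empty NotActions keeps the definition
# auditable: what is listed is exactly what is allowed.
discount_purchaser_role_json() {
  cat <<EOF
{
  "Name": "$ROLE_NAME",
  "Description": "Read cost and consumption data; purchase and manage reservation orders.",
  "Actions": [
    "Microsoft.Consumption/*",
    "Microsoft.CostManagement/*",
    "Microsoft.Compute/reservationOrders/read",
    "Microsoft.Compute/reservationOrders/purchase/action",
    "Microsoft.Compute/reservationOrders/*"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/$1"]
}
EOF
}

# Print the provider's published operation names containing a keyword, e.g.
#   published_operations Microsoft.Compute reservationOrders
# so the concrete action names above can be confirmed (wildcard entries cannot be checked this way).
published_operations() {
  az provider operation show --namespace "$1" -o json \
    | grep -o "\"Microsoft\.[A-Za-z]*/[^\"]*$2[^\"]*\"" | sort -u
}

# Create the role, then assign it at subscription scope to the application's service principal
# in place of Contributor. The role id is the name; re-running create on an existing name fails,
# so use "az role definition update" for later changes.
create_and_assign() {
  sub="$1"; sp_oid="$2"
  discount_purchaser_role_json "$sub" > role.json
  az role definition create --role-definition @role.json
  az role assignment create --assignee-object-id "$sp_oid" --assignee-principal-type ServicePrincipal \
    --role "$ROLE_NAME" --scope "/subscriptions/$sub"
}

# Usage: sh discount_role.sh <subscription-id> <service-principal-object-id>  (placeholders)
if [ "$#" -eq 2 ]; then create_and_assign "$@"; fi
```

After the custom role is in place and the application has been exercised against it, delete the Contributor assignment with az role assignment delete; until then the broader role still applies alongside the narrower one.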
Roles and Key Actions
Roles assigned
- Reader
- Billing Reader
- Tag Contributor (optional)
- Contributor (used for discount purchases only; the role itself is broader)
Key actions used under the Contributor assignment
- Microsoft.Consumption/*
- Microsoft.CostManagement/*
- Microsoft.Compute/reservationOrders/purchase/action
- Microsoft.Compute/reservationOrders/read
- Microsoft.Compute/reservationOrders/*
These are the actions the optimization application exercises; they are a small subset of what Contributor grants. Verify each action name against the resource provider's published operation list before reusing it in a custom role definition.
Security Notes
- You retain full control over the roles, their scope, and the permissions granted; nothing in either connection can change its own role assignments.
- You can revoke access at any time: for the script-based connection, delete the role assignments for the service principal in the Azure Portal (Access control (IAM)) and then delete the service principal and app registration; for the optimization app, delete its role assignments and then remove the enterprise application that consent created in your tenant. Delete assignments before deleting a principal; assignments left behind show as "Identity not found" until they are cleaned up.
- Review the service principals' role assignments periodically and keep any client secret issued to the vendor on an expiry and rotation schedule.