Limited IAM Permissions for an Azure Savings Analysis

To perform our Savings Analysis, we require limited IAM permissions on your Azure billing scope. We're firm believers in the security principle of least privilege, so our permission set includes the minimum amount of access we need to run our analysis and nothing more.

At no point in time do we have access to:

  • The Azure data plane (e.g., instances, clusters, containers)
  • The ability to manipulate the Azure control plane (e.g., start or terminate an instance, cluster, or task)
  • Your data, whether local or in a managed storage/datastore service 



ProsperOps requires the following Azure roles:

  • Enrollment Reader on the billing account (for Enterprise Agreements) or Billing Profile Reader on the billing profile (for Microsoft Customer Agreements)
    • Enable billing exports
    • Read aggregated compute service cost and usage history
  • Billing Reader on the root management group
    • Read hourly subscription cost and usage data
  • Owner on a dedicated ProsperOps billing export storage account 
    • Configure and read billing export data
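
One way to confirm that the access actually granted matches the list above. This is an added example, not ProsperOps code. It audits role assignments exported with `az role assignment list --all --assignee <id> -o json` and covers only the Billing Reader and Owner assignments; the billing-account roles are assumed to be checked separately. The principal ID, subscription, management group and storage account names are constructed placeholders.

```python
import json

# Constructed sample shaped like `az role assignment list --all --assignee <id> -o json`.
# Every GUID and resource name below is a placeholder.
PRINCIPAL = "11111111-1111-1111-1111-111111111111"
SUB = "/subscriptions/22222222-2222-2222-2222-222222222222"
ROOT_MG = ("/providers/Microsoft.Management/managementGroups/"
           "00000000-0000-0000-0000-000000000000")
EXPORT_SA = (SUB + "/resourceGroups/rg-billing-export"
             "/providers/Microsoft.Storage/storageAccounts/billingexport")

SAMPLE = json.dumps([
    {"principalId": PRINCIPAL, "roleDefinitionName": "Billing Reader", "scope": ROOT_MG},
    # Same storage account, different casing: must still be treated as expected.
    {"principalId": PRINCIPAL, "roleDefinitionName": "Owner",
     "scope": EXPORT_SA.replace("resourceGroups", "resourcegroups")},
    # Not on the documented list: should be reported.
    {"principalId": PRINCIPAL, "roleDefinitionName": "Contributor", "scope": SUB},
    # Belongs to another principal: ignored.
    {"principalId": "33333333-3333-3333-3333-333333333333",
     "roleDefinitionName": "Owner", "scope": SUB},
])

# Role name -> the single scope it may be granted at, per the list above.
EXPECTED = {"Billing Reader": ROOT_MG, "Owner": EXPORT_SA}


def norm(scope):
    """Azure resource IDs are case-insensitive; normalise before comparing."""
    return scope.rstrip("/").lower()


def audit(assignments, principal_id, expected):
    """Return (unexpected, missing) lists of (role, scope) for one principal."""
    allowed = {(role, norm(scope)) for role, scope in expected.items()}
    seen = {
        (a["roleDefinitionName"], norm(a["scope"]))
        for a in assignments
        if a["principalId"] == principal_id
    }
    return sorted(seen - allowed), sorted(allowed - seen)


if __name__ == "__main__":
    unexpected, missing = audit(json.loads(SAMPLE), PRINCIPAL, EXPECTED)
    for role, scope in unexpected:
        print(f"UNEXPECTED  {role} at {scope}")
    for role, scope in missing:
        print(f"MISSING     {role} at {scope}")
```

An Owner assignment at subscription or resource-group scope shows up as unexpected, because only the dedicated export storage account is an allowed scope for that role.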