Frequently Asked Questions (FAQ)

Answers to common questions regarding the architecture, security, and implementation of the OneLens Azure integration.

What Azure scopes do you support for onboarding?

We support onboarding at the Management Group, Subscription, and Resource Group levels.

  • Documentation: Please select the specific onboarding guide for your chosen scope (Management Group, Subscription, or Resource Group) available in this documentation section, as the RBAC inheritance and specific steps vary slightly for each.

  • Recommendation: For organizations with multiple subscriptions, we strongly recommend the Management Group level to centralize exports and simplify permission management.

What is the high-level architecture of this integration?

The integration follows a passive, read-only architecture using Azure Cost Management Exports.

  • Data Flow: Azure writes billing data (Parquet format) to a Storage Account in your tenant. OneLens ingests this data securely.

  • Resource Impact: Zero. The integration operates asynchronously on billing data and does not touch your production compute or databases.

What specific permissions does OneLens require?

We adhere to Least Privilege. We do not require Contributor or Owner access for the integration at any scope.

IAM Role                   Scope                              Assignee                          Purpose
Reader                     Target scope*                      App Registration, External User   Read resource metadata.
Cost Management Reader     Target scope*                      App Registration, External User   Read cost analysis data.
Billing Reader             Management Group or Subscription   App Registration                  Read invoice and billing data (for EA).
Billing Account Reader     Billing account                    App Registration                  Read billing data (for MCA/MOSP).
Storage Blob Data Reader   Storage account                    App Registration, External User   Read exported cost report data.

* Target scope: the scope chosen for onboarding (Management Group, Subscription, or Resource Group).
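A way to verify that the integration identities really hold only the roles in the table above (added example, not OneLens code): it reads the JSON that `az role assignment list --all -o json` produces and flags any assignment outside the documented set. The principal names, subscription ID and storage account path below are constructed placeholders.

```python
"""Least-privilege audit of Azure role assignments for the OneLens identities.
Added example; the sample assignments are constructed, not real tenant data."""
import json

# Roles the FAQ documents as required; anything else on these principals is a finding.
ALLOWED_ROLES = {
    "Reader",
    "Cost Management Reader",
    "Billing Reader",
    "Billing Account Reader",
    "Storage Blob Data Reader",
}
# Roles the FAQ says are never required; treated as high severity if present.
FORBIDDEN_ROLES = {"Owner", "Contributor", "User Access Administrator"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
# Constructed sample in the shape of `az role assignment list --all -o json`
# (only the fields this check uses).
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "onelens-sa", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "onelens-sa", "roleDefinitionName": "Storage Blob Data Reader",
     "scope": SUB + "/resourceGroups/rg-billing/providers/Microsoft.Storage/storageAccounts/stcost"},
    {"principalName": "onelens-sa", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "onelens-support@example.com", "roleDefinitionName": "Cost Management Reader",
     "scope": SUB},
    {"principalName": "some-other-app", "roleDefinitionName": "Owner", "scope": SUB},
])


def audit_assignments(assignments_json: str, principals: set) -> list:
    """Return one finding per assignment on `principals` whose role is not in
    ALLOWED_ROLES; severity is 'high' for FORBIDDEN_ROLES, else 'medium'."""
    findings = []
    for a in json.loads(assignments_json):
        if a.get("principalName") not in principals:
            continue  # identities outside the integration are not this check's concern
        role = a.get("roleDefinitionName", "")
        if role in ALLOWED_ROLES:
            continue
        findings.append({
            "principal": a["principalName"],
            "role": role,
            "scope": a.get("scope", ""),
            "severity": "high" if role in FORBIDDEN_ROLES else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in audit_assignments(SAMPLE_ASSIGNMENTS, {"onelens-sa", "onelens-support@example.com"}):
        print(f"[{f['severity']}] {f['principal']} has {f['role']} at {f['scope']}")
```

Run it against real output by replacing SAMPLE_ASSIGNMENTS with the file produced by the `az` command; the sample above yields one high-severity finding for the Contributor assignment.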

Can we use a Managed Identity instead of an App Registration?

Currently, the integration requires an App Registration with a Client Secret because the OneLens platform resides outside your Azure Tenant (multi-tenant SaaS).

  • Security Note: Managed Identities are typically restricted to Azure-to-Azure resources within the same tenant. For cross-tenant access, an App Registration is the standard secure pattern, recommended by Microsoft. We set a safe rotation policy for the Client Secret (every 90 days).

What if we have a third-party billing partner (CSP) and do not have the Billing Account Owner role?

If you purchase Azure through a CSP or MSP, you likely do not have permissions at the Billing Account scope.

  • Action: You can ask your billing partner to assign your user the Billing Account Owner role so that you can perform the integration. Alternatively, the billing partner can directly assign the Billing Account Viewer roles to our App Registration and External User at the agreed scope.

With the Reader role, are you able to access sensitive data?

No. The Reader role is strictly a Control Plane permission.

  • What it allows: Viewing resource metadata (e.g., "There is a VM named 'production-db' with 4 vCPUs"). This is essential for us to map costs to specific resources and generate rightsizing recommendations.

  • What it does NOT allow: It does not grant access to the Data Plane. We cannot read the files inside your Storage Accounts (except the specific billing container), we cannot view rows in your SQL databases, and we cannot access secrets in your Key Vaults.

Why do we need to invite an external user?

The external user ([email protected]) allows our support and engineering team to debug ingestion issues and validate configuration without requiring shared credentials. This user is assigned strictly read-only roles (Reader, Cost Management Reader, Storage Blob Data Reader).

Does the "Allow" network rule on the Storage Account expose our data?

No. The command az storage account update --default-action Allow permits network connectivity but does not bypass authentication.

  • Security Layer: Access is still strictly controlled via RBAC (Identity). Only entities with the Storage Blob Data Reader role (like our App Registration) can read the data. Anonymous access is explicitly disabled on the container.
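A check for the claim above (added example, not OneLens code): given the JSON from `az storage account show` and `az storage container list`, it confirms that a `defaultAction` of Allow is backed only by authenticated access, i.e. anonymous blob access is off at account and container level and traffic is HTTPS-only. The account and container names are constructed.

```python
"""Verify that an 'Allow' network rule on the export storage account still
relies on RBAC only. Added example; the sample JSON is constructed."""
import json

# Constructed subset of `az storage account show -o json`.
SAMPLE_ACCOUNT = json.dumps({
    "name": "stcostexports",
    "allowBlobPublicAccess": False,          # no anonymous container/blob reads
    "networkRuleSet": {"defaultAction": "Allow"},
    "enableHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2",
})
# Constructed subset of `az storage container list -o json`.
SAMPLE_CONTAINERS = json.dumps([
    {"name": "billing-exports", "properties": {"publicAccess": None}},
])


def check_storage_exposure(account_json: str, containers_json: str) -> list:
    """Return a list of issues; an empty list means network 'Allow' only
    grants connectivity and every read still needs an authenticated identity."""
    acct = json.loads(account_json)
    issues = []
    if acct.get("allowBlobPublicAccess", True):
        issues.append("allowBlobPublicAccess is true: anonymous reads possible")
    if not acct.get("enableHttpsTrafficOnly", False):
        issues.append("enableHttpsTrafficOnly is false")
    if acct.get("minimumTlsVersion") != "TLS1_2":
        issues.append(f"minimumTlsVersion is {acct.get('minimumTlsVersion')}, expected TLS1_2")
    for c in json.loads(containers_json):
        public = c.get("properties", {}).get("publicAccess")
        if public:  # 'blob' or 'container' would allow unauthenticated listing/reads
            issues.append(f"container {c['name']} has publicAccess={public}")
    return issues


if __name__ == "__main__":
    problems = check_storage_exposure(SAMPLE_ACCOUNT, SAMPLE_CONTAINERS)
    print("ok: access is identity-controlled" if not problems else "\n".join(problems))
```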

Why is "Overwrite data" enabled in the cost export?

Azure Cost Management data is cumulative for the current month and can change daily (due to reservation applications or late-arriving usage).

  • Reason: Enabling "Overwrite" ensures that the daily export updates the existing file for the current month (e.g., 2023-10-01_2023-10-31) rather than creating dozens of fragmented files (e.g., _v1, _v2) for the same period.

  • Benefit: This ensures data consistency, prevents duplicate processing, and significantly reduces storage costs in your account.

Why are we creating two exports (actual and amortized)?

  • Actual Cost: Reconciles with your invoice.

  • Amortized Cost: Smooths out Reservation (RI) and Savings Plan purchases to show daily effective burn rates.

  • OneLens Requirement: We require the combined cost and usage dataset (actual + amortized) to provide accurate recommendations.

Which Resource Providers must be registered before starting the integration?

Before starting, ensure the following are registered on the target subscriptions:

  1. Microsoft.CostManagementExports

  2. Microsoft.CostManagement

  3. Microsoft.Billing

  4. Microsoft.Storage

  5. Microsoft.ContainerService (if onboarding AKS)

  6. Microsoft.Insights (if onboarding AKS)

How do we handle Kubernetes (AKS) cost visibility?

Azure does not break down AKS costs by default. You must enable Cost Analysis on your clusters.

  • Requirement: Clusters must be on Standard or Premium tier (Free tier is not supported).

  • Command: az aks update --resource-group <rg_name> --name <cluster_name> --enable-cost-analysis

  • Bulk Enable: We provide a loop script to enable this for all clusters in a resource group; it is available in the relevant section of this documentation.

How are tags handled?

We rely on Azure's Tag Inheritance to ensure costs are properly attributed. You should enable Tag Inheritance at the Billing Account or Subscription level so that resource group tags automatically flow down to the child resources and usage records.

How do we rotate credentials for the App Registration?

  1. Generate a new Client Secret in the onelens-sa App Registration.

  2. Share the new Client Secret ID and Value with the OneLens integration team over a secure, encrypted channel such as encrypted email.

  3. Delete the old secret onelens-secret from Azure.

Our team will reach out to you for routine secret rotation as well as in the scenario of secret exposure.
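A helper for the rotation schedule described above (added example, not OneLens code): it reads the JSON from `az ad app credential list` for the App Registration and reports which secrets are older than the 90-day policy or close to expiry. The secret names, key IDs and dates are constructed.

```python
"""Report App Registration client secrets against the 90-day rotation policy.
Added example; the credential list below is constructed sample data."""
import json
from datetime import datetime, timedelta, timezone

ROTATION_DAYS = 90  # rotation interval stated in this FAQ

# Constructed subset of `az ad app credential list --id <app-id> -o json`.
SAMPLE_CREDENTIALS = json.dumps([
    {"displayName": "onelens-secret", "keyId": "11111111-1111-1111-1111-111111111111",
     "startDateTime": "2024-01-10T00:00:00Z", "endDateTime": "2024-07-08T00:00:00Z"},
    {"displayName": "onelens-secret-2", "keyId": "22222222-2222-2222-2222-222222222222",
     "startDateTime": "2024-04-01T00:00:00Z", "endDateTime": "2024-09-28T00:00:00Z"},
])


def _parse(ts: str) -> datetime:
    # Microsoft Graph returns RFC 3339 timestamps with a trailing Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def rotation_report(credentials_json: str, now: datetime, warn_days: int = 14) -> list:
    """One entry per secret: its age, whether it is past ROTATION_DAYS,
    whether it expires within warn_days, and whether it is already expired."""
    report = []
    for c in json.loads(credentials_json):
        start, end = _parse(c["startDateTime"]), _parse(c["endDateTime"])
        age = (now - start).days
        report.append({
            "name": c["displayName"],
            "keyId": c["keyId"],
            "age_days": age,
            "rotate": age > ROTATION_DAYS,
            "expiring_soon": end <= now + timedelta(days=warn_days),
            "expired": end <= now,
        })
    return report


if __name__ == "__main__":
    now = datetime(2024, 4, 20, tzinfo=timezone.utc)  # fixed so the sample is reproducible
    for r in rotation_report(SAMPLE_CREDENTIALS, now):
        status = "ROTATE" if r["rotate"] else "ok"
        print(f"{r['name']} ({r['keyId']}): {r['age_days']} days old -> {status}")
```

Once a replacement secret has been generated and shared (steps 1 and 2 above), the entry for the old secret is the one to delete in step 3; keyId identifies it unambiguously.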

What is the cost incurred for this setup?

The analysis below gives approximate costs for the setup in the South India region.

Component                 $5K/month spend   $50K/month spend   $500K/month spend   $5M/month spend
Storage                   ~$0.01            ~$0.06             ~$0.65              ~$6.50
Write Operations          ~$0.01            ~$0.05             ~$0.50              ~$5.00
Read Operations           ~$0.01            ~$0.01             ~$0.10              ~$1.00
Cost Management Export    Free              Free               Free                Free
Total cost per month      ~$0.03            ~$0.12             ~$1.25              ~$12.50

Rates and references:

Metric                       South India Region Rate (in USD)
Standard Hot LRS Capacity    $0.019 per GB/month
Write Operations             $0.05 per 10,000
Read Operations              $0.004 per 10,000
Cost Management Export       $0.00 (free service)
Intra-region transfer        $0.00 (free, since all resources are in South India)
