To connect an Azure subscription to MontyCloud using your own Service Principal, you first create the Service Principal in Azure, give it the permissions MontyCloud needs, and create a secret for it.
This guide walks you through all three steps:
- Create the Service Principal (App Registration)
- Give it permissions on your subscription
- Create a secret for it
Once you finish, follow the companion guide "How to Find Your Azure Service Principal Details" to collect the four values and enter them into MontyCloud.
Before You Begin
You need:
- Access to the Azure Portal
- Permission to create App Registrations in your organization's directory (the Application Developer role or higher in Microsoft Entra ID)
- Permission to assign roles on the subscription you want to connect (the Owner or User Access Administrator role on that subscription)
The Service Principal and the subscription must be in the same organization (tenant). Create the Service Principal in the same directory that contains the subscription you plan to connect.
A note on names: Microsoft renamed Azure Active Directory to Microsoft Entra ID. They are the same service. Depending on when your portal was last updated, you may see either name — the steps below work for both.
Step 1 — Create the Service Principal (App Registration)
In Azure, you create a Service Principal by registering an application. Registering an application automatically creates an identity that MontyCloud can sign in as.
- Sign in to the Azure Portal.
- In the search bar at the top, type Microsoft Entra ID and select it.
- In the left-hand menu, select App registrations.
- Click + New registration.
- Enter a Name that you'll recognize later — for example, MontyCloud Onboarding.
- Under Supported account types, leave the default: Accounts in this organizational directory only.
- Leave Redirect URI blank — it isn't needed.
- Click Register.
Azure creates the application and opens its Overview page. Keep this page handy — you'll need it in the next steps.
Step 2 — Give the Service Principal Permissions
MontyCloud needs permission to create and manage a small set of resources in your subscription (for cost reporting and resource discovery). You grant these permissions by assigning a role to the Service Principal at the subscription level.
There are two ways to do this. Choose one.
Option A — Assign the Contributor role (simplest, recommended)
This is the easiest path and works for most customers. The Contributor role already includes everything MontyCloud needs.
- In the Azure Portal, search for Subscriptions and select the subscription you want to connect.
- In the left-hand menu, select Access control (IAM).
- Click + Add → Add role assignment.
- In the Role tab, search for and select Contributor. Click Next.
- In the Members tab, keep User, group, or service principal selected, then click + Select members.
- Search for the application name you created in Step 1 (e.g., MontyCloud Onboarding), select it, and click Select.
- Click Review + assign, then Review + assign again to confirm.
That's it — skip Option B and go to Step 3.
Prefer to use Owner instead? Owner also works and includes everything Contributor does. Use whichever your organization's policy allows.
Option B — Create a custom role with only the required permissions (least privilege)
If your organization's security policy requires granting the minimum permissions necessary, create a custom role with exactly the permissions MontyCloud uses — nothing more.
2B.1 — Create the custom role
- In the Azure Portal, search for Subscriptions and select the subscription you want to connect.
- In the left-hand menu, select Access control (IAM).
- Click + Add → Add custom role.
- Enter a Custom role name — for example, MontyCloud Onboarding.
- Select the JSON tab, click Edit, and replace the actions and assignableScopes sections with the values below. Replace `<your-subscription-id>` with your actual Subscription ID.
```json
{
  "Name": "MontyCloud Onboarding",
  "Description": "Permissions MontyCloud needs to onboard and operate this subscription.",
  "Actions": [
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/write",
    "Microsoft.Resources/subscriptions/resourceGroups/delete",
    "Microsoft.Resources/subscriptions/resourceProviders/register/action",
    "Microsoft.Resources/tags/write",
    "Microsoft.Resources/tags/delete",
    "Microsoft.Authorization/*/read",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/listAccountSas/action",
    "Microsoft.Storage/storageAccounts/blobServices/read",
    "Microsoft.Storage/storageAccounts/blobServices/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
    "Microsoft.EventGrid/systemTopics/read",
    "Microsoft.EventGrid/systemTopics/write",
    "Microsoft.EventGrid/systemTopics/delete",
    "Microsoft.EventGrid/systemTopics/eventSubscriptions/read",
    "Microsoft.EventGrid/systemTopics/eventSubscriptions/write",
    "Microsoft.EventGrid/systemTopics/eventSubscriptions/delete",
    "Microsoft.CostManagement/query/*",
    "Microsoft.CostManagement/exports/read",
    "Microsoft.CostManagement/exports/write",
    "Microsoft.CostManagement/exports/action",
    "Microsoft.CostManagement/exports/run/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/<your-subscription-id>"
  ]
}
```
- Click Save, then Review + create, then Create.
What these permissions are for:
| Permission group | What MontyCloud uses it for |
| --- | --- |
| Resource groups (read / write / delete) | Create and later clean up the resource group that holds MontyCloud's resources |
| Subscription read | Read basic subscription details |
| Resource provider registration | Turn on the Azure services MontyCloud relies on |
| Tags (write / delete) | Tag MontyCloud-created resources so they're easy to identify |
| Authorization read | Read role information needed for some checks |
| Storage accounts + blobs | Create and read the storage that holds your cost reports |
| Event Grid system topics | Detect resource changes and new cost files in near real time |
| Cost Management | Read cost data and set up the cost export |
Advanced (Azure CLI): If you prefer the command line, you can create the same role with `az role definition create --role-definition <file.json>` using the JSON above. Then assign it with `az role assignment create`.
2B.2 — Assign the custom role to your Service Principal
- Still in the subscription's Access control (IAM) page, click + Add → Add role assignment.
- In the Role tab, find and select the custom role you just created (MontyCloud Onboarding). Click Next.
- In the Members tab, click + Select members, search for your application (e.g., MontyCloud Onboarding), select it, and click Select.
- Click Review + assign, then confirm.
Note: It can take a minute or two for a new role assignment to take effect across Azure. If validation in MontyCloud fails right after assigning, wait a moment and try again.
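If validation still fails after the wait, the two things worth checking are the ones listed in Troubleshooting: every action from the JSON above was actually saved into the role, and the assignment sits on the subscription rather than on a resource group. The script below is an added example written for this guide, not MontyCloud's own tooling. It reads role and assignment data in the shape that `az role definition list` and `az role assignment list` print (that shape is an assumption of the example; the sample data is constructed with placeholder IDs) and reports any required action the role does not grant plus any assignment that is not at subscription scope. It goes a little beyond the custom role: because Azure RBAC treats `*` in an Actions or NotActions entry as a wildcard that can span `/` segments, the same check tells you whether a built-in role such as Contributor (Option A) covers the list.

```python
"""Added example for this guide (not MontyCloud's code): check that the role granted to the
Service Principal covers every action in the Option B custom role JSON and that the role is
assigned at subscription scope. Input dicts follow the shape `az role definition list` and
`az role assignment list` print (assumed here); the sample data at the bottom is constructed."""
import re

# Actions copied from the custom role JSON in Option B of this guide.
REQUIRED_ACTIONS = [
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/write",
    "Microsoft.Resources/subscriptions/resourceGroups/delete",
    "Microsoft.Resources/subscriptions/resourceProviders/register/action",
    "Microsoft.Resources/tags/write",
    "Microsoft.Resources/tags/delete",
    "Microsoft.Authorization/*/read",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/listAccountSas/action",
    "Microsoft.Storage/storageAccounts/blobServices/read",
    "Microsoft.Storage/storageAccounts/blobServices/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
    "Microsoft.EventGrid/systemTopics/read",
    "Microsoft.EventGrid/systemTopics/write",
    "Microsoft.EventGrid/systemTopics/delete",
    "Microsoft.EventGrid/systemTopics/eventSubscriptions/read",
    "Microsoft.EventGrid/systemTopics/eventSubscriptions/write",
    "Microsoft.EventGrid/systemTopics/eventSubscriptions/delete",
    "Microsoft.CostManagement/query/*",
    "Microsoft.CostManagement/exports/read",
    "Microsoft.CostManagement/exports/write",
    "Microsoft.CostManagement/exports/action",
    "Microsoft.CostManagement/exports/run/action",
]

def action_matches(pattern, action):
    """Azure RBAC matching: '*' in a role entry matches any text, '/' included; case-insensitive.
    A required action that itself contains '*' is compared as written, as a copied role stores it."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None

def role_grants(role, action):
    """Granted when an Actions entry matches and no NotActions entry takes it back."""
    for perm in role["permissions"]:
        allowed = any(action_matches(p, action) for p in perm.get("actions", []))
        denied = any(action_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False

def missing_actions(role, required=REQUIRED_ACTIONS):
    """Required actions the role does not grant; an empty list means the role is sufficient."""
    return [a for a in required if not role_grants(role, a)]

def assignment_problems(assignments, principal_object_id, role_name, subscription_id):
    """The role must be assigned to the Service Principal (principalId is its object ID)
    at the subscription itself, not only at a resource group."""
    wanted = f"/subscriptions/{subscription_id}".lower()
    mine = [a for a in assignments if a["principalId"].lower() == principal_object_id.lower()
            and a["roleDefinitionName"].lower() == role_name.lower()]
    if not mine:
        return [f"no assignment of '{role_name}' found for principal {principal_object_id}"]
    if any(a["scope"].lower() == wanted for a in mine):
        return []
    return [f"'{role_name}' is assigned at {a['scope']}, not at {wanted}" for a in mine]

def report(role, assignments, principal_object_id, subscription_id):
    """One line per finding; an empty list means both checks passed."""
    findings = [f"missing action: {a}" for a in missing_actions(role)]
    return findings + assignment_problems(assignments, principal_object_id,
                                          role["roleName"], subscription_id)

# Constructed sample data with placeholder IDs, shaped like az CLI output.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
PRINCIPAL_OBJECT_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_CUSTOM_ROLE = {"roleName": "MontyCloud Onboarding", "roleType": "CustomRole",
                      "permissions": [{"actions": list(REQUIRED_ACTIONS), "notActions": []}],
                      "assignableScopes": [f"/subscriptions/{SUBSCRIPTION_ID}"]}
# Shaped like the built-in Contributor role ('*' minus NotActions); the real NotActions list is longer.
SAMPLE_CONTRIBUTOR_LIKE = {"roleName": "Contributor", "roleType": "BuiltInRole",
                           "permissions": [{"actions": ["*"], "notActions": [
                               "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
                               "Microsoft.Authorization/elevateAccess/Action"]}]}
SAMPLE_ASSIGNMENTS = [
    {"principalId": PRINCIPAL_OBJECT_ID, "roleDefinitionName": "MontyCloud Onboarding",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
    {"principalId": PRINCIPAL_OBJECT_ID, "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-example"}]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CUSTOM_ROLE, SAMPLE_ASSIGNMENTS, PRINCIPAL_OBJECT_ID,
                           SUBSCRIPTION_ID)) or "all checks passed")
```

To run it against a real subscription, save the output of `az role definition list --name "MontyCloud Onboarding"` (take the first element of the list) and `az role assignment list --all --assignee <object-id>` to files, load them with `json.load`, and pass them to `report`. The object ID is the Service Principal's, not the application (client) ID; the two differ, and a role assignment is always recorded against the object ID.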
Step 3 — Create a Secret
The secret is the password MontyCloud uses to sign in as your Service Principal.
- In the Azure Portal, go to Microsoft Entra ID → App registrations → select your application.
- In the left-hand menu, select Certificates & secrets.
- Open the Client secrets tab.
- Click + New client secret.
- Enter a Description — for example, MontyCloud onboarding.
- Choose an expiry period (Azure offers 6, 12, or 24 months, or a custom period). MontyCloud will remind you before it expires so you can update it in time.
- Click Add.
- The new secret appears in the list. Copy the value from the *Value* column right away and save it somewhere safe.
Important: copy the secret value immediately. Azure shows the secret value only once — right after you create it. If you leave this page without copying it, the value is hidden for good and you'll have to create another secret.
What's Next?
You now have a Service Principal with the right permissions and a secret. Next:
- Open the companion guide "How to Find Your Azure Service Principal Details."
- Collect the four values: Azure Tenant ID, Service Principal ID, Service Principal Secret, and Service Principal Secret Expiry Date.
- Enter them on the Service Principal Details step of the MontyCloud Connect Subscription wizard, and click Validate Credentials.
Keep your Service Principal in place while connected. MontyCloud uses it for ongoing operations. If you delete the Service Principal or let its secret expire, MontyCloud loses access to the subscription until you provide a new secret. You stay in full control of the Service Principal at all times — MontyCloud never modifies or deletes it.
Troubleshooting
"I don't see *App registrations* in the menu." - You need the Application Developer role (or higher) in Microsoft Entra ID. Ask your Azure administrator to grant it.
"I can't add a role assignment on the subscription." - You need the Owner or User Access Administrator role on the subscription. Ask your Azure administrator to assign the role for you, or to grant you access.
"MontyCloud says permissions are missing, even though I assigned a role."
- A new role assignment can take a minute or two to take effect. Wait a moment and click Validate Credentials again.
- Confirm you assigned the role at the subscription level (not at a resource group).
- If you used a custom role, make sure all the actions in the JSON above were saved.
"Which is better — Contributor or the custom role?" - Both work. Contributor is simpler and fine for most customers. The custom role grants only the specific permissions MontyCloud uses, which suits organizations with strict least-privilege policies.
Need Help?
If you run into any issues, contact MontyCloud support at support@montycloud.com.