Documentation and Best Practices

Learn how to use Cloudability and get the most out of our cloud cost management tool

— User assistance content is no longer updated on this site —

— For up-to-date information, check out the Apptio Help Center


Setup Advanced Features: Stage 1 - Azure Rightsizing and RI Planning

For the latest version of this help, see:

Azure Subscription level credentialing unlocks the following features within Cloudability

  • Apply resource group tags to resources within the resource groups
  • Optimization - through Rightsizing, and RIs

Currently, our platform requires the Reader role on Subscriptions in order to fetch the necessary data. We use the OAuth 2.0 Authorization Grant Flow to register our application and create a service principal within the Azure tenant. You can read more about this process here:

Before you begin...

Please use the checklist below to verify that you meet the minimum requirements for successful credentialing.


[  1  ]

You are a Cloudability Administrator



The Cloudability Administrator role gives you access to the Vendor Credentials page where you can manage your credentials.


[  2  ]

You have one of the following Azure Active Directory roles in your organization

  • Global Administrator, or
  • Application Developer, or
  • Cloud Application Administrator


This is necessary for the OAuth 2.0 Authorization Grant Flow. Your Azure Active Directory (AD) role is used to register our enterprise app within your Azure AD tenant, and create the Service Principal. 


[  3  ]

You are an Owner (or higher) on the Subscription you are credentialing



This is necessary for the OAuth 2.0 Authorization Grant Flow. You need to be at least an Owner on the Subscription so that permissions can be attached to the Service Principal through IAM. 


Steps to enable Reader role on a Subscription

The following steps assume that you have already added an Azure EA to Cloudability's Vendor Credentials page. Also, you have one or more Subscriptions listed on that page for which you would like to provide us access.

Step 1: Edit the Subscription

Click the Edit icon for the Subscription for which you would like to provide us access.


Step 2: Generate a link

Here, you have the option to select multiple Subscriptions. Clicking the Generate Link button will generate a URL for each selected Subscription that you will then use to complete the OAuth 2.0 Authorization Grant Flow for each of those Subscriptions.

Click the Generate Links button


Select the Subscription(s) for which to generate link(s)


Click Ok, once you have completed your selections


Step 3: Click on each generated link

A link is generated for each Subscription that you selected in the previous step. Click on each link to complete registering our application and creating a service principal.

Click on each link


Step 3a: Complete the OAuth 2.0 flow triggered from the link

Sign into your Azure portal


Consent complete

After logging in, you may get a message similar to the one below. If so, then you need to provide consent to the application through your Azure AD, under Enterprise applications.


Otherwise, you will see a prompt that, once you click Accept, will complete the consent process.


Verify successful consent in the Azure portal

Active Directory

You can verify that the application has been successfully consented to by checking the Enterprise applications section in your Azure Active Directory.


Subscription IAM

Additionally, you can check whether the service principal is a Reader on the subscription.


Step 4: Return to the Vendor Credentials page to verify credentials

You may see a yellow or green check box, in the Advanced Features column, for the Subscription.

  • A green check box for a Subscription indicates that Cloudability has,
    • a Reader role on the Subscription (through our service principal)
  • A yellow check box implies that Cloudability has an incomplete credential, such as
    • the credential process could have started (i.e., we have a record in our database) but there are no permissions attached to that credential
  • A red status color for the credential implies that there's an error with the credential.

Note: We can now unlock all Advanced Features through our Service Principal (this requires the service principal to be a Reader on Subscriptions). The permissions box will show as a yellow checkbox but this is ok.


Re-verify the credential by clicking on the circular arrow


A check mark is displayed briefly upon successful verification


In some cases, you may need to refresh the browser to fetch new changes


Finally, click on the Details button to view the updated permissions


Verify that Cloudability has Reader permissions on the Subscription



1. How do I know if I have successfully credentialed my Subscription?

Ignore the color of the checkboxes. All you need to do is check whether you have the Reader role on the subscription.

A Reader role on the subscription is currently identified by the management:Reader permission.

We're looking to update this to subscription:ReadSubscription.


2. Why are some permissions boxes green, while others yellow?

Short answer: We need only the Reader role on subscriptions. As long as we have this permission, Advanced Features are unlocked for that Subscription.

We're working to fix the experience around the status of permissions, and their colors.


Was this article helpful?
1 out of 1 found this helpful
Have more questions? Submit a request


Article is closed for comments.