Azure Onboarding - Required Permissions

Last updated: March 23, 2026

The following RBAC roles are granted to the Archera.ai Enterprise Application:

Read Access:

  • Storage Reader - Used to read the cost and usage reports that Azure exports to Blob storage

  • Billing Reader - Used to read the cost and usage reports generated by Azure, which show monthly usage across all services

  • Reservation Reader - Used to read all existing reserved instances in your Azure account

  • Savings Plan Reader - Used to read all existing savings plans in your Azure account

One-Time Write Access:

We utilize the compressed cost export feature inside Azure that adheres to the FinOps Cost Usage and Specification (FOCUS) dataset standards outlined in the article below.

Microsoft Cost Management updates—July 2024 | Microsoft Azure Blog

This feature requires a blob storage account, so we utilize a one-time write action to create the following resources supporting this advanced cost and usage report (CUR) export mechanism.

General Write Access to buy Commitments (can be made optional with the drop-down menu):

  • Reservation Purchaser — Required to purchase Reserved Instances on your behalf.

  • Savings Plan Contributor — Required to purchase Azure Savings Plans on your behalf.

  • Billing Contributor — Required to purchase Azure Savings Plans on EA and MCA accounts. Savings plan orders must be placed at the billing account scope, which requires contributor-level access.
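
To confirm after onboarding that the Enterprise Application holds only the roles listed above, a customer can compare an export of its role assignments against this page. The following is an added example, not Archera's or Microsoft's code. It assumes a JSON list with `roleDefinitionName` and `scope` fields (the shape `az role assignment list -o json` produces), role display names exactly as written on this page, and a constructed sample input.

```python
import json

# Role names copied from this page; adjust if your tenant shows different display names.
READ_ROLES = {"Storage Reader", "Billing Reader",
              "Reservation Reader", "Savings Plan Reader"}
PURCHASE_ROLES = {"Reservation Purchaser", "Savings Plan Contributor",
                  "Billing Contributor"}

# Constructed sample: placeholder subscription id, one purchase role, and one
# role that is not on this page's list (e.g. left over from a setup step).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = json.dumps([
    {"roleDefinitionName": "Billing Reader", "scope": SUB},
    {"roleDefinitionName": "Storage Reader", "scope": SUB},
    {"roleDefinitionName": "reservation reader", "scope": SUB},
    {"roleDefinitionName": "Savings Plan Reader", "scope": SUB},
    {"roleDefinitionName": "Reservation Purchaser", "scope": SUB},
    {"roleDefinitionName": "Storage Account Contributor", "scope": SUB},
])


def audit(assignments_json, purchasing_enabled):
    """Return (kind, role, scope) findings that deviate from the documented set."""
    allowed = READ_ROLES | (PURCHASE_ROLES if purchasing_enabled else set())
    # Case-insensitive lookup back to the page's spelling of each role.
    canon = {r.casefold(): r for r in READ_ROLES | PURCHASE_ROLES}
    seen, findings = set(), []
    for entry in json.loads(assignments_json):
        name = (entry.get("roleDefinitionName") or "").strip()
        scope = entry.get("scope")
        role = canon.get(name.casefold())
        if role is None:
            # Not documented on this page at all: review and remove.
            findings.append(("unexpected", name, scope))
        elif role not in allowed:
            # Documented, but only for customers who opted in to purchasing.
            findings.append(("purchase-role-while-opted-out", role, scope))
        else:
            seen.add(role)
    # Documented roles that were never granted (onboarding incomplete).
    findings.extend(("missing", r, None) for r in sorted(allowed - seen))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, purchasing_enabled=False):
        print(finding)
```
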