This topic describes how to onboard an Azure subscription with Zesty to use Commitment Manager.
You onboard using the Zesty onboarding wizard. The wizard generates a custom Azure onboarding script tailored to your organization.
The script performs the following actions:
Creates and assigns the required built-in Azure roles at the appropriate scope.
Creates an Azure storage account with Blob storage enabled for Cost Management exports.
Enables and configures Cost Management exports to write to the specified storage location.
Verifies that all required permissions are correctly configured.
The script is fully automated, non-destructive, and safe to run multiple times in Azure Cloud Shell (Bash).
This topic describes the following:
Roles assigned to Zesty: During onboarding, Zesty is assigned the Azure roles required to perform analysis and actions. These role permissions allow Zesty to read (collect billing data and monitor resources), and, when Commitment Manager is enabled, to write (manage the purchase or renewal of Savings Plans and Reserved Instances).
Prerequisites: The permissions that the Azure user performing onboarding must have.
Onboard an Azure subscription with Zesty for Commitment Manager: How to onboard from the Zesty platform.
Roles assigned to Zesty
Zesty uses built-in Azure roles to perform the required read and write actions:
Read-Only Permissions (Visibility Mode)
Used for onboarding, visibility, and savings analysis. For the full permissions, see Full permissions list.
Role Name | Scope | Description |
|---|---|---|
Billing Account Reader | Billing Account | Read-only access to billing data |
Savings plan Reader | /providers/Microsoft.BillingBenefits | Read existing Savings Plans |
Reservations Reader | /providers/Microsoft.Capacity | Read existing Reserved Instances |
Active Permissions (Commitment Manager Mode)
Additional permissions are required to enable automated Azure commitment management by Zesty Commitment Manager. For the full permissions, see Full permissions list.
Role Name | Scope | Description |
|---|---|---|
Savings plan Purchaser | /providers/Microsoft.BillingBenefits | Purchase and manage Savings Plans |
Reservation Purchaser | /providers/Microsoft.Capacity | Purchase and manage Reserved Instances |
Prerequisites
To configure Zesty access to your Azure environment, the onboarding administrator must have the following permissions:
Access to the Zesty platform
For more information, contact Customer Support.
All of the following Azure permissions:
Owner or Contributor on the root management group: This role can perform the following types of actions in the console:
View and manage subscriptions
Create resource groups and resources
Register Azure resource providers
Assign roles at the subscription level
Permission limitation
These permissions are required only for the administrator performing onboarding. Zesty is not granted Owner or Contributor access.
Billing Account Owner on an MCA billing account, or Enterprise Administrator on an EA billing profile: This role can perform the following types of actions in the console:
View billing accounts and billing profiles
Access all subscriptions under the billing account
Configure Azure Cost Management exports
Grant billing-level read access
Global administrator with elevated access to management groups or subscriptions. This role can perform the following types of actions in the console:
Create and manage service principals (app registrations)
Assign Azure RBAC and billing roles
Grant tenant-level access to subscriptions or management groups
Onboard an Azure subscription with Zesty for Commitment Manager
Use the Zesty onboarding wizard to generate a script that runs in the Azure Cloud Shell and creates an integration application (Azure app registration and service principal).
Azure compatibility
The integration application uses Azure AD–managed credentials and follows Azure best practices for service principal authentication.
Prerequisites
Sign in to the Azure CLI.
Log in to the Zesty platform.
Use the organization that has the Azure account to be onboarded.
From the main menu, choose Organization settings > Accounts.
Click Add account.
The onboarding wizard is displayed.
In the Select policy permissions screen:
Select the Azure region in which to create the Zesty resource group.
Select Commitment Manager.
You can expand it to see the permissions that will be granted.
Click Next.
In the Connect your Azure account screen:
Copy the script.
Paste the script to the Azure Cloud Shell, then run it.
When it completes, the following message is displayed:
“Onboarding process is now finished! Please return to Zesty Dashboard.”
After the script completes, return to the Zesty onboarding wizard and click Next.
The Zesty dashboard is displayed showing data from the newly onboarded account.
To revoke Zesty access, remove the assigned Azure roles and delete the Zesty integration application from Microsoft Entra ID.
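After onboarding, or after revoking access, the integration application's role assignments can be compared with the role tables in "Roles assigned to Zesty". The following is an added example, not part of the Zesty onboarding script; it assumes the assignments were exported as JSON with the `roleDefinitionName` and `scope` fields that `az role assignment list -o json` emits, and it covers only the two provider scopes (Billing Account Reader, assigned at the billing account, is left out).

```python
import json

# Role name -> scope, copied from the role tables on this page.
READ_ROLES = {
    "Savings plan Reader": "/providers/Microsoft.BillingBenefits",
    "Reservations Reader": "/providers/Microsoft.Capacity",
}
WRITE_ROLES = {
    "Savings plan Purchaser": "/providers/Microsoft.BillingBenefits",
    "Reservation Purchaser": "/providers/Microsoft.Capacity",
}

# Constructed sample export for the integration app (not real data).
SAMPLE = json.loads("""[
 {"roleDefinitionName": "Savings plan Reader", "scope": "/providers/Microsoft.BillingBenefits"},
 {"roleDefinitionName": "Reservations Reader", "scope": "/providers/Microsoft.Capacity"},
 {"roleDefinitionName": "Reservation Purchaser", "scope": "/providers/Microsoft.Capacity"},
 {"roleDefinitionName": "Contributor", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]""")

def audit_assignments(assignments, commitment_manager_enabled):
    """Return (missing_roles, unexpected_assignments) for the selected mode."""
    expected = dict(READ_ROLES)
    if commitment_manager_enabled:
        expected.update(WRITE_ROLES)
    # Scopes are compared case-insensitively and without a trailing slash.
    wanted = {(role, scope.lower()) for role, scope in expected.items()}
    found, unexpected = set(), []
    for a in assignments:
        key = (a["roleDefinitionName"], a["scope"].rstrip("/").lower())
        if key in wanted:
            found.add(key)
        else:
            # Anything outside the documented tables, e.g. Owner/Contributor,
            # or a Purchaser role while only visibility mode is enabled.
            unexpected.append(f'{a["roleDefinitionName"]} @ {a["scope"]}')
    missing = sorted(role for role, _ in wanted - found)
    return missing, sorted(unexpected)

if __name__ == "__main__":
    for mode in (False, True):
        missing, unexpected = audit_assignments(SAMPLE, mode)
        print("commitment manager:", mode, "| missing:", missing, "| unexpected:", unexpected)
```

After revocation, an empty export is the expected result: every read role shows up as missing and nothing as unexpected.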
Full permissions list
This section describes the full read-only and write permissions granted to Zesty.
Read-only permissions (Visibility)
The following table describes the read-only permissions required for visibility mode. These permissions are used to analyze Azure spending, usage, reservations, and compute resources. No write actions take place.
Permission | Description | Why Zesty uses it |
|---|---|---|
Microsoft.Compute/*/read | Read access to all Compute resource metadata | To analyze VM usage, identify coverage opportunities, and model Savings Plans/RI recommendations |
Microsoft.ContainerService/*/read | Read access to AKS cluster configurations | To analyze Kubernetes compute usage patterns for optimization and commitment analysis |
Microsoft.Insights/*/read | Access to Azure Monitor metrics | To retrieve performance and utilization metrics that impact savings recommendations |
Microsoft.Management/managementGroups/read | View management group structure | To map resources across org hierarchy for accurate cost attribution |
Microsoft.Resources/subscriptions/read | View subscription metadata | To ensure Zesty can scope analysis across all relevant subscriptions |
Microsoft.Resources/subscriptions/resourceGroups/read | View resource groups | To enable granular resource-level analysis and group-based reporting |
Microsoft.Consumption/*/read | Access to billing and consumption records | Required to analyze historical spending and calculate savings potential |
Microsoft.Billing/*/read | Read billing account information | To link subscriptions to billing scopes |
Microsoft.BillingBenefits/*/read | Read savings plans/benefits metadata | To understand existing Savings Plans and evaluate coverage |
Microsoft.BillingBenefits/savingsPlanOrders/read | Read savings plan orders | To analyze active commitments |
Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/read | Read individual savings plans under an order | To evaluate remaining commitment and utilization |
Microsoft.BillingBenefits/savingsPlanOrders/*/read | Read all details under Savings Plan Orders | For complete commitment lifecycle modeling |
Microsoft.BillingBenefits/savingsPlanOrderAliases/read | Read aliases for savings plan orders | To correctly associate commitments with billing scopes |
Microsoft.Authorization/roleAssignments/read | View RBAC role assignments | To validate Zesty has the correct minimum access configuration |
Microsoft.Authorization/roleDefinitions/read | View role definitions | For troubleshooting and access verification |
Microsoft.Capacity/catalogs/read | Read reservation catalog data | To understand available SKU types for reservation recommendations |
Microsoft.Capacity/reservationOrders/read | Read reservation orders | To analyze existing Reserved Instances |
Microsoft.Capacity/reservationOrders/reservations/read | Read individual reservations | Required for evaluating RI utilization and term |
Microsoft.Capacity/reservationOrders/reservations/revisions/read | Read reservation revisions | To understand modifications and changes to RIs |
Microsoft.Capacity/*/read | Read full reservation capacity data | To support modeling of reservation purchase/renewal options |
Microsoft.CostManagement/*/read | Read cost management data | For aggregated cost reporting and anomaly detection |
Microsoft.CostManagement/benefitRecommendations/read | Read Azure benefit recommendations | Used to compare Azure-native recommendations vs. Zesty analysis |
Microsoft.Consumption/reservationRecommendationDetails/read | Read RI recommendation details | Supports Zesty's advanced commitment modeling |
Microsoft.Consumption/reservationRecommendations/read | Read base RI recommendations | Complements Zesty’s cost optimization analysis |
Microsoft.Consumption/reservationDetails/read | Read reservation usage/consumption | Used to calculate effective coverage and efficiency |
Microsoft.Consumption/reservationSummaries/read | Read RI summaries | Helps understand commitment landscape at a high level |
Microsoft.Consumption/reservationTransactions/read | Read RI transaction data | To track commitment purchases, exchanges, and refunds |
Microsoft.Billing/billingProperty/read | Read billing properties | Required to validate commitment purchasing capability |
Microsoft.Billing/billingAccounts/read | Read billing account metadata | Helps Zesty map commitments to billing scopes |
Write permissions (Commitment Manager)
The following table describes the active permissions required for Commitment Manager mode. These permissions are required only when the customer enables automated management by Zesty Commitment Manager.
Note: Zesty does not purchase, renew, or modify Savings Plans or Reserved Instances during onboarding. Commitment purchases occur only after Commitment Manager is explicitly enabled by the customer.
Permission | Description | Why Zesty uses it |
|---|---|---|
Microsoft.Consumption/register/action | Register the Microsoft.Consumption RP | Required for commitment purchase actions |
Microsoft.BillingBenefits/savingsPlanOrders/action | Perform actions on savings plan orders | Needed to create or manage Savings Plans |
Microsoft.BillingBenefits/savingsPlanOrders/write | Create or modify savings plan orders | Enables purchase, renewal, or modification of Savings Plans |
Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/write | Create or modify savings plans within orders | Required for adjusting commitment levels |
Microsoft.BillingBenefits/savingsPlanOrders/*/action | Execute actions on Savings Plan Orders | Ensures full lifecycle management capability |
Microsoft.BillingBenefits/register/action | Register BillingBenefits RP | Required for managing Savings Plans programmatically |
Microsoft.Capacity/register/action | Register the Capacity RP | Necessary to handle Reserved Instances |
Microsoft.Compute/register/action | Register Compute RP | Required to create commitments for compute-based SKUs |
Microsoft.BillingBenefits/savingsPlanOrderAliases/write | Manage Savings Plan aliases | Needed for managing commitment associations |
Microsoft.Support/supporttickets/write | Create support tickets | Occasionally required by Microsoft when executing certain commitment operations |
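The write table above can double as a detection baseline: control-plane operations performed by the integration application that match none of the listed patterns deserve review. The following is an added example, not Zesty or Microsoft code; the caller ID is a placeholder, the events are constructed, and the field names (`caller`, `operationName.value`, `eventTimestamp`) assume an Azure Activity Log JSON export.

```python
import fnmatch

# Patterns copied from the "Write permissions (Commitment Manager)" table.
DOCUMENTED_WRITE = [
    "Microsoft.Consumption/register/action",
    "Microsoft.BillingBenefits/savingsPlanOrders/action",
    "Microsoft.BillingBenefits/savingsPlanOrders/write",
    "Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/write",
    "Microsoft.BillingBenefits/savingsPlanOrders/*/action",
    "Microsoft.BillingBenefits/register/action",
    "Microsoft.Capacity/register/action",
    "Microsoft.Compute/register/action",
    "Microsoft.BillingBenefits/savingsPlanOrderAliases/write",
    "Microsoft.Support/supporttickets/write",
]

# Constructed sample events (not real logs); APP_ID is a placeholder caller ID.
APP_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_EVENTS = [
    {"eventTimestamp": "2024-01-01T10:00:00Z", "caller": APP_ID,
     "operationName": {"value": "Microsoft.BillingBenefits/savingsPlanOrders/write"}},
    {"eventTimestamp": "2024-01-01T10:02:00Z", "caller": APP_ID,
     "operationName": {"value": "MICROSOFT.SUPPORT/SUPPORTTICKETS/WRITE"}},
    {"eventTimestamp": "2024-01-01T10:05:00Z", "caller": APP_ID,
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"}},
    {"eventTimestamp": "2024-01-01T10:06:00Z", "caller": "admin@example.com",
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"}},
    {"eventTimestamp": "2024-01-01T10:07:00Z", "caller": APP_ID,
     "operationName": {"value": "Microsoft.Compute/virtualMachines/delete"}},
]

def is_documented(operation):
    """Case-insensitive match; '*' spans any characters, including '/'."""
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in DOCUMENTED_WRITE)

def undocumented_operations(events, caller_id):
    """Return (timestamp, operation) for the caller's events outside the table."""
    flagged = []
    for ev in events:
        if ev.get("caller", "").lower() != caller_id.lower():
            continue  # only the integration application's own activity
        op = ev["operationName"]["value"]
        if not is_documented(op):
            flagged.append((ev["eventTimestamp"], op))
    return flagged

if __name__ == "__main__":
    print(undocumented_operations(SAMPLE_EVENTS, APP_ID))
```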