Permissions & Data Tier

Grant the two opt-in Azure roles that unlock utilization, wastage, expiry, and SKU details. Open the drawer from the Permissions & Data Tier button in the Commitments dashboard header, or from the Grant permissions button on the inventory-only banner.

Required access

Granting these roles requires EA Admin or billing admin access in your Azure tenant. Standard subscription Owner is not sufficient, because the Reservations and Savings Plans blades use a separate provider-scope RBAC system.

What Each Tier Unlocks

StratoLens has two operating modes:

Base
Default. Inventory and monthly cost only. Grant the two optional Azure roles below to unlock the full data set.
Enhanced
Both roles active. Full data set available, including utilization, wastage, expiry, SKU, and scope. The Permissions & Data Tier button is hidden from the dashboard header in this mode.

Partial state during rollout

If only one of the two roles is granted, the dashboard shows a (partial tier) label. The granted side gets full data and the other side stays in inventory-only. Grant the remaining role to reach enhanced.

The two roles are:

Reservations Reader
Azure built-in role at scope /providers/Microsoft.Capacity. Unlocks enhanced data for reservations.
Savings plan reader
Azure built-in role at scope /providers/Microsoft.BillingBenefits. Unlocks enhanced data for savings plans.

Provider-scope roles, not subscription IAM

Both roles live at provider scope, so they're assigned from the Reservations and Savings Plans top-level Azure portal blades rather than the subscription IAM blade. The Azure CLI also works at provider scope.

Prerequisites

  • EA Admin or billing admin access in the Azure tenant, required to grant either role.
  • Either Azure Portal access or Azure CLI / Cloud Shell access. Both paths achieve the same result.
  • The scanner managed identity Object ID, which the drawer auto-populates for you.

Grant via Azure Portal

The drawer's Azure Portal tab walks through both roles. The scanner managed identity name is shown in a muted box at the top of the tab so you know which identity to grant access to.

Reservations Reader

  1. In the Azure Portal, search for and open the Reservations top-level blade.
  2. Click Role Assignment in the top toolbar.
  3. Select the Reservations Reader role.
  4. Add the StratoLens scanner managed identity (the name shown in the drawer).
  5. Save.

Savings plan reader

  1. Search for and open the Savings Plans top-level blade.
  2. Click Role Assignment in the top toolbar.
  3. Select the Savings plan reader role.
  4. Add the StratoLens scanner managed identity.
  5. Save.

Hand off to your billing admin

If you don't have EA Admin or billing admin access yourself, the drawer's Azure CLI tab provides paste-ready, pre-populated az role assignment create commands you can send to your billing admin to run in Azure Cloud Shell.

Verify Access

Click Verify access at the bottom of the drawer to run a live diagnostic. The check calls both Azure APIs once and reports per-role status, then shows a follow-up alert summarizing whether you landed in base, partial, or enhanced tier.

Verification is read-only

Verify access does not trigger a scan or modify any state. You can run it as many times as needed. The result is reset when the drawer closes, so re-opening starts fresh.

Enhanced-tier data appears on the next scan

Verification confirms the role grant is in place; it doesn't pull the enhanced data on the spot. Wait for the next scheduled scan (default cadence: every 8 hours) or run an on-demand scan from the Scans page to see the data sooner.

Cleanup Before Uninstall

If you grant these two roles, you're responsible for revoking them before deleting the StratoLens managed identity. Otherwise the role assignments remain in Azure as orphaned "Identity not found" entries. The StratoLens uninstall process does not have permission to remove its own provider-scope role assignments by design (least privilege).

From the Azure Portal:

  1. Open the Reservations top-level blade and click Role Assignment. Find the StratoLens scanner managed identity and remove its Reservations Reader assignment.
  2. Open the Savings Plans top-level blade, click Role Assignment, and remove the same identity's Savings plan reader assignment.
  3. Once both assignments are removed, you can safely delete the StratoLens managed identity.
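The Azure CLI path described in the hand-off note, the Verify access check, and the cleanup steps above can all be driven from one small script. The following is an added example written for this page; it is not StratoLens tooling and not the drawer's generated commands. It uses the role names and provider scopes listed above, the placeholder object ID must be replaced with the scanner managed identity Object ID shown in the drawer, and the function names (grant_role, count_role, tier_for, report_tier, revoke_role) are this example's own.

```sh
#!/usr/bin/env sh
# Added example, not StratoLens tooling: grant, check and revoke the two
# provider-scope roles with the Azure CLI.
# Usage: sh stratolens-roles.sh grant|verify|revoke

# Placeholder: replace with the scanner managed identity Object ID from the drawer.
SCANNER_OID="${SCANNER_OID:-00000000-0000-0000-0000-000000000000}"

# Role names and provider scopes as listed on this page.
RES_ROLE="Reservations Reader"
RES_SCOPE="/providers/Microsoft.Capacity"
SP_ROLE="Savings plan reader"
SP_SCOPE="/providers/Microsoft.BillingBenefits"

# Assign one role at provider scope. Passing the principal type skips the
# Graph lookup, which can fail for a recently created managed identity.
grant_role() {
  az role assignment create \
    --assignee-object-id "$SCANNER_OID" \
    --assignee-principal-type ServicePrincipal \
    --role "$1" --scope "$2" --output none
}

# Number of assignments of role $1 held by the identity at scope $2.
# Prints 0 (or nothing) while RBAC propagation is still in progress.
count_role() {
  az role assignment list \
    --assignee "$SCANNER_OID" --role "$1" --scope "$2" \
    --query 'length(@)' --output tsv
}

# Map the two assignment counts to the dashboard's tier names.
tier_for() {
  res="${1:-0}"; sp="${2:-0}"
  if [ "$res" -gt 0 ] && [ "$sp" -gt 0 ]; then
    echo enhanced
  elif [ "$res" -gt 0 ] || [ "$sp" -gt 0 ]; then
    echo partial
  else
    echo base
  fi
}

# Live check of both roles, the CLI counterpart of the drawer's Verify access.
report_tier() {
  tier_for "$(count_role "$RES_ROLE" "$RES_SCOPE")" \
           "$(count_role "$SP_ROLE" "$SP_SCOPE")"
}

# Remove one assignment; run for both roles before deleting the identity so
# no orphaned "Identity not found" entries are left behind.
revoke_role() {
  az role assignment delete \
    --assignee "$SCANNER_OID" --role "$1" --scope "$2"
}

case "${1:-}" in
  grant)
    grant_role "$RES_ROLE" "$RES_SCOPE"
    grant_role "$SP_ROLE" "$SP_SCOPE"
    ;;
  verify)
    echo "tier: $(report_tier)"
    ;;
  revoke)
    revoke_role "$RES_ROLE" "$RES_SCOPE"
    revoke_role "$SP_ROLE" "$SP_SCOPE"
    ;;
esac
```

Run `verify` a few minutes after `grant` if it still reports base or partial; as the troubleshooting entry below notes, provider-scope assignments can take up to an hour to propagate, and the script reports whatever the list call returns at that moment. Run `revoke` before deleting the StratoLens managed identity, since the uninstall process cannot remove these assignments itself.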

Troubleshooting

The Verify access button says "Forbidden" for one role even though I just assigned it.

Answer

Azure RBAC propagation for provider-scope roles can take anywhere from 5 minutes to an hour. Wait and click Verify access again. If it still fails after an hour, check that the role was assigned to the managed identity shown in the drawer, not to a different identity.

I don't have EA Admin or billing admin access. Can someone else grant the roles?

Answer

Yes. Open the drawer's Azure CLI tab, copy the pre-populated commands, and send them to your billing admin to run in Azure Cloud Shell.

For Microsoft's official reference, the drawer's Learn more about Azure reservation RBAC link opens the current Microsoft Learn page in a new tab.