Login Get Started

Get Started with Azure

Automated setup for secure, read-only access to your Azure Cost Management exports for cloud carbon emissions tracking.

Production Ready 5–30 minutes depending on deployment method

What Gets Created

The setup script provisions the following resources in your Azure tenant.

Service Principal

Tailpipe Enterprise Application with read-only blob storage and monitoring access.

Storage Account

Standard LRS StorageV2 account with a dedicated container for cost export data.

Cost Management Exports

Daily cost exports at billing scope (MCA/EA) or per-subscription (CSP).

Azure Policy

DeployIfNotExists policy to auto-create exports on new subscriptions (CSP only).

Automation Account

Daily runbook for provider registration on new subscriptions (CSP only).

RBAC Configuration

Storage Blob Data Reader and Monitoring Reader roles with least-privilege scoping.

Prerequisites

  • Azure CLI version 2.50.0 or later
  • Global Administrator or Application Administrator role (to create service principals)
  • Owner or Contributor at Management Group or Subscription level
  • Billing Profile Contributor for billing-scope exports (MCA/EA only)
  • Active Azure session (az login)

Quick Start

Download the setup script

Clone the open-source repository from GitHub.

# Clone the repository
git clone https://github.com/tivarri/tailpipe-cloud-data-export.git
cd tailpipe-cloud-data-export/azure

Login and run the setup

Login to Azure, then choose the mode that suits your workflow.

# Login to Azure
az login
Interactive 
# Interactive mode (recommended)
chmod +x setup-tailpipe.sh
./setup-tailpipe.sh
Automated 
# Non-interactive mode (CI/CD)
export LOCATION="uksouth"
./setup-tailpipe.sh
Dry Run 
# Dry run — preview only
DRY_RUN=1 ./setup-tailpipe.sh

Share configuration

The script outputs a JSON configuration summary containing the tenant ID, service principal details, storage account information, and export configuration. Share this with your Tailpipe Account Manager to complete the setup.

Configuration Options

All configuration is controlled via environment variables. Set these before running the script.

Variable Default Description
LOCATION prompted Azure region for resources (e.g. uksouth, westeurope)
ENTERPRISE_APP_ID UAT App ID Tailpipe application ID (production ID provided during onboarding)
MANAGEMENT_GROUP_ID Auto-detected Target management group for RBAC and policy scoping
BILLING_SCOPE Auto-detected Billing profile resource ID for billing-scope exports
STORAGE_SUBID Auto-detected Subscription ID for storage account placement
DRY_RUN 0 Set to 1 to preview changes without executing
SKIP_AUTOMATION 0 Set to 1 to skip Automation Account creation
SKIP_POLICY 0 Set to 1 to skip Azure Policy creation

Production Deployment

# Production deployment
export ENTERPRISE_APP_ID="f5f07900-0484-4506-a34d-ec781138342a"
export LOCATION="uksouth"
./setup-tailpipe.sh

Security Features

Built with security best practices. Your infrastructure stays under your control.

Read-Only Access

Service principal has only Blob Data Reader and Monitoring Reader roles.

Managed Identity

Azure AD authentication — no secrets or passwords are generated or stored.

Least Privilege RBAC

Each resource gets only the minimum permissions required for its function.

Audit Trail

All operations logged in Azure Activity Log for full audit visibility.

User-Controlled

Fully reversible — run the cleanup script to remove all Tailpipe resources.

Automatic Subscription Detection

The script automatically detects your subscription type and configures the optimal export strategy:

MCA / Enterprise Agreement

Billing-scope export covering all subscriptions, with per-subscription fallback if billing access is unavailable.

CSP / Partner

Per-subscription exports with automatic Azure Policy and Automation Account for new subscription handling.

Removal & Cleanup

The integration is fully reversible. Run the cleanup script to remove all Tailpipe resources from your Azure tenant. 

# Remove all Tailpipe resources
chmod +x cleanup-tailpipe.sh
./cleanup-tailpipe.sh

Cleanup Options

# Preview cleanup without deleting
DRY_RUN=1 ./cleanup-tailpipe.sh

# Keep service principal
KEEP_SP=1 ./cleanup-tailpipe.sh

# Keep storage account and data
KEEP_STORAGE=1 ./cleanup-tailpipe.sh

For full cleanup documentation, see the Azure setup guide on GitHub.

Need help with setup?

Check our integration FAQs or get in touch with our team.

View FAQs Contact Support
GitHub Documentation