To successfully export Azure cost data to storage, both the user creating the export and the system-managed identity created by Azure need the correct roles. This ensures Azure can write to your storage account on schedule without permission errors.
1. Grant Permissions to the User Creating the Export
The user (or service principal) setting up the export must be able to:
- Create the export job
- Assign roles to the managed identity
Required Roles:
- Owner of the subscription or storage account, or
- Cost Management Contributor on the subscription, plus User Access Administrator (or a custom role that includes Microsoft.Authorization/roleAssignments/write) on the storage account
Important:
- If the storage account is firewalled or in another resource group, the user needs explicit permission at the storage account scope.
- Without these rights, the export setup fails with an "Unauthorized" error when Azure tries to assign the managed identity's role.
2. Grant Permissions to the Export's Managed Identity
Azure creates a system-assigned managed identity for each export. This identity must have Storage Blob Data Contributor on the container where export data is stored.
Azure Will Do This Automatically If:
- The user creating the export has permission to assign roles on the storage account.
If Not Assigned Automatically:
- Go to the export job and find the managed identity name (e.g., Export_<GUID>).
- Navigate to your storage account > Containers.
- Click Access Control (IAM) > Add Role Assignment.
- Assign Storage Blob Data Contributor to the export's identity at the container scope.
3. If You Change or Delete the Export
When updating the destination or deleting the export:
- Azure will attempt to remove the old role assignment.
- The user must have the Microsoft.Authorization/roleAssignments/delete permission (included in Owner).
If Azure lacks this permission, manually remove the leftover role assignment via the portal or CLI.
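The manual assignment from section 2 and the cleanup from section 3 can also be done with the Azure CLI. The script below is an added example, not part of the original article; the subscription, resource group, storage account, container and the export identity's object ID are assumed placeholders you supply on the command line.

```shell
# Added example: grant, verify and revoke "Storage Blob Data Contributor"
# for an export's managed identity at container scope using the Azure CLI.
# All resource names and IDs are assumed placeholders.

# Build the ARM resource ID of a blob container. This is the scope string the
# role assignment needs; assigning at the storage account instead would work
# but grants the identity more than the export requires.
container_scope() {
  # $1 subscription id, $2 resource group, $3 storage account, $4 container
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s' \
    "$1" "$2" "$3" "$4"
}

ROLE='Storage Blob Data Contributor'

# Assign the role to the Export_<GUID> identity by object id. Passing the
# principal type avoids a directory lookup that can fail for a freshly
# created identity.
grant_export_identity() {
  # $1 object id of the export's managed identity, $2 container scope
  az role assignment create \
    --assignee-object-id "$1" \
    --assignee-principal-type ServicePrincipal \
    --role "$ROLE" \
    --scope "$2" \
    --output none
}

# Succeeds only if at least one matching assignment exists at that scope.
verify_export_identity() {
  n=$(az role assignment list --assignee "$1" --scope "$2" --role "$ROLE" \
        --query 'length(@)' --output tsv)
  [ "${n:-0}" -ge 1 ]
}

# Remove the assignment when the export is deleted or its destination changes.
revoke_export_identity() {
  az role assignment delete --assignee "$1" --role "$ROLE" --scope "$2"
}

# Usage: script.sh <subscription> <resource-group> <storage-account> <container> <identity-object-id>
# Only runs when az is installed and all five arguments are given.
if command -v az >/dev/null 2>&1 && [ "$#" -eq 5 ]; then
  scope=$(container_scope "$1" "$2" "$3" "$4")
  grant_export_identity "$5" "$scope"
  verify_export_identity "$5" "$scope" && echo "assignment verified at $scope"
fi
```

Run the same script with `revoke_export_identity` in place of the grant call once the export has been deleted and the portal still shows a leftover assignment.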
Summary

| Role | Who Needs It | Scope |
|---|---|---|
| Owner, or Cost Management Contributor + User Access Administrator | Person setting up the export | Subscription and storage account |
| Storage Blob Data Contributor | Export's managed identity | Container in the storage account |
Once these roles are granted, Azure Cost Management can reliably write data to storage as scheduled.