Cloud Cost Control
Cloud Cost Control
Breadcrumbs

Azure Cost Control

Azure Cost Control

Status: GA | Audience: Customers and partners | Owner: SoftwareOne BI & Data Solutions

A FinOps platform for managing, optimizing, and monitoring Azure cloud spend, part of the Cloud Cost Control (CCC) suite from SoftwareOne (formerly Crayon). The product gives you visibility across tenants, subscriptions, resource types, regions, and tags, and surfaces concrete optimization actions across reservations, savings plans, right-sizing, unused resources, and Azure Hybrid Use Benefit.

Customer value at a glance

  • Fast savings discovery: most customers identify substantial monthly Azure savings within the first 90 days.

  • Finance-ready reporting: realized savings are tracked so finance can see actual cost reductions on the bill.

  • Actionable optimization: recommendations cover reservations, savings plans, right-sizing, unused resources, and Azure Hybrid Use Benefit.

On this page

Quick navigation: scan the page by section, then expand the report pages or FAQ items when you need details.

  • What it does

  • Who it is for

  • The twelve report pages

  • AI anomaly detection

  • AHUB Windows Server license optimization

  • Sustainability cloud emissions tracking

  • What we need to onboard you

  • Known limitations

  • FAQ

  • Offboarding and support

What it does

Azure Cost Control reads your Azure billing and consumption data and produces a Power BI report covering twelve dimensions of your cloud estate. Every page shares a header with the same key metrics (cost, savings potential, percentages) and a last-refresh timestamp. A right-side filter panel slices data by target currency, tenant, subscription, resource type, region, and tag.

The optimization categories surfaced across the platform are reservation purchase recommendations with break-even analysis, Savings Plan recommendations by subscription with hourly commitment modeling, right-sizing of over-provisioned resources, identification of unused or idle resources, and Azure Hybrid Use Benefit coverage gaps with an executable remediation script.

Read-only by design: Azure Cost Control produces recommendations and a PowerShell script for AHUB, but it does not directly change your Azure estate. Your team reviews and executes any changes in Azure.

Who it's for

The platform makes sense for customers running Azure at enough scale that optimization is a real finance conversation, typically organizations with multiple subscriptions, mixed workloads, and meaningful annual Azure spend. Below that, the optimization math still works, but the engagement overhead doesn't always pay back.

The people who use it day-to-day are FinOps practitioners running monthly optimization reviews, cloud architects evaluating reservation purchases, finance teams handling chargeback and forecasting, and sustainability leads who need carbon accounting from cloud consumption.

The twelve report pages

The product is delivered as a Power BI report. Each page answers a different question. Expand the sections below for details.

1. Savings Potential

The executive summary and primary landing page. Header shows cost over the last 30 days, total monthly savings potential in EUR, and that potential as a percentage of spend.

A waterfall chart breaks the path from current monthly cost to optimized monthly cost by subtracting savings in each category: AHUB, Savings Plans, Unused Resources, Right Sizing, and Reserved Instances. Below the waterfall, a month-over-month bar chart compares previous cost to actual cost, so customers can see whether last quarter's optimization work is showing up in this quarter's bill.

Four ranked breakdowns highlight the top opportunity in each category: top RI savings by SKU, top Savings Plan opportunities by subscription, top unused resources by cost, and top right-sizing candidates by resource.

2. Realized Savings

Tracks savings already achieved. Header shows cost last month, realized savings in EUR, and the savings rate as a percentage. A time-series chart over a configurable lookback (default 1 year) shows whether the savings trend is sustained or eroding, and a category breakdown attributes savings to Compute, Database, Storage, and other resource types.

This is the page customers send to their finance teams when justifying the engagement.

3. Reserved Instances

Detailed RI purchase recommendations with break-even modeling. The big number at the top is total potential savings percentage from reservations across the estate.

The break-even chart plots RI commitment cost against on-demand cost over time, with a dashed line marking the month at which cumulative RI spend becomes cheaper than on-demand. Below it: total projected on-demand cost, total RI purchase cost, and break-even term in months.

The recommendation table lists every proposed reservation with subscription, SKU, region, quantity, EUR savings, percentage savings, and break-even month. Filterable by term (1Y, 3Y), scope (Single, Shared), and lookback period.

4. Savings Plans

Compute Savings Plan opportunities split by subscription. A donut chart shows the split between potential cost and potential savings; a horizontal bar chart ranks subscriptions by Savings Plan opportunity so customers can prioritize.

The recommendation table includes hourly EUR commitment, EUR savings, savings percentage, and a direct purchase link that takes you to the Azure portal page where you can complete the purchase. No manual transcription of SKU IDs.

5. Right Sizing

Over-provisioned resources that can be downsized. The header includes a sustainability metric: estimated monthly CO2e reduction from implementing the recommendations.

The recommendation table maps every flagged resource from its current SKU to a target SKU, with monthly EUR savings, percentage savings, current emissions, and potential emission reduction. The current-to-target mapping gives operations teams a concrete plan to act on without further interpretation.

6. Unused Resources

Idle or abandoned resources still incurring cost. The table lists subscription, resource group, resource name, SKU, region, and monthly EUR savings if removed or deallocated.

These tend to be the easiest wins in the first month. Customers regularly find orphaned managed disks and dev VMs that someone forgot to deallocate sitting in the table.

7. Cost Overview

A breakdown of where the money is going, not how to save it. A quarterly stacked bar chart shows spend by resource category (Compute, Database, Network, Recovery Service, Storage, Other). A world map shows cost distribution by region. A time-series chart layers forecasted cost on top of realized cost for budgeting purposes.

Finance teams use this for chargeback and capacity planning. The Detailed View toggle exposes resource-level granularity when needed.

8. Cost Anomalies

AI-powered anomaly detection. Covered in more depth below.

9. Current Reservations

Inventory management for active and historical reservations. Active reservation count and quantity at the top; an expiration bar chart grouped by year and month for renewal planning; SKU distribution across the reservation portfolio; and a full detail table with subscription, display name, SKU, term, provisioning state, applied scope, start date, expiry date, and quantity.

The expiration view is what stops you from accidentally letting a large reservation lapse.

10. Cloud Emissions Preview

Sustainability tracking. Covered in more depth below.

11. AHUB Overview

Windows Server license optimization. Covered in more depth below.

12. AHUB Operational

The execution counterpart to AHUB Overview — a ready-to-use PowerShell script that enables AHUB on the recommended VMs, plus a detail table showing how packages should be redistributed.

AI anomaly detection

AI anomaly detection is the platform's anomaly detection layer, powered by Azure OpenAI. It scans your trailing cost data, identifies unexpected spikes, and produces a natural-language explanation of each anomaly along with recommendations to prevent recurrence.

The page shows:

  • Estimated anomaly cost per month over time, so you can see when spikes occurred

  • Estimated anomaly cost by Azure product, so you can see which services are responsible

  • An expandable detail table organized by year/month with the product, the estimated excess cost, the baseline average for comparison, and the AI-generated explanation

Example: a typical Anomaly explanation is not just “your costs went up.” It identifies what changed, where, and what to do about it, for example, attributing a storage cost spike to snapshot accumulation on a specific subscription and recommending a review of the snapshot retention policy on the affected resource group.

Filter by target currency and configurable date range.

AHUB Windows Server license optimization

Azure Hybrid Use Benefit lets you apply existing Windows Server licenses to Azure VMs to reduce per-hour compute cost. Most customers under-utilize the benefit because tracking which VMs are covered, which are eligible, and how to redistribute packages for optimal coverage is operationally tedious.

The platform handles this in two pages.

AHUB Overview shows whether you're compliant with your Windows Datacenter Edition Agreement, your current AHUB coverage versus the optimal coverage, the additional EUR you could save by redistributing packages, and a license utilization gauge against your available Microsoft CIS Suite Datacenter and Standard packages.

AHUB Operational gives you the execution path. Right-click → Copy Value on the PowerShell script element and you have a ready-to-run script that enables AHUB on the recommended VMs, with the tenant ID and full VM identifier list embedded. The detail table shows how packages should be redistributed across VMs for optimal coverage.

This is one of the highest-ROI pages for customers with significant Windows Server estate. Running the AHUB script is usually a same-day exercise that recovers meaningful monthly spend.

Sustainability cloud emissions tracking

The Cloud Emissions page (preview) tracks the environmental impact of your Azure consumption using Microsoft's emissions data. Note the one-month delay, Microsoft publishes emissions data with a lag, so the latest month available is always last month.

The page shows emissions last month in kg CO2e, the potential emission reduction available through right-sizing recommendations (and that reduction as a percentage), a monthly trend line in tonnes CO2e, year-to-date cumulative emissions with a monthly average, and an average monthly change percentage so you can see whether emissions are trending up or down. A table at the bottom lists the top emitting resources by scope, with subscription, resource group, resource name, and emissions value.

The scope selector toggles between Scope 1 (direct), Scope 2 (indirect), Scope 3 (value chain), and a combined view. Most customers report on Scope 2 for cloud workloads, but the platform supports all three for full carbon accounting.

What we need to onboard you

Azure onboarding is different from the M365 product. Rather than a single consent click, Azure Cost Control uses a PowerShell onboarding script to automate setup and validation. The script creates a read-only service principal and applies the required access across Azure management, billing, reservations, and savings plans based on how your Azure estate is structured: Enterprise Agreement, CSP, MCA, or a mix.

Get in touch with your SoftwareOne account team to scope the engagement. Typical inputs we'll need:

Input

Why we need it

Required?

Customer name, country, and reporting currency

Defines the customer record and report currency.

Required

Billing account or Enterprise Agreement details

Identifies the commercial scope and available billing data.

Required

Subscriptions or management groups in scope

Controls which Azure resources are included in reporting and optimization.

Required

Tenant IDs for each tenant containing in-scope subscriptions

Needed for access setup and data collection across tenants.

Required

Email addresses for dashboard access

Used to provision report access for customer and partner users.

Required
Before you run the onboarding script

Recommended environment: Azure Cloud Shell (shell.azure.com). Cloud Shell already has the required Azure tooling available, avoids local execution policy issues, and starts from an authenticated Azure session.

If you run the script locally, use PowerShell 5.1 or PowerShell 7.x and allow signed scripts for the current user:

PowerShell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

The script creates a local working folder, typically C:\crayon on Windows or ~/crayon on Linux/macOS, and installs missing PowerShell modules when possible.

Module

Purpose

Az.Accounts

Azure authentication and account management

Az.Reservations

Azure reservations management

Az.BillingBenefits

Savings plans and billing benefits

Az.Resources

Resource management and RBAC

Az.Billing

Billing account management

Microsoft.Graph.Authentication

Microsoft Graph authentication

Microsoft.Graph.Applications

App registration management

Microsoft.Graph.Identity.DirectoryManagement

Directory operations

Bastion or air-gapped hosts: pre-install the modules before running the script. Use Save-Module on an internet-connected machine and copy the modules across, or use Azure Cloud Shell instead.

Required permissions

The person running the script must have enough access to create the service principal, assign read-only roles, and validate billing access.

Requirement

Details

Entra ID role

Global Administrator or Application Administrator

Elevated access

Enable Entra ID → Properties → Access management for Azure resources → Yes before running the script. Remove elevated access immediately after onboarding.

Management group access

Management Group Reader as a minimum.

Resource providers

Permission to register Microsoft.Management, Microsoft.Capacity, and Microsoft.BillingBenefits.

Agreement-specific requirements:

  • Enterprise Agreement (EA): Enterprise Administrator role in the EA portal. The enrollment must be onboarded to the Azure portal for modern billing API access.

  • Microsoft Customer Agreement (MCA): Billing Account Owner or Billing Profile Owner role.

  • Cloud Solution Provider (CSP): Admin Agent role in Partner Center.

What the script does

  1. Authenticates using interactive browser by default, with device code available for headless or bastion environments. A tenant ID can be specified when needed.

  2. Lists billing accounts and lets you select the relevant account. Agreement type is auto-detected where possible.

  3. Runs pre-flight checks to validate required permissions before creating anything. If blocking issues are found, the script exits cleanly without creating resources.

  4. Creates a service principal named CrayonCloudEconomicsReader in Entra ID, with a configurable secret expiry. The default is 36 months.

  5. Assigns read-only roles across the required scopes.

  6. Exports CSV files containing the onboarding details and client secret.

  7. Validates access by testing the created service principal against the configured role assignments.

Role

Scope

Reader

Management group root

Cost Management Reader

Management group root

Reservations Reader

Microsoft.Capacity provider

Savings Plan Reader

Microsoft.BillingBenefits provider

Carbon Optimization Reader

Management group root

Reader

Individual savings plans, where applicable

Enrollment Reader or Billing Account Reader

Billing account, depending on agreement type
Output files and secure transfer

The script exports two CSV files. Treat the secret file as sensitive credential material.

File

Contents

Sensitivity

CrayonCloudEconomics-<TenantName>-<Date>.csv

Tenant ID, tenant name, domain, country code, agreement type, App ID, and secret expiry.

Safe to store

CrayonCloudEconomics-<TenantName>-<Date>-SECRET.csv

Tenant ID, App ID, client secret, and secret expiry.

Sensitive

Important: send both CSV files securely via deila.sensa.is to your Crayon or SoftwareOne representative. After transfer, delete the local crayon working directory from the machine where the script was run.

For most customers, the technical setup takes a few business days. The first full report with meaningful trend data is typically ready within two to four weeks, since several recommendations require a usage baseline before they're reliable.

Known limitations

Read this before acting on recommendations: Azure Cost Control is decision-support, not an automated execution platform. Validate recommendations against customer context before committing to purchases or changes.

  • No write-back for VMs or resources. AHUB has a script you can run, but the platform itself does not modify anything in your Azure estate. Reservation purchases, Savings Plan commitments, and right-sizing actions all happen in the Azure portal under your control.

  • Recommendations are based on historical usage. Lookback periods are configurable, but planned product launches, migrations, or workload changes should be factored in manually before committing to multi-year reservations.

  • Emissions data has a one-month lag. This is a Microsoft limitation, not ours. The Cloud Emissions page will always show last month's data as the latest available. Data will arrive between 18–23 for last month.

  • Anomaly detector explanations are AI-generated. They are typically accurate and useful, but they are not infallible. For high-value anomalies, validate the underlying data before acting.

  • Multi-cloud cost views are not part of this product. Azure Cost Control covers Azure. AWS and GCP are covered by their respective CCC modules. We are actively working to consolidate the reports into one unified cost control report, but there is no confirmed timeline.

FAQ

How does Cost Guardian decide what's an anomaly?

Cost Guardian establishes a baseline per Azure service over the trailing period and flags statistically significant deviations. The AI layer (Azure OpenAI) generates the natural-language explanation by analyzing the anomaly in context: what changed, when, on which subscription, and against which baseline. The output explains why the anomaly occurred, not just that it did.

Can we trust the reservation break-even analysis enough to commit to a 3-year purchase?

The break-even math is based on your actual trailing usage and Microsoft's published reservation pricing, so the underlying numbers are reliable. A 3-year commitment is still a 3-year commitment, though. If you're planning workload migrations or major architectural changes within that window, factor those in before clicking purchase. The platform gives you the math; the business decision sits with you.

How does AHUB compliance get determined?

The platform compares allocated AHUB packages on your VMs against the eligible package count from your Microsoft license agreement, which you need to enter in the report. If allocated exceeds eligible, the compliance badge flips. If allocated is below eligible, you have headroom, which usually means a savings opportunity that the optimization view will surface.

Can we filter by tags?

Yes. Most pages support filtering by tag key and tag value, which is how customers typically isolate environments (Production, Staging, Dev), business units, or cost centers. If your tagging strategy is inconsistent, the filter is still useful — it will just expose the inconsistency.

Does the platform support Azure Stack or sovereign clouds?

Commercial Azure is fully supported. Azure Government, Azure China (21Vianet), and Azure Stack Hub are not currently in scope. If you have a specific requirement, let us know; whether we can support it depends on whether the underlying APIs are accessible to our fetching layer.

How often does the data refresh?

The default is daily, aligned with Azure's billing cycle. Cost Guardian anomaly detection runs monthly between 18–23; there is no real-time alerting layer.

Will recommendations conflict with existing reservations or savings plans?

No. The recommendation engine accounts for your existing commitment coverage. RI recommendations only flag uncovered usage, and Savings Plan recommendations are calculated on top of what is already committed. If you already have full coverage on a workload, you will not see it recommended again.

Offboarding

Contact your SoftwareOne account manager or email CloudCostControl@crayon.com. Because Azure access is granted at the subscription or billing account level rather than through a single consent application, offboarding is handled per engagement. We'll walk you through the specific access revocation steps based on how your tenant was onboarded.

Support

Need

Contact

Onboarding, offboarding, technical support

CloudCostControl@crayon.com

Demo request or commercial questions

Your SoftwareOne account team

White-label or partner enquiries

SoftwareOne BI & Data Solutions team


Sales Material

One-Pager

Azure_Cost_Control_one-pager.pptx

Maintained by the SoftwareOne BI & Data Solutions team. This page describes the customer-facing product. For internal architecture and engineering documentation, see the CCC team space in Notion.