Azure Cost & Risk Review

See exactly where your Azure bill is leaking.

Start with a free read-only check — it reads your Azure configuration and cost data, not your application data, and shows where spend is leaking, plus security and reliability risks. Then book the full fixed-fee review, led by a Principal Cloud Architect with 14+ years at enterprise scale. Nothing is changed. You stay in control.

Want the full review instead? Book your Azure cost review →

Running on AWS? Try the AWS Cost & Risk Review →

Principal Cloud Architect · 14+ years · enterprise scale across 56 countries. No sales pitch — just a straight read on your Azure setup.

What You Get

Five pillars. One report. Plain English findings.

Cloud Spend Analysis

We identify idle and over-provisioned resources, reservation and savings-plan gaps, untiered storage, and whether your tagging is good enough to allocate costs accurately.

Security and Identity Posture

We check Defender for Cloud coverage, public network exposure on PaaS, Key Vault protection, encryption, and standing privileged access — without reading any of your data.

Reliability and Operations

We check zone redundancy, backups, and failover, plus whether Azure Policy, diagnostics, and monitoring are in place before your customers notice something's wrong.

How It Works

Three steps. Under 60 minutes.

01

Grant read-only access

A Microsoft Entra tenant admin grants consent and assigns Reader + Cost Management Reader at the subscription scope. SCAI requests no access to your data — only the two read-only roles you assign.

02

We run the audit

Our engine reads configuration and cost signals across the 5 Well-Architected pillars. Only configuration and cost state is read; your application data never leaves your tenant, and only the processed findings are stored. Typically completes in 30–60 minutes.

03

Read your report

You receive an interactive report and a PDF by email. Findings are grouped by severity and pillar, with plain English explanations and A$ impact for each opportunity.

Start your free audit

You'll need your subscription ID and your tenant ID. Find the subscription ID in the Azure portal under Subscriptions, and the tenant ID under Microsoft Entra ID → Overview.

Alternative Paths

Not ready to grant consent yet? No problem.

The self-serve path works for most teams. If your environment or security policy requires a different approach, two alternatives are available.

1 · Free · 20 minutes

Guided Setup Call

“Our security team requires approval before granting app consent.”

That’s a reasonable policy and a common one. Book a 20-minute call and we’ll walk through exactly what the read-only access can and can’t do, and which roles you assign — every permission explained before a tenant admin grants consent.

  • You review the access and roles with us before consenting
  • Your tenant admin grants consent — we never touch your portal
  • Audit runs once consent is verified and the roles are in place
  • Not billable — this is a setup walkthrough, not a paid session
2 · Open source · No cross-tenant access

Run It Locally

“I can’t register an external app in our tenant.”

Run our open-source CLI tool in your own environment using your own Azure credentials. No external app or consent is required: the tool runs entirely on your machine, queries Azure with the identity you're signed in as, and sends nothing to SCAI.

  • Runs locally with your own Azure credentials — no app registration or consent needed
  • Checks 5 Well-Architected pillars: cost, security, reliability, operational excellence, performance
  • Outputs a self-contained HTML report you can open in any browser
  • Python + azure-identity — inspect every line of source before running

# Install and run

pip install -r requirements.txt

python azure_analyzer.py --subscription <your-subscription-id>

Security and Data Handling

Your data stays where it is.

The read-only access reads Azure configuration and cost metadata — not your files, not your databases, not your application data. It cannot create, modify, or delete anything. You assign Reader and Cost Management Reader yourself when you grant consent, and remove them as soon as your report is ready.

What the read-only access can see

Configuration checks only

  • Whether your storage accounts allow public network access — not the contents of your blobs or files
  • Whether your sign-ins and Defender for Cloud plans are configured — not your users' passwords or credentials
  • Whether your SQL databases and disks are encrypted — not the data inside your databases
  • Your Azure cost and usage totals from Cost Management — not itemized transaction data or business records
  • Whether diagnostic settings, Key Vault protection, and Advisor are enabled — not the contents of your logs
  • VM sizes, SKUs, and utilisation metrics — not what your applications are doing or what data they process

What it cannot do

  • Create, modify, or delete any resource
  • Access the contents of any blob, file, or queue
  • Read any database, application data, or secrets
  • Make API calls that change your configuration
  • Elevate beyond the Reader and Cost Management Reader roles you assign

SCAI requests no Microsoft Graph data permissions — only the Reader and Cost Management Reader roles you assign at the subscription scope. If a permission is not one of those two roles, the access does not have it.

How the read-only access works

When a tenant administrator grants consent, Azure registers SCAI's read-only application (service principal) in your Microsoft Entra tenant. You then assign it Reader and Cost Management Reader at the subscription scope, nothing more. SCAI requests no Microsoft Graph data permissions; all access is the RBAC you grant. Reader is control-plane read access (`*/read`) at the scope you assign it: resource definitions, properties, tags and ARM deployment history, not data-plane contents such as blob data or Key Vault secret values. One check worth doing before you grant it: confirm your team hasn't embedded plaintext secrets in resource properties, tags, or deployment parameters and outputs, because any Reader can see those.

Consent is proven by a Microsoft-signed sign-in, not a self-asserted form: before any scan runs, SCAI verifies that the consenting tenant matches the one you submitted and that the read-only roles are actually in place. The report is delivered only to an address in your tenant's verified domain. You can remove the roles or the application at any time and access is revoked immediately.

What happens to your data

During the audit

SCAI's audit function authenticates as the consented read-only application, runs read-only Resource Graph, Monitor, Advisor, and Cost Management calls, and processes the responses in memory. Raw API responses are not stored. Only processed findings — configuration state, not data contents — are written to a private storage bucket in Sydney (ap-southeast-2).

After the audit

  • Your findings report is stored in SCAI's private storage for 90 days, then automatically deleted.
  • Your email address and company name are stored to allow us to send your report and follow-up communications.
  • No findings data or account configuration data is shared with third parties.

Your rights under the Privacy Act 1988 (Cth): You may request deletion of your data at any time by emailing privacy@scaitechnologies.com. SCAI will confirm deletion within 30 days.

How to revoke access

We recommend removing the access immediately after you have reviewed your report. Doing so does not affect your access to your report — the findings are stored on our end.

Option 1 — Remove the role assignments (recommended)

  1. Open your subscription in the Azure portal → Access control (IAM) → Role assignments
  2. Find the SCAI Cloud Audit app under Reader and Cost Management Reader
  3. Remove both assignments

Option 2 — Entra ID → Enterprise applications: find SCAI Cloud Audit and delete the application to revoke it entirely. Note that deleting the service principal revokes access immediately but leaves its role assignments behind as orphaned entries (shown as "Identity not found" under Access control (IAM)), so do Option 1 as well to keep your IAM view clean.
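The two checks a tenant admin will want around this process are the same whichever option you use: before the audit, confirm the service principal holds exactly Reader and Cost Management Reader at the subscription scope and nothing else (no Owner inherited from a management group, no assignment at root); after the audit, remove every assignment it has and then the principal. The following is an added example, not SCAI's code and not part of the original page. It takes the JSON printed by `az role assignment list --assignee <sp-object-id> --all --include-inherited -o json`, reports any deviation from the grant described above, and prints the `az` commands that would revoke it. The subscription ID, principal object ID, management group name and assignment IDs are constructed placeholders, and the sample records are built inline so the script runs offline.

```python
"""Verify the audit service principal's RBAC grant and emit revocation commands.

Input shape: the JSON from
  az role assignment list --assignee <sp-object-id> --all --include-inherited -o json
Added example, not SCAI's code. All IDs below are constructed placeholders.
"""
import json
from dataclasses import dataclass

# The grant the page describes: these two built-in roles, at subscription scope only.
EXPECTED_ROLES = {"Reader", "Cost Management Reader"}

# Constructed placeholders, not real identifiers.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000001"
SP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"
SUB_SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}"
MG_SCOPE = "/providers/Microsoft.Management/managementGroups/contoso-root"


def _assignment(role: str, scope: str, seq: int) -> dict:
    """Build one record shaped like az's output (only the fields this script reads)."""
    return {
        "id": f"{scope}/providers/Microsoft.Authorization/roleAssignments/"
              f"aaaaaaaa-0000-0000-0000-{seq:012d}",
        "principalId": SP_OBJECT_ID,
        "principalType": "ServicePrincipal",
        "roleDefinitionName": role,
        "scope": scope,
    }


# Constructed sample 1: exactly what the page says you assign.
SAMPLE_OK = json.dumps([_assignment("Reader", SUB_SCOPE, 1),
                        _assignment("Cost Management Reader", SUB_SCOPE, 2)])
# Constructed sample 2: a drifted grant. Owner inherited from a management group,
# and Cost Management Reader was never assigned.
SAMPLE_BAD = json.dumps([_assignment("Reader", SUB_SCOPE, 1),
                         _assignment("Owner", MG_SCOPE, 3)])


@dataclass(frozen=True)
class Assignment:
    id: str
    role: str
    scope: str
    principal_id: str


def parse_assignments(raw_json: str) -> list[Assignment]:
    """Pick the fields we need out of az's role assignment records."""
    return [Assignment(a["id"], a["roleDefinitionName"], a["scope"], a["principalId"])
            for a in json.loads(raw_json)]


def check_least_privilege(assignments: list[Assignment], subscription_id: str,
                          principal_id: str) -> list[str]:
    """Return a sorted list of problems; an empty list means the grant matches exactly.

    Flags any role outside EXPECTED_ROLES (wherever it is assigned), any expected
    role assigned at a scope other than the subscription (a management group or
    root assignment is inherited and is broader than what was agreed), and any
    expected role that is missing.
    """
    expected_scope = f"/subscriptions/{subscription_id}".lower()
    problems: list[str] = []
    found: set[str] = set()
    for a in assignments:
        if a.principal_id != principal_id:
            continue  # another principal's record slipped into the input; ignore it
        if a.role not in EXPECTED_ROLES:
            problems.append(f"unexpected role '{a.role}' at {a.scope}")
        elif a.scope.lower() != expected_scope:
            problems.append(f"'{a.role}' assigned at {a.scope}, expected {expected_scope}")
        else:
            found.add(a.role)
    problems += [f"missing role '{r}' at {expected_scope}" for r in sorted(EXPECTED_ROLES - found)]
    return sorted(problems)


def revoke_commands(assignments: list[Assignment], principal_id: str) -> list[str]:
    """Commands for Option 1 (delete each assignment by its resource ID), then
    Option 2 (delete the service principal). Returned for review, never executed."""
    cmds = [f'az role assignment delete --ids "{a.id}"'
            for a in assignments if a.principal_id == principal_id]
    cmds.append(f"az ad sp delete --id {principal_id}")
    return cmds


if __name__ == "__main__":
    for label, raw in (("expected grant", SAMPLE_OK), ("drifted grant", SAMPLE_BAD)):
        problems = check_least_privilege(parse_assignments(raw), SUBSCRIPTION_ID, SP_OBJECT_ID)
        print(f"{label}: {'OK' if not problems else 'PROBLEMS'}")
        for p in problems:
            print("  -", p)
    print("\nRevocation commands for the expected grant:")
    print("\n".join(revoke_commands(parse_assignments(SAMPLE_OK), SP_OBJECT_ID)))
```

Run the same check before the audit (to confirm what the admin actually assigned) and again after revoking (expect two "missing role" findings and nothing else). Deleting assignments by resource ID rather than by role name avoids touching any other principal's assignment that happens to share the role.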

Quick reference

Common security questions answered plainly.

Can SCAI change anything in my subscription?

No. The access is read-only — Reader plus Cost Management Reader. It cannot create, modify, or delete resources.

Can SCAI see my data — databases, files, secrets?

No. The access reads configuration and cost state, not data contents. Your application data, database contents, and blob/file contents are never accessed.

Can SCAI access my tenant after the audit is done?

Only while the roles remain assigned. Remove the Reader and Cost Management Reader assignments or delete the enterprise application in Entra ID and access is fully revoked.

Where is my data stored?

Sydney (ap-southeast-2), private encrypted storage. 90-day retention, then automatically deleted.

Who can see my findings?

Only SCAI's authorised staff and the automated audit system. Findings are not shared with any third party.

What if I don't want to register an external app at all?

Run our open-source command-line tool locally in your own environment using your own credentials. No external app or cross-tenant access is required, and it produces a self-contained HTML report on your machine.

Is this Privacy Act compliant?

Yes. Data is stored in Australia, retained for 90 days, and deletable on request under the Privacy Act 1988 (Cth). Email privacy@scaitechnologies.com to request deletion.

Common Questions

Questions?

Can you change anything in my Azure subscription?

No. SCAI's app is granted strictly read-only access — Reader plus Cost Management Reader at the subscription scope. It cannot create, modify, or delete any resource. You assign those roles yourself when you grant consent, and you can remove them at any time.

Who has to grant access?

A Microsoft Entra (Azure AD) tenant administrator. Granting consent registers SCAI's read-only service principal in your tenant, the Azure counterpart of deploying a read-only cross-account role in AWS. If you're not an admin, forward the consent link to whoever administers your tenant.

Does my data leave my tenant?

No. The audit reads configuration and cost metadata via Azure Resource Graph, Azure Monitor, Advisor, and Cost Management — not your application data, databases, or files. Only the generated findings report is stored, in SCAI's private, encrypted storage in Sydney (ap-southeast-2).

How do I revoke access after the audit?

Remove the Reader and Cost Management Reader role assignments from the SCAI Cloud Audit app, or delete its enterprise application (service principal) entirely, in Entra ID → Enterprise applications. Access is fully revoked the moment you do — your report stays available.

Do I have to pay anything?

The read-only check and its report are free. We offer paid follow-up services — an Azure Cost & Risk Review, a Remediation Sprint, and a Managed FinOps retainer — but only if you want them.

What does the audit actually check?

Five Azure Well-Architected pillars: Cost Optimization (idle and over-provisioned resources, reservations, storage tiering), Security (Defender plans, public network exposure, Key Vault, identity), Reliability (zone redundancy, backups, failover), Operational Excellence (policy, diagnostics, monitoring), and Performance Efficiency. Findings are scored and prioritised by severity and A$ impact.

Is this Privacy Act compliant?

Yes. The findings report is stored in Australia, encrypted at rest, and deletable on request under the Privacy Act 1988 (Cth). Email privacy@scaitechnologies.com to request deletion.