
Onboarding Guide

From your first sign-in to your first cost recommendation — in under 30 minutes.

Also available in the Platform

This guide mirrors the Setup guide inside the Zation FinOps Platform at platform.zation.io → Settings → Tenants. You can follow either — both result in the same App Registration and role assignments.

Prerequisites

Before you start, make sure you have:

  • An active Microsoft Entra ID tenant
  • A Global Administrator account for the initial App Registration and admin consent
  • For Azure FinOps: Owner or User Access Administrator on the Tenant Root Group (Management Group)
  • For Microsoft 365 FinOps: a Microsoft 365 tenant connected to the same Entra ID
  • About 15–20 minutes to walk through the Azure Portal steps
Permissions required for setup

The setup itself needs elevated rights (Global Administrator, Owner on the Management Group). Once setup is complete, the Zation Platform only holds read-only permissions on the assigned scopes. See Permissions for the full list.

Step 1 — Sign in to the Platform

Open platform.zation.io and click Sign in with Microsoft. On first sign-in from your tenant, Microsoft shows the consent screen for the Zation Platform multi-tenant app:

Microsoft consent screen for the Zation Platform app, listing the requested permissions

One-time admin consent

A Global Administrator grants tenant-wide consent once: tick Consent on behalf of your organization, then click Accept. This registers the Zation Enterprise application for the whole tenant — afterwards regular accounts sign in without re-consenting. The admin doesn't need their own Platform account; they can open platform.zation.io solely to grant this consent.

After accepting, the Platform automatically opens the Onboarding Wizard:

Onboarding Wizard welcome step: Set up your Microsoft connection in four steps — Welcome, App Registration, Permissions, Verify

The wizard walks you through the four steps shown there: Welcome → App Registration → Permissions → Verify. Click Get started to begin Step 2.

Step 2 — Create the App Registration

In this step you create a dedicated App Registration that the Zation Platform uses to read your data.

  1. In the Azure Portal, open Microsoft Entra ID → App registrations → + New registration.
  2. Configure the registration:
    • Name: Zation Platform Connector
    • Supported account types: Single tenant
    • Redirect URI: leave empty
  3. Click Register.
  4. From the Overview page, copy the Directory (tenant) ID and Application (client) ID, and paste them into the Setup guide form in the Platform.
  5. Open Certificates & secrets → + New client secret:
    • Description: Zation Platform
    • Expires: 24 months (recommended)
  6. Click Add, then copy the secret value immediately and paste it into the Setup guide.
Secret is only shown once

The client secret value is visible only at creation time. If you navigate away before copying it, you'll need to create a new secret.

Step 3 — Grant Microsoft Graph permissions

Skip this step if you don't plan to use the Microsoft 365 module. You can return to it later.

  1. Inside the Zation Platform Connector App Registration, open API permissions → + Add a permission → Microsoft Graph → Application permissions.

  2. Add the following permissions:

    Permission                               | Used for
    -----------------------------------------|--------------------------------------------------
    Directory.Read.All                       | Tenant directory, group memberships
    User.Read.All                            | License assignments per user
    Reports.Read.All                         | Microsoft 365 usage reports (Adoption module)
    AuditLog.Read.All                        | Sign-in activity for the Adoption module
    UserAuthenticationMethod.Read.All        | MFA coverage in the Security tile
    Device.Read.All                          | Device inventory
    DeviceManagementManagedDevices.Read.All  | Intune-managed devices
    Organization.Read.All                    | Tenant-level licensing facts
    TeamsUserConfiguration.Read.All          | Teams user configuration
    CallRecords.Read.All                     | Teams call quality and usage metrics
  3. Click Grant admin consent for <Tenant> → Yes.

Admin consent step is mandatory

Without admin consent, the permissions appear as Not granted and the Microsoft 365 sync will fail with Insufficient privileges. Granting consent requires a Global Administrator or Privileged Role Administrator.
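The Platform's Verify step reports consent status, but a quick independent check from the tenant side confirms that each Step 3 permission was actually admin-consented and flags anything granted beyond that list. This is an added example, not code from the Zation Platform; it assumes the Microsoft.Graph PowerShell module and that `$ClientId` is the Application (client) ID copied in Step 2 (the value below is a placeholder).

```powershell
# Added example (not part of the Zation setup guide): confirm that every Microsoft Graph
# application permission from Step 3 is admin-consented for the Zation Platform Connector app.
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser
# $ClientId = Application (client) ID from Step 2 (placeholder below)
param([string]$ClientId = '<application-client-id>')

# Reading service principals needs a delegated Application.Read.All scope
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# The application permissions the guide asks for in Step 3
$Expected = @(
    'Directory.Read.All', 'User.Read.All', 'Reports.Read.All', 'AuditLog.Read.All',
    'UserAuthenticationMethod.Read.All', 'Device.Read.All',
    'DeviceManagementManagedDevices.Read.All', 'Organization.Read.All',
    'TeamsUserConfiguration.Read.All', 'CallRecords.Read.All'
)

# Service principal of the connector app in this tenant
$connector = Get-MgServicePrincipal -Filter "appId eq '$ClientId'"
if (-not $connector) { throw "No service principal found for app $ClientId in this tenant." }

# Microsoft Graph's own service principal (well-known appId) carries the appRole definitions
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Admin consent for an application permission is stored as an appRoleAssignment on the
# connector SP whose ResourceId is the Graph SP; map each AppRoleId back to its name
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $connector.Id |
    Where-Object { $_.ResourceId -eq $graph.Id } |
    ForEach-Object { $roleId = $_.AppRoleId; ($graph.AppRoles | Where-Object Id -eq $roleId).Value }

$missing = $Expected | Where-Object { $_ -notin $granted }
$extra   = $granted  | Where-Object { $_ -notin $Expected }   # anything beyond the documented list

if ($missing) { Write-Warning "Not consented: $($missing -join ', ')" }
else          { Write-Host 'All Step 3 permissions are granted.' }
if ($extra)   { Write-Warning "Granted but not in the Step 3 list: $($extra -join ', ')" }
```

A permission that shows as missing here is exactly the "Not granted" case from the troubleshooting table; re-run Grant admin consent and check again.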

Step 4 — Assign Azure RBAC roles

Skip this step if you don't plan to use the Azure FinOps module.

The Platform reads cost, metric, and resource data at the Management Group scope, so a single set of role assignments covers every Azure subscription in your tenant.

Roles on the Tenant Root Group

  1. In the Azure Portal, open Management Groups → Tenant Root Group → Access control (IAM) → + Add role assignment.

  2. Assign these built-in roles to the Zation Platform Connector service principal:

    Role                        | Purpose
    ----------------------------|--------------------------------------------------------
    Reader                      | Resource inventory, tags, diagnostic settings
    Cost Management Reader      | Cost and usage data
    Monitoring Reader           | CPU, memory, I/O metrics for right-sizing
    Backup Reader               | Backup policies and recovery points
    Log Analytics Reader        | Workspace queries for activity-based recommendations
    Carbon Optimization Reader  | Emissions data for the GreenOps module

Reservation Reader and Savings Plan Reader

These two roles are not inherited from the Management Group and must be assigned per resource.

Prerequisite for these two roles

Assigning roles on Reservations and Savings Plans requires Global Administrator AND Access management for Azure resources set to Yes under Microsoft Entra ID → Properties. The toggle can be reverted once the assignments are done.

  • Reservation Reader — for each Reservation: Reservations → <Reservation> → Access control (IAM)
  • Savings Plan Reader — for each Savings Plan: Savings Plans → <Savings Plan> → Access control (IAM)

The Setup guide and Onboarding Wizard in the Platform offer a download for zation-rbac-setup.ps1 that assigns all six Management Group roles plus the per-resource Reservation Reader and Savings Plan Reader assignments in one run.

# Requires: Owner or User Access Administrator on the Tenant Root Group
# Module: Install-Module Az -Scope CurrentUser
.\zation-rbac-setup.ps1

The script prompts for the Tenant Root Group name and uses the Client ID from your App Registration. RBAC propagation can take up to 30 minutes.
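If you prefer to script the six Management Group assignments yourself rather than run zation-rbac-setup.ps1, the following added example (not the Platform's own script) does that idempotently with the Az module and then checks that the service principal holds nothing beyond the documented read-only roles at that scope. It assumes `$ClientId` is the Application (client) ID from Step 2 and `$MgName` is the Tenant Root Group's ID (by default the Entra tenant ID, not the display name); both values below are placeholders.

```powershell
# Added example (not the zation-rbac-setup.ps1 shipped by the Platform): assign the six
# Management Group roles from Step 4 to the connector service principal and verify the result.
# Requires: Install-Module Az -Scope CurrentUser, and Owner or User Access Administrator
# on the Tenant Root Group.
param(
    [string]$ClientId = '<application-client-id>',   # Application (client) ID from Step 2
    [string]$MgName   = '<tenant-root-group-id>'     # Management Group ID (tenant ID by default)
)

Connect-AzAccount | Out-Null

# The six built-in roles listed in Step 4
$Roles = @(
    'Reader', 'Cost Management Reader', 'Monitoring Reader',
    'Backup Reader', 'Log Analytics Reader', 'Carbon Optimization Reader'
)

$sp = Get-AzADServicePrincipal -ApplicationId $ClientId
if (-not $sp) { throw "No service principal for app $ClientId in this tenant." }

# Management Group scopes use the group ID, not the display name
$scope = "/providers/Microsoft.Management/managementGroups/$MgName"

foreach ($role in $Roles) {
    # Get-AzRoleAssignment also returns inherited assignments, so filter on the exact scope
    $exists = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $role -Scope $scope |
              Where-Object Scope -eq $scope
    if ($exists) { Write-Host "Already assigned: $role"; continue }
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $role -Scope $scope | Out-Null
    Write-Host "Assigned: $role"
}

# Least-privilege check: flag any role on the SP at this scope that is not one of the six
$assigned   = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope | Where-Object Scope -eq $scope
$unexpected = $assigned | Where-Object { $_.RoleDefinitionName -notin $Roles }
if ($unexpected) {
    Write-Warning "Roles beyond the documented set: $($unexpected.RoleDefinitionName -join ', ')"
} else {
    Write-Host "Only the six documented read-only roles are assigned at $scope."
}
```

The Reservation Reader and Savings Plan Reader assignments are not covered here because they are scoped per Reservation and per Savings Plan, as described above; allow for the RBAC propagation delay before running Verify.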

Step 5 — Verify and first sync

Back in the Platform, click Verify in the Setup guide. The Platform validates the App Registration, the granted Graph permissions, and the RBAC assignments.

When verification succeeds, the initial data sync starts automatically. Depending on the size of your environment this takes 5–20 minutes. You can continue using the Platform in the meantime — recommendations appear as soon as enough data is available.

Troubleshooting

Symptom | Likely cause | Fix
--------|--------------|----
Verify returns AADSTS70011 | Wrong tenant signed in to Azure Portal | Sign in to the Portal with an account from the customer tenant before running the steps
Graph permissions stay Not granted | Admin consent step skipped | Open the App Registration, then API permissions → Grant admin consent for <Tenant>
Azure RBAC assignment fails on a Reservation | Access management for Azure resources toggle is off | Set the toggle to Yes under Microsoft Entra ID → Properties, retry, then revert
Sync stays at 0% after 30 minutes | RBAC propagation still in progress | Wait up to 30 minutes; re-run Verify afterwards
Insufficient privileges on first M365 sync | Graph permission missing or not consented | Re-check the table in Step 3

Next steps

  • Permissions — full reference of every role and scope Zation uses
  • FAQ — common questions from new customers

Did this help? Send feedback to platform@zation.io.