Write Permissions Setup: Separate vs Shared

Overview

This guide walks you through the steps to enable write permissions for your Azure cloud account in Spotto.

Steps to Enable Write Permissions

1. Go to Cloud Accounts in the Spotto Portal

2. Select your Azure cloud account or create a new one

3. Configure your read access credentials (if not already configured)

4. In the Write Permissions Configuration section:

   • Enable the "Enable write access" toggle
   • Optionally enable "Use separate credentials for write operations" for enhanced security (recommended)

5. If using separate credentials, enter the Write Access Credentials:

   • Client ID
   • Client Secret
   • Secret Expires At

6. In the Write Permissions section, select which permissions you want to enable:

   • Dismiss Azure Advisor Recommendations
   • Storage Inventory write provisioning (future scope; current inventory automation is reader-only)

7. Expand the Custom Role for Least Privilege section and copy the JSON template

8. Create the custom role in Azure using the template (see Custom Roles)

9. Click Validate to verify credentials and permissions

10. Click Update to save your configuration

Spotto will verify that your service principal has the required permissions for the features you selected.

Credential Configuration Options

Spotto offers two ways to configure write permissions, each with different security implications:

Same Credentials Approach

• Uses your existing read access credentials for write operations
• Simpler to set up and manage
• Trade-off: A compromised credential has both read and write access
• Suitable for: Development, testing, or low-risk environments

Separate Credentials Approach (Recommended)

• Uses dedicated service principals for read and write operations
• Enhanced security through credential isolation
• Follows the principle of least privilege
• Suitable for: Production environments and security-conscious deployments

If using separate credentials, create two service principals:

Read-Only Service Principal:

• Name: Spotto AI Read
• Roles: Reader, Billing Reader
• Used for: Continuous monitoring and analysis

Write Access Service Principal:

• Name: Spotto AI Write
• Roles: Custom role with only the permissions needed for enabled features
• Used for: Automated actions based on your selections

Creating a Separate Write Access Service Principal

If you choose to use separate credentials, follow these steps to create a dedicated write access service principal:

1. Create an Entra ID Application

1. Go to the Azure Portal and sign in
2. Search for Entra ID and click on "Microsoft Entra ID"
3. On the left menu, expand Manage and click on App registrations
4. Click New registration
5. Enter a name, e.g., Spotto AI Write
6. Under Supported account types, choose Accounts in this organizational directory only
7. Leave the Redirect URI blank, then click Register

After registration, record the following details:

• Application (client) ID
• Directory (tenant) ID

2. Create a Client Secret

1. In the App Registration you just created, go to Manage > Certificates & secrets
2. Under Client secrets, click New client secret
3. Enter a description (e.g., SpottoWriteSecret) and choose an expiry period (recommended: 12 months)
4. Click Add

info

Copy the Client Secret Value immediately — it won't be shown again.

Also record the Secret Expires At date.

3. Assign Required Roles

For each write permission you want to enable, assign the appropriate custom role to your write access service principal:

• For Dismiss Azure Advisor Recommendations: Create and assign the custom role
• For Storage Inventory write provisioning (future scope): see Storage Inventory access model

See Custom Roles for Least Privilege for detailed instructions on creating roles with minimal permissions.

Troubleshooting

Validation fails after assigning roles

What you're seeing: Spotto reports validation failed when you click Validate Credentials. Likely causes: Wrong tenant/app IDs, secret value copied incorrectly, or Azure role propagation delay. How to fix:

1. Re-check Application ID, Tenant ID, and secret value.
2. Confirm the role assignment is at the subscription scope.
3. Wait 5–10 minutes and validate again.

I’m not sure whether to use shared vs separate credentials

What you're seeing: You’re blocked choosing between “same credentials” and “separate credentials”. Likely causes: It’s unclear who should own write credentials and what audit constraints you have. How to fix:

1. Use separate credentials when you want tighter audit boundaries and faster revocation.
2. Use shared credentials when you want simpler operations and you’re comfortable with the same identity for read/write.
3. If you have strict governance requirements, prefer separate credentials and a least-privilege custom role.

Next Steps

After configuring write permissions:

• Review Security Best Practices to ensure proper credential management
• Learn about Custom Roles for Least Privilege to minimize permissions
• If you encounter issues, see Troubleshooting

For further assistance, please Contact Us.