Blog Post

Azure Infrastructure Blog
4 MIN READ

Automating Azure OpenAI Cost Control Using Budgets, Action Groups, and Automation Runbooks

trisha1302's avatar
trisha1302
Icon for Microsoft rankMicrosoft
Mar 24, 2026

As organizations increasingly adopt Azure OpenAI for use cases such as generative AI, analytics, and experimentation, cost governance becomes a critical operational concern. Azure OpenAI workloads can scale quickly, and without proper controls, unmonitored usage may lead to unexpected and significant cost overruns. This blog describes a practical, enterprise-ready automation pattern to control Azure OpenAI costs by combining Azure Budgets, Action Groups, and Azure Automation Runbooks. The solution automatically enforces cost limits by disabling Azure OpenAI API access when a budget threshold is breached, while still providing a controlled and auditable manual recovery process.

Introduction

As organizations increasingly adopt Azure OpenAI for use cases such as generative AI, analytics, and experimentation, cost governance becomes a critical operational concern. Azure OpenAI workloads can scale quickly, and without proper controls, unmonitored usage may lead to unexpected and significant cost overruns.

This blog describes a practical, enterprise-ready automation pattern to control Azure OpenAI costs by combining Azure Budgets, Action Groups, and Azure Automation Runbooks. The solution automatically enforces cost limits by disabling Azure OpenAI API access when a budget threshold is breached, while still providing a controlled and auditable manual recovery process.

Solution Overview

This pattern combines three native Azure capabilities:

  • Azure Budgets (for cost monitoring and threshold detection)
  • Action Groups (to trigger automation and send notifications)
  • Azure Automation Runbooks (to enforce and recover access)

When the budget threshold is reached, an Automation Runbook is triggered to programmatically disable the Azure OpenAI API—immediately stopping further token consumption and cost growth. Access is restored using a separate manual enable runbook to ensure review and approval.

Key Objectives

  • Prevent unplanned Azure OpenAI cost overruns
  • Enforce usage discipline without manual intervention
  • Provide a controlled, auditable recovery workflow
  • Enable safe experimentation with financial guardrails

Architecture Components:

 

1. Azure Budget (Resource Group Scope)

An Azure Budget is configured at the resource group level containing the Azure OpenAI resource. The budget continuously tracks actual costs and triggers alerts when predefined percentage thresholds (for example, 80%, 90%, or 100%) are reached.

Why resource group scope?

  • Clear ownership and accountability
  • Isolated cost boundaries
  • Easier governance and rollback

2. Action Group Integration

The budget alert is connected to an Azure Action Group, which acts as the bridge between cost detection and automated enforcement.

Action Group responsibilities:

  • Trigger Azure Automation runbooks
  • Notify stakeholders via email
  • Provide centralized alert handling

3. Azure Automation Account and Runbooks

An Azure Automation Account hosts two PowerShell-based runbooks:

Runbook Name

Purpose

alert-budget-runbook-disable

Automatically disables Azure OpenAI API access

alert-budget-runbook-enable

Manually re-enables Azure OpenAI API access

The disabled runbook is directly invoked by the Action Group and executes automatically upon a budget breach. The enable runbook is executed manually after review and approval.

Automated Enforcement Flow

Step 1: Budget Threshold Breach

  • Azure Budget monitors actual cost consumption
  • When the defined threshold is crossed, a budget alert is fired

Step 2: Action Group Triggers Automation

  • The Action Group invokes the disable runbook
  • No manual intervention is required
  • Execution is logged for audit purposes

     

    Connect-AzAccount -Identity
Set-AzContext -subscription xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx 
Set-AzCognitiveServicesAccount -ResourceGroupName "test-rg" -Name "name of openai api resource" -DisableLocalAuth $true
Set-AzCognitiveServicesAccount -ResourceGroupName "test-rg" -Name "name of openai api resource" -DisableLocalAuth $true

     

  • Once the budget gets breached action group will invokes the above disable runbook which will be integrated inside it.

     

     

     

     

Step 3: Azure OpenAI API Is Disabled

  • The runbook programmatically disables Azure OpenAI API access
  • All API calls and token consumption stop immediately
  • Further cost accumulation is prevented

Verification:

  • Navigate to Azure OpenAI → Keys and Endpoint
  • An error indicates the service is disabled

Manual Recovery: Re‑Enabling Azure OpenAI

Once the budget breach is reviewed and approved, API access can be restored manually with help of below runbook script present inside runbook alert-budget-runbook-enable.

Connect-AzAccount -Identity 
Set-AzContext -subscription xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 
Set-AzCognitiveServicesAccount -ResourceGroupName "test-rg" -Name "name of openai api resource" -DisableLocalAuth $false 
Set-AzCognitiveServicesAccount -ResourceGroupName "test-rg" -Name "name of openai api resource" -DisableLocalAuth $false

Enable Runbook – User Guide

  1. Navigate to Runbooks

          Azure Portal → Automation Account → Runbooks

     2. Select the Enable Runbook

         Choose the created runbook with name: alert-budget-runbook-enable

     3. Start the Runbook

    • Click Start
    • Optionally review the PowerShell code

    4. Monitor Execution

    • Track status in the Jobs blade
    • Confirm completion and validate API access

This manual recovery step enforces review, approval, and intentional reactivation.

Budget Configuration: Step‑by‑Step

  1. Navigate to Budgets

          Azure Portal → Resource Group → Cost Management → Budgets

      2.Create a New Budget

    • Set a budget name
    • Define the budget amount
    • Keep default time range unless otherwise required

      3.Configure Alert Conditions

    • Alert type: Actual cost
    • Thresholds: 70%, 80%, 90%, 100% (as required)
    • Action Group: linked automation action group
    • Email notifications for visibility

Benefits of This Approach

✅ Automated Cost Protection

Prevents runaway costs without relying on manual monitoring.

✅ Governance‑First Design

Clear separation between detection (Budgets), enforcement (Runbooks), and recovery (Manual enablement).

✅ Auditability and Control

All actions are logged, and service re-enablement requires deliberate approval.

✅ Scalable and Reusable Pattern

This approach can be extended to additional Azure services and environments such as Dev, Test, and Production.

Best Practices and Recommendations

  • Use early warning thresholds (70–80%) for proactive visibility
  • Limit permissions for the enable runbook to approved operators
  • Log all runbook executions for auditing
  • Periodically review budget values as usage grows
  • Combine with Azure Monitor alerts for richer insights.

References

Conclusion

This Azure Budget–driven automation pattern delivers a secure, scalable, and enterprise-ready solution for controlling Azure OpenAI costs. By integrating cost monitoring with automated enforcement and controlled recovery, teams can confidently innovate with AI while maintaining strong financial governance and accountability.

Updated Mar 24, 2026
Version 1.0
No CommentsBe the first to comment