optimize resources
29 Topics

Provider-Managed Azure Subscriptions: Cost Control and Commitment Clarity
As a Microsoft Cloud Solution Architect supporting enterprise customers, I occasionally encounter a specific scenario where customers with an Enterprise Agreement (EA) or Microsoft Customer Agreement (MCA-E) allow a service provider (SP) to manage one or more of their Azure subscriptions via the SP’s tenant. This setup has notable implications for cost and commitment management, which I’ll explore in this article.

Recommended prerequisite reading: Microsoft Cost Management: Billing & Trust Relationships Explained

Scenario Overview

A customer signs a contract with a service provider to outsource the management of certain resources. The customer retains full control over resource pricing and expects the usage of these resources to contribute towards their Microsoft Azure Consumption Commitment (MACC). To achieve this, the customer associates one or more Azure subscriptions with a Microsoft Entra ID tenant owned and managed by the SP. In our example, this is “Subscription B.” The SP gains full RBAC access to the subscription and its resources, while the billing relationship remains tied to the customer’s billing account (EA) or billing profile (MCA-E).

Let’s have a look at the implications from both the customer’s and the service provider’s perspective:

Customer’s Perspective

Cost & Pricing

- All costs that occur in Subscription B because of resource usage are tied, and therefore billed, to the customer’s billing account (EA) or billing profile (MCA-E).
- The prices used for the usage are based on the negotiated customer price list associated with the billing account (EA) / billing profile (MCA-E).
- The Azure resource consumption of Subscription B plus any eligible Marketplace offer consumption within the subscription contributes to the MACC of the customer.
- The customer has full cost visibility of Subscription B via Azure Cost Analysis at the billing account/billing profile level.
Commitments (Reservations / Savings Plans)

- Shared commitments at the billing account/billing profile level are utilized by matching resources in Subscription B.
- Commitments scoped to Subscription B or lower can only be purchased by the customer if the customer has RBAC rights on the subscription and the global billing policy allows purchases for subscription owners / reservation purchasers.

Service Provider Perspective

Cost & Pricing

- The service provider is responsible for managing Subscription B’s resources and the associated costs.
- Subscription B’s actual and amortized cost view is limited for the service provider, as they only have access at the subscription level.
- The service provider has no direct access to the customer price (Price Sheet) or invoice information.

Commitments (Reservations / Savings Plans)

- The service provider can purchase commitments scoped at Subscription B or lower (resource group) if the customer’s global billing policy allows purchases for subscription owners / reservation purchasers. The associated costs of the commitment are attributed to the customer’s billing account/profile.
- Shared or management group scoped commitments purchased by the service provider based on their own billing account / billing profile do not apply to Subscription B.

Key takeaways

- Decoupled Ownership: Customers can separate subscription management from billing ownership, enabling flexible operational models.
- Cost Control: Customers retain full visibility and control over pricing, cost allocation, and commitment utilisation, even when subscriptions are managed by a service provider.
- Governance and Policy Alignment: Successful implementation depends on clear billing policies and RBAC configurations that align with both customer and provider responsibilities.

Understanding the Total Cost of Ownership
Whether you're just beginning your journey in Azure or are already managing workloads in the cloud, it's essential to ground your strategy in proven guidance. The Microsoft Cloud Adoption Framework for Azure offers a comprehensive set of best practices, documentation, and tools to help you align your cloud adoption efforts with business goals. One of the foundational steps in this journey is understanding the financial implications of cloud migration.

When evaluating the migration of workloads to Azure, calculating the Total Cost of Ownership (TCO) is a crucial step. TCO is a comprehensive metric that includes all cost components over the life of the resource. A well-constructed TCO analysis can provide valuable insights that aid in decision-making and drive financial efficiencies. By understanding the comprehensive costs associated with moving to Azure, you can make informed choices that align with your business goals and budget.

Here is a breakdown of the main elements that you need to build your own TCO:

1. Current infrastructure configuration:
   - Servers: details about your existing servers, including the number of servers, their specifications (CPU, memory, storage), and operating systems.
   - Databases: information about your current databases, such as the type, size, and any associated licensing costs.
   - Storage: type and amount of storage you are currently using, including any redundancy or backup solutions.
   - Network Traffic: Account for outbound network traffic and any associated costs.
2. Azure Environment Configuration:
   - Virtual Machines (VMs): appropriate Azure VMs that match your current server specifications. This has to be based on CPU, memory, storage, and region.
   - Storage Options: type of storage (e.g., Standard HDD, Premium SSD), access tiers, and redundancy options that align with your needs.
   - Networking: networking components, including virtual networks, load balancers, and bandwidth requirements.
3. Operational Costs:
   - Power and Cooling: Estimate the costs associated with power and cooling for your on-premises infrastructure.
   - IT Labor: Include the costs of IT labor required to manage and maintain your current infrastructure.
   - Software Licensing: Account for any software licensing costs that will be incurred in both the current and Azure environments.

Once you have more clarity on these inputs, you can complement your analysis with other tools depending on your needs. The Azure Pricing Calculator is well suited to providing granular cost estimation for different Azure services and products. However, if the intent is to estimate cost and savings during migrations, the Azure Migrate business case feature should be the preferred approach, as it allows the user to perform detailed financial analysis (TCO/ROI) for the best path forward and assess readiness to move workloads to Azure with confidence.

Understand your Azure costs

The Azure pricing calculator is a free cost management tool that allows users to understand and estimate costs of Azure services and products. It serves as the only unauthenticated experience that allows you to configure and budget the expected cost of deploying solutions in Azure.

The Azure pricing calculator is key for properly adopting Azure. Whether you are in a discovery phase and trying to figure out what to use and what offers to apply, or in a post-purchase phase where you are trying to optimize your environment and see your negotiated prices, the Azure pricing calculator meets the needs of both new users and existing customers. It allows organizations to plan and forecast cloud expenses, evaluate different configurations and pricing models, and make informed decisions about service selection and deployment options.

Decide, plan, and execute your migration to Azure

Azure Migrate is Microsoft’s free platform for migrating to and modernizing in Azure.
It provides capabilities for discovery, business case (TCO/ROI), assessments, planning and migration in a workload-agnostic manner. Customers must have an Azure account and create a migration project within the Azure portal to get started. Azure Migrate supports various migration scenarios, including VMware and Hyper-V virtual machines (VMs), physical servers, databases, and web apps. The service offers accurate appliance-based and manual discovery options to cater to customer needs.

The Azure Migrate process consists of three main phases: Decide, Plan, and Execute.

- In the Decide phase, organizations discover their IT estate through several supported methods and can get a dependency map for their applications to help collocate all resources belonging to an application. Using the data discovered, one can also estimate costs and savings through the business case (TCO/ROI) feature.
- In the Plan phase, customers can assess readiness to migrate, get right-sized recommendations for targets in Azure, and identify tools to use for their migration strategy (IaaS/PaaS). Users can also create a migration plan consisting of iterative “waves”, where each wave has all dependent workloads for applications to be moved during a maintenance window.
- Finally, the Execute phase focuses on the actual migration of workloads to a test environment in Azure in a phased manner to ensure a non-disruptive and efficient transition to Azure.

A crucial step in the Azure Migrate process is building a business case prior to the move, which helps organizations understand the value Azure can bring to their business. The business case capability highlights the total cost of ownership (TCO) with discounts and compares cost and savings between on-premises and Azure, including end-of-support (EOS) Windows OS and SQL versions.
It provides year-on-year cash flow analysis with resource utilization insights and identifies quick wins for migration and modernization with an emphasis on long-term cost savings by transitioning from a capital expenditure model to an operating expenditure model, paying only for what is used.

Understanding the Total Cost of Ownership (TCO) is essential for making informed decisions when migrating workloads to Azure. By thoroughly evaluating all cost components, including infrastructure, operational, facilities, licensing and migration costs, organizations can optimize their cloud strategy and achieve financial efficiencies. Utilize tools like the Azure Pricing Calculator and Azure Migrate to gain comprehensive insights and ensure a smooth transition to the cloud.

A practitioner's guide to accelerating FinOps with GitHub Copilot and FinOps hubs
ℹ️ Quick implementation overview

- Setup time: ~30 minutes for basic configuration
- Target audience: FinOps practitioners, finance teams, engineering managers
- Prerequisites: Azure subscription with FinOps hubs deployed, VS Code, GitHub Copilot
- Key enabler: FinOps Hub Copilot v0.11 release

Key benefits

- 🎯 Democratized analytics: Non-technical team members can perform advanced cost analysis without KQL expertise.
- ⚡ Faster insights: Natural language eliminates query writing overhead and accelerates time-to-insights.
- 📋 FinOps Framework alignment: All queries map directly to validated FinOps Framework capabilities.
- 🔒 Enterprise ready: Built on proven FinOps hub data foundation with security and governance controls.

FinOps practitioners face a common challenge: bridging the gap between complex cost data and actionable business insights. While FinOps hubs provide a comprehensive, analytics-ready foundation aligned with the FinOps Framework, accessing and analyzing this data traditionally requires deep technical expertise in KQL and schema knowledge.

This guide demonstrates how to perform sophisticated cost analysis with natural language queries using GitHub Copilot in VS Code connected to FinOps hubs 0.11 via the Azure MCP server. This approach democratizes advanced analytics across FinOps teams, supporting faster decision-making and broader organizational adoption of FinOps practices.

ℹ️ Understanding the technology stack

The Model Context Protocol (MCP) is an open standard that enables AI agents to securely connect to external data sources and tools. The Azure MCP server is Microsoft's implementation that provides this connectivity specifically for Azure resources, while GitHub Copilot acts as the AI agent that translates your natural language questions into the appropriate technical queries.
Understanding the foundation: FinOps hubs and natural language integration

FinOps hubs serve as the centralized data platform for cloud cost management, providing unified cost and usage data across clouds, accounts, and tenants. The integration with GitHub Copilot through the Azure MCP server introduces a natural language interface that maps practitioner questions directly to validated KQL queries, eliminating the technical barrier that often limits FinOps analysis to specialized team members.

Note: The FinOps toolkit also includes Power BI reports, workbooks, alerts, and an optimization engine for advanced analytics and automation. See the FinOps toolkit overview for the full set of capabilities.

Key capabilities and technical foundation

ℹ️ About the FinOps toolkit ecosystem

The FinOps toolkit also includes Power BI reports, workbooks, and an optimization engine for advanced analytics and automation. See the FinOps toolkit overview for the full set of capabilities.

FinOps hubs provide several critical capabilities that enable practitioner success:

📊 Data foundation

- Centralized cost and usage data across multiple cloud providers, billing accounts, and organizational units
- Native alignment with the FinOps Framework domains and FOCUS specification
- Analytics-ready data model optimized for performance at scale without complexity overhead

🔗 Integration capabilities

- Multiple access patterns: Power BI integration, Microsoft Fabric compatibility, and direct KQL access for advanced scenarios
- Natural language query interface through Azure MCP server integration with Copilot

⚙️ Technical architecture

The Azure MCP server acts as the translation layer, implementing the open Model Context Protocol to enable secure communication between AI agents (like GitHub Copilot) and Azure resources.
For FinOps scenarios, it specifically provides natural language access to Azure Data Explorer databases containing FinOps hubs data, converting practitioner questions into validated KQL queries while maintaining enterprise authentication and security standards.

Mapping FinOps Framework capabilities to natural language queries

The integration supports the complete spectrum of FinOps Framework capabilities through natural language interfaces. Each query type maps to specific Framework domains and validated analytical patterns:

💡 Quick reference

Each prompt category leverages pre-validated queries from the FinOps hubs query catalog, ensuring consistent, accurate results across different practitioners and use cases.

🔍 Understand phase capabilities

| Capability | Natural language example | Business value |
| --- | --- | --- |
| Cost allocation and accountability | "Show me cost allocation by team for Q1" | Instant breakdown supporting chargeback discussions |
| Anomaly detection and management | "Find any cost anomalies in the last 30 days" | Proactive identification of budget risks |
| Reporting and analytics | "What are our top resource types by spend?" | Data-driven optimization focus areas |

⚡ Optimize phase capabilities

| Capability | Natural language example | Business value |
| --- | --- | --- |
| Rate optimization | "How much did we save with reservations last month?" | Quantification of commitment discount value |
| Workload optimization | "Show me underutilized resources" | Resource efficiency identification |
| Governance enforcement | "Show me resources without proper tags" | Policy compliance gaps |

📈 Operate phase capabilities

| Capability | Natural language example | Business value |
| --- | --- | --- |
| Forecasting and planning | "Forecast next quarter's cloud costs" | Proactive budget planning support |
| Performance tracking | "Show month-over-month cost trends" | Operational efficiency measurement |
| Business value quantification | "Calculate our effective savings rate" | ROI demonstration for stakeholders |

Practical implementation: Real-world scenarios and results

The following examples demonstrate how natural language queries translate to actionable FinOps insights. Each scenario includes the business context, Framework alignment, query approach, and interpretable results to illustrate the practical value of this integration.

ℹ️ Sample data notation

All cost figures, dates, and resource names in the following examples are illustrative and provided for demonstration purposes. Actual results will vary based on your organization's Azure usage, billing structure, and FinOps hub configuration.

Effective cost allocation and accountability

FinOps Framework alignment

- Domain: Understand usage and cost
- Capabilities: Allocation, Reporting and analytics

Business context

Finance teams require accurate cost allocation data to support budget planning and accountability discussions across organizational units.

Natural language query

What are the top resource groups by cost last month?

Query results and business impact

The natural language prompt maps to a validated allocation query that aggregates effective cost by resource group, providing the foundational data for chargeback and showback processes.

| Resource group | Effective cost |
| --- | --- |
| haven | $36,972.85 |
| leap | $15,613.96 |
| ahbtest | $6,824.54 |
| vnet-hub-001 | $1,560.13 |
| ... | ... |
🎯 Key takeaway

Natural language queries eliminate the need for complex KQL knowledge while maintaining data accuracy. Finance teams can now perform sophisticated cost allocation analysis without technical barriers.

Learn more: Introduction to cost allocation

Proactive cost anomaly detection and management

FinOps Framework alignment

- Domain: Understand usage and cost
- Capabilities: Anomaly management, Reporting and analytics

Business context

Proactive anomaly detection enables rapid response to unexpected cost changes, supporting budget adherence and operational efficiency.

Natural language query

Are there any unusual cost spikes or anomalies in the last 12 months?

Query results and business impact

The system applies time series analysis to identify significant cost deviations, automatically calculating percentage changes and flagging potential anomalies for investigation.

| Date | Daily cost | % change vs previous day |
| --- | --- | --- |
| 2025-06-03 | $971.36 | -59.54% |
| 2025-06-01 | $2,370.16 | -4.38% |
| 2025-04-30 | $2,302.10 | -5.56% |
| 2025-04-02 | $2,458.45 | +5.79% |
| ... | ... | ... |

⚠️ Warning: Analysis insight

The 59% cost reduction on June 3rd indicates a significant operational change, such as workload migration or resource decommissioning, requiring validation to ensure expected behavior.

🎯 Key takeaway

Automated anomaly detection enables proactive cost management by identifying unusual spending patterns before they impact budgets, supporting rapid response to operational changes.

Learn more: Anomaly management

Accurate financial forecasting and budget planning

FinOps Framework alignment

- Domain: Quantify business value
- Capabilities: Forecasting, Planning and estimating

Business context

Accurate financial forecasting supports budget planning processes and enables proactive capacity and cost management decisions.

Natural language query

Forecast total cloud cost for the next 90 days based on the last 12 months.
Query results and business impact

The forecasting algorithm analyzes historical spending patterns and applies trend analysis to project future costs, providing both daily estimates and aggregate totals for planning purposes.

| Date | Forecasted cost |
| --- | --- |
| 2025-06-04 | $2,401.61 |
| 2025-07-01 | $2,401.61 |
| 2025-08-01 | $2,401.61 |
| 2025-09-01 | $2,401.61 |
| ... | ... |

Total forecasted 90-day spend: $216,145.24

🎯 Key takeaway

Natural language forecasting queries provide accurate financial projections based on validated historical analysis, enabling confident budget planning without requiring data science expertise.

Learn more: Forecasting

Reporting and analytics capabilities

FinOps Framework alignment

- Domain: Understand usage and cost
- Capabilities: Reporting and analytics

Business context

Executive reporting requires consistent, reliable cost trend analysis to support strategic decision-making and budget performance tracking.

Natural language query

Show monthly billed and effective cost trends for the last 12 months.

Query results and business impact

| Month | Billed cost | Effective cost |
| --- | --- | --- |
| 2024-06 | $46,066.39 | $46,773.85 |
| 2024-07 | $72,951.41 | $74,004.08 |
| 2024-08 | $73,300.31 | $74,401.81 |
| 2024-09 | $71,886.30 | $72,951.26 |
| ... | ... | ... |

Learn more: Reporting and analytics

Resource optimization analysis

FinOps Framework alignment

- Domain: Optimize usage and cost
- Capabilities: Workload optimization, Reporting and analytics

Business context

Prioritizing optimization efforts requires understanding which resource types drive the most cost, enabling focused improvement initiatives with maximum business impact.

Natural language query

What are the top resource types by cost last month?

Query results and business impact

| Resource type | Effective cost |
| --- | --- |
| Fabric Capacity | $34,283.52 |
| Virtual machine scale set | $15,155.59 |
| SQL database | $2,582.99 |
| Virtual machine | $2,484.34 |
| ... | ... |
Learn more: Workload optimization

Implementation methodology

This section provides a systematic approach to implementing natural language FinOps analysis using the technical foundation established above.

Prerequisites and environment validation

Before proceeding with implementation, ensure you have:

- ✅ Azure subscription with appropriate FinOps hub deployment permissions
- ✅ Node.js runtime environment (required by Azure MCP Server)
- ✅ Visual Studio Code with GitHub Copilot extension
- ✅ Azure CLI, Azure PowerShell, or Azure Developer CLI authentication configured

Access validation methodology

- Step 1: Verify FinOps hub deployment. Confirm hub deployment status and data ingestion through the FinOps hubs setup guide.
- Step 2: Validate database access. Test connectivity to the hub database using the Azure Data Explorer web application or the Azure portal.
- Step 3: Confirm schema availability. Verify core functions (Costs, Prices) and databases (Hub, Ingestion) are accessible with current data.

Expected Database Structure

- Hub database: Public-facing functions including Costs, Prices, and version-specific functions (e.g., Costs_v1_0)
- Ingestion database: Raw data tables, configuration settings (HubSettings, HubScopes), and open data tables (PricingUnits)
- FOCUS-aligned data: All datasets conform to FinOps Open Cost and Usage Specification standards

Learn more: FinOps hubs template details

Azure MCP server configuration

ℹ️ What is Azure MCP Server?

The Azure Model Context Protocol (MCP) server is a Microsoft-provided implementation that enables AI agents and clients to interact with Azure resources through natural language commands. It implements the open Model Context Protocol standard to provide secure, structured access to Azure services including Azure Data Explorer (FinOps hub databases).
Key capabilities and service support

The Azure MCP server provides comprehensive Azure service integration, particularly relevant for FinOps analysis:

🔍 FinOps-relevant services

- Azure Data Explorer: Execute KQL queries against FinOps hub databases
- Azure Monitor: Query logs and metrics for cost analysis
- Resource groups: List and analyze organizational cost structures
- Subscription management: Access subscription-level cost data

🔧 Additional Azure services

- Azure Storage, Cosmos DB, Key Vault, Service Bus, and 10+ other services
- Full list available in the Azure MCP Server tools documentation

Installation methodology

The Azure MCP Server is available as an NPM package and VS Code extension. For FinOps scenarios, we recommend the VS Code extension approach for seamless integration with GitHub Copilot.

Option 1: VS Code extension (recommended)

1. Install the Azure MCP server extension from VS Code Marketplace
2. The extension automatically configures the server in your VS Code settings
3. Open GitHub Copilot and activate Agent Mode to access Azure tools

Option 2: Manual configuration

Add the following to your MCP client configuration:

```json
{
  "servers": {
    "Azure MCP Server": {
      "command": "npx",
      "args": ["-y", "@azure/mcp@latest", "server", "start"]
    }
  }
}
```

Authentication requirements

Azure MCP Server uses Entra ID through the Azure Identity library, following Azure authentication best practices. It supports:

- Azure CLI: az login (recommended for development)
- Azure PowerShell: Connect-AzAccount
- Azure Developer CLI: azd auth login
- Managed identity: For production deployments

The server uses DefaultAzureCredential and automatically discovers the best available authentication method for your environment.
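The manual configuration in Option 2 launches the server through npx with the floating tag @azure/mcp@latest, so the code that runs is whatever that tag points to when the package is resolved rather than a release that was reviewed. The following added example (not part of the original article or of the Azure MCP Server project) audits an MCP client configuration for npx-launched servers that are not pinned to an exact version; the finding codes, the second sample configuration and its 0.0.0 version are constructed placeholders.

```python
import json
import re

# npm package spec: optional "@scope/", package name, optional "@version".
_SPEC = re.compile(r"^(?P<name>(?:@[^/@\s]+/)?[^/@\s]+)(?:@(?P<version>\S+))?$")
# Exact semantic version such as 1.2.3 or 1.2.3-beta.1 (no ranges, no dist-tags).
_EXACT = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
_AUTO_INSTALL_FLAGS = {"-y", "--yes"}

# The configuration shown in the article.
ARTICLE_CONFIG = """
{ "servers": { "Azure MCP Server": {
    "command": "npx",
    "args": ["-y", "@azure/mcp@latest", "server", "start"] } } }
"""

# Constructed variant: 0.0.0 is a placeholder, not a real release number.
PINNED_CONFIG = """
{ "servers": { "Azure MCP Server": {
    "command": "npx",
    "args": ["-y", "@azure/mcp@0.0.0", "server", "start"] } } }
"""


def audit_mcp_config(config_text):
    """Return (server, package, issue) tuples for npx-launched MCP servers."""
    findings = []
    servers = json.loads(config_text).get("servers", {})
    for server_name, server in servers.items():
        if server.get("command") not in ("npx", "npx.cmd"):
            continue  # this check only covers servers started through npx
        args = server.get("args", [])
        # Assumption: the first non-option argument is the package spec,
        # as in the article's configuration.
        spec = next((a for a in args if not a.startswith("-")), None)
        match = _SPEC.match(spec) if spec else None
        if not match:
            findings.append((server_name, spec, "unparsed-package-spec"))
            continue
        package, version = match.group("name"), match.group("version")
        if version is None:
            issue = "no-version"          # npx falls back to the default tag
        elif _EXACT.match(version):
            continue                      # pinned to one exact release
        else:
            issue = "floating-version"    # dist-tag (latest) or semver range
        findings.append((server_name, package, issue))
        if _AUTO_INSTALL_FLAGS & set(args):
            # -y/--yes installs the resolved package without a prompt.
            findings.append((server_name, package, "auto-install-of-unpinned-package"))
    return findings


if __name__ == "__main__":
    for label, text in (("article", ARTICLE_CONFIG), ("pinned", PINNED_CONFIG)):
        print(label, audit_mcp_config(text))
```
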
Technical validation steps

- Step 1: Authentication verification. Confirm successful login to supported Azure tools.
- Step 2: Resource discovery. Validate MCP Server can access your Azure subscription and FinOps hub resources.
- Step 3: Database connectivity. Test query execution against FinOps hub databases.

Integration with development environment

VS Code configuration requirements:

- GitHub Copilot extension with Agent Mode capability
- Azure MCP Server installation and configuration
- FinOps hubs copilot instructions and configuration files

The FinOps Hub Copilot v0.11 release provides pre-configured GitHub Copilot instructions specifically tuned for FinOps analysis. This release includes:

- AI agent instructions optimized for FinOps Framework capabilities
- GitHub Copilot configuration files for VS Code Agent Mode
- Validated query patterns mapped to common FinOps scenarios
- Azure MCP Server integration guides for connecting to FinOps hub data

Verification methodology:

1. Open Copilot Chat interface (Ctrl+Shift+I / Cmd+Shift+I)
2. Activate Agent Mode and select tools icon to verify Azure MCP Server availability
3. Execute connectivity test: "What Azure resources do I have access to?"

Expected response validation:

- Successful authentication confirmation
- Azure subscription and resource enumeration
- FinOps hub database connectivity status

Progressive query validation

Foundational test queries:

| Complexity level | Validation query | Expected behavior |
| --- | --- | --- |
| Basic | "Show me total cost for last month" | Single aggregate value with currency formatting |
| Intermediate | "What are my top 10 resource groups by cost?" | Tabular results with proper ranking |
| Advanced | "Find any costs over $1000 in the last week" | Filtered results with anomaly identification |

Query execution validation:

- KQL translation accuracy against FinOps hub schema
- Result set formatting and data type handling
- Error handling and user feedback mechanisms

Operational best practices for enterprise implementation

Query optimization and performance considerations

Data volume management:

- Implement temporal filtering to prevent timeout scenarios (Azure Data Explorer 64MB result limit)
- Use summarization functions for large datasets rather than detailed row-level analysis
- Apply resource-level filters when analyzing specific environments or subscriptions

Schema consistency validation:

- Reference the FinOps hub database guide for authoritative column definitions
- Verify data freshness through ingestion timestamp validation
- Validate currency normalization across multi-subscription environments

Query pattern optimization:

- Leverage the FinOps hub query catalog for validated analytical patterns
- Customize costs-enriched-base query foundation for organization-specific requirements
- Implement proper time zone handling for global operational environments

Security and access management

Authentication patterns:

- Utilize Azure CLI integrated authentication for development environments
- Implement service principal authentication for production automation scenarios
- Maintain principle of least privilege for database access permissions

Data governance considerations:

- Ensure compliance with organizational data classification policies
- Implement appropriate logging for cost analysis queries and results
- Validate that natural language prompts don't inadvertently expose sensitive financial data

Comprehensive query patterns by analytical domain

The following reference provides validated natural language prompts mapped to specific FinOps Framework capabilities and proven KQL implementations.
Technical note: Each pattern references validated queries from the FinOps hub query catalog. Verify schema compatibility using the FinOps hub database guide before implementation.

Cost visibility and allocation patterns

| Analytical requirement | FinOps Framework alignment | Validated natural language query |
| --- | --- | --- |
| Executive cost trend reporting | Reporting and analytics | "Show monthly billed and effective cost trends for the last 12 months." |
| Resource group cost ranking | Allocation | "What are the top resource groups by cost last month?" |
| Quarterly financial reporting | Allocation / Reporting and analytics | "Show quarterly cost by resource group for the last 3 quarters." |
| Service-level cost analysis | Reporting and analytics | "Which Azure services drove the most cost last month?" |
| Organizational cost allocation | Allocation / Reporting and analytics | "Show cost allocation by team and product for last quarter." |

Optimization and efficiency patterns

| Analytical requirement | FinOps Framework alignment | Validated natural language query |
| --- | --- | --- |
| Resource optimization prioritization | Workload optimization | "What are the top resource types by cost last month?" |
| Commitment discount analysis | Rate optimization | "Show reservation recommendations and break-even analysis for our environment." |
| Underutilized resource identification | Workload optimization | "Find resources with low utilization that could be optimized or decommissioned." |
| Savings plan effectiveness | Rate optimization | "How much did we save with savings plans compared to pay-as-you-go pricing?" |
| Tag compliance monitoring | Data ingestion | "Show me resources without required cost center tags." |

Anomaly detection and monitoring patterns

| Analytical requirement | FinOps Framework alignment | Validated natural language query |
| --- | --- | --- |
| Cost spike identification | Anomaly management | "Find any unusual cost spikes or anomalies in the last 30 days." |
| Budget variance analysis | Budgeting | "Show actual vs. budgeted costs by resource group this quarter." |
| Trending analysis | Reporting and analytics | "Identify resources with consistently increasing costs over the last 6 months." |
| Threshold monitoring | Anomaly management | "Alert me to any single resources costing more than $5,000 monthly." |

Governance and compliance patterns

| Analytical requirement | FinOps Framework alignment | Validated natural language query |
| --- | --- | --- |
| Policy compliance validation | Policy and governance | "Show resources that don't comply with our tagging policies." |
| Approved service usage | Policy and governance | "List any non-approved services being used across our subscriptions." |
| Regional compliance monitoring | Policy and governance | "Verify all resources are deployed in approved regions only." |
| Cost center accountability | Invoicing and chargeback | "Generate chargeback reports by cost center for last quarter." |

Key takeaway: These validated query patterns provide a comprehensive foundation for FinOps analysis across all Framework capabilities. Use them as templates and customize for your organization's specific requirements.

Troubleshooting and optimization guidance

Common query performance issues

⚠️ Warning: Performance considerations

Azure Data Explorer has a 64MB result limit by default. Proper query optimization avoids timeouts and ensures reliable performance. If using Power BI, use DirectQuery to connect to your data.
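The data volume, least-privilege and logging practices listed under the operational best practices, together with the 64MB result limit noted above, can be checked before an agent-generated query reaches the hub database. The following added example (not code from the FinOps toolkit or the Azure MCP Server) reviews KQL text for management commands, a missing time filter and an unbounded result, and builds an audit record; the ChargePeriodStart column name, the finding codes and the sample queries are assumptions constructed for illustration.

```python
import hashlib
import re
from datetime import datetime, timezone

TIME_COLUMN = "ChargePeriodStart"  # assumed FOCUS time column returned by Costs()
BOUNDING_OPERATORS = {"summarize", "take", "limit", "top", "count"}

_TIME_REF = re.compile(rf"\b{re.escape(TIME_COLUMN)}\b")
_STRING_OR_COMMENT = re.compile(
    r'"(?:\\.|[^"\\\n])*"'   # double-quoted string literal
    r"|'(?:\\.|[^'\\\n])*'"  # single-quoted string literal
    r"|//[^\n]*"             # line comment
)

# Constructed sample queries.
SAMPLE_OK = """
Costs()
| where ChargePeriodStart >= startofmonth(ago(30d))
| summarize EffectiveCost = sum(EffectiveCost) by x_ResourceGroupName
| top 10 by EffectiveCost desc
"""
SAMPLE_UNBOUNDED = "Costs() | project ResourceName, BilledCost"
# The filter and the row cap sit inside a comment, so they never execute.
SAMPLE_COMMENT_TRICK = (
    "Costs() // | where ChargePeriodStart > ago(7d) | take 10\n"
    "| project ResourceName"
)


def _normalize(kql):
    """Drop comments and blank out string literals so they cannot hide or fake operators."""
    def replace(match):
        return "" if match.group(0).startswith("//") else '""'
    return _STRING_OR_COMMENT.sub(replace, kql)


def review_kql(kql):
    """Return a list of finding codes; an empty list means the query may run."""
    findings = []
    saw_query = has_time_filter = is_bounded = False
    for statement in _normalize(kql).split(";"):
        statement = statement.strip()
        if not statement:
            continue
        if statement.startswith("."):
            # Management commands start with a dot; an analysis role needs queries only.
            findings.append("management-command")
            continue
        saw_query = True
        for stage in statement.split("|")[1:]:
            words = stage.split(None, 1)
            if not words:
                continue
            operator = words[0].lower()
            if operator == "where" and _TIME_REF.search(stage):
                has_time_filter = True
            if operator in BOUNDING_OPERATORS:
                is_bounded = True
    if saw_query and not has_time_filter:
        findings.append("no-time-filter")
    if saw_query and not is_bounded:
        findings.append("unbounded-result")
    if not saw_query and not findings:
        findings.append("empty-query")
    return findings


def audit_record(user, kql, findings):
    """Build a log entry that identifies the query by hash instead of storing its text."""
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "query_sha256": hashlib.sha256(kql.encode("utf-8")).hexdigest(),
        "allowed": not findings,
        "findings": findings,
    }


if __name__ == "__main__":
    for query in (SAMPLE_OK, SAMPLE_UNBOUNDED, SAMPLE_COMMENT_TRICK, ".show tables"):
        print(audit_record("analyst@example.com", query, review_kql(query)))
```
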
Large dataset timeouts

- Symptom: Queries failing with timeout errors on large datasets
- Solution: Add temporal filters
- ✅ Recommended: "Show costs for last 30 days"
- ❌ Avoid: "Show all costs"
- Framework alignment: Data ingestion

Memory limit exceptions

- Symptom: Exceeding Azure Data Explorer 64MB result limit
- Solution: Use aggregation functions
- ✅ Recommended: "Summarize costs by month"
- ❌ Avoid: Daily granular data for large time periods
- Best practice: Implement progressive drill-down from summary to detail

Schema validation errors

- Symptom: Queries returning empty results or unexpected columns
- Solution: Verify hub schema version compatibility using the database guide
- Validation: Test with known queries from the query catalog

Query optimization best practices

Temporal filtering

- ✅ Recommended: "Show monthly costs for Q1 2025"
- ❌ Avoid: "Show all historical costs by day"

Aggregation-first approach

- ✅ Recommended: "Top 10 resource groups by cost"
- ❌ Avoid: "All resources with individual costs"

Multi-subscription handling

- ✅ Recommended: "Costs by subscription for production environment"
- ❌ Avoid: "All costs across all subscriptions without filtering"

Conclusion

The integration of FinOps hubs with natural language querying through GitHub Copilot and Azure MCP Server represents a transformative advancement in cloud financial management accessibility. By eliminating technical barriers traditionally associated with cost analysis, this approach enables broader organizational adoption of FinOps practices while maintaining analytical rigor and data accuracy.
Key takeaways for implementation success Foundation building Start with the basics: Ensure robust FinOps hub deployment with clean, consistent data ingestion Validate authentication and connectivity before advancing to complex scenarios Begin with basic queries and progressively increase complexity as team familiarity grows Business value focus Align with organizational needs: Align query patterns with organizational FinOps maturity and immediate business needs Prioritize use cases that demonstrate clear ROI and operational efficiency gains Establish feedback loops with finance and business stakeholders to refine analytical approaches Scale and governance planning Design for enterprise success: Implement appropriate access controls and data governance from the beginning Design query patterns that perform well at organizational scale Establish monitoring and alerting for cost anomalies and policy compliance Future considerations As natural language interfaces continue to evolve, organizations should prepare for enhanced capabilities including: 🔮 Advanced analytics Multi-modal analysis: Integration of cost data with performance metrics, compliance reports, and business KPIs Predictive analytics: Advanced forecasting and scenario modeling through conversational interfaces 🤖 Automated intelligence Automated optimization: Natural language-driven resource rightsizing and commitment recommendations Cross-platform intelligence: Unified analysis across cloud providers, SaaS platforms, and on-premises infrastructure The democratization of FinOps analytics through natural language interfaces positions organizations to make faster, more informed decisions about cloud investments while fostering a culture of cost consciousness across all teams. Success with this integration requires both technical implementation excellence and organizational change management to maximize adoption and business impact. 
Learn more about the FinOps toolkit and stay updated on new capabilities at the FinOps toolkit website.

News and updates from FinOps X 2024: How Microsoft is empowering organizations
Last year, I shared a broad set of updates that showcased how Microsoft is embracing FinOps practitioners through education, product improvements, and innovative solutions that help organizations achieve more. with AI-powered experiences like Copilot and Microsoft Fabric. Whether you’re an engineer working in the Azure portal or part of a business or finance team collaborating in Microsoft 365 or analyzing data in Power BI, Microsoft Cloud has the tools you need to accelerate business value for your cloud investments.

What’s new in FinOps toolkit 0.4 – July 2024
In July, the FinOps toolkit 0.4 added support for FOCUS 1.0, updated tools and resources to align with the FinOps Framework 2024 updates, introduced a new tool for cloud optimization recommendations called Azure Optimization Engine, and more!

What’s new in FinOps toolkit 0.5 – August 2024
In August, the FinOps toolkit 0.5 added support for Power BI reports on top of Cost Management exports without needing to deploy FinOps hubs; expanded optimization options in workbooks; improved optimization, security, and resiliency in Azure Optimization Engine; a new FOCUS article to help compare with actual/amortized data; and many smaller fixes and improvements across the board.

News and updates from FinOps X 2025: Transforming FinOps in the era of AI
AI is central to nearly every corner of business and technology. It's no surprise that FinOps X 2025 was loaded with news about how AI is changing everything. Learn about how FinOps tools and solutions are evolving in the era of AI!

How to control your Azure costs with Governance and Azure Policy
Azure resources can be configured in many ways, including ways which affect their performance, security, reliability, available features and ultimately cost. The challenge is, all these resources and configurations are completely available to us by default. As long as someone has permission, they can create any resource and configuration they like. This implicit “anything goes” gives our technical teams the freedom to decide what’s best. Like a kid in a toy shop, they will naturally favour the biggest, fastest and coolest toys. The immediate risk, of course, is building beyond business requirements. Too much SKU, too much resilience, too much performance and too high cost. Left unchecked, we risk increasingly challenging and long-term issues:

- Over-delivering will quickly become the norm.
- Excessive resource configurations will become the habitual default in all environments.
- Teams will become misaligned with wider business requirements.
- Teams will become used to working in a frictionless environment, and challenge any restrictions.
- FinOps teams will be stuck in endless cost optimisation work.

You may already be feeling the pain. Trapped in a cycle of repetitive, reactive cost optimisation work, seeing the same repeat offenders and looking for a way out. To break (or prevent) the cycle, a new approach is needed. We must switch priorities from detection and removal, to prevention and control. We must keep waste out. We must avoid over-provisioning. We can achieve this with governance.

What is governance

Governance is a collection of rules, processes and tools that control how an organization consumes IT resources. It ensures our teams deploy resources that align to certain business goals, like security, cost, resource management and compliance. Governance rules are like rules for a boardgame. They define how the game should be played, no matter who is playing the game. This is important.
It aligns everyone to our organization's rules regardless of role, position, seniority and authority. It helps ensure people play by the rules rather than their rules. Try playing Monopoly with no rules. What’s going to happen? I will pass go, and I will collect 200 dollars.

For Microsoft Azure, and the cloud in general, governance is centered around controlling how resources can and cannot be configured. Storage Accounts should be configured like this. Virtual Machines must be configured like that. Disks can’t be configured with this. It's as much about keeping wrong configurations out, as the right configurations in. When we enforce configurations that meet our goals and restrict those that don’t, we drastically increase our chance of success.

Why governance matters for FinOps

Almost all over-provisioning and waste can be traced back to how a resource is configured. From SKU, to size, redundancy and additional features, if it’s not needed it’s being wasted. That’s all over-provisioning and waste is: resources, properties and values that we don’t need.

- Too much SKU, like Premium Disks instead of Standard HDD/SSD.
- Too much redundancy, like Storage Accounts with GRS when LRS is fine.
- Too many features, like App Gateways with WAF but it’s disabled.

Have a think for a moment. What over-provisioning have you seen in the past? Was it one or two resource properties causing the problems? Whatever you’ve seen, with governance we can stop it happening again. When we control how resources get configured, we can control over-provisioning and waste, too.
We can determine configurations we don’t need through our optimization efforts, and then create rules that define the configurations we do need:

- “We don’t need Premium SSD disks.” becomes “Disks must be Standard HDD/SSD.”
- “We don’t need Storage Accounts with GRS.” becomes “Storage Accounts must use LRS.”
- “We don’t need WAF enabled Application Gateways” becomes “Application Gateways should be Standard SKUs”

These rules effectively remove the option to build beyond requirements. They will help teams avoid building too much/too big, stay within their means, hold them a bit more accountable and protect us from future overspend. Detection becomes Prevention. Removal becomes Control. Over time, we will:

- Help our teams deliver just enough.
- Raise and improve awareness of over-configurations and waste.
- Help keep waste out once it’s found.
- Reduce the chances of over-provisioning in future.
- Steadily reduce the need for ongoing Cost Optimisation efforts.
- Free up time for other FinOps stuff.

This is why governance is a natural evolution from cost optimization, and why it’s critical for FinOps teams who want to be more proactive and spend less time cleaning up after tech teams.

How can we natively govern Microsoft Azure?

In Microsoft Azure, we can use the native governance service Azure Policy to help control our environments. We can embed our governance rules into Azure itself and have Azure Policy do the heavy lifting of checking, reporting and enforcing. Azure Policy has many useful features:

- Supports over 74000 resource properties, including all that generate costs.
- Can audit resources, deny deployments and even auto-resolve resources as they come into Azure.
- Provides easy reporting of compliance issues, saving time on manual checks.
- Checks every deployment from every source. From Portal to Terraform, it’s got you covered.
- Supports different scopes from Resource Groups to Management Groups, allowing policies to be used at any scale.
- Supports parameters, making policies re-usable and quick to modify when responding to changes in requirements.
- Exemptions can be used on resources we want to ignore for now.
- Supports different enforcement modes, for safe rollout of new policies.
- It comes at no additional cost. Free!

These features make Azure Policy an extremely flexible and powerful tool that can help control resources, properties and values at any scale. We can:

- Create Policies for almost any cost-impacting value. SKUs, Redundancy Tiers, Instance Sizes, you name it…
- Use different effects based on how ‘strict’ the rule should be. For example, we can use Deny (resource creation) for resources missing “Must have” attributes, and Audit to check if resources are still compliant with “Should have” attributes.
- Use a combination of effects, enforcement modes and exemptions to control the rollout of new policies.
- Reuse the Policies on multiple environments (like development versus production), with different values and effects depending on the environment's needs.
- Quickly change the values when needed. When requirements change, the parameters can be modified with little effort.

How to avoid unwanted Friction

A common concern with governance is that it will create friction, interrupt work and slow teams down. This is a valid concern, and Azure Policy’s features allow for a controlled and safe rollout. With a good plan there is no need to worry. Consider the following:

- Start with Audit-Only policies and non-production environments.
- Start with simpler resources and regular/top offenders.
- Test policies in sandboxes before using them in live environments.
- Use the ‘Do not Enforce’ mode when first assigning Deny policies. This treats them as Audit-only, allowing review before being enforced.
- Always parameterize Effects and Values, for quick modification when needed.
- Use exemptions when there are sensitive resources that are best to ignore for now.
- Work with your teams and agree to a fair and balanced approach.
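The disk rule quoted earlier (“Disks must be Standard HDD/SSD.”) written as a custom Azure Policy definition, with both the allowed SKUs and the effect parameterized as the rollout advice above recommends. This is an added example, not one of the definitions the article links to; the display name, parameter names and default values are assumptions.

```json
{
  "properties": {
    "displayName": "Example: managed disks must use an allowed SKU",
    "description": "Added illustration, not a built-in definition. Flags or blocks managed disks whose SKU is not in the allowed list.",
    "policyType": "Custom",
    "mode": "Indexed",
    "metadata": {
      "category": "Compute"
    },
    "parameters": {
      "allowedSkus": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed disk SKUs",
          "description": "Disk SKU names permitted in this scope, for example Standard HDD and Standard SSD."
        },
        "defaultValue": [
          "Standard_LRS",
          "StandardSSD_LRS"
        ]
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit while the rule is being reviewed, Deny once it is agreed, Disabled to switch it off."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/disks"
          },
          {
            "field": "Microsoft.Compute/disks/sku.name",
            "notIn": "[parameters('allowedSkus')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

The rule evaluates only resources of type Microsoft.Compute/disks. Assigning it with the effect set to Deny and `az policy assignment create --enforcement-mode DoNotEnforce` reports non-compliant disks without blocking deployments, which matches the ‘Do not Enforce’ step in the list above.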
Governance is for everyone and should include everyone where possible.

The biggest challenge of all may be breaking habits formed over years of freedom in the Cloud. It’s natural to resist change, especially when it takes away our freedom. Remember, it’s friction where it’s needed, interruption where it’s needed, slow down where it’s needed. The key to getting teams onboard is delivering the right message. Why are we doing this? How will they benefit? How does it help them? How could they be impacted if you do nothing? This needs to be more than “To meet our FinOps goals”. That’s your goal, not theirs. They won’t care. Try something like:

We keep seeing over-utilization and waste and are spending an additional ‘X amount’ of time and money trying to remove it. This is now impacting our ability to invest properly into our IT teams, affecting other departments and impacting our overall growth. If we can get over-spend reduced and under control, we can re-invest where you need it; tooling, people, training and anything else that makes your lives better. We want to implement governance rules and policies that will prevent issues reoccurring. With your insights and support we can achieve this faster, avoid unwanted impact, and can re-invest back into our IT teams once done. Sound good to you?!

This is far more compelling and gives them reason to get onboard and help out.

How to start your FinOps governance journey

Making the jump from workload optimization into governance might initially sound challenging, but it’s actually pretty straightforward. Consider the typical workload optimization cycle:

1. Discover potential misconfiguration, optimization and waste cleanup opportunities.
2. Compare to actual business requirements.
3. Optimize workload to meet those business requirements.

A governance practice extends this to the following: Identify potential misconfigurations, optimization and waste cleanup opportunities. Compare to actual business requirements.
Optimize workload to meet those business requirements. Create an Azure Policy based on how the resource should have originally been configured, and how it should remain in future.

That's it, one extra step. Most of the hard work has already happened in steps 1-3, in the workload optimization we’ve already been doing. Step 4 simply turns the optimization into a rule that says “This resource must be like this from now on”, preventing it happening again. Let's do it again with a real resource, an Azure Disk:

1. Identify Premium SSD Disks in non-production environment.
2. Compare to business requirements, which confirms Standard HDD is fine.
3. Change Disk SKU from Premium to Standard HDD.
4. Create Azure Policy that only allows Disks with Standard HDD in the environment and denies other SKUs.

Done. No more Premium SSDs in this environment again. Prevention and Control. The real work lies in being able to understand and identify how resources become over-provisioned and wasteful. Until then we will struggle to optimize, let alone govern.

The Wasteful Eight

There are so many resources and properties available. Understanding all the ways they can create waste can be challenging. Fortunately, we can group resource properties into eight main categories, which make our efforts a bit easier. Let's look at the Wasteful Eight, listed by category with examples:

Over-provisioned SKUs
- Disks with Premium SSD instead of Standard HDD/SSD.
- App Service Plans with Premium SKU, instead of Standard.
- Azure Bastion with Premium SKU, instead of Developer.

Too much redundancy
- Storage Accounts configured with GRS, when LRS is fine.
- Recovery Services Vaults with GRS, when LRS is fine.
- SQL Databases with Zone Redundancy enabled.

Too large / too many instances.
- Azure VMs with too many CPUs.
- SQL Databases with too many vCores/DTUs.
- Disks which are over 1024GB.

Supports auto-scaling/serverless, but aren’t using it.
- Application Gateway doesn’t have auto-scaling enabled.
- App Service Plans without Auto-Scaling.
- SQL Databases using fixed provisioning, instead of Serverless or Elastic Pools

Too many backups.
- Backups that are too frequent.
- Backups with too long retention periods.
- Non-prod backups with similar retentions as Prod.

Too much logging.
- Logging enabled in non-prod.
- Log retentions too long.
- Logging to Log Analytics instead of Storage Accounts.
- Log Analytics not using cheaper table plans.

Extra features that are disabled, or not being used.
- Application Gateway with WAF SKU, but the WAF is disabled.
- Azure Firewall with Premium SKU, but IDPS is disabled.
- Storage Accounts with SFTP enabled but not used.

Orphaned/Unused.
- Unattached Disks
- Empty App Service Plans
- Unattached NAT Gateways

Remember, it's only wasteful if you don't have a business need for it, like too much redundancy in a non-production/development environment. In a production environment, you're likely to need premium disks or SKUs, GRS, and longer logging and backup retention periods. Governance is about reducing spend where you don't need it, and frees up money to spend where you do need it, for better redundancy, faster response times etc.

All resources will fall somewhere in the above categories. A single resource can be found in most of them. For example, an Application Gateway can:

- Have an over-provisioned/unused SKU (WAF vs Standard).
- Have auto-scaling disabled.
- Have too many instances.
- Have excessive logging enabled.
- Have the WAF SKU, but the WAF is for some reason disabled.
- Be orphaned, by having no backend VMs.

Breaking down any resource like this will uncover most of its cost-impacting properties and give us a good idea of what to focus on. A few outliers are inevitable, but the vast majority will be covered. Let's explore the Application Gateway examples further, the reasons why each item is wasteful and the subsequent Policies we might consider in a non-production environment.
I’ve also included some links to respective Azure Policy definitions available in GitHub (test before use!).

Discovery: Application Gateway has WAF SKU but doesn’t need it.
Reason: We use another firewall product.
Governance Rule/Policy: Allowed Application Gateway SKUs
Allowed Values and effects if applicable: Standard, Deny

Discovery: Application Gateway isn’t configured with Auto-Scaling, creating inefficient use of instances.
Reason: Auto-Scaling improves efficiency by scaling up and down as demand changes. Manual scaling is inefficient.
Governance Rule/Policy: Application Gateway should be configured with Auto-Scaling.
Allowed Values and effects if applicable: Deny

Discovery: Application Gateway min/max instance counts are higher than needed.
Reason: Setting Min/Max instance thresholds avoids them being too high. Particularly the min count, which might not need more than 1 instance.
Governance Rule/Policy: Allowed App Gateway Min/Max instance counts
Allowed Values and effects if applicable: Min Count: 1, Max Count: 2, Deny

Discovery: Non-Prod Application Gateways have logging enabled, when it’s not needed.
Reason: We don't have usage that needs to be logged in non-production environments.
Governance Rule/Policy: Non-Prod Application Gateways should avoid logging
Allowed Values and effects if applicable: Deny

Discovery: Application Gateway has WAF but it’s disabled.
Reason: A disabled WAF is doing nothing yet still paid for. Either use it, or change the Tier to Standard to reduce costs.
Governance Rule/Policy: Application Gateway WAF is disabled.
Allowed Values and effects if applicable: Audit

Discovery: Application Gateway has no Backend Pool resources.
Reason: Indicates an orphaned/unused App Gateway. It should be removed.
Governance Rule/Policy: Application Gateway has empty Backend Pool and appears Orphaned
Allowed Values and effects if applicable: Audit

Now this might seem a bit over the top. Do we really need to be controlling our App Gateway min/max scaling counts? It depends. If you have a genuine problem with too many instances then yes, you probably should. The point is, you can if you need to. This simply demonstrates how powerful governance and Azure Policy can be at controlling how resources are used. A more likely starting point will be things like SKUs, Sizes, Redundancy Tiers and Logging.
These are the high risk, high impact areas you’ve probably seen before and want to avoid again. Once you exhaust those it's time to jump into Cost Management and explore your most expensive resources and services. Explore the Billing Meters to see how each resource's costs are broken down. This is where your money is going and where your governance rules will have the biggest impact.

Where to find Azure Policies

If you want to use Azure Policy you're going to need some Policy Definitions. A Definition is your governance rule defined in Azure. It tells Azure what configurations you do and don't want, and how to deal with problems. It's recommended that you start with some of the in-built policies first, before creating your own. These are provided by Microsoft, available inside Azure Policy to be applied, and are maintained by Microsoft. Fortunately, there are plenty of policies to choose from: built-in, community provided, Azure Landing Zone related and a few of my own:

- Azure Built-in Policy Repo: https://github.com/Azure/azure-policy
- Azure Community Policy Repo: https://github.com/Azure/Community-Policy
- Azure Landing Zones Policies: https://github.com/Azure/Enterprise-Scale/blob/main/docs/wiki/ALZ-Policies.md
- My stuff: https://github.com/aluckwell/Azure-Cost-Governance

Making the search even easier is the AzAdvertizer. This handy tool brings thousands of policies into a single location, with easy search and filter functionality to help find useful ones. It even includes 'Deploy to Azure' links for quick deployment.

AzAdvertizer: https://www.azadvertizer.net/azpolicyadvertizer_all.html

Of the thousands of policies in AzAdvertizer, the list below is a great starting point for FinOps. These are all built-in, ready to go and will help you get familiar with how Azure Policy works. Each entry gives the policy name, its use case and a link:

- Not Allowed Resource Types: Block the creation of resources you don't need. Helps control when resource types can/can't be used.
  https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html
- Allowed virtual machine size SKUs: Allow the use of specific VM SKUs and Sizes and block SKUs that are too big or not fit for our use-case.
  https://www.azadvertizer.net/azpolicyadvertizer/cccc23c7-8427-4f53-ad12-b6a63eb452b3.html
- Allowed App Services Plan SKUs: Allow the use of specific App Service Plan SKUs. Block SKUs that are too big or not fit for our use-case.
  https://www.azadvertizer.net/azpolicyadvertizer/27e36ba1-7f72-4a8e-b981-ef06d5c78c1a.html
- [Preview]: Do not allow creation of Recovery Services vaults of chosen storage redundancy: Avoid Recovery Services Vaults with too much redundancy. If you don't need GRS, block it.
  https://www.azadvertizer.net/azpolicyadvertizer/8f09fda1-91a2-4e14-96a2-67c6281158f7.html
- Storage accounts should be limited by allowed SKUs: Avoid too much redundancy and performance when it's not needed.
  https://www.azadvertizer.net/azpolicyadvertizer/7433c107-6db4-4ad1-b57a-a76dce0154a1.html
- Configure Azure Defender for Servers to be disabled for resources (resource level) with the selected tag: Disable Defender for Servers on Virtual Machines if they don't need it. Help control the rollout of Defender for Servers, avoiding machines that don't need it.
  https://www.azadvertizer.net/azpolicyadvertizer/080fedce-9d4a-4d07-abf0-9f036afbc9c8.html
- Unused App Service plans driving cost should be avoided: Highlight when App Service Plans are 'Orphaned'. Either put them to use or get them deleted ASAP.
  https://www.azadvertizer.net/azpolicyadvertizer/Audit-ServerFarms-UnusedResourcesCostOptimization.html

New policies are always being added, and existing policies improved (see the Versioning). Check back occasionally for changes and new additions that might be useful. When you get the itch to create your own, I'd suggest watching the following videos to understand the nuts and bolts of Azure Policy, and then onto Microsoft Learn for further reading.
https://www.youtube.com/watch?v=4wGns611G4w
https://www.youtube.com/watch?v=fhIn_kHz4hk
https://learn.microsoft.com/azure/governance/policy/overview

Good luck!

Convert your Linux workloads while cutting costs with Azure Hybrid Benefit
As organizations increasingly adopt hybrid and cloud-first strategies to accelerate growth, managing costs is a top priority. Azure Hybrid Benefit provides discounts on Windows and SQL Server licenses and subscriptions, helping organizations reduce expenses during their migration to Azure. But did you know that Azure Hybrid Benefit also extends to Linux? In this blog, we’ll explore how Azure Hybrid Benefit for Linux enables enterprises to modernize their infrastructure, reduce cloud costs, and maintain seamless hybrid operations—all with the flexibility of easily converting their existing Red Hat Enterprise Linux (RHEL) and SUSE Linux Enterprise Server (SLES) subscriptions. We’ll also dig into the differences in entitlements between organizations using Linux, Windows Server, and SQL licenses. Whether you’re migrating workloads or running a hybrid cloud environment, understanding this Azure offer can help you make the most of your subscription investments.

Leverage your existing licenses while migrating to Azure

Azure Hybrid Benefit for Linux allows organizations to leverage their existing RHEL or SLES licenses to migrate to Azure, with cost savings of up to 76% when combined with three-year Azure Reserved Instances.
This offering provides significant advantages for businesses looking to migrate their Linux workloads to Azure or optimize their current Azure deployments:

- Seamless conversion: Existing pay-as-you-go Linux VMs can be converted to bring-your-own-subscription billing without downtime or redeployment
- Cost reduction: Organizations only pay for VM compute costs, eliminating software licensing fees for eligible Linux VMs
- Automatic maintenance: Microsoft handles image maintenance, updates, and patches for converted RHEL and SLES images
- Unified management: It integrates with Azure CLI and provides the same user interface as other Azure VMs
- Simplified support: Organizations can receive co-located technical support from Azure, Red Hat, and SUSE with a single support ticket

To use Azure Hybrid Benefit for Linux, customers must have eligible Red Hat or SUSE subscriptions. For RHEL, customers need to enable their Red Hat products for Cloud Access on Azure through Red Hat Subscription Management before applying the benefit.

Minimizing downtime and licensing costs with Azure Hybrid Benefit

To illustrate the value of leveraging Azure Hybrid Benefit for Linux, let’s imagine a common use case with a hypothetical business. Contoso, a growing SaaS provider, initially deployed its application on Azure virtual machines (VMs) using a pay-as-you-go model. As demand for its platform increased, Contoso scaled its infrastructure, running a significant number of Linux-based VMs on Azure. With this growth, the company recognized an opportunity to optimize costs by negotiating a better Red Hat subscription directly with the vendor. Instead of restarting or migrating their workloads—an approach that could cause downtime and disrupt their customers' experience—Contoso leveraged Azure Hybrid Benefit for Linux VMs. This allowed them to seamlessly apply their existing Red Hat subscription to their Azure VMs without downtime, reducing licensing costs while maintaining operational stability.
By using Azure Hybrid Benefit, Contoso successfully balanced cost savings and scalability while continuing to grow on Azure and provide continuous service to their customers.

How does a Linux license differ from Windows or SQL?

Entitlements for customers using Azure Hybrid Benefit for Linux are structured differently from those for Windows Server or SQL Server, primarily due to differences in licensing models, workload types, migration strategies, and support requirements.

Azure Hybrid Benefit for Windows and SQL

Azure Hybrid Benefit helps organizations reduce expenses during their migration to the cloud by providing discounts on SQL Server and Windows Server licenses with active Software Assurance. Additionally, they benefit from free extended security updates (ESUs) when migrating older Windows Server or SQL Server versions to Azure.

Azure Hybrid Benefit for Windows and SQL customers typically manage traditional Windows-based workloads, including Active Directory, .NET applications, AKS, ADH, Azure Local, NC2, AVS, and enterprise databases, often migrating on-premises SQL Server databases to Azure SQL Managed Instance or Azure VMs.

Windows and SQL customers frequently execute lift-and-shift migrations from on-premises Windows Server or SQL Server to Azure, often staying within the Microsoft stack.

Azure Hybrid Benefit for Linux

Azure Hybrid Benefit for Linux customers leverage their existing RHEL (Red Hat Enterprise Linux) or SLES (SUSE Linux Enterprise Server) subscriptions, benefiting from bring-your-own-subscription (BYOS) pricing rather than paying for Azure's on-demand rates. They typically work with enterprise Linux vendors for ongoing support.

Azure Hybrid Benefit for Linux customers often run enterprise Linux workloads, such as SAP, Kubernetes-based applications, and custom enterprise applications, and are more likely to be DevOps-driven, leveraging containers, open-source tools, and automation frameworks.
Linux users tend to adopt modern, cloud-native architectures, focusing on containers (AKS), microservices, and DevOps pipelines, while often implementing hybrid and multi-cloud strategies that integrate Azure with other major cloud providers.

In conclusion, Azure Hybrid Benefit is a valuable offer for organizations looking to optimize their cloud strategy and manage costs effectively. By extending this benefit to Linux, Microsoft has opened new avenues for organizations to modernize their infrastructure, reduce cloud expenses, and maintain seamless hybrid operations. With the ability to leverage existing Red Hat Enterprise Linux (RHEL) and SUSE Linux Enterprise Server (SLES) subscriptions, organizations can enjoy significant cost savings, seamless conversion of pay-as-you-go Linux VMs, automatic maintenance, unified management, and simplified support. Azure Hybrid Benefit for Linux not only provides flexibility and efficiency but also empowers organizations to make the most of their subscription investments while accelerating their growth in a hybrid and cloud-first world. Whether you're migrating workloads or running a hybrid cloud environment, understanding and utilizing this benefit can help you achieve your strategic goals with confidence.

To learn more go to: Explore Azure Hybrid Benefit for Linux VMs - Azure Virtual Machines | Microsoft Learn