Documentation

TenantThrift docs

How TenantThrift connects to your tenant, exactly what it stores, the security model, and how billing works — everything on one page.

How it connects

TenantThrift never installs anything in your environment. The connection is two standard Azure mechanisms, both fully under your control:

  1. Admin consent. A tenant admin approves our multi-tenant application once. Azure creates a service principal (an "enterprise app") in your tenant that represents TenantThrift. No secrets are exchanged — the credential stays on our side, scoped to exactly this app.
  2. Reader assignment. You assign the built-in Reader role to that service principal on each subscription you want scanned — one az command that the app shows you, and that you run yourself:
az role assignment create \
  --assignee <app-id> \
  --role Reader \
  --scope /subscriptions/<subscription-id>

Prefer the Azure portal? Subscription → Access control (IAM)Add role assignment → role Reader → members: User, group, or service principal → search TenantThriftReview + assign. Same result, no terminal.

The app verifies access with one click, and the first scan starts right after. Scans read resource metadata, cost data and (for VMs) runtime metrics — in memory, during the scan. What gets persisted is the bounded list below, nothing else.

Permissions — the complete list

  • Microsoft Graph, delegated User.Read — the minimum required for the consent flow to exist. We never read your directory.
  • Azure RBAC: built-in Reader on the subscriptions you choose — this is what the scan uses. No write role, no custom role, no Key Vault access, no data-plane access to storage accounts or databases.

TenantThrift cannot change, delete, start or stop anything in your tenant. Every fix is guidance — the exact command shown for you to review and run yourself.

What we store

Hosted on EU infrastructure (Frankfurt). The complete inventory:

  • Account: your email, organization name, plan, trial end date. Payment details live at Stripe — we only hold customer/subscription IDs.
  • Connection: tenant ID (GUID), display name, subscription IDs (GUIDs), scan schedule, report recipient addresses, budgets, ignored findings.
  • Per scan: findings (title, category, severity, resource ID + name, estimated savings, fix guidance), totals by category/severity, bounded cost aggregates — spend totals and trend, rollups by subscription / resource type / resource group / tag, the top 200 resources by cost, and up to 50 VMs with usage for the commitment comparison — plus one PDF report in a private bucket.

Explicitly never stored: credentials of any kind, metric time series, log content, network data, or a full resource inventory. Client-credential tokens for your tenant live for about an hour in worker memory and are never persisted.

Security model

  • Read-only, forever. Reader is the only role we ever ask for.
  • Your kill switch. Delete the TenantThrift enterprise app in your tenant (or remove the Reader assignment) and access ends instantly — no ticket, no waiting for us.
  • Tenant isolation. Every row is scoped to your organization and enforced with row-level security; report PDFs live in a private bucket and are served through short-lived signed URLs after an access check.
  • Team roles. Admin (billing, team, connections), Editor (scans, schedules, ignores), Reader (view only) — invite colleagues in Settings → Team.
  • EU hosting. Database, storage and processing in Frankfurt; subprocessors are listed in the DPA.

Working with it

  • Findings — searchable and filterable (subscription, resource group, category, severity); each finding opens guidance with the exact command and, where relevant, options like Azure's native auto-shutdown. Ignore findings with a reason to keep your numbers honest.
  • Cost explorer — spend, forecast and trend, rollups by type / group / subscription / tag, and a filterable list of your top billed resources.
  • Commitments — Reservation and Savings-Plan prices compared against each VM's real runtime, so you commit to what you actually use.
  • Reports — a PDF per scan (download, share via 7-day link, or mailed to any recipients after scheduled scans) plus CSV export. See a sample report →
  • Schedules & budgets — daily/weekly/monthly scans at your hour; budget alerts per subscription, resource group, tag or total.

Billing & plans

Every organization starts with a 14-day free trial of the full product — no credit card. After that: Personal (€19/mo, 1 subscription), Business (€39/mo, 5 subscriptions), MSP (€99/mo, unlimited). Payment runs through Stripe; upgrades, downgrades and cancellation are self-service in Settings → Billing. When a trial or plan lapses, scans pause — your data stays readable.

Cancelling & deleting

  • Cancel the plan — runs to the end of the paid period, then scans pause. Nothing is deleted.
  • Delete a connection — removes its scans, findings and stored PDF reports immediately.
  • Delete the organization (Settings → Organization) — removes every connection, all derived data and your account.
  • Revoke on your side — deleting the enterprise app in your tenant cuts our access regardless of anything above.