Security & Azure Permissions

Everything your IT team needs to know before granting access.

TL;DR for IT Admins

1 permission requested: user_impersonation on the Azure Resource Manager API
Read-only in practice: the app reads resource metadata, metrics, and costs — it never creates, deletes, or modifies resource configurations
Optional write: start/stop VMs and databases only when explicitly triggered by the user via the scheduling feature
No Graph API access: we don't read your Active Directory, emails, or files
EU-only infrastructure: all data is processed and stored in Sweden (EU)
Data deletion: users can delete all their data at any time from the Account page

Permission Requested

Scope	API	Type	Consent
`user_impersonation`	Azure Resource Manager	Delegated	Admin or User (depends on tenant policy)
`offline_access`	Microsoft Identity	Delegated	User

We do not request any Microsoft Graph permissions (no access to emails, files, Active Directory, or user management).

What We Read (and Why)

Subscriptions

List your accessible subscriptions and their display names.

GET /subscriptions

Why: to let you choose which subscriptions to scan.

Resource Inventory (Azure Resource Graph)

Query resource metadata — types, SKUs, locations, configurations. We detect orphaned/unused resources like unattached disks, idle load balancers, deallocated VMs, etc.

POST /providers/Microsoft.ResourceGraph/resources

Why: this is the core of the audit — finding resources that cost money but aren't being used.

Metrics (Azure Monitor)

Read CPU, memory, disk I/O, network, and DTU utilization metrics over the last 7–30 days.

GET /{resourceId}/providers/microsoft.insights/metrics

Why: to identify oversized VMs, databases, and App Service plans that can be downsized.

Cost Data (Cost Management)

Query your last month's spend per subscription (aggregate totals, no line-item details).

POST /subscriptions/{id}/providers/Microsoft.CostManagement/query

Why: to show spend trends and prioritize optimization recommendations by cost impact.

Reservations

List reservation orders and their utilization rates (7-day and 30-day averages).

GET /providers/Microsoft.Capacity/reservationOrders

Why: to detect unused or underutilized reservations that represent wasted commitment spend.

Log Analytics

Query workspace ingestion volumes (per-table breakdown, daily trends). We do not read log contents.

POST /{workspaceId}/api/query

Why: to identify noisy tables driving up your Log Analytics bill.

Azure Retail Prices (public API)

Fetch public pricing for VMs, disks, SQL, and other services. This API is public and requires no authentication.

GET https://prices.azure.com/api/retail/prices

Why: to calculate potential savings when recommending a resize or tier change.

What We Can Write (Optional, User-Triggered Only)

The scheduling feature allows users to start/stop resources on a schedule to save costs. These actions are never automatic — they require explicit user configuration and can be disabled at any time.

Additional setup required: Start/stop actions — and any operation beyond read-only — require the Contributor role to be assigned on the target resources or resource group. The default Reader role used for audits does not grant write permissions. You must explicitly configure this additional role in Azure before using the scheduling feature.

Resource Type	Actions	API Version
Virtual Machines	Start, Deallocate	2024-03-01
VM Scale Sets	Start, Deallocate	2024-03-01
AKS Clusters	Start, Stop	2024-01-01
MySQL Flexible Server	Start, Stop	2023-06-30
PostgreSQL Flexible Server	Start, Stop	2023-06-30
Container Instances	Start, Stop	2024-03-01
Synapse SQL Pools	Resume, Pause	2024-03-01
Fabric Capacities	Resume, Suspend	2024-03-01

We never create, delete, resize, or modify the configuration of any Azure resource.

What We Don't Do

✕ Access your Active Directory, users, groups, or roles
✕ Read emails, files, or SharePoint data
✕ Create, delete, or reconfigure Azure resources
✕ Read log contents (only ingestion volumes)
✕ Access Key Vaults, secrets, or certificates
✕ Store your Azure credentials (tokens are encrypted with AES-256-GCM and auto-expire)
✕ Share or sell your data to third parties

Data Handling

Storage

MongoDB Atlas — Stockholm, Sweden (EU)
Backend servers — Fly.io Stockholm (EU)
No data leaves the EU

Encryption

In transit: TLS 1.2+ everywhere
At rest: AES-256-GCM for tokens
Sessions expire after 24 hours

Retention

Audit reports: kept until user deletes
Tokens: auto-expire, deleted on logout
Analytics: anonymized aggregates only

Deletion

Self-service: Account page → "Delete all my data"
Or email: contact@cloudiceberg.com
Personal data erased, anonymized stats retained

Granting Access (For IT Admins)

If your organization requires admin consent for third-party applications, an Azure AD administrator can approve Cloud Iceberg for all users in the tenant:

Go to Azure Portal → Entra ID → Enterprise Applications
Search for "Cloud Iceberg" (or the app's Client ID)
Click Permissions → Grant admin consent
Review the permission (user_impersonation on Azure Management) and approve

After admin consent, users in your tenant can sign in without any additional approval prompt.

Need help? Contact us at contact@cloudiceberg.com — we're happy to join a quick call with your IT team.

Minimum Azure Role Required

Cloud Iceberg works with the Reader role on the subscriptions you want to scan. No Contributor or Owner access is needed for the audit. The scheduling feature (start/stop) requires Contributor on the specific resources to manage.

Feature	Minimum Role	Scope
Audit / Optimization scan	Reader	Subscription
Cost analysis	Cost Management Reader	Subscription
Reservation insights	Reader	Tenant (reservation orders)
Scheduling (start/stop)	Contributor	Resource or Resource Group

Sub-Processors

Complete list of third-party services that process data on our behalf:

Provider	Purpose	Data Processed	Location	DPA
Microsoft Entra ID	Authentication (OAuth 2.0)	Name, email, tenant ID	EU / Global	View DPA
Microsoft Azure	Resource & cost data source	Resource metadata, metrics, costs	Your Azure regions	View DPA
Microsoft Teams	Webhook notifications (optional)	Audit summaries, resource alerts	Your Teams tenant	View DPA
MongoDB Atlas	Database	User profiles, audit reports, sessions	Stockholm, Sweden (EU)	View DPA
Fly.io	Backend hosting	API requests, application logs	Stockholm, Sweden (EU)	View DPA
Netlify	Frontend hosting	Static assets only (no user data)	EU CDN	View DPA
Stripe	Payment processing	Email, name (card details handled by Stripe)	EU	View DPA
Mailgun	Transactional emails	Email address, audit summaries	EU	View DPA
PostHog	Product analytics	Usage events, anonymized metrics	EU	View DPA

Data Flow Architecture

How data flows through Cloud Iceberg — no data leaves the EU.

┌──────────────┐      OAuth 2.0       ┌──────────────────┐
│              │ ───────────────────►  │  Microsoft       │
│   Your       │  ◄─── token ───────  │  Entra ID        │
│   Browser    │                      └──────────────────┘
│              │
│              │      HTTPS           ┌──────────────────────────────────┐
│              │ ──────────────────►  │  Cloud Iceberg API               │
└──────────────┘  ◄── JSON ────────  │  Fly.io — Stockholm, Sweden (EU) │
                                      │                                  │
                                      │  ┌─────────────────────┐        │
                                      │  │ MongoDB Atlas        │        │
                                      │  │ Stockholm (EU)       │        │
                                      │  │ · User profiles      │        │
                                      │  │ · Audit reports      │        │
                                      │  │ · Encrypted tokens   │        │
                                      │  └─────────────────────┘        │
                                      └──────────┬───────────────────────┘
                                                  │
                                                  │ Read-only API calls
                                                  │ (user's own token)
                                                  ▼
                                      ┌──────────────────────┐
                                      │  Azure Resource       │
                                      │  Manager API          │
                                      │  · Resource Graph     │
                                      │  · Monitor Metrics    │
                                      │  · Cost Management    │
                                      │  · Reservations       │
                                      │  · Log Analytics      │
                                      └──────────────────────┘

Frequently Asked Questions

Can Cloud Iceberg delete or modify my Azure resources? +

No. Cloud Iceberg is read-only by default. The only write operations are start/stop actions on VMs and databases, which require you to explicitly set up a schedule. We never create, delete, resize, or reconfigure any resource.

Can other users in my organization see my data? +

No. Each user's data is scoped to their own account. There is no shared workspace or cross-user visibility. Audit results are tied to the Azure identity that ran the scan.

What happens if I revoke access? +

You can revoke Cloud Iceberg's access at any time from Entra ID → Enterprise Applications or from your Microsoft My Apps page. Once revoked:

Existing tokens immediately stop working
Scheduled automations stop executing
You can also delete all stored data from the Account page

Do you store my Azure credentials? +

We never store your Azure password. We store a refresh token (issued by Microsoft) encrypted with AES-256-GCM on our EU servers. This token allows scheduled scans to run on your behalf. It auto-expires after 24 hours and is deleted when you log out.

Why does the app need admin consent in my organization? +

Some organizations restrict third-party app access and require an Azure AD administrator to approve the app first. This is a tenant-level policy, not a Cloud Iceberg requirement. Once an admin grants consent, all users in the tenant can sign in without further approval. See the admin consent section above for step-by-step instructions.

Does Cloud Iceberg read my log data or application secrets? +

No. For Log Analytics, we only query ingestion volumes (how much data each table generates) to help you reduce costs. We never read actual log entries, Key Vault secrets, certificates, or application data.

Is Cloud Iceberg GDPR compliant? +

Yes. All infrastructure is EU-based (Sweden), we practice data minimization, and you can exercise your GDPR rights (access, rectification, erasure, portability) at any time from the Account page or by emailing contact@cloudiceberg.com. See our Privacy Policy for full details.

What Azure role does the user need? +

The Reader role on the subscriptions you want to scan is sufficient for the audit. Cost data requires Cost Management Reader. The scheduling feature (start/stop) requires Contributor on the specific resources.

Security Track Record

0 security incidents since launch. We proactively monitor for vulnerabilities and follow security best practices including encrypted storage, minimal permissions, and automatic token expiration.

If you discover a security issue, please report it to contact@cloudiceberg.com.

See also: Privacy Policy · Terms of Service