ShareGate Overcast will consume billing data and metrics coming from your Azure subscriptions using a permissions delegation model.
This means that ShareGate Overcast requires you to log in with an Organizational (Azure AD) or Personal (Microsoft) user account. ShareGate Overcast then uses the permission delegation to impersonate your user and access your Azure resources. As a result, it has the same access to Azure resources as the user who is logged in.
ShareGate Overcast requires a user with the Reader Azure role definition on your subscriptions. The Reader role only gives access to the control plane on Azure. As such, this role does not grant any access to your data plane (e.g., data stored inside SQL databases or in storage account blobs or tables).
From a technical point of view, ShareGate Overcast uses the Azure REST APIs to connect on your behalf and perform queries. These queries are performed against the Billing APIs as well as the various resources that are analyzed in order to determine recommendations on how to reduce costs.
How to grant permissions
Step 1: Go to the Azure portal and list your tenant Subscriptions.
Step 2: Select a subscription that you want ShareGate Overcast to analyze, then select the Access control (IAM) screen.
Step 3: Add a new role, then select the Reader role. Choose the Active Directory account you want to associate with the role and save.
Read more on Microsoft Azure role-based access controls here.
Creating a dedicated account
If you wish, you can create a dedicated user account to access ShareGate Overcast with a restricted set of permissions. While this adds the burden of managing a separate set of permissions, it can limit what actions ShareGate Overcast can take in your environment.
Currently, ShareGate Overcast only uses Azure's Reader role to retrieve billing and resource information. In the future, new features may require additional permissions in order to be used. At this time, however, there are no plans to add such features.
In all cases, any actions that are taken to modify Azure in any way would be fully documented in Azure's audit log.
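Because ShareGate Overcast inherits every permission of the account that logs in, it is worth checking what that account actually holds. The following Python is an added example, not ShareGate's own code: it audits one account's role assignments against the intent described above (Reader only, on the chosen subscriptions). It assumes the JSON shape produced by `az role assignment list --assignee <account> --all -o json`; the account name, subscription IDs and management group name in the sample are constructed placeholders.

```python
import json

ALLOWED_ROLE = "Reader"

# Constructed sample in the shape of `az role assignment list ... -o json`.
SAMPLE = json.loads("""[
  {"principalName": "overcast-reader@contoso.example",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "overcast-reader@contoso.example",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app"},
  {"principalName": "overcast-reader@contoso.example",
   "roleDefinitionName": "Reader",
   "scope": "/providers/Microsoft.Management/managementGroups/mg-root"}
]""")

def audit_assignments(assignments, intended_subscriptions):
    """Return (kind, role, scope) findings for one account's role assignments.

    excess-role      : any role other than Reader (the tool would inherit it)
    unintended-scope : Reader granted outside the subscriptions chosen for analysis
    missing-reader   : a chosen subscription without Reader at subscription scope
    """
    # Azure scope strings are case-insensitive, so compare in lower case.
    intended = {f"/subscriptions/{s}".lower() for s in intended_subscriptions}
    findings, covered = [], set()
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"].lower()
        sub = "/".join(scope.split("/")[:3])  # "/subscriptions/<id>" prefix
        if role != ALLOWED_ROLE:
            findings.append(("excess-role", role, scope))
        elif sub not in intended:
            findings.append(("unintended-scope", role, scope))
        elif scope == sub:
            covered.add(sub)
    for sub in sorted(intended - covered):
        findings.append(("missing-reader", ALLOWED_ROLE, sub))
    return findings

if __name__ == "__main__":
    chosen = ["00000000-0000-0000-0000-000000000001",
              "00000000-0000-0000-0000-000000000002"]
    for kind, role, scope in audit_assignments(SAMPLE, chosen):
        print(f"{kind:17} {role:12} {scope}")
```

An empty result means the account holds Reader at subscription scope on each chosen subscription and nothing else.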
Any additional questions or concerns with authorizations for ShareGate Overcast should be directed to our support team. They will be happy to help in any way possible. We take security very seriously at ShareGate Overcast and make it a top priority for our entire team.