Documentation
TenantThrift docs
How TenantThrift connects to your tenant, exactly what it stores, the security model, and how billing works — everything on one page.
How it connects
TenantThrift never installs anything in your environment. The connection is two standard Azure mechanisms, both fully under your control:
- Admin consent. A tenant admin approves our multi-tenant application once. Azure creates a service principal (an "enterprise app") in your tenant that represents TenantThrift. No secrets are exchanged — the credential stays on our side, scoped to exactly this app.
- Reader assignment. You assign the built-in
Reader role to that service principal on each subscription you
want scanned — one
azcommand that the app shows you, and that you run yourself:
az role assignment create \ --assignee <app-id> \ --role Reader \ --scope /subscriptions/<subscription-id>
Prefer the Azure portal? Subscription → Access control (IAM) → Add role assignment → role Reader → members: User, group, or service principal → search TenantThrift → Review + assign. Same result, no terminal.
The app verifies access with one click, and the first scan starts right after. Scans read resource metadata, cost data and (for VMs) runtime metrics — in memory, during the scan. What gets persisted is the bounded list below, nothing else.
Permissions — the complete list
- Microsoft Graph, delegated
User.Read— the minimum required for the consent flow to exist. We never read your directory. - Azure RBAC: built-in Reader on the subscriptions you choose — this is what the scan uses. No write role, no custom role, no Key Vault access, no data-plane access to storage accounts or databases.
TenantThrift cannot change, delete, start or stop anything in your tenant. Every fix is guidance — the exact command shown for you to review and run yourself.
What we store
Hosted on EU infrastructure (Frankfurt). The complete inventory:
- Account: your email, organization name, plan, trial end date. Payment details live at Stripe — we only hold customer/subscription IDs.
- Connection: tenant ID (GUID), display name, subscription IDs (GUIDs), scan schedule, report recipient addresses, budgets, ignored findings.
- Per scan: findings (title, category, severity, resource ID + name, estimated savings, fix guidance), totals by category/severity, bounded cost aggregates — spend totals and trend, rollups by subscription / resource type / resource group / tag, the top 200 resources by cost, and up to 50 VMs with usage for the commitment comparison — plus one PDF report in a private bucket.
Explicitly never stored: credentials of any kind, metric time series, log content, network data, or a full resource inventory. Client-credential tokens for your tenant live for about an hour in worker memory and are never persisted.
Security model
- Read-only, forever. Reader is the only role we ever ask for.
- Your kill switch. Delete the TenantThrift enterprise app in your tenant (or remove the Reader assignment) and access ends instantly — no ticket, no waiting for us.
- Tenant isolation. Every row is scoped to your organization and enforced with row-level security; report PDFs live in a private bucket and are served through short-lived signed URLs after an access check.
- Team roles. Admin (billing, team, connections), Editor (scans, schedules, ignores), Reader (view only) — invite colleagues in Settings → Team.
- EU hosting. Database, storage and processing in Frankfurt; subprocessors are listed in the DPA.
Working with it
- Findings — searchable and filterable (subscription, resource group, category, severity); each finding opens guidance with the exact command and, where relevant, options like Azure's native auto-shutdown. Ignore findings with a reason to keep your numbers honest.
- Cost explorer — spend, forecast and trend, rollups by type / group / subscription / tag, and a filterable list of your top billed resources.
- Commitments — Reservation and Savings-Plan prices compared against each VM's real runtime, so you commit to what you actually use.
- Reports — a PDF per scan (download, share via 7-day link, or mailed to any recipients after scheduled scans) plus CSV export. See a sample report →
- Schedules & budgets — daily/weekly/monthly scans at your hour; budget alerts per subscription, resource group, tag or total.
Billing & plans
Every organization starts with a 14-day free trial of the full product — no credit card. After that: Personal (€19/mo, 1 subscription), Business (€39/mo, 5 subscriptions), MSP (€99/mo, unlimited). Payment runs through Stripe; upgrades, downgrades and cancellation are self-service in Settings → Billing. When a trial or plan lapses, scans pause — your data stays readable.
Cancelling & deleting
- Cancel the plan — runs to the end of the paid period, then scans pause. Nothing is deleted.
- Delete a connection — removes its scans, findings and stored PDF reports immediately.
- Delete the organization (Settings → Organization) — removes every connection, all derived data and your account.
- Revoke on your side — deleting the enterprise app in your tenant cuts our access regardless of anything above.