Azure Permissions for Waste Detection

Two Levels of Scanning

Scamallteoir detects Azure waste at two levels:

1. Cost-Based Detection (works now)

Using your existing Cost Management Reader role, we analyse daily resource group spending to find:

  • Idle resource groups — spending small amounts with no real workload
  • Storage without compute — likely orphaned disks or blobs
  • Networking without compute — leftover VNets, load balancers, etc.

2. Inventory-Level Scanning (requires Reader)

With the Reader role, we can query Azure Resource Graph to identify specific resources:

  • Orphaned managed disks — disks not attached to any VM
  • Unassociated public IPs — static IPs not bound to any resource

Why Reader Is Needed

Azure Resource Graph requires the Microsoft.Resources/resources/read permission to enumerate resources. The Reader built-in role includes this permission and is the minimum role needed.

Adding the Reader Role

  1. Open the Azure Portal and go to Subscriptions
  2. Select the subscription connected to Scamallteoir
  3. Click Access control (IAM) in the left menu
  4. Click Add, then Add role assignment
  5. Search for Reader and select it
  6. Click Next, then Select members
  7. Search for your Scamallteoir service principal (App Registration name)
  8. Select it and click Review + assign

Security Note

The Reader role is read-only — it cannot modify, create, or delete any resources. It is the minimum permission needed for inventory-level scanning.
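As an added example (not Scamallteoir's own code), the Resource Graph queries behind the two inventory-level findings above, plus a local check that the role assigned to the service principal really grants Microsoft.Resources/resources/read and nothing beyond */read. The sample rows and resource names are constructed; the Reader definition is the built-in one.

```python
import re
# Azure Resource Graph (KQL) queries behind the two inventory-level findings.
ORPHANED_DISKS_KQL = """Resources
| where type =~ 'microsoft.compute/disks'
| where properties.diskState == 'Unattached' or isempty(managedBy)
| project id, name, resourceGroup, sizeGb = properties.diskSizeGB"""
UNASSOCIATED_PIPS_KQL = """Resources
| where type =~ 'microsoft.network/publicipaddresses'
| where isnull(properties.ipConfiguration)
| project id, name, resourceGroup, ip = properties.ipAddress"""

# Built-in Reader role definition: every */read control-plane action and nothing else.
READER_ROLE = {"actions": ["*/read"], "notActions": [], "dataActions": []}

def _glob(pattern, action):
    # RBAC action matching: '*' matches any run of characters, comparison is case-insensitive.
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), action, re.I) is not None

def role_permits(role, action):
    """Does the role grant this control-plane action (Actions minus NotActions)?"""
    allowed = any(_glob(p, action) for p in role["actions"])
    return allowed and not any(_glob(p, action) for p in role["notActions"])

def is_read_only(role):
    """Flag a role that grants anything beyond */read (e.g. a custom 'reader' that can delete)."""
    return all(p.lower().endswith("/read") for p in role["actions"]) and not role["dataActions"]

def find_orphaned(rows):
    """Apply the same predicates as the KQL above to Resource Graph rows (dicts)."""
    disks, pips = [], []
    for r in rows:
        kind, props = r["type"].lower(), r.get("properties", {})
        if kind == "microsoft.compute/disks" and (
                props.get("diskState") == "Unattached" or not r.get("managedBy")):
            disks.append(r["name"])
        elif kind == "microsoft.network/publicipaddresses" and props.get("ipConfiguration") is None:
            pips.append(r["name"])
    return {"orphaned_disks": disks, "unassociated_public_ips": pips}

# Constructed sample rows in the shape Resource Graph returns (not real resources).
SAMPLE_ROWS = [
    {"type": "microsoft.compute/disks", "name": "disk-vm1-os", "managedBy": "/subscriptions/.../vm1",
     "properties": {"diskState": "Attached", "diskSizeGB": 128}},
    {"type": "microsoft.compute/disks", "name": "disk-old-data", "managedBy": "",
     "properties": {"diskState": "Unattached", "diskSizeGB": 512}},
    {"type": "microsoft.network/publicipaddresses", "name": "pip-lb", "properties": {"ipConfiguration": {"id": "cfg1"}}},
    {"type": "microsoft.network/publicipaddresses", "name": "pip-unused", "properties": {"ipConfiguration": None}},
]
```

The KQL strings can be passed as-is to `az graph query -q`; the Python predicates exist so the same logic can be unit-tested offline against captured rows.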

What Works Without Reader

All cost monitoring features work with just Cost Management Reader:

  • Daily cost reports and anomaly detection
  • Resource group cost breakdown
  • Cost-based waste detection (idle RGs, storage/networking without compute)
  • Email and Slack notifications

Need more help? Contact us at support@scamallteoir.app