Use this path when you want CloudEval to evaluate an existing Azure subscription or a scoped set of resource groups. This is the Cloud sync path. It reads deployed Azure resources and exports template snapshots for analysis. It is different from the infrastructure-as-code path, which starts from source files before deployment.

What you need

  • An Azure service principal with least-privilege access to the resource groups you want to evaluate
  • The following values:
    • client ID
    • client secret
    • tenant ID
    • subscription ID
Use the Azure Cloud sync permissions guide to create a custom CloudEval Live Sync Reader role. Normal Cloud sync does not need Contributor.

Create the connection

  1. Open Connections in CloudEval.
  2. Choose Add connection.
  3. Select Azure as the provider.
  4. Choose Cloud sync as the source type.
  5. Confirm that the service principal has the least-privilege role on the target scope.
  6. Enter the service principal credentials.
  7. Add target resource groups that match the role assignment scope.
  8. Create the connection. CloudEval validates the credentials during creation.

Create a project from the connection

After the connection is saved:
  1. Create a new project.
  2. Select the Azure connection you just created.
  3. Start the sync.
CloudEval will pull the available infrastructure data into the project and make it available for reports and sharing.

Create it from the CLI

Use the CLI when you want connection and project creation in one repeatable command. The same least-privilege role and resource-group scope still apply:
cloudeval projects create \
  --cloud-sync \
  --azure-tenant-id "$AZURE_TENANT_ID" \
  --azure-client-id "$AZURE_CLIENT_ID" \
  --azure-client-secret "$AZURE_CLIENT_SECRET" \
  --azure-subscription-id "$AZURE_SUBSCRIPTION_ID" \
  --resource-group rg-app \
  --name "Production Cloud sync" \
  --format json \
  --output ./cloudeval-project.json
Repeat --resource-group for each scoped group the service principal can read. The CLI also reads AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_SUBSCRIPTION_ID from the environment when the matching flags are omitted.
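The following preflight script is an added example and is not part of CloudEval or its CLI. It ties together the two setup steps above: it checks the four service principal values before anything is sent to Azure (a malformed tenant or subscription ID is one of the common failure points listed below), writes a custom role definition scoped to the same resource groups you will pass to the connection, and assembles the documented `cloudeval projects create` command, leaving the credentials to the CLI's environment-variable fallback so the client secret never appears in a process listing or shell history. The role definition is an assumption about shape only: the role name and the two actions are taken from this page, while the `*/read` wildcard, the output file name and the `IsCustom`/`AssignableScopes` layout are illustrative and should be replaced by the definition in the Azure Cloud sync permissions guide.

```shell
#!/bin/sh
# Preflight for a CloudEval Azure Cloud sync connection (added example, not
# CloudEval's own code). Assumes the four AZURE_* variables named in the docs;
# the role JSON shape and the "*/read" wildcard are illustrative assumptions.

# Returns 0 when $1 is shaped like an Azure GUID (8-4-4-4-12 hex), 1 otherwise.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Checks the service principal values before any credential leaves the machine.
# Reports each problem on stderr and returns the number of problems found.
check_sp_values() {
  errors=0
  for var in AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_SUBSCRIPTION_ID; do
    eval "val=\${$var}"
    if ! is_guid "$val"; then
      echo "ERROR: $var is unset or not a GUID (wrong tenant or subscription ID)" >&2
      errors=$((errors + 1))
    fi
  done
  if [ -z "$AZURE_CLIENT_SECRET" ]; then
    echo "ERROR: AZURE_CLIENT_SECRET is empty" >&2
    errors=$((errors + 1))
  fi
  return "$errors"
}

# Prints a custom role definition assignable only on the given resource groups.
# Actions: read-only access plus the two actions the docs name for complete
# template exports and Network Watcher topology. Hypothetical shape; the
# authoritative definition is in the Azure Cloud sync permissions guide.
print_role_definition() {
  scopes=""
  for rg in "$@"; do
    if [ -n "$scopes" ]; then scopes="$scopes, "; fi
    scopes="$scopes\"/subscriptions/$AZURE_SUBSCRIPTION_ID/resourceGroups/$rg\""
  done
  cat <<EOF
{
  "Name": "CloudEval Live Sync Reader",
  "IsCustom": true,
  "Actions": [
    "*/read",
    "Microsoft.Resources/deployments/exportTemplate/action",
    "Microsoft.Network/networkWatchers/topology/action"
  ],
  "NotActions": [],
  "AssignableScopes": [ $scopes ]
}
EOF
}

# Prints the create command from the documented flags, repeating
# --resource-group once per group. Credentials are intentionally omitted so
# the CLI reads them from the environment and the secret stays out of argv.
build_create_command() {
  name="$1"; shift
  cmd="cloudeval projects create --cloud-sync --name \"$name\""
  for rg in "$@"; do
    cmd="$cmd --resource-group $rg"
  done
  printf '%s\n' "$cmd --format json --output ./cloudeval-project.json"
}

# Usage: ./preflight.sh rg-app rg-network
main() {
  if ! check_sp_values; then
    echo "Fix the values above before creating the connection." >&2
    return 1
  fi
  print_role_definition "$@" > cloudeval-live-sync-reader.json
  echo "Role definition written to cloudeval-live-sync-reader.json;" >&2
  echo "assign it on exactly the resource groups passed to the connection." >&2
  build_create_command "Production Cloud sync" "$@"
}

if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

The script only validates what can be checked offline. An expired client secret or a role assignment on a different scope than the resource groups you list will still surface only when CloudEval tests the connection, which is why the resource groups given here should be the same ones the role is assigned on.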

What success looks like

  • Connection test passes.
  • Project shows synced infrastructure data.
  • Cost and architecture reports can run from the project or the Reports page.
  • Network relationships are richer when the role also has Microsoft.Network/networkWatchers/topology/action on the Network Watcher scope.

Common failure points

  • Wrong tenant or subscription ID
  • Expired client secret
  • Service principal access that does not match the subscription or resource group scope
  • Missing Microsoft.Resources/deployments/exportTemplate/action, which can make report inputs incomplete
  • Missing Network Watcher topology access, which can make relationship enrichment sparse

Next step

Continue to Run your first reports, or use Connections and sync troubleshooting if the connection test fails.
Last modified on May 22, 2026