Story
Resolution: Done
Normal
Previously we relied on direct storage container connection strings for downloading billing exports from Azure. We used to look this access key up using the `Storage Account Contributor` role. This is not the most restrictive method for us to pull customer data, and it is also not traceable to a specific service principal.
We have now added RBAC role support for `Storage Blob Data Reader`, which allows us to download billing exports using the specific service principal credentials that the customer shares with us. This is a much better way for Cost Management to authenticate with customers and is the preferred method going forward. FWIW we have not disabled the old method (since that might break customers today), but any customer integration going forward should use this new authentication method instead.
The UI wizard should be updated to change the `Storage Account Contributor` role to `Storage Blob Data Reader` instead.
az ad sp create-for-rbac -n "CostManagement" --role "Storage Blob Data Reader" --scopes {scope} --query '{"tenant": tenant, "client_id": appId, "secret": password}'
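As an added example (not part of this ticket), the commands below wrap the same `az` call in small functions: one builds a container-level scope so the reader role is granted only on the export container rather than the whole storage account, one creates the principal, and one lists every assignment the principal holds so a leftover broader role would show up. Subscription, resource group, account and container names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the ticket. Assumes the Azure CLI is logged in
# with rights to create role assignments on the target container.

# Resource ID of one blob container. Granting Storage Blob Data Reader here,
# instead of on the storage account, limits the principal to the export data.
cm_container_scope() {
  sub="$1"; rg="$2"; account="$3"; container="$4"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s' \
    "$sub" "$rg" "$account" "$container"
}

# Create the service principal with only the reader role at that scope and
# emit the three values the customer shares (tenant, client id, secret).
cm_create_reader_sp() {
  scope="$1"; name="${2:-CostManagement}"
  az ad sp create-for-rbac -n "$name" --role "Storage Blob Data Reader" --scopes "$scope" \
    --query '{"tenant": tenant, "client_id": appId, "secret": password}' -o json
}

# List every assignment the principal holds in the subscription so that the
# reader role at the container scope is the only row, with nothing broader.
cm_verify_assignments() {
  app_id="$1"
  az role assignment list --assignee "$app_id" --all \
    --query '[].{role: roleDefinitionName, scope: scope}' -o table
}
```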
This should be updated in both the standard flow and the customise filter flow. Screenshots below show the updates.
Standard flow:

Filter flow:
