microsoft · MSBrett · Oct 11, 2025 · Jun 27, 2025 · Jun 27, 2025 · Jun 27, 2025
@@ -0,0 +1,109 @@
+---
+ms.service: finops
+ms.author: flanakin
+author: flanakin
+ms.date: 11/01/2024
+ms.topic: how-to
+title: Configure remote hubs
+description: Learn how to configure FinOps hubs to collect cost data across multiple Azure tenants and clouds using remote hub functionality.
+---
+
+# Configure remote hubs
+
+Remote hubs enable cross-tenant cost data collection scenarios where a central tenant aggregates cost data from multiple tenants or subscriptions. In this setup, "satellite" FinOps hubs in different tenants send their processed data to a central "primary" hub for consolidated reporting and analysis.
+
+Remote hubs work across different Azure clouds, supporting:
+- Azure Commercial
+- Azure Government 
+- Azure China
+
+<br>
+
+## When to use remote hubs
+
+Consider remote hubs when you have:
+
+- Multiple Azure tenants with separate billing relationships
+- A centralized FinOps team that needs visibility across multiple organizations
+- Subsidiaries or business units in separate tenants
+- Partners or customers who want to contribute cost data to a shared analysis
+- Multi-cloud scenarios where you need cost data from different Azure cloud environments
+
+<br>
+
+## Architecture overview
+
+In a remote hub configuration:
+
+1. **Primary hub**: Central FinOps hub that receives and stores aggregated data from all tenants
+2. **Remote (satellite) hubs**: FinOps hubs in remote tenants that process local cost data and send it to the primary hub
+
+<br>
+
+## Configure the primary hub
+
+1. Deploy a standard FinOps hub in your central tenant using the regular deployment process
+2. Note the storage account name (found in the resource group after deployment)
+3. Get the Data Lake storage endpoint:
+   - Navigate to the storage account in the Azure portal
+   - Select **Settings** > **Endpoints**
+   - Copy the **Data Lake storage** URL (format: `https://storageaccount.dfs.core.windows.net/`)
+4. Get the storage account access key:
+   - Navigate to **Security + networking** > **Access keys**
+   - Copy **key1** or **key2** value
+
+<br>
+
+## Configure remote hubs
+
+When deploying remote hubs, provide the primary hub's storage details:
+
+### [Azure portal](#tab/azure-portal)
+
+1. When deploying the FinOps hub template, navigate to the **Advanced** tab
+2. Expand **Remote hub configuration**
+3. Enter the **Remote hub storage URI** from the primary hub (copy from the primary hub's storage account Settings > Endpoints > Data Lake storage)
+4. Enter the **Remote hub storage key** from the primary hub (copy from the primary hub's storage account Security + networking > Access keys > key1/2 > Key)
+5. Complete the deployment normally
+
+### [PowerShell](#tab/powershell)
+
+```powershell
+Deploy-FinOpsHub `
+    -Name MyRemoteHub `
+    -ResourceGroup MyRemoteHubResourceGroup `
+    -Location westus `
+    -RemoteHubStorageUri "https://primaryhubstore123.dfs.core.windows.net/" `
+    -RemoteHubStorageKey "abc123...xyz789=="
+```
+
+---
+
+<br>
+
+## Security considerations
+
+- **Version requirement**: Remote hubs support requires FinOps hub template version 0.4 or later
+- **Storage keys**: Treat storage keys as secrets. They provide full access to the storage account
+- **Network access**: Consider using private networking for both primary and remote hubs
+- **Key rotation**: Regularly rotate storage keys and update remote hub configurations
+- **Least privilege**: The storage key provides broad access; consider using Azure AD authentication when available
+
+<br>
+
+## Data flow and processing
+
+Remote hubs process data locally and then send processed (not raw) cost data to the primary hub. This approach:
+
+- Reduces data transfer costs
+- Maintains data sovereignty for initial processing
+- Centralizes only the final, processed cost data
+- Preserves full granularity in the primary hub
+
+<br>
+
+## Next steps
+
+- [Deploy a FinOps hub](deploy.md)
+- [Configure private networking](private-networking.md)
+- [Upgrade FinOps hubs](upgrade.md)
@@ -89,6 +89,19 @@ Public routing doesn't require configuration. If you opt for private routing, wo
 
 <br>
 
+## Plan for multiple tenants and clouds
+
+FinOps hubs support remote hub functionality for collecting cost data across multiple Azure tenants and clouds. Remote hubs enable centralized cost management for organizations with distributed billing relationships while maintaining data sovereignty during processing.
+
+Remote hubs can be used for multiple tenants in the same Azure cloud or tenants in different Azure clouds. Supported clouds are:
+- Azure Commercial
+- Azure Government
+- Azure China
+
+To configure remote hubs, see [Configure remote hubs](configure-remote-hubs.md).
+
+<br>
+
 ## Optional: Set up Microsoft Fabric
 
 Many organizations adopt Microsoft Fabric as a unified data platform to streamline data analytics, storage, and processing. FinOps hubs can use Microsoft Fabric Real-Time Intelligence (RTI) as either a primary or secondary data store. This section only applies when configuring Microsoft Fabric as a primary data store instead of Azure Data Explorer.
@@ -154,6 +167,10 @@ The core engine for FinOps hubs is deployed via an Azure Resource Manager deploy
 12. Indicate is you want public or private network routing. [Learn more](private-networking.md).
 13. If you selected private, specify the desired private network address prefix.
 14. Select the **Next** button at the bottom of the form.
+    - **Optional**: For remote hub configuration (cross-tenant scenarios), expand **Remote hub configuration** and:
+      - Enter the **Remote hub storage URI** from the primary hub
+      - Enter the **Remote hub storage key** from the primary hub
+      - For details, see [Configure remote hubs](configure-remote-hubs.md)
 15. If desired, specify more tags to add to resources.
 16. Select the **Next** button at the bottom of the form.
 17. Review the configuration summary and select the **Create** button at the bottom of the form.