azure billing role assignment name

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Assign Enterprise Agreement roles to service principals

• 8 contributors

You can manage your Enterprise Agreement (EA) enrollment in the Azure portal . You can create different roles to manage your organization, view costs, and create subscriptions. This article helps you automate some of those tasks by using Azure PowerShell and REST APIs with Microsoft Entra ID service principals.

If you have multiple EA billing accounts in your organization, you must grant the EA roles to Microsoft Entra ID service principals individually in each EA billing account.

Before you begin, ensure that you're familiar with the following articles:

• Enterprise agreement roles
• Sign in with Azure PowerShell
• How to call REST APIs with Postman

Create and authenticate your service principal

To automate EA actions by using a service principal, you need to create a Microsoft Entra app identity, which can then authenticate in an automated manner.

Follow the steps in these articles to create and authenticate using your service principal.

• Create a service principal
• Get tenant and app ID values for signing in

Here's an example of the application registration page.

Find your service principal and tenant IDs

You need the service principal's object ID and the tenant ID. You need this information for permission assignment operations later in this article. All applications are registered in Microsoft Entra ID in the tenant. Two types of objects get created when the app registration is completed:

• Application object - The application ID is what you see under Enterprise Applications. The ID should not be used to grant any EA roles.
• Service Principal object - The Service Principal object is what you see in the Enterprise Registration window in Microsoft Entra ID. The object ID is used to grant EA roles to the service principal.

Open Microsoft Entra ID, and then select Enterprise applications .

Find your app in the list.

Select the app to find the application ID and object ID:

Go to the Microsoft Entra ID Overview page to find the tenant ID.

The value of your Microsoft Entra tenant ID looks like a GUID with the following format: 11111111-1111-1111-1111-111111111111 .

Permissions that can be assigned to the service principal

Later in this article, you'll give permission to the Microsoft Entra app to act by using an EA role. You can assign only the following roles to the service principal, and you need the role definition ID, exactly as shown.

• An EnrollmentReader role can be assigned to a service principal only by a user who has an enrollment writer role. The EnrollmentReader role assigned to a service principal isn't shown in the Azure portal. It's created by programmatic means and is only for programmatic use.
• A DepartmentReader role can be assigned to a service principal only by a user who has an enrollment writer or department writer role.
• A SubscriptionCreator role can be assigned to a service principal only by a user who is the owner of the enrollment account (EA administrator). The role isn't shown in the Azure portal. It's created by programmatic means and is only for programmatic use.
• The EA purchaser role isn't shown in the Azure portal. It's created by programmatic means and is only for programmatic use.

When you grant an EA role to a service principal, you must use the billingRoleAssignmentName required property. The parameter is a unique GUID that you must provide. You can generate a GUID using the New-Guid PowerShell command. You can also use the Online GUID / UUID Generator website to generate a unique GUID.

A service principal can have only one role.

Assign enrollment account role permission to the service principal

Read the Role Assignments - Put REST API article. While you read the article, select Try it to get started by using the service principal.

Use your account credentials to sign in to the tenant with the enrollment access that you want to assign.

Provide the following parameters as part of the API request.

billingAccountName : This parameter is the Billing account ID . You can find it in the Azure portal on the Cost Management + Billing overview page.

billingRoleAssignmentName : This parameter is a unique GUID that you need to provide. You can generate a GUID using the New-Guid PowerShell command. You can also use the Online GUID / UUID Generator website to generate a unique GUID.

api-version : Use the 2019-10-01-preview version. Use the sample request body at Role Assignments - Put - Examples .

The request body has JSON code with three parameters that you need to use.

The billing account name is the same parameter that you used in the API parameters. It's the enrollment ID that you see in the Azure portal.

Notice that 24f8edb6-1668-4659-b5e2-40bb5f3a7d7e is a billing role definition ID for an EnrollmentReader.

Select Run to start the command.

A 200 OK response shows that the service principal was successfully added.

Now you can use the service principal to automatically access EA APIs. The service principal has the EnrollmentReader role.

Assign EA Purchaser role permission to the service principal

For the EA purchaser role, use the same steps for the enrollment reader. Specify the roleDefinitionId , using the following example:

"/providers/Microsoft.Billing/billingAccounts/1111111/billingRoleDefinitions/ da6647fb-7651-49ee-be91-c43c4877f0c4"

Assign the department reader role to the service principal

Read the Enrollment Department Role Assignments - Put REST API article. While you read the article, select Try it .

departmentName : This parameter is the department ID. You can see department IDs in the Azure portal on the Cost Management + Billing > Departments page.

For this example, we used the ACE department. The ID for the example is 84819 .

api-version : Use the 2019-10-01-preview version. Use the sample at Enrollment Department Role Assignments - Put .

The billing role definition ID of db609904-a47f-4794-9be8-9bd86fbffd8a is for a department reader.

Now you can use the service principal to automatically access EA APIs. The service principal has the DepartmentReader role.

Assign the subscription creator role to the service principal

Read the Enrollment Account Role Assignments - Put article. While you read it, select Try It to assign the subscription creator role to the service principal.

Provide the following parameters as part of the API request. Read the article at Enrollment Account Role Assignments - Put - URI Parameters .

billingRoleAssignmentName : This parameter is a unique GUID that you need to provide. You can generate a GUID using the New-Guid PowerShell command. You can also use the Online GUID/UUID Generator website to generate a unique GUID.

enrollmentAccountName : This parameter is the account ID . Find the account ID for the account name in the Azure portal on the Cost Management + Billing page.

For this example, we used the GTM Test Account. The ID is 196987 .

api-version : Use the 2019-10-01-preview version. Use the sample at Enrollment Department Role Assignments - Put - Examples .

The billing role definition ID of a0bcee42-bf30-4d1b-926a-48d21664ef71 is for the subscription creator role.

A 200 OK response shows that the service principal has been successfully added.

Now you can use the service principal to automatically access EA APIs. The service principal has the SubscriptionCreator role.

Verify service principal role assignments

Service principal role assignments are not visible in the Azure portal. You can view enrollment account role assignments, including the subscription creator role, with the Billing Role Assignments - List By Enrollment Account - REST API (Azure Billing) API. Use the API to verify that the role assignment was successful.

Troubleshoot

You must identify and use the Enterprise application object ID where you granted the EA role. If you use the Object ID from some other application, API calls will fail. Verify that you’re using the correct Enterprise application object ID.

If you receive the following error when making your API call, then you may be incorrectly using the service principal object ID value located in App Registrations. To resolve this error, ensure you're using the service principal object ID from Enterprise Applications, not App Registrations.

The provided principal Tenant Id = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx and principal Object Id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx are not valid

Get started with your Enterprise Agreement billing account .

Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback .

Submit and view feedback for

Additional resources

Manage Azure Role Assignments Like a Pro with PowerShell

Today’s blog post is a little bit different. I have a couple of examples of how you can use PowerShell snippets and simple commandlets to get or set role assignmnets in your Azure Subscriptions.

PowerShell examples for managing Azure Role assignments

List all role assignments in a subscription, get all role assignments for a specific resource group, get all role assignments for a specific user, add a role assignment to a user, remove a role assignment for a user, remove all role assignments for a specific user, list all built-in roles, list all custom roles, create a custom role, update a custom role, delete a custom role, list all users or groups assigned to a specific role, list all permissions granted by a specific role, list all resource groups that a user has access to, create a role assignment for a service principal, powershell script to manage azure role assignments.

And now there is a script that combines some of these examples into one usable function:

I hope this was useful. Let me know if you liked the format of this blog and if you want me to include more of these examples.

Vukasin Terzic

Recent Update

• Writing your first Azure Terraform Configuration
• Transition from ARM Templates to Terraform with AI
• Getting started with Terraform for Azure
• Terraform Configuration Essentials: File Types, State Management, and Provider Selection
• Dynamically Managing Azure NSG Rules with PowerShell

Trending Tags

Retrieve azure resource group cost with powershell api.

The Future Of Azure Governance: Trends and Predictions

Further Reading

In my previous blog posts, I wrote about how simple PowerShell scripts can help speed up daily tasks for Azure administrators, and how you can convert them to your own API. One of these tasks is...

Azure Cost Optimization: 30 Ways to Save Money and Increase Efficiency

As organizations continue to migrate their applications and workloads to the cloud, managing and controlling cloud costs has become an increasingly critical issue. While Azure provides a robust s...

Custom PowerShell API for Azure Naming Policy

To continue our PowerShell API series, we have another example of a highly useful API that you can integrate into your environment. Choosing names for Azure resources can be a challenging task. ...

• Preparing search index...
• The search index is not available
• Public/Protected
• BillingRoleAssignments

Interface BillingRoleAssignments

Package version

Interface representing a BillingRoleAssignments.

Implemented by

• BillingRoleAssignmentsImpl

delete ByBilling Account

Delete bybilling profile, delete byinvoice section, get bybilling account, get bybilling profile, get byinvoice section, list bybilling account, list bybilling profile, list byinvoice section.

• delete ByBilling Account ( billingAccountName : string , billingRoleAssignmentName : string , options ?: BillingRoleAssignmentsDeleteByBillingAccountOptionalParams ) : Promise < BillingRoleAssignmentsDeleteByBillingAccountResponse >

Deletes a role assignment for the caller on a billing account. The operation is supported for billing accounts with agreement type Microsoft Partner Agreement or Microsoft Customer Agreement.

billingAccountName: string

The ID that uniquely identifies a billing account.

billingRoleAssignmentName: string

The ID that uniquely identifies a role assignment.

Optional options: BillingRoleAssignmentsDeleteByBillingAccountOptionalParams

The options parameters.

Returns Promise < BillingRoleAssignmentsDeleteByBillingAccountResponse >

• delete ByBilling Profile ( billingAccountName : string , billingProfileName : string , billingRoleAssignmentName : string , options ?: BillingRoleAssignmentsDeleteByBillingProfileOptionalParams ) : Promise < BillingRoleAssignmentsDeleteByBillingProfileResponse >

Deletes a role assignment for the caller on a billing profile. The operation is supported for billing accounts with agreement type Microsoft Partner Agreement or Microsoft Customer Agreement.

billingProfileName: string

The ID that uniquely identifies a billing profile.

Optional options: BillingRoleAssignmentsDeleteByBillingProfileOptionalParams

Returns promise < billingroleassignmentsdeletebybillingprofileresponse >.

• delete ByInvoice Section ( billingAccountName : string , billingProfileName : string , invoiceSectionName : string , billingRoleAssignmentName : string , options ?: BillingRoleAssignmentsDeleteByInvoiceSectionOptionalParams ) : Promise < BillingRoleAssignmentsDeleteByInvoiceSectionResponse >

Deletes a role assignment for the caller on an invoice section. The operation is supported for billing accounts with agreement type Microsoft Customer Agreement.

invoiceSectionName: string

The ID that uniquely identifies an invoice section.

Optional options: BillingRoleAssignmentsDeleteByInvoiceSectionOptionalParams

Returns promise < billingroleassignmentsdeletebyinvoicesectionresponse >.

• get ByBilling Account ( billingAccountName : string , billingRoleAssignmentName : string , options ?: BillingRoleAssignmentsGetByBillingAccountOptionalParams ) : Promise < BillingRoleAssignmentsGetByBillingAccountResponse >

Gets a role assignment for the caller on a billing account. The operation is supported for billing accounts with agreement type Microsoft Partner Agreement or Microsoft Customer Agreement.

Optional options: BillingRoleAssignmentsGetByBillingAccountOptionalParams

Returns promise < billingroleassignmentsgetbybillingaccountresponse >.

• get ByBilling Profile ( billingAccountName : string , billingProfileName : string , billingRoleAssignmentName : string , options ?: BillingRoleAssignmentsGetByBillingProfileOptionalParams ) : Promise < BillingRoleAssignmentsGetByBillingProfileResponse >

Gets a role assignment for the caller on a billing profile. The operation is supported for billing accounts with agreement type Microsoft Partner Agreement or Microsoft Customer Agreement.

Optional options: BillingRoleAssignmentsGetByBillingProfileOptionalParams

Returns promise < billingroleassignmentsgetbybillingprofileresponse >.

• get ByInvoice Section ( billingAccountName : string , billingProfileName : string , invoiceSectionName : string , billingRoleAssignmentName : string , options ?: BillingRoleAssignmentsGetByInvoiceSectionOptionalParams ) : Promise < BillingRoleAssignmentsGetByInvoiceSectionResponse >

Gets a role assignment for the caller on an invoice section. The operation is supported for billing accounts with agreement type Microsoft Customer Agreement.

Optional options: BillingRoleAssignmentsGetByInvoiceSectionOptionalParams

Returns promise < billingroleassignmentsgetbyinvoicesectionresponse >.

• list ByBilling Account ( billingAccountName : string , options ?: BillingRoleAssignmentsListByBillingAccountOptionalParams ) : PagedAsyncIterableIterator < BillingRoleAssignment >

Lists the role assignments for the caller on a billing account. The operation is supported for billing accounts with agreement type Microsoft Partner Agreement or Microsoft Customer Agreement.

Optional options: BillingRoleAssignmentsListByBillingAccountOptionalParams

Returns pagedasynciterableiterator < billingroleassignment >.

• list ByBilling Profile ( billingAccountName : string , billingProfileName : string , options ?: BillingRoleAssignmentsListByBillingProfileOptionalParams ) : PagedAsyncIterableIterator < BillingRoleAssignment >

Lists the role assignments for the caller on a billing profile. The operation is supported for billing accounts with agreement type Microsoft Customer Agreement.

Optional options: BillingRoleAssignmentsListByBillingProfileOptionalParams

• list ByInvoice Section ( billingAccountName : string , billingProfileName : string , invoiceSectionName : string , options ?: BillingRoleAssignmentsListByInvoiceSectionOptionalParams ) : PagedAsyncIterableIterator < BillingRoleAssignment >

Lists the role assignments for the caller on an invoice section. The operation is supported for billing accounts with agreement type Microsoft Customer Agreement.

Optional options: BillingRoleAssignmentsListByInvoiceSectionOptionalParams

Generated using TypeDoc

• Azure Native
• BillingRoleAssignmentByEnrollmentAccount

Azure Native v2.36.0, Apr 8 24

azure-native.billing.BillingRoleAssignmentByEnrollmentAccount

Explore with Pulumi AI

On this page

• Request a Change

The role assignment Azure REST API version: 2019-10-01-preview. Prior API version in Azure Native 1.x: 2019-10-01-preview.

Example Usage

Putenrollmentaccountsubscriptioncreatorroleassignment, create billingroleassignmentbyenrollmentaccount resource.

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources .

Constructor syntax

The following reference example uses placeholder values for all input properties .

BillingRoleAssignmentByEnrollmentAccount Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

The BillingRoleAssignmentByEnrollmentAccount resource accepts the following input properties:

All input properties are implicitly available as output properties. Additionally, the BillingRoleAssignmentByEnrollmentAccount resource produces the following output properties:

An existing resource can be imported using its type token, name, and identifier, e.g.

To learn more about importing existing cloud resources, see Importing resources .

Package Details

• AnsibleFest
• Webinars & Training

• Collection Index
• Collections in the Azure Namespace
• Azure.Azcollection
• azure.azcollection.azure_rm_roleassignment_info module – Gets Azure Role Assignment facts

azure.azcollection.azure_rm_roleassignment_info module – Gets Azure Role Assignment facts 

This module is part of the azure.azcollection collection (version 1.19.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core . To check whether it is installed, run ansible-galaxy collection list .

To install it, use: ansible-galaxy collection install azure.azcollection . You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: azure.azcollection.azure_rm_roleassignment_info .

New in azure.azcollection 0.1.2

Gets facts of Azure Role Assignment.

Requirements 

The below requirements are needed on the host that executes this module.

python >= 2.7

The host that executes this module must have the azure.azcollection collection installed via galaxy

All python packages listed in collection’s requirements-azure.txt must be installed via pip on the host that executes modules from azure.azcollection

Full installation instructions may be found https://galaxy.ansible.com/azure/azcollection

Parameters 

For authentication with Azure you can pass parameters, set environment variables, use a profile stored in ~/.azure/credentials, or log in before you run your tasks or playbook with az login .

Authentication is also possible using a service principal or Active Directory user.

To authenticate via service principal, pass subscription_id, client_id, secret and tenant or set environment variables AZURE_SUBSCRIPTION_ID, AZURE_CLIENT_ID, AZURE_SECRET and AZURE_TENANT.

To authenticate via Active Directory user, pass ad_user and password, or set AZURE_AD_USER and AZURE_PASSWORD in the environment.

Alternatively, credentials can be stored in ~/.azure/credentials. This is an ini file containing a [default] section and the following keys: subscription_id, client_id, secret and tenant or subscription_id, ad_user and password. It is also possible to add additional profiles. Specify the profile by passing profile or setting AZURE_PROFILE in the environment.

How to authenticate using the az login command.

Return Values 

Common return values are documented here , the following are the fields unique to this module:

Yunge Zhu(@yungezz)

Paul Aiton(@paultaiton)

Collection links 

• Issue Tracker
• Repository (Sources)

Search code, repositories, users, issues, pull requests...

Provide feedback.

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly.

To see all available qualifiers, see our documentation .

• Notifications

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement . We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for MCA billing roles in azurerm_role_assignment #15211

keesvandenhoekict commented Feb 1, 2022

• 👍 34 reactions

b-c-lucas commented Mar 14, 2022 • edited

Sorry, something went wrong.

eastlondoner commented Jul 7, 2022 • edited

circa10a commented Feb 13, 2024

Circa10a commented feb 26, 2024.

omerfsen commented Mar 7, 2024

Omerfsen commented apr 2, 2024.

FrancoisPoinsot commented Apr 3, 2024

No branches or pull requests

• Collapse All

Get-AzRoleAssignment

In this Azure PowerShell article, we will discuss the syntax and usage of the Get-AzRoleAssignment PowerShell cmdlet with a few examples.

Table of Contents

Syntax of Get-AzRoleAssignment

Wrapping up.

Get-AzRoleAssignment is an excellent Azure PowerShell cmdlet that can get you the lists of all the role assignments under your subscription or a specific scope.

Below is the syntax of the Get-AzRoleAssignment Azure PowerShell cmdlet.

Let’s discuss some examples of implementation of the Get-AzRoleAssignment PowerShell command.

You can execute the Azure PowerShell cmdlet below to help you get the list of all the role assignments under my current subscription.

After executing the above PowerShell command, I got the below output.

You can see the output below

You can also use the below Azure PowerShell command to get the list of role assignments under the specified service principal “http://tsinfotechnologies.com”.

Execute the below PowerShell command that can help you to get the list of role assignments under a specified tsinfo website scope.

You may also like following the articles below

• New-AzRoleAssignment
• Get-AzRoleDefinition
• Get-AzResource

In this Azure article, we have discussed the syntax and usage of the Get-AzRoleAssignment Azure PowerShell cmdlet. Thanks for reading this article !!!

I am Rajkishore, and I have over 14 years of experience in Microsoft Azure and AWS, with good experience in Azure Functions, Storage, Virtual Machine, Logic Apps, PowerShell Commands, CLI Commands, Machine Learning, AI, Azure Cognitive Services, DevOps, etc. Not only that, I do have good real-time experience in designing and developing cloud-native data integrations on Azure or AWS, etc. I hope you will learn from these practical Azure tutorials. Read more .