Assign Enterprise Agreement roles to service principals
You can manage your Enterprise Agreement (EA) enrollment in the Azure portal. You can create different roles to manage your organization, view costs, and create subscriptions. This article helps you automate some of those tasks by using Azure PowerShell and REST APIs with Microsoft Entra ID service principals.
If you have multiple EA billing accounts in your organization, you must grant the EA roles to Microsoft Entra ID service principals individually in each EA billing account.
Before you begin, ensure that you're familiar with the following articles:
- Enterprise agreement roles
- Sign in with Azure PowerShell
- How to call REST APIs with Postman
Create and authenticate your service principal
To automate EA actions by using a service principal, you need to create a Microsoft Entra app identity, which can then authenticate in an automated manner.
Follow the steps in these articles to create and authenticate using your service principal.
- Create a service principal
- Get tenant and app ID values for signing in
Find your service principal and tenant IDs
You need the service principal's object ID and the tenant ID for the permission assignment operations later in this article. Every application is registered in Microsoft Entra ID in the tenant, and completing an app registration creates two objects:
- Application object - This is what you see under App registrations. Its object ID identifies the registration itself and must not be used to grant any EA roles.
- Service principal object - This is what you see under Enterprise applications. Its object ID is the value you use to grant EA roles to the service principal. Both objects carry the same application (client) ID, which is also not the value you grant the role to.
Open Microsoft Entra ID, and then select Enterprise applications.
Find your app in the list.
Select the app to find the application ID and object ID:
Go to the Microsoft Entra ID Overview page to find the tenant ID.
The value of your Microsoft Entra tenant ID looks like a GUID with the following format: 11111111-1111-1111-1111-111111111111 .
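The lookup above, as an added PowerShell example (not code from the Microsoft article): given the application (client) ID from the app registration, it resolves both object IDs so the wrong one is visibly labelled, and returns the tenant ID alongside. It assumes the Az.Accounts and Az.Resources modules are installed and a Connect-AzAccount session exists; the GUID in the usage line is a placeholder.

```powershell
# Added example (not from the Microsoft Learn article). Resolves the IDs an EA role
# assignment needs from the application (client) ID on the app registration page.
# Assumes the Az.Accounts and Az.Resources modules and an existing Connect-AzAccount session.

function Get-EaPrincipalIds {
    param(
        # Application (client) ID shown on the app registration's Overview page.
        [Parameter(Mandatory)] [string] $ApplicationId
    )

    # The app registration is the application object. Its .Id is the application
    # object ID, which is the wrong value for an EA role assignment.
    $app = Get-AzADApplication -ApplicationId $ApplicationId
    if (-not $app) { throw "No app registration found for application ID $ApplicationId" }

    # The enterprise application is the service principal object in this tenant.
    # Its .Id is the service principal object ID that EA role assignments require.
    $sp = Get-AzADServicePrincipal -ApplicationId $ApplicationId
    if (-not $sp) {
        throw "No service principal for $ApplicationId in this tenant; create one with New-AzADServicePrincipal -ApplicationId $ApplicationId"
    }

    [pscustomobject]@{
        ApplicationId                = $ApplicationId            # shared by both objects; never used as principalId
        ApplicationObjectId_NotForEa = $app.Id                   # App registrations > Object ID (do not use)
        ServicePrincipalObjectId     = $sp.Id                    # Enterprise applications > Object ID (use as principalId)
        TenantId                     = (Get-AzContext).Tenant.Id # use as principalTenantId
    }
}

# Usage; the GUID is a placeholder for your application (client) ID.
Get-EaPrincipalIds -ApplicationId '00000000-0000-0000-0000-000000000000' | Format-List
```

If the second lookup throws, the app registration exists but has no service principal in this tenant, which is exactly the state that produces the "principal Object Id ... not valid" error described in the troubleshooting section.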
Permissions that can be assigned to the service principal
Later in this article, you'll give permission to the Microsoft Entra app to act by using an EA role. You can assign only the following roles to the service principal, and you need the role definition ID, exactly as shown.
- An EnrollmentReader role can be assigned to a service principal only by a user who has an enrollment writer role. The EnrollmentReader role assigned to a service principal isn't shown in the Azure portal. It's created by programmatic means and is only for programmatic use.
- A DepartmentReader role can be assigned to a service principal only by a user who has an enrollment writer or department writer role.
- A SubscriptionCreator role can be assigned to a service principal only by a user who is the owner of the enrollment account (EA administrator). The role isn't shown in the Azure portal. It's created by programmatic means and is only for programmatic use.
- The EA purchaser role isn't shown in the Azure portal. It's created by programmatic means and is only for programmatic use.
When you grant an EA role to a service principal, you must use the billingRoleAssignmentName required property. The parameter is a unique GUID that you must provide. You can generate a GUID using the New-Guid PowerShell command. You can also use the Online GUID / UUID Generator website to generate a unique GUID.
A service principal can have only one role.
Assign enrollment account role permission to the service principal
Read the Role Assignments - Put REST API article. While you read the article, select Try it to run the request against your enrollment from the browser.
Use your account credentials to sign in to the tenant with the enrollment access that you want to assign.
Provide the following parameters as part of the API request.
billingAccountName: This parameter is the billing account ID (the enrollment ID). You can find it in the Azure portal on the Cost Management + Billing overview page.
billingRoleAssignmentName: This parameter is a unique GUID that you need to provide. You can generate a GUID with the New-Guid PowerShell command or with the Online GUID / UUID Generator website.
api-version: Use the 2019-10-01-preview version. Use the sample request body at Role Assignments - Put - Examples.
The request body is JSON with three properties that you need to set: principalId (the service principal's object ID from Enterprise applications), principalTenantId (your tenant ID), and roleDefinitionId.
The billing account name inside roleDefinitionId is the same enrollment ID that you used in the API parameters.
Notice that 24f8edb6-1668-4659-b5e2-40bb5f3a7d7e is the billing role definition ID for an EnrollmentReader.
Select Run to start the command.
A 200 OK response shows that the service principal was successfully added.
Now you can use the service principal to automatically access EA APIs. The service principal has the EnrollmentReader role.
Assign EA Purchaser role permission to the service principal
For the EA purchaser role, use the same steps as for the EnrollmentReader role, but specify roleDefinitionId as in the following example:
"/providers/Microsoft.Billing/billingAccounts/1111111/billingRoleDefinitions/da6647fb-7651-49ee-be91-c43c4877f0c4"
Assign the department reader role to the service principal
Read the Enrollment Department Role Assignments - Put REST API article. While you read the article, select Try it.
departmentName : This parameter is the department ID. You can see department IDs in the Azure portal on the Cost Management + Billing > Departments page.
For this example, we used the ACE department. The ID for the example is 84819 .
api-version : Use the 2019-10-01-preview version. Use the sample at Enrollment Department Role Assignments - Put .
The billing role definition ID of db609904-a47f-4794-9be8-9bd86fbffd8a is for a department reader.
Now you can use the service principal to automatically access EA APIs. The service principal has the DepartmentReader role.
Assign the subscription creator role to the service principal
Read the Enrollment Account Role Assignments - Put article. While you read it, select Try it to assign the SubscriptionCreator role to the service principal.
Provide the following parameters as part of the API request. Read the article at Enrollment Account Role Assignments - Put - URI Parameters .
billingRoleAssignmentName : This parameter is a unique GUID that you need to provide. You can generate a GUID using the New-Guid PowerShell command. You can also use the Online GUID/UUID Generator website to generate a unique GUID.
enrollmentAccountName : This parameter is the account ID . Find the account ID for the account name in the Azure portal on the Cost Management + Billing page.
For this example, we used the GTM Test Account. The ID is 196987 .
api-version: Use the 2019-10-01-preview version. Use the sample at Enrollment Account Role Assignments - Put - Examples.
The billing role definition ID of a0bcee42-bf30-4d1b-926a-48d21664ef71 is for the subscription creator role.
A 200 OK response shows that the service principal has been successfully added.
Now you can use the service principal to automatically access EA APIs. The service principal has the SubscriptionCreator role.
Verify service principal role assignments
Service principal role assignments are not visible in the Azure portal. You can view enrollment account role assignments, including the subscription creator role, with the Billing Role Assignments - List By Enrollment Account - REST API (Azure Billing) API. Use the API to verify that the role assignment was successful.
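The four assignment procedures above and this verification step, combined into one added PowerShell example (not the article's own code). It builds the PUT request for the enrollment, department, or enrollment account scope, supplies the caller-generated billingRoleAssignmentName GUID, sends it with Invoke-AzRestMethod, and lists the scope's assignments back to confirm, since the portal does not show them. Assumptions: an Az session signed in as a user who holds the role the article says is required to assign each EA role; the role definition is referenced at the same scope as the assignment, following the REST API examples the article links; all IDs in the usage lines are placeholders.

```powershell
# Added example (not from the Microsoft Learn article): PUT an EA billing role
# assignment for a service principal with Invoke-AzRestMethod, then read it back.
# Assumes an Az session whose user may assign the chosen role (enrollment writer,
# department writer, or enrollment account owner, as the article describes).

# Role definition GUIDs quoted in the article.
$EaRoleDefinitionIds = @{
    EnrollmentReader    = '24f8edb6-1668-4659-b5e2-40bb5f3a7d7e'
    EaPurchaser         = 'da6647fb-7651-49ee-be91-c43c4877f0c4'
    DepartmentReader    = 'db609904-a47f-4794-9be8-9bd86fbffd8a'
    SubscriptionCreator = 'a0bcee42-bf30-4d1b-926a-48d21664ef71'
}

function Get-EaAssignmentScope {
    # Builds the resource path for the three EA assignment levels.
    param(
        [Parameter(Mandatory)] [string] $BillingAccountName,
        [string] $DepartmentName,
        [string] $EnrollmentAccountName
    )
    $scope = "/providers/Microsoft.Billing/billingAccounts/$BillingAccountName"
    if ($DepartmentName)        { $scope += "/departments/$DepartmentName" }
    if ($EnrollmentAccountName) { $scope += "/enrollmentAccounts/$EnrollmentAccountName" }
    return $scope
}

function Set-EaServicePrincipalRole {
    param(
        [Parameter(Mandatory)] [string] $BillingAccountName,   # enrollment ID
        [Parameter(Mandatory)] [string] $PrincipalObjectId,    # Enterprise applications > Object ID
        [Parameter(Mandatory)] [string] $PrincipalTenantId,
        [Parameter(Mandatory)]
        [ValidateSet('EnrollmentReader', 'EaPurchaser', 'DepartmentReader', 'SubscriptionCreator')]
        [string] $Role,
        [string] $DepartmentName,                              # required for DepartmentReader
        [string] $EnrollmentAccountName                        # required for SubscriptionCreator
    )
    if ($Role -eq 'DepartmentReader' -and -not $DepartmentName) { throw 'DepartmentReader needs -DepartmentName' }
    if ($Role -eq 'SubscriptionCreator' -and -not $EnrollmentAccountName) { throw 'SubscriptionCreator needs -EnrollmentAccountName' }

    $scope = Get-EaAssignmentScope -BillingAccountName $BillingAccountName `
        -DepartmentName $DepartmentName -EnrollmentAccountName $EnrollmentAccountName
    # billingRoleAssignmentName is a unique GUID the caller must generate.
    $assignmentName = (New-Guid).ToString()

    $body = @{
        properties = @{
            principalId       = $PrincipalObjectId
            principalTenantId = $PrincipalTenantId
            # Assumption: the role definition is referenced at the same scope as the
            # assignment, as in the REST API examples the article links.
            roleDefinitionId  = "$scope/billingRoleDefinitions/$($EaRoleDefinitionIds[$Role])"
        }
    } | ConvertTo-Json -Depth 5

    $response = Invoke-AzRestMethod -Method PUT -Payload $body `
        -Path "$scope/billingRoleAssignments/$assignmentName?api-version=2019-10-01-preview"
    if ($response.StatusCode -ne 200) {
        throw "Role assignment failed: HTTP $($response.StatusCode) $($response.Content)"
    }
    return $assignmentName
}

function Get-EaServicePrincipalRoles {
    # Lists the assignments at a scope and keeps those for one principal.
    param(
        [Parameter(Mandatory)] [string] $BillingAccountName,
        [Parameter(Mandatory)] [string] $PrincipalObjectId,
        [string] $DepartmentName,
        [string] $EnrollmentAccountName
    )
    $scope = Get-EaAssignmentScope -BillingAccountName $BillingAccountName `
        -DepartmentName $DepartmentName -EnrollmentAccountName $EnrollmentAccountName
    $response = Invoke-AzRestMethod -Method GET -Path "$scope/billingRoleAssignments?api-version=2019-10-01-preview"
    if ($response.StatusCode -ne 200) { throw "List failed: HTTP $($response.StatusCode) $($response.Content)" }
    ($response.Content | ConvertFrom-Json).value |
        Where-Object { $_.properties.principalId -eq $PrincipalObjectId } |
        Select-Object name, @{ n = 'roleDefinitionId'; e = { $_.properties.roleDefinitionId } }
}

# Usage with placeholder values: grant EnrollmentReader, then confirm it is present.
$spObjectId = '22222222-2222-2222-2222-222222222222'
$assignment = Set-EaServicePrincipalRole -BillingAccountName '1111111' -PrincipalObjectId $spObjectId `
    -PrincipalTenantId '11111111-1111-1111-1111-111111111111' -Role EnrollmentReader
"Created assignment $assignment"
Get-EaServicePrincipalRoles -BillingAccountName '1111111' -PrincipalObjectId $spObjectId
```

For a DepartmentReader or SubscriptionCreator assignment, pass -DepartmentName or -EnrollmentAccountName to both functions so the PUT and the verification GET hit the same scope; the function refuses those roles without the matching scope parameter rather than silently creating an enrollment-level assignment.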
Troubleshoot
You must use the object ID of the enterprise application (service principal) that you granted the EA role to. If you use the object ID of some other application, or of the application object instead of the service principal, API calls fail. Verify that you're using the correct Enterprise application object ID.
If you receive the following error when making your API call, you're probably using the Object ID shown under App registrations, which is the application object, instead of the Object ID shown under Enterprise applications, which is the service principal. To resolve the error, use the service principal object ID from Enterprise applications.
The provided principal Tenant Id = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx and principal Object Id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx are not valid
Get started with your Enterprise Agreement billing account.
Manage Azure Role Assignments Like a Pro with PowerShell
Today's blog post is a little bit different. I have a couple of examples of how you can use PowerShell snippets and simple cmdlets to get or set role assignments in your Azure subscriptions.
PowerShell examples for managing Azure Role assignments
- List all role assignments in a subscription
- Get all role assignments for a specific resource group
- Get all role assignments for a specific user
- Add a role assignment to a user
- Remove a role assignment for a user
- Remove all role assignments for a specific user
- List all built-in roles
- List all custom roles
- Create a custom role
- Update a custom role
- Delete a custom role
- List all users or groups assigned to a specific role
- List all permissions granted by a specific role
- List all resource groups that a user has access to
- Create a role assignment for a service principal
- PowerShell script to manage Azure role assignments
And now there is a script that combines some of these examples into one usable function:
I hope this was useful. Let me know if you liked the format of this blog and if you want me to include more of these examples.
Vukasin Terzic
- BillingRoleAssignments
Interface BillingRoleAssignments
Package version
Interface representing a BillingRoleAssignments.
Implemented by
- BillingRoleAssignmentsImpl
- deleteByBillingAccount(billingAccountName: string, billingRoleAssignmentName: string, options?: BillingRoleAssignmentsDeleteByBillingAccountOptionalParams): Promise<BillingRoleAssignmentsDeleteByBillingAccountResponse>
  Deletes a role assignment for the caller on a billing account. The operation is supported for billing accounts with agreement type Microsoft Partner Agreement or Microsoft Customer Agreement.
  billingAccountName: string - The ID that uniquely identifies a billing account.
  billingRoleAssignmentName: string - The ID that uniquely identifies a role assignment.
  options (optional): BillingRoleAssignmentsDeleteByBillingAccountOptionalParams - The options parameters.
  Returns Promise<BillingRoleAssignmentsDeleteByBillingAccountResponse>.
- deleteByBillingProfile(billingAccountName: string, billingProfileName: string, billingRoleAssignmentName: string, options?: BillingRoleAssignmentsDeleteByBillingProfileOptionalParams): Promise<BillingRoleAssignmentsDeleteByBillingProfileResponse>
  Deletes a role assignment for the caller on a billing profile. The operation is supported for billing accounts with agreement type Microsoft Partner Agreement or Microsoft Customer Agreement.
  billingProfileName: string - The ID that uniquely identifies a billing profile.
  options (optional): BillingRoleAssignmentsDeleteByBillingProfileOptionalParams
  Returns Promise<BillingRoleAssignmentsDeleteByBillingProfileResponse>.
- deleteByInvoiceSection(billingAccountName: string, billingProfileName: string, invoiceSectionName: string, billingRoleAssignmentName: string, options?: BillingRoleAssignmentsDeleteByInvoiceSectionOptionalParams): Promise<BillingRoleAssignmentsDeleteByInvoiceSectionResponse>
  Deletes a role assignment for the caller on an invoice section. The operation is supported for billing accounts with agreement type Microsoft Customer Agreement.
  invoiceSectionName: string - The ID that uniquely identifies an invoice section.
  options (optional): BillingRoleAssignmentsDeleteByInvoiceSectionOptionalParams
  Returns Promise<BillingRoleAssignmentsDeleteByInvoiceSectionResponse>.
- getByBillingAccount(billingAccountName: string, billingRoleAssignmentName: string, options?: BillingRoleAssignmentsGetByBillingAccountOptionalParams): Promise<BillingRoleAssignmentsGetByBillingAccountResponse>
  Gets a role assignment for the caller on a billing account. The operation is supported for billing accounts with agreement type Microsoft Partner Agreement or Microsoft Customer Agreement.
  options (optional): BillingRoleAssignmentsGetByBillingAccountOptionalParams
  Returns Promise<BillingRoleAssignmentsGetByBillingAccountResponse>.
- getByBillingProfile(billingAccountName: string, billingProfileName: string, billingRoleAssignmentName: string, options?: BillingRoleAssignmentsGetByBillingProfileOptionalParams): Promise<BillingRoleAssignmentsGetByBillingProfileResponse>
  Gets a role assignment for the caller on a billing profile. The operation is supported for billing accounts with agreement type Microsoft Partner Agreement or Microsoft Customer Agreement.
  options (optional): BillingRoleAssignmentsGetByBillingProfileOptionalParams
  Returns Promise<BillingRoleAssignmentsGetByBillingProfileResponse>.
- getByInvoiceSection(billingAccountName: string, billingProfileName: string, invoiceSectionName: string, billingRoleAssignmentName: string, options?: BillingRoleAssignmentsGetByInvoiceSectionOptionalParams): Promise<BillingRoleAssignmentsGetByInvoiceSectionResponse>
  Gets a role assignment for the caller on an invoice section. The operation is supported for billing accounts with agreement type Microsoft Customer Agreement.
  options (optional): BillingRoleAssignmentsGetByInvoiceSectionOptionalParams
  Returns Promise<BillingRoleAssignmentsGetByInvoiceSectionResponse>.
- listByBillingAccount(billingAccountName: string, options?: BillingRoleAssignmentsListByBillingAccountOptionalParams): PagedAsyncIterableIterator<BillingRoleAssignment>
  Lists the role assignments for the caller on a billing account. The operation is supported for billing accounts with agreement type Microsoft Partner Agreement or Microsoft Customer Agreement.
  options (optional): BillingRoleAssignmentsListByBillingAccountOptionalParams
  Returns PagedAsyncIterableIterator<BillingRoleAssignment>.
- listByBillingProfile(billingAccountName: string, billingProfileName: string, options?: BillingRoleAssignmentsListByBillingProfileOptionalParams): PagedAsyncIterableIterator<BillingRoleAssignment>
  Lists the role assignments for the caller on a billing profile. The operation is supported for billing accounts with agreement type Microsoft Customer Agreement.
  options (optional): BillingRoleAssignmentsListByBillingProfileOptionalParams
  Returns PagedAsyncIterableIterator<BillingRoleAssignment>.
- listByInvoiceSection(billingAccountName: string, billingProfileName: string, invoiceSectionName: string, options?: BillingRoleAssignmentsListByInvoiceSectionOptionalParams): PagedAsyncIterableIterator<BillingRoleAssignment>
  Lists the role assignments for the caller on an invoice section. The operation is supported for billing accounts with agreement type Microsoft Customer Agreement.
  options (optional): BillingRoleAssignmentsListByInvoiceSectionOptionalParams
  Returns PagedAsyncIterableIterator<BillingRoleAssignment>.
Azure Native v2.36.0, Apr 8 24
azure-native.billing.BillingRoleAssignmentByEnrollmentAccount
The role assignment Azure REST API version: 2019-10-01-preview. Prior API version in Azure Native 1.x: 2019-10-01-preview.
Example Usage
PutEnrollmentAccountSubscriptionCreatorRoleAssignment: create a BillingRoleAssignmentByEnrollmentAccount resource.
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources .
Constructor syntax
The following reference example uses placeholder values for all input properties .
BillingRoleAssignmentByEnrollmentAccount Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
The BillingRoleAssignmentByEnrollmentAccount resource accepts the following input properties:
All input properties are implicitly available as output properties. Additionally, the BillingRoleAssignmentByEnrollmentAccount resource produces the following output properties:
An existing resource can be imported using its type token, name, and identifier, e.g.
To learn more about importing existing cloud resources, see Importing resources .
azure.azcollection.azure_rm_roleassignment_info module – Gets Azure Role Assignment facts
This module is part of the azure.azcollection collection (version 1.19.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install azure.azcollection. You need further requirements to be able to use this module; see Requirements for details.
To use it in a playbook, specify: azure.azcollection.azure_rm_roleassignment_info.
New in azure.azcollection 0.1.2
Gets facts of Azure Role Assignment.
Requirements
The below requirements are needed on the host that executes this module.
python >= 2.7
The host that executes this module must have the azure.azcollection collection installed via galaxy
All python packages listed in collection’s requirements-azure.txt must be installed via pip on the host that executes modules from azure.azcollection
Full installation instructions may be found at https://galaxy.ansible.com/azure/azcollection
Parameters
For authentication with Azure you can pass parameters, set environment variables, use a profile stored in ~/.azure/credentials, or log in before you run your tasks or playbook with az login .
Authentication is also possible using a service principal or Active Directory user.
To authenticate via service principal, pass subscription_id, client_id, secret and tenant or set environment variables AZURE_SUBSCRIPTION_ID, AZURE_CLIENT_ID, AZURE_SECRET and AZURE_TENANT.
To authenticate via Active Directory user, pass ad_user and password, or set AZURE_AD_USER and AZURE_PASSWORD in the environment.
Alternatively, credentials can be stored in ~/.azure/credentials. This is an ini file containing a [default] section and the following keys: subscription_id, client_id, secret and tenant or subscription_id, ad_user and password. It is also possible to add additional profiles. Specify the profile by passing profile or setting AZURE_PROFILE in the environment.
The auth_source parameter controls the source of the credentials to use for authentication and can also be set via the ANSIBLE_AZURE_AUTH_SOURCE environment variable. When set to auto (the default) the precedence is module parameters -> env -> credential_file -> cli. When set to env, the credentials are read from the environment variables. When set to credential_file, the profile is read from ~/.azure/credentials. When set to cli, the login established with az login is used.
Return Values
Common return values are documented here , the following are the fields unique to this module:
Yunge Zhu(@yungezz)
Paul Aiton(@paultaiton)
Support for MCA billing roles in azurerm_role_assignment #15211
keesvandenhoekict commented Feb 1, 2022
This request is to add support in azurerm_role_assignment to support billing role assignment for MCA (Microsoft Customer Agreement) customers. The equivalent change for Enterprise Agreement customers (enrollment accounts) has been realised in #10547.
New or Affected Resource(s): azurerm_role_assignment
- 👍 34 reactions
b-c-lucas commented Mar 14, 2022 • edited
eastlondoner commented Jul 7, 2022 • edited
circa10a commented Feb 13, 2024
circa10a commented Feb 26, 2024
omerfsen commented Mar 7, 2024
omerfsen commented Apr 2, 2024
FrancoisPoinsot commented Apr 3, 2024
Get-AzRoleAssignment
In this Azure PowerShell article, we will discuss the syntax and usage of the Get-AzRoleAssignment PowerShell cmdlet with a few examples.
Get-AzRoleAssignment is an excellent Azure PowerShell cmdlet that gets you the list of all the role assignments under your subscription or at a specific scope.
Below is the syntax of the Get-AzRoleAssignment Azure PowerShell cmdlet.
Let’s discuss some examples of implementation of the Get-AzRoleAssignment PowerShell command.
Execute the Azure PowerShell cmdlet below to get the list of all the role assignments under the current subscription. After the command runs, the output lists the role assignments.
You can also use Get-AzRoleAssignment with the -ServicePrincipalName parameter to get the list of role assignments for a specified service principal, for example "http://tsinfotechnologies.com".
Execute Get-AzRoleAssignment with the -Scope parameter to get the list of role assignments under a specified scope, such as the tsinfo website resource.
In this Azure article, we have discussed the syntax and usage of the Get-AzRoleAssignment Azure PowerShell cmdlet. Thanks for reading this article !!!
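One added PowerShell example (not from either blog post) serving both this Get-AzRoleAssignment walkthrough and Vukasin Terzic's role-assignment examples above: it reports every Azure RBAC assignment a service principal holds, grants a role only when no equivalent assignment already exists at that scope and refuses the broad built-in roles unless explicitly allowed, and removes a principal's assignments with -WhatIf support. The function names, the privileged-role list and the placeholder IDs are my own choices; it requires Connect-AzAccount and, for the write operations, Owner or User Access Administrator at the target scope.

```powershell
# Added example (not from either blog post): audit and manage Azure RBAC assignments
# for a service principal with the Az.Resources cmdlets. Requires Connect-AzAccount
# and, for the write operations, Owner or User Access Administrator at the scope.

# Roles a reviewer usually wants flagged when held by an automation identity
# (assumption: adjust to your own policy).
$PrivilegedRoles = @('Owner', 'Contributor', 'User Access Administrator')

function Get-ServicePrincipalRoleReport {
    # One row per assignment the principal holds in the current subscription context,
    # inherited ones included, with a Privileged flag for the broad built-in roles.
    param([Parameter(Mandatory)] [string] $ObjectId)
    Get-AzRoleAssignment -ObjectId $ObjectId | ForEach-Object {
        [pscustomobject]@{
            RoleDefinitionName = $_.RoleDefinitionName
            Scope              = $_.Scope
            Privileged         = $PrivilegedRoles -contains $_.RoleDefinitionName
            AssignmentId       = $_.RoleAssignmentId
        }
    }
}

function Grant-LeastPrivilegeRole {
    # Adds a role assignment only if none exists for that role at exactly that scope,
    # and refuses broad roles unless -AllowPrivileged is set.
    param(
        [Parameter(Mandatory)] [string] $ObjectId,
        [Parameter(Mandatory)] [string] $RoleDefinitionName,
        [Parameter(Mandatory)] [string] $Scope,
        [switch] $AllowPrivileged
    )
    if (($PrivilegedRoles -contains $RoleDefinitionName) -and -not $AllowPrivileged) {
        throw "Refusing to grant '$RoleDefinitionName' to a service principal without -AllowPrivileged"
    }
    # Get-AzRoleAssignment -Scope also returns assignments inherited from parent scopes,
    # so filter to an exact scope match before deciding the assignment already exists.
    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleDefinitionName -Scope $Scope |
        Where-Object { $_.Scope -eq $Scope }
    if ($existing) { return $existing }
    New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleDefinitionName -Scope $Scope
}

function Revoke-AllServicePrincipalRoles {
    # Removes every assignment returned for the principal; run with -WhatIf first.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $ObjectId)
    Get-AzRoleAssignment -ObjectId $ObjectId | ForEach-Object {
        if ($PSCmdlet.ShouldProcess("$($_.RoleDefinitionName) at $($_.Scope)", 'Remove role assignment')) {
            Remove-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $_.RoleDefinitionName -Scope $_.Scope
        }
    }
}

# Usage with placeholder values: resolve the principal by application ID, report, grant, dry-run revoke.
$sp = Get-AzADServicePrincipal -ApplicationId '00000000-0000-0000-0000-000000000000'
Get-ServicePrincipalRoleReport -ObjectId $sp.Id | Format-Table -AutoSize
Grant-LeastPrivilegeRole -ObjectId $sp.Id -RoleDefinitionName 'Reader' `
    -Scope "/subscriptions/$((Get-AzContext).Subscription.Id)/resourceGroups/rg-example"
Revoke-AllServicePrincipalRoles -ObjectId $sp.Id -WhatIf
```

The exact-scope filter in Grant-LeastPrivilegeRole matters: without it, a Reader assignment inherited from the subscription would make the function skip creating the resource-group assignment you asked for, and the later removal of the subscription-level grant would silently take the resource-group access with it.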
I am Rajkishore, and I have over 14 years of experience in Microsoft Azure and AWS, with good experience in Azure Functions, Storage, Virtual Machine, Logic Apps, PowerShell Commands, CLI Commands, Machine Learning, AI, Azure Cognitive Services, DevOps, etc. Not only that, I do have good real-time experience in designing and developing cloud-native data integrations on Azure or AWS, etc. I hope you will learn from these practical Azure tutorials. Read more .