Merge pull request #273937 from nwokolo/patch-20

Rewrite

Author: Stacyrch140

articles/cost-management-billing/savings-plan/manage-savings-plan.md

@@ -62,7 +62,7 @@ To update auto-renewal setting as a billing administrator:
 3. Select the desired savings plan.
 4. Select **Settings** > **Renewal**.
 
-If you purchased a savings plan, have been added to a savings plan, or have been assigned a one or more savings plan RBAC roles, use the following steps to update auto-renewal setting:
+If you purchased a savings plan, have been added to a savings plan, or have been assigned one or more savings plan RBAC roles, use the following steps to update auto-renewal setting:
 1. Sign in to the Azure portal.
 2. Select All Services > Savings plans to list savings plans that you have access to.
 3. Select the desired savings plan.
@@ -79,7 +79,7 @@ If you're a billing administrator, use following steps to view and manage all sa
 3. Select the desired savings plan.
 4. To rename the savings plan, click "Rename". To view payment history or upcoming payments, click the link to the right of "Billing frequency".
 
-If you purchased a savings plan, have been added to a savings plan, or have been assigned a one or more savings plan RBAC roles, use the following steps to view savings plan details and utilization:
+If you purchased a savings plan, have been added to a savings plan, or have been assigned one or more savings plan RBAC roles, use the following steps to view savings plan details and utilization:
 1. Sign in to the Azure portal.
 2. Select All Services > Savings plans to list savings plans that you have access to.
 3. Select the desired savings plan.
@@ -105,9 +105,9 @@ To delegate the Administrator, Contributor, or Reader role to a specific savings
 ### Delegate Savings plan Administrator, Contributor or Reader role to all savings plans
 [User Access Administrator](../../role-based-access-control/built-in-roles.md#user-access-administrator) rights are required to grant RBAC roles at the tenant level. To get User Access Administrator rights, follow [Elevate access steps](../../role-based-access-control/elevate-access-global-admin.md).
 
-### To delegate the administrator, contributor, or reader role to all savings plans in a tenant
-1.	Navigate to **Home** > **Savings plans**
-2.	Click **Role assignment** from the top navigation bar
+After you have elevated access:
+1. Navigate to **Home** > **Savings plans** to see all savings plans that are in the tenant.
+2. To make modifications to the savings plan, add yourself as an owner of the savings plan order using Access control (IAM).
 
 
 ## Cancel, exchange, or refund

articles/cost-management-billing/savings-plan/permission-view-manage.md

@@ -15,28 +15,36 @@ ms.author: banders
 This article explains how savings plan permissions work and how users can view and manage Azure savings plans in the Azure portal.
 
 ## Who can manage a savings plan by default
-By default, the following users can view and manage savings plans:
-- The person who buys a savings plan and the account administrator of the billing subscription used to buy the savings plan are added to the savings plan order.
-- Enterprise Agreement and Microsoft Customer Agreement billing administrators.
-- Users with elevated access to manage all Azure subscriptions and management groups.
-- A Savings plan administrator for savings plans in their Microsoft Entra tenant (directory)
-- A Savings plan reader has read-only access to savings plans in their Microsoft Entra tenant (directory)
-
-The savings plan lifecycle is independent of an Azure subscription, so the savings plan isn't a resource under the Azure subscription. Instead, it's a tenant-level resource with its own Azure role-based access control (RBAC_ permission separate from subscriptions. Savings plans don't inherit permissions from subscriptions after the purchase.
-
-## View and manage savings plans as a billing administrator
-
-If you're a billing administrator, use following steps to view and manage all savings plans and savings plan transactions in the Azure portal:
+There are two different authorization methods that control a user's ability to view, manage and delegate permissions to savings plans - billing admin roles and savings plan RBAC roles.
+
+## Billing admin roles
+You can view, manage, and delegate permissions to savings plans using built-in billing admin roles. To learn more about MCA and EA billing roles, see [Understand Microsoft Customer Agreement administrative roles in Azure](../manage/understand-mca-roles.md) and [Managing Azure Enterprise Agreement roles](../manage/understand-ea-roles.md), respectively.
+
+### Billing admin roles required for savings plan actions
+- View savings plans
+    - MCA: Users with Billing profile reader or above
+    - EA: Users with Enterprise Administrator (read only) or above
+    - MPA: Not supported
+- Manage savings plans (achieved by delegating permissions for the full billing profile/enrollment)
+    - MCA: Users with Billing profile contributor or above
+    - EA: Users with EA Administrator or above
+    - MPA: Not supported
+- Delegate savings plan permissions
+    - MCA: Users with Billing profile contributor or above
+    - EA: Users with EA purchaser or above
+    - MPA: Not supported
+
+### View and manage savings plans as a billing admin
+If you're a billing role user, use following steps to view and manage all savings plans and savings plan transactions in the Azure portal:
 
 1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to **Cost Management + Billing**.
-    - If you're an EA admin, in the left menu, select **Billing scopes** and then in the list of billing scopes, select one.
-    - If you're a Microsoft Customer Agreement billing profile owner, in the left menu, select **Billing profiles**. In the list of billing profiles, select one.
+    - If you're under an EA account, in the left menu, select **Billing scopes** and then in the list of billing scopes, select one.
+    - If you're under a MCA account, in the left menu, select **Billing profiles**. In the list of billing profiles, select one.
 1. In the left menu, select **Products + services** > **Savings plans**.
-    The complete list of savings plans for your EA enrollment or billing profile is shown.
-1. Billing administrators can take ownership of a savings plan with the [Savings Plan Order - Elevate REST API](/rest/api/billingbenefits/savings-plan-order/elevate) to give themselves Azure RBAC roles.
+    The complete list of savings plans for your EA enrollment or MCA billing profile is shown.
+1. Billing role users can take ownership of a savings plan with the [Savings Plan Order - Elevate REST API](/rest/api/billingbenefits/savings-plan-order/elevate) to give themselves Azure RBAC roles.
 
 ### Adding billing administrators
-
 Add a user as billing administrator to an Enterprise Agreement or a Microsoft Customer Agreement in the Azure portal.
 
 - For an Enterprise Agreement, add users with the Enterprise Administrator role to view and manage all savings plan orders that apply to the Enterprise Agreement. Enterprise administrators can view and manage savings plan in **Cost Management + Billing**.
@@ -45,37 +53,44 @@ Add a user as billing administrator to an Enterprise Agreement or a Microsoft Cu
 - For a Microsoft Customer Agreement, users with the billing profile owner role or the billing profile contributor role can manage all savings plan purchases made using the billing profile. 
     - Billing profile readers and invoice managers can view all savings plans that are paid for with the billing profile. However, they can't make changes to savings plans. For more information, see [Billing profile roles and tasks](../manage/understand-mca-roles.md#billing-profile-roles-and-tasks).
 
-## View savings plans with Azure RBAC access
-
-If you purchased the savings plan or you're added to a savings plan, use the following steps to view and manage savings plans in the Azure portal:
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Select **All Services** > **Savings plans** to list savings plans that you have access to.
-
-## Manage subscriptions and management groups with elevated access
 
-You can [elevate a user's access to manage all Azure subscriptions and management groups](../../role-based-access-control/elevate-access-global-admin.md).
+## Savings plan RBAC roles
+The savings plan lifecycle is independent of an Azure subscription. Savings plans don't inherit permissions from subscriptions after the purchase. Savings plans are a tenant-level resource with their own Azure RBAC permissions. 
 
-After you have elevated access:
+### Overview
+There are four savings plan-specific RBAC roles:
+- Savings plan administrator – allows [management](manage-savings-plan.md) of one or more savings plans in a tenant and [delegation of RBAC roles](../../role-based-access-control/role-assignments-portal.yml) to other users.
+- Savings plan purchaser – allows purchase of savings plans with a specified subscription.
+    - Allows savings plans purchase or [Reservation trade-in](reservation-trade-in.md) by non-billing admins and non-subscription owners.
+    - Savings plan purchasing by non-billing admins must be enabled. Learn more [here](buy-savings-plan.md#who-can-buy-a-savings-plan).
+- Savings plan contributor – allows management of one or more savings plans in a tenant but not delegation of RBAC roles to other users.
+- Savings plan reader – allows read-only access to one or more savings plans in a tenant.
 
-1. Navigate to **All Services** > **Savings plans** to see all savings plans that are in the tenant.
-2. To make modifications to the savings plan, add yourself as an owner of the savings plan order using Access control (IAM).
+These roles can be scoped to either a specific resource entity (e.g. subscription or savings plan) or the Microsoft Entra tenant (directory). To learn more about Azure RBAC, see [What is Azure role-based access control (Azure RBAC)?](../../role-based-access-control/overview.md). 
 
-## Grant access to individual savings plans
+### Savings plan RBAC roles required for savings plan actions
+- View savings plans:
+    - Tenant-scope: Users with Savings plan reader or above.
+    - Savings plan-scope: Built-in Reader or above.
+- Manage savings plans:
+    - Tenant-scope: Users with Savings plan contributor or above.
+    - Savings plan-scope: Built-in Contributor or Owner roles, or Savings plan contributor or above.
+- Delegate savings plan permissions:
+    - Tenant-scope: [User Access Administrator](../../role-based-access-control/built-in-roles.md#general) rights are required to grant RBAC roles to all savings plans in the tenant. To gain these rights, follow [Elevate access](../../role-based-access-control/elevate-access-global-admin.md) steps.
+    - Savings plan-scope: Savings plan administrator or User access administrator.
 
-Users who have owner access on the savings plan and billing administrators can delegate access management for an individual savings plan order in the Azure portal.
+In addition, users who held the Subscription owner role when the subscription was used to purchase a savings plan, can also view, manage and delegate permissions for the purchased savings plan.
 
-To allow other people to manage savings plans, you have two options:
 
-- Delegate access management for an individual savings plan order by assigning the Owner role to a user at the resource scope of the savings plan order. If you want to give limited access, select a different role. For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.yml).
-- Add a user as billing administrator to an Enterprise Agreement or a Microsoft Customer Agreement:
-  - For an Enterprise Agreement, add users with the Enterprise Administrator role to view and manage all savings plan orders that apply to the Enterprise Agreement. Users with the Enterprise Administrator (read only) role can only view the savings plan. Department admins and account owners can't view savings plans unless they're explicitly added to them using Access control (IAM). For more information, see [Manage Azure Enterprise roles](../manage/understand-ea-roles.md).
-  - For a Microsoft Customer Agreement, users with the billing profile owner role or the billing profile contributor role can manage all savings plan purchases made using the billing profile. Billing profile readers and invoice managers can view all savings plans that are paid for with the billing profile. However, they can't make changes to savings plans. For more information, see [Billing profile roles and tasks](../manage/understand-mca-roles.md#billing-profile-roles-and-tasks).
+### View savings plans with RBAC access
 
-      _Enterprise Administrators can take ownership of a savings plan order and they can add other users to a savings plan using Access control (IAM)._
+If you have savings plan-specific RBAC roles (Savings plan administrator, purchaser, contributor or reader), purchased savings plans, or been added as an owner to savings plans, use the following steps to view and manage savings plans in the Azure portal:
 
-  - For a Microsoft Customer Agreement, users with the billing profile owner role or the billing profile contributor role can manage all savings plan purchases made using the billing profile. Billing profile readers and invoice managers can view all savings plans that are paid for with the billing profile. However, they can't make changes to savings plans. For more information, see [Billing profile roles and tasks](../manage/understand-mca-roles.md#billing-profile-roles-and-tasks).
+1. Sign in to the [Azure portal](https://portal.azure.com).
+2. Select **Home** > **Savings plans** to list savings plans that you have access to.
 
+### Adding RBAC roles to users and groups
+To learn about delegating savings plan RBAC roles, see [Delegate savings plan RBAC roles](manage-savings-plan.md#delegate-savings-plan-rbac-roles)
 
 
 ## Grant access with PowerShell
@@ -84,12 +99,10 @@ Users that have owner access for savings plan orders, users with elevated access
 
 Access granted using PowerShell isn't shown in the Azure portal. Instead, you use the `get-AzRoleAssignment` command in the following section to view assigned roles.
 
-## Assign the owner role for all savings plan
-
+### Assign the owner role for all savings plan
 Use the following Azure PowerShell script to give a user Azure RBAC access to all savings plan orders in their Microsoft Entra tenant (directory).
 
 ```azurepowershell
-
 Import-Module Az.Accounts
 Import-Module Az.Resources
 
@@ -104,12 +117,11 @@ foreach ($savingsPlan in $savingsPlanObjects)
   Write-Host "Assigning Owner role assignment to "$savingsPlanOrderId
   New-AzRoleAssignment -Scope $savingsPlanOrderId -ObjectId <ObjectId> -RoleDefinitionName Owner
 }
-
 ```
 
 When you use the PowerShell script to assign the ownership role and it runs successfully, a success message isn’t returned.
 
-### Parameters
+#### Parameters
 
 **-ObjectId**  Microsoft Entra ObjectId of the user, group, or service principal.
 - Type: String
@@ -126,21 +138,8 @@ When you use the PowerShell script to assign the ownership role and it runs succ
 - Accept pipeline input: False
 - Accept wildcard characters: False
 
-## Tenant-level access
-
-[User Access Administrator](../../role-based-access-control/built-in-roles.md#user-access-administrator) rights are required before you can grant users or groups the Savings plan Administrator and Savings plan Reader roles at the tenant level. In order to get User Access Administrator rights at the tenant level, follow [Elevate access](../../role-based-access-control/elevate-access-global-admin.md) steps.
-
-### Add a Savings plan Administrator role or Savings plan Reader role at the tenant level
-You can assign these roles from the [Azure portal](https://portal.azure.com).
-
-1. Sign in to the Azure portal and navigate to **Savings plan**.
-1. Select a savings plan that you have access to.
-1. At the top of the page, select **Role Assignment**.
-1. Select the **Roles** tab.
-1. To make modifications, add a user as a Savings plan Administrator or Savings plan Reader using Access control.
 
 ### Add a Savings plan Administrator role at the tenant level using Azure PowerShell script
-
 Use the following Azure PowerShell script to add a Savings plan Administrator role at the tenant level with PowerShell.
 
 ```azurepowershell
@@ -151,7 +150,32 @@ New-AzRoleAssignment -Scope "/providers/Microsoft.BillingBenefits" -PrincipalId
 ```
 
 #### Parameters
+**-ObjectId** Microsoft Entra ObjectId of the user, group, or service principal.
+- Type:	String
+- Aliases: Id, PrincipalId
+- Position:	Named
+- Default value: None
+- Accept pipeline input: True
+- Accept wildcard characters: False
+
+**-TenantId** Tenant unique identifier.
+- Type:	String
+- Position:	5
+- Default value: None
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+### Assign a Savings plan Contributor role at the tenant level using Azure PowerShell script
+Use the following Azure PowerShell script to assign the Savings plan Contributor role at the tenant level with PowerShell.
+
+```azurepowershell
+Import-Module Az.Accounts
+Import-Module Az.Resources
+Connect-AzAccount -Tenant <TenantId>
+New-AzRoleAssignment -Scope "/providers/Microsoft.BillingBenefits" -PrincipalId <ObjectId> -RoleDefinitionName "Savings plan Contributor"
+```
 
+#### Parameters
 **-ObjectId** Microsoft Entra ObjectId of the user, group, or service principal.
 - Type:	String
 - Aliases: Id, PrincipalId
@@ -167,22 +191,18 @@ New-AzRoleAssignment -Scope "/providers/Microsoft.BillingBenefits" -PrincipalId
 - Accept pipeline input: False
 - Accept wildcard characters: False
 
-### Assign a Savings plan Reader role at the tenant level using Azure PowerShell script
 
+### Assign a Savings plan Reader role at the tenant level using Azure PowerShell script
 Use the following Azure PowerShell script to assign the Savings plan Reader role at the tenant level with PowerShell.
 
 ```azurepowershell
-
 Import-Module Az.Accounts
 Import-Module Az.Resources
-
 Connect-AzAccount -Tenant <TenantId>
-
 New-AzRoleAssignment -Scope "/providers/Microsoft.BillingBenefits" -PrincipalId <ObjectId> -RoleDefinitionName "Savings plan Reader"
 ```
 
 #### Parameters
-
 **-ObjectId** Microsoft Entra ObjectId of the user, group, or service principal.
 - Type:	String
 - Aliases: Id, PrincipalId