File: articles/cost-management-billing/manage/assign-roles-azure-service-principals.md
Lines changed: 12 additions & 3 deletions
@@ -7,7 +7,7 @@ tags: billing
7
7
ms.service: cost-management-billing
8
8
ms.subservice: billing
9
9
ms.topic: how-to
10
-
ms.date: 09/20/2022
10
+
ms.date: 01/18/2023
11
11
ms.author: banders
12
12
---
13
13
@@ -16,6 +16,9 @@ ms.author: banders
16
16
You can manage your Enterprise Agreement (EA) enrollment in the [Azure Enterprise portal](https://ea.azure.com/). Direct Enterprise customer can now manage Enterprise Agreement(EA) enrollment in [Azure portal](https://portal.azure.com/).
17
17
You can create different roles to manage your organization, view costs, and create subscriptions. This article helps you automate some of those tasks by using Azure PowerShell and REST APIs with Azure service principal names (SPNs).
18
18
19
+
> [!NOTE]
20
+
> If you have multiple EA billing accounts in your organization, you must grant the EA roles to Azure SPNs individually in each EA billing account.
21
+
19
22
Before you begin, ensure that you're familiar with the following articles:
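Review bot: The new NOTE says to grant the EA roles "individually in each EA billing account", which a reader can take to mean one SPN at a time; the point is that a role assignment is scoped to one billing account, so the same SPN needs a separate assignment in every billing account it should be able to read or act on. Suggest: "Role assignments are scoped to a single EA billing account. If your organization has multiple EA billing accounts, grant the SPN its EA role separately in each one."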
@@ -37,7 +40,11 @@ Here's an example of the application registration page.
37
40
38
41
### Find your SPN and tenant ID
39
42
40
-
You also need the object ID of the SPN and the tenant ID of the app. You need this information for permission assignment operations later in this article.
43
+
You also need the object ID of the SPN and the tenant ID of the app. You need this information for permission assignment operations later in this article. All applications are registered in Azure AD in the tenant. Two types of objects get created when the app registration is completed:
44
+
45
+
- Application object - The application object ID is what you see under App Registrations in Azure AD. The object ID should *not* be used to grant any EA roles.
46
+
47
+
- Service Principal object - The Service Principal object is what you see in the Enterprise Registration window in Azure AD. The object ID is used to grant EA roles to the SPN.
41
48
42
49
1. Open Azure Active Directory, and then select **Enterprise applications**.
43
50
1. Find your app in the list.
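Review bot: The second new bullet calls the place to look the "Enterprise Registration window", while the numbered step immediately below says "select **Enterprise applications**"; use the same name in both so readers pick up the object ID that actually works for role grants (the service principal's) and not the application object ID that the preceding bullet warns against. The opening sentence "All applications are registered in Azure AD in the tenant" also repeats what the next sentence says; consider collapsing the two into "Registering an application in your Azure AD tenant creates two objects:".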
@@ -66,11 +73,13 @@ Later in this article, you'll give permission to the Azure AD app to act by usin
66
73
| DepartmentReader | Download the usage details for the department they administer. Can view the usage and charges associated with their department. | db609904-a47f-4794-9be8-9bd86fbffd8a |
67
74
| SubscriptionCreator | Create new subscriptions in the given scope of Account. | a0bcee42-bf30-4d1b-926a-48d21664ef71 |
68
75
69
-
- An EnrollmentReader role can be assigned to an SPN only by a user who has an enrollment writer role.
76
+
- An EnrollmentReader role can be assigned to an SPN only by a user who has an enrollment writer role. The EnrollmentReader role assigned to an SPN isn't shown in the EA portal. It's created by programmatic means and is only for programmatic use.
70
77
- A DepartmentReader role can be assigned to an SPN only by a user who has an enrollment writer or department writer role.
71
78
- A SubscriptionCreator role can be assigned to an SPN only by a user who is the owner of the enrollment account (EA administrator). The role isn't shown in the EA portal. It's created by programmatic means and is only for programmatic use.
72
79
- The EA purchaser role isn't shown in the EA portal. It's created by programmatic means and is only for programmatic use.
73
80
81
+
When you grant an EA role to an SPN, you must use the `billingRoleAssignmentName` required property. The parameter is a unique GUID that you must provide. You can generate a GUID using the [New-Guid](/powershell/module/microsoft.powershell.utility/new-guid) PowerShell command. You can also use the [Online GUID / UUID Generator](https://guidgenerator.com/) website to generate a unique GUID.
82
+
74
83
An SPN can have only one role.
75
84
76
85
## Assign enrollment account role permission to the SPN
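Review bot: The added paragraph sends readers to a third-party website for the `billingRoleAssignmentName` GUID; since `New-Guid` (linked in the same sentence) already produces one locally, drop the external link rather than pointing administrators who are assigning billing roles at an outside site. Separately, the sentence "isn't shown in the EA portal. It's created by programmatic means and is only for programmatic use." now appears three times in this list (EnrollmentReader, SubscriptionCreator, EA purchaser); state it once with the affected roles named, e.g. "The EnrollmentReader, SubscriptionCreator, and EA purchaser roles assigned to an SPN aren't shown in the EA portal; they're created programmatically and are only for programmatic use."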