Commit 862a543

Merge pull request #224271 from bandersmsft/assign-roles-azure-service-principals-01182023
MCM - Updated assign-roles-spn
2 parents 20429f7 + 676646e commit 862a543

1 file changed, +12 -3 lines changed

articles/cost-management-billing/manage/assign-roles-azure-service-principals.md

Lines changed: 12 additions & 3 deletions
@@ -7,7 +7,7 @@ tags: billing
77
ms.service: cost-management-billing
88
ms.subservice: billing
99
ms.topic: how-to
10-
ms.date: 09/20/2022
10+
ms.date: 01/18/2023
1111
ms.author: banders
1212
---
1313

@@ -16,6 +16,9 @@ ms.author: banders
1616
You can manage your Enterprise Agreement (EA) enrollment in the [Azure Enterprise portal](https://ea.azure.com/). Direct Enterprise customer can now manage Enterprise Agreement(EA) enrollment in [Azure portal](https://portal.azure.com/).
1717
You can create different roles to manage your organization, view costs, and create subscriptions. This article helps you automate some of those tasks by using Azure PowerShell and REST APIs with Azure service principal names (SPNs).
1818

19+
> [!NOTE]
20+
> If you have multiple EA billing accounts in your organization, you must grant the EA roles to Azure SPNs individually in each EA billing account.
21+
1922
Before you begin, ensure that you're familiar with the following articles:
2023

2124
- [Enterprise agreement roles](understand-ea-roles.md)
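Review bot: the new NOTE (line 20) says the EA roles must be granted to an SPN individually in each EA billing account, but later in the same file the unchanged sentence "An SPN can have only one role." is left without that qualification, so a reader cannot tell whether one SPN may hold a role in several billing accounts or only one role in total. Suggest stating the scope explicitly in the NOTE, e.g. "you must grant the EA role to the SPN separately in each EA billing account; the single-role limit applies per billing account" (or whatever the actual limit is), and saying which user performs each grant, since the bullets below tie every role to a grantor (enrollment writer, department writer, enrollment account owner).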
@@ -37,7 +40,11 @@ Here's an example of the application registration page.
3740

3841
### Find your SPN and tenant ID
3942

40-
You also need the object ID of the SPN and the tenant ID of the app. You need this information for permission assignment operations later in this article.
43+
You also need the object ID of the SPN and the tenant ID of the app. You need this information for permission assignment operations later in this article. All applications are registered in Azure AD in the tenant. Two types of objects get created when the app registration is completed:
44+
45+
- Application object - The application object ID is what you see under App Registrations in Azure AD. The object ID should *not* be used to grant any EA roles.
46+
47+
- Service Principal object - The Service Principal object is what you see in the Enterprise Registration window in Azure AD. The object ID is used to grant EA roles to the SPN.
4148

4249
1. Open Azure Active Directory, and then select **Enterprise applications**.
4350
1. Find your app in the list.
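Review bot: the two new bullets (lines 45 and 47) both call the identifier "the object ID", which is exactly the value readers are being told to distinguish, and bullet 47 points them at an "Enterprise Registration window" while the very next step says "select **Enterprise applications**". Use one name for the blade and qualify the identifiers, e.g. "the application object's Object ID shown under App registrations must not be used for EA role grants; use the service principal's Object ID shown under Enterprise applications", so the text and the numbered steps agree. The lead sentence "All applications are registered in Azure AD in the tenant" adds nothing and can be dropped.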
@@ -66,11 +73,13 @@ Later in this article, you'll give permission to the Azure AD app to act by usin
6673
| DepartmentReader | Download the usage details for the department they administer. Can view the usage and charges associated with their department. | db609904-a47f-4794-9be8-9bd86fbffd8a |
6774
| SubscriptionCreator | Create new subscriptions in the given scope of Account. | a0bcee42-bf30-4d1b-926a-48d21664ef71 |
6875

69-
- An EnrollmentReader role can be assigned to an SPN only by a user who has an enrollment writer role.
76+
- An EnrollmentReader role can be assigned to an SPN only by a user who has an enrollment writer role. The EnrollmentReader role assigned to an SPN isn't shown in the EA portal. It's created by programmatic means and is only for programmatic use.
7077
- A DepartmentReader role can be assigned to an SPN only by a user who has an enrollment writer or department writer role.
7178
- A SubscriptionCreator role can be assigned to an SPN only by a user who is the owner of the enrollment account (EA administrator). The role isn't shown in the EA portal. It's created by programmatic means and is only for programmatic use.
7279
- The EA purchaser role isn't shown in the EA portal. It's created by programmatic means and is only for programmatic use.
7380

81+
When you grant an EA role to an SPN, you must use the `billingRoleAssignmentName` required property. The parameter is a unique GUID that you must provide. You can generate a GUID using the [New-Guid](/powershell/module/microsoft.powershell.utility/new-guid) PowerShell command. You can also use the [Online GUID / UUID Generator](https://guidgenerator.com/) website to generate a unique GUID.
82+
7483
An SPN can have only one role.
7584

7685
## Assign enrollment account role permission to the SPN

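Review bot: the new `billingRoleAssignmentName` paragraph (line 81) sends readers to a third-party website to generate the GUID; since the doc already gives `New-Guid`, keep the PowerShell method and drop the external link rather than directing readers off-platform from an official how-to. It would also help to tie this to the NOTE added earlier in the file: the GUID must be unique per role assignment, so each per-billing-account grant that NOTE requires needs its own freshly generated value. Minor: the sentence appended to the EnrollmentReader bullet (line 76) now repeats "isn't shown in the EA portal. It's created by programmatic means and is only for programmatic use." word for word from the SubscriptionCreator and EA purchaser bullets; consider one sentence covering all three roles instead of three copies.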