articles/cost-management-billing/manage/assign-roles-azure-service-principals.md
Lines changed: 11 additions & 6 deletions
@@ -78,11 +78,14 @@ Later in this article, you give permission to the Microsoft Entra app to act by
78
78
| SubscriptionCreator | Create new subscriptions in the given scope of Account. | a0bcee42-bf30-4d1b-926a-48d21664ef71 |
79
79
| Partner Admin Reader | Partner Admins can view data for all enrollments under the partner organization. This role is only available for the following APIs:<br>- [Balances](/rest/api/consumption/balances/get-by-billing-account)<br>- [Exports V2 (api-version 2025-03-01 only)](/rest/api/cost-management/exports)<br>- [Generate Cost Details Report](/rest/api/cost-management/generate-cost-details-report)<br>- [Marketplaces](/rest/api/consumption/marketplaces/list)<br>- [Consumption Price sheet](/rest/api/consumption/price-sheet)<br>- [Cost Management Price sheet Download](/rest/api/cost-management/price-sheet/download-by-billing-account)<br>- [Generate Reservation Details Report](/rest/api/cost-management/generate-reservation-details-report/by-billing-account-id)<br>- [Reservation Summaries](/rest/api/consumption/reservations-summaries)<br>- [Reservation Recommendations](/rest/api/consumption/reservation-recommendations/list)<br>- [Reservation Transactions](/rest/api/consumption/reservation-transactions) | 4f6144c0-a809-4c55-b3c8-7f9b7b15a1bf |
80
80
81
-
- An EnrollmentReader role can be assigned to a service principal only by a user who has an enrollment writer role. The EnrollmentReader role assigned to a service principal isn't shown in the Azure portal. It gets created by programmatic means and is only for programmatic use.
82
-
- A DepartmentReader role can be assigned to a service principal only by a user who has an enrollment writer or department writer role.
83
-
- A SubscriptionCreator role can be assigned to a service principal only by a user who is the owner of the enrollment account (EA administrator). The role isn't shown in the Azure portal. It gets created by programmatic means and is only for programmatic use.
84
-
- The EA purchaser role isn't shown in the Azure portal. It gets created by programmatic means and is only for programmatic use.
85
-
- The Partner Admin Reader role can be assigned to a service principal only by a user who has Partner Administrator role. The EnrollmentReader role assigned to a service principal isn't shown in the Azure portal. It gets created by programmatic means and is only for programmatic use.
81
+
- The following user roles are required to assign each service principal role:
82
+
-**EnrollmentReader**: Can be assigned only by a user with the enrollment writer role.
83
+
-**DepartmentReader**: Can be assigned only by a user with the enrollment writer or department writer role.
84
+
-**SubscriptionCreator**: Can be assigned only by a user who is the owner of the enrollment account (EA administrator).
85
+
-**EA purchaser**: Can be assigned only by a user with the enrollment writer role.
86
+
-**Partner Admin Reader**: Can be assigned only by a user with the Partner Administrator role.
87
+
88
+
All of these roles are created by programmatic means, are not shown in the Azure portal, and are only for programmatic use.
86
89
87
90
When you grant an EA role to a service principal, you must use the `billingRoleAssignmentName` required property. The parameter is a unique GUID that you must provide. You can generate a GUID using the [New-Guid](/powershell/module/microsoft.powershell.utility/new-guid) PowerShell command. You can also use the [Online GUID / UUID Generator](https://guidgenerator.com/) website to generate a unique GUID.
88
91
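Review bot: The added **EA purchaser** bullet ("Can be assigned only by a user with the enrollment writer role") states an assignment requirement that none of the removed lines contained; the old EA purchaser text only said the role isn't shown in the Azure portal and is for programmatic use. Since this sentence now defines who may grant a billing role to a service principal, please confirm it against the actual service behaviour before merging. The closing sentence "All of these roles are created by programmatic means, are not shown in the Azure portal, and are only for programmatic use" also widens the old text: the removed DepartmentReader line made no such statement, so the summary now applies it to DepartmentReader as well. If that is not intended, scope the sentence to the roles it covered before. Style nit: "are not" could be "aren't" to match the contractions in the text this replaces.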
@@ -98,7 +101,9 @@ A service principal can have only one role.
98
101
99
102
1. Provide the following parameters as part of the API request.
100
103
101
-
-`billingAccountName`: This parameter is the **Billing account ID**. You can find it in the Azure portal on the **Cost Management + Billing** overview page. For the **Partner Admin Reader Role**, the format is "pcn.{PCN}" where {PCN} is the partner organization number.
104
+
-`billingAccountName`: This parameter is the **Billing account ID**. You can find it in the Azure portal on the **Cost Management + Billing** overview page.
105
+
- For the **Partner Admin Reader** role, use the format `pcn.{PCN}` for the billing account name, where `{PCN}` is your partner organization's Partner Customer Number.
106
+
- For all other roles, use the standard billing account ID as shown in the Azure portal.
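Review bot: The new **Partner Admin Reader** sub-bullet expands `{PCN}` as "your partner organization's Partner Customer Number", while the line it replaces described it as "the partner organization number". Please confirm which expansion is correct and use that term consistently, because readers build the `pcn.{PCN}` billing account name from this description. The last sub-bullet, "For all other roles, use the standard billing account ID as shown in the Azure portal", repeats what the parent `billingAccountName` bullet already says and could be dropped.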