How to add Invoice Manager role IAM

Question

How to add Invoice Manager role IAM

Andy Clapham 51

I would like to grant access for viewing and paying invoices to our accounts team.

They are not technical and should only have rights related to this specific duty on the subscription.

I see from the document here that there is an Invoice Manager role designed for this https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/understand-mca-roles

However in IAM I don't see any such role. The closest seems to be Billing Reader (which can't pay invoices)

Has it been replaced with another role? Do I need to create this role myself (in which case what permissions set should I use?)

What's the best way to grant access to the subscription to be able to pay an invoice, without access to create or change anything else?

Accepted answer

1 additional answer

Your answer

Answer 1

TP 125.8K Volunteer Moderator

Hi Andy,

Please navigate to the Cost Management + Billing -- Billing profiles blade using link below:

https://portal.azure.com/#view/Microsoft_Azure_GTM/ModernBillingMenuBlade/~/BillingProfiles

On right, click on the billing profile you would like to add role assignment to. Next click Access control (IAM) blade, and then click Add. Select Invoice manager and then search for and Add user account.

qna cost management invoice manager

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP

Andy Clapham 51 Reputation points

2024-08-12T13:34:29.5266667+00:00

I do not see the Invoce Manager role in the add role assignment panel.

I see:
SadiqhAhmed-MSFT 49,331 Reputation points Microsoft Employee Moderator

2024-08-12T16:07:03.9733333+00:00

@Andy Clapham What type of subscription are you using?
Andy Clapham 51 Reputation points

2024-08-12T16:15:43.0533333+00:00

I don't see a "type" on the subscription - I see Plan: Azure Plan in the subscription overview. If you mean a different setting, let me know where to look :)
Andy Clapham 51 Reputation points

2024-08-12T16:19:01.3733333+00:00

-- duplicate deleted
TP 125.8K Reputation points Volunteer Moderator

2024-08-12T19:33:50.1066667+00:00

@Andy Clapham Please navigate to the Billing profile and add the role assignment using my instructions above. Based on your screenshot you are on the billing account, which doesn't have Invoice manager as an option.

If you zoom in on my screenshot and compare it to yours you will see mine references billing profile while yours references billing account.
Andy Clapham 51 Reputation points

2024-08-12T22:47:53.11+00:00

Hi TP - thanks that seems to be the case. All sorted now.

I have to say it's rather confusing to find that section as there's a cost management + billing sections directly in the subscription view's navigator. Instead you have to go to the higher level cost management + billing section (is that called a blade then? unusual UX) direct from the burger-menu.

I suppose as a software developer I'm used to the left side navigation tree of IDEs showing everything, rather than being context dependent :)
TP 125.8K Reputation points Volunteer Moderator

2024-08-12T22:52:09.33+00:00

Hi Andy, I agree in regards to it being confusing. Please click Accept Answer and upvote to close up this thread.

Thank you.
TP 125.8K Reputation points Volunteer Moderator

2024-08-14T11:01:33.16+00:00

@Andy Clapham Please click Accept Answer to close up this thread.

Thank you.

Answer 2

Hello Andy Clapham,

Thanks for your question.

Billing Reader cant do this. The roles who can pay invoices are specified here: Billing account owner, Billing profile owner, Billing profile Contributor and Invoice Manager

https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/understand-mca-roles#manage-invoices-for-billing-profile

Access to billing can be done here:

https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/manage-billing-access

You can also create a custom role if you still cannot find the invoice mannager role.

Example:

{
  "Name": "Custom Invoice Manager",
  "Description": "Custom role for managing and paying invoices.",
  "Actions": [
    "Microsoft.Billing/*/read",
    "Microsoft.Billing/*/write"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription-id}"
  ]
}

You can mark it 'Accept Answer' and 'Upvote' if this helped you

Regards,

Abiola

Andy Clapham 51 Reputation points

2024-08-12T13:32:26.7866667+00:00

As per my question, I am indeed trying to add Invoice Manager, but it looks like the role isn't defined on my tenant.

And also as per my question if this role doesn't exist and I need to create it myself, what permissions should I add - your suggestion adds full write to everything which is what I'm trying to avoid. It would be great i somebody knew the exact permissions required here.

Share via

How to add Invoice Manager role IAM

1 additional answer

Your answer