You can only assign the Billing Reader role at the subscription or management group scope and not at the Resource Group level. If you have the correct Owner role at the subscription level, you can assign the RBAC roles.
The "write" and "delete" permissions allow you to assign Azure RBAC roles. The conditions for your owner role validate that the action matches 'Microsoft.Authorization/roleAssignments/write' and the role definition ID matches the specified GUID. If this condition is not met, then the second condition checks if the action matches 'Microsoft.Authorization/roleAssignments/delete' and the role definition ID matches the specified GUID. (reference for RBAC role assignment)
To assign the Billing Reader role, you need to have the Owner, User Access Administrator, Service Administrator or Co-administrator role on the subscription itself and not just the Resource Group.
https://azure.microsoft.com/en-us/blog/azure-billing-reader-role-and-preview-of-invoice-api/#:~:text=How%20to%20add%20users%20to%20Billing%20Reader%20Role,to%20delegate%20access%20to%20subscription%20scoped%20billing%20information
If you have the right permissions and want to assign the role at the subscription or management group scope, you can do so via Azure CLI:
At Management Group scope:
az role assignment create --assignee "alain@example.com" \
  --role "Billing Reader" \
  --scope "/providers/Microsoft.Management/managementGroups/marketing-group"
At subscription scope:
az role assignment create --assignee <user-email> --role "Billing Reader" --scope /subscriptions/<subscription-id>
If you want this user to see some of the billing info and not others, you may want to create a custom RBAC role via AzureRM with some of the permissions set into the NotActions Section. Currently "Billing Reader" is set up with the following permissions:
Get-AzureRmRoleDefinition "Billing Reader"
Name : Billing Reader
Id : fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64
IsCustom : False
Description : Allows read access to billing data
Actions : {Microsoft.Authorization/*/read, Microsoft.Billing/*/read, Microsoft.Commerce/*/read,
Microsoft.Consumption/*/read...}
NotActions : {}
DataActions : {}
NotDataActions : {}
AssignableScopes :
$billing = (Get-AzureRmRoleDefinition "Billing Reader")
$billing.Actions
Microsoft.Authorization/*/read
Microsoft.Billing/*/read
Microsoft.Commerce/*/read
Microsoft.Consumption/*/read
Microsoft.Management/managementGroups/read
Microsoft.CostManagement/*/read
Microsoft.Support/*
Let me know if this helps, if I understood your request correctly, and if you run into any issues.
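The scope rule from the answer above, as an added example that is not part of the original answer: a pre-flight check that classifies the scope string and refuses to build the `az role assignment create` call for Billing Reader unless the scope is a subscription or a management group. The function names and the `DRY_RUN` variable are hypothetical, and the subscription ID is assumed to be a GUID.

```shell
#!/bin/sh
# Added example, not from the original answer. Function names and DRY_RUN are
# hypothetical; scope formats are the ones used in the az commands above.
GUID='[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}'   # assumed subscription ID form

# Return 0 if scope $1 matches extended regex $2 (case-insensitive).
# A scope containing a newline is rejected so grep cannot match one line of it.
scope_matches() {
  case $1 in *'
'*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eiq "$2"
}

# Print the kind of scope: management-group, subscription, resource-group,
# resource or unknown.
scope_kind() {
  if scope_matches "$1" '^/providers/Microsoft\.Management/managementGroups/[^/]+$'; then
    echo management-group
  elif scope_matches "$1" "^/subscriptions/$GUID\$"; then
    echo subscription
  elif scope_matches "$1" "^/subscriptions/$GUID/resourceGroups/[^/]+\$"; then
    echo resource-group
  elif scope_matches "$1" "^/subscriptions/$GUID/resourceGroups/[^/]+/providers/.+\$"; then
    echo resource
  else
    echo unknown
  fi
}

# Assign Billing Reader only at subscription or management group scope.
# With DRY_RUN=1 (the default) the az command is printed, not executed.
assign_billing_reader() {
  assignee=$1
  scope=$2
  kind=$(scope_kind "$scope")
  case $kind in
    management-group|subscription) ;;
    *) echo "refusing: Billing Reader is not assignable at $kind scope: $scope" >&2
       return 1 ;;
  esac
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf 'az role assignment create --assignee "%s" --role "Billing Reader" --scope "%s"\n' \
      "$assignee" "$scope"
  else
    az role assignment create --assignee "$assignee" --role "Billing Reader" --scope "$scope"
  fi
}
```

Set `DRY_RUN=0` to run the printed command; the caller still needs Owner or User Access Administrator on the target subscription or management group, as the answer states.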