Programmatically change Azure Enterprise Agreement subscriptions

Peter Bartosinski 20 Reputation points
2023-01-20T10:11:23.3633333+00:00

Hey Guys,

Because we manage our infrastructure via Terraform, we want to create EA subscriptions programmatically, too.
We followed the official documentation (https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/programmatically-create-subscription-enterprise-agreement?tabs=rest) and are able to create subscriptions. Everything is working so far.

Our problem starts if we try to change an existing subscription via the Service Principal. Error Message: Code="UserNotAuthorized" Message="User does not have access Microsoft.Subscription/aliases/read over scope providers/Microsoft.Subscription/aliases/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

Updating a subscription which was created via the Service Principal works. The problem only occurs on subscriptions which were created manually in the past.

Some things I've checked so far:

  • The Azure App has an RBAC-Role-Assignment (Owner) on both Subscriptions.
  • Both Subscriptions are assigned to the same Billing Account. Account Admin, Billing Account ID and Service-Admin are the same.

Now I wonder if there is another attribute which needs to be changed or another permission which needs to be granted.

Azure Cost Management

Accepted answer
  1. Monalla-MSFT 6,401 Reputation points Microsoft Employee
    2023-01-23T16:01:32.87+00:00

    @Peter Bartosinski - Thanks for reaching out to us.

    @Roderick Bant - Thank you for providing the useful information.

    Reiterating the solution here to reach broader audience and the community.

    The error message means that you need to assign the "Reader" role at the /providers/Microsoft.Subscription scope

    To resolve this, do the following:

    1. Make sure this setting (https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin#azure-portal) is turned on so all Global Admins in the tenant have "User Access Administrator" permissions at the "/" scope
    2. Using a Global Admin of the AAD tenant, connect using the Az module and assign permissions to the service principal like this:

           # sign in to the tenant as the Global Admin
           Connect-AzAccount -Tenant xxxxxxxx
           # look up the service principal by its app display name
           $sp = Get-AzADServicePrincipal -DisplayName "appdisplayname"
           # grant Reader at the Microsoft.Subscription provider scope (uses the SP object id, not the app id)
           New-AzRoleAssignment -ObjectId $sp.Id -Scope /providers/Microsoft.Subscription -RoleDefinitionName "Reader"
    3. Then retry the operation with the service principal.

    Hope this helps, and please feel free to reach out if you have any further questions.


    If the above response was helpful, please feel free to "Accept as Answer" and "Upvote" the same so it can be beneficial to the community.

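The three steps of the accepted answer as one end-to-end script, added here as an example and not code from the thread or from Microsoft. It shows the point the question misses: a subscription alias lives at the tenant-level path /providers/Microsoft.Subscription/aliases/{name}, so Owner on the subscription itself never covers Microsoft.Subscription/aliases/read; the Reader assignment has to sit on the provider scope. The script checks whether the Global Admin already holds User Access Administrator at "/", elevates via the elevateAccess REST call only if not, grants the service principal Reader at /providers/Microsoft.Subscription (idempotently, by object id), removes the root-scope elevation again so it does not linger, and finally re-reads the alias as the service principal to confirm the UserNotAuthorized error is gone. The tenant id, service principal display name, alias name and the AZURE_CLIENT_ID / AZURE_CLIENT_SECRET environment variables are assumptions; the alias API version 2021-10-01 is the one the example uses and should be checked against your provider if it changes.

```powershell
# Added example, not from the original thread. Requires Az.Accounts and Az.Resources.
# --- assumptions: replace with your own values ---
$TenantId      = "00000000-0000-0000-0000-000000000000"   # assumption: AAD tenant id
$SpDisplayName = "terraform-subscriptions"                 # assumption: display name of the Terraform app
$AliasName     = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"    # assumption: alias name taken from the error message
$ProviderScope = "/providers/Microsoft.Subscription"       # scope the accepted answer requires
$AliasApi      = "2021-10-01"                              # assumption: Subscription Alias REST API version

# Sign in interactively as a Global Admin of the tenant.
Connect-AzAccount -Tenant $TenantId | Out-Null
$adminUpn = (Get-AzContext).Account.Id

# Step 1: elevate access only when the admin has no User Access Administrator
# assignment at "/" yet (equivalent to the portal toggle in the answer).
$rootUaa = Get-AzRoleAssignment -SignInName $adminUpn |
    Where-Object { $_.Scope -eq "/" -and $_.RoleDefinitionName -eq "User Access Administrator" }
$weElevated = $false
if (-not $rootUaa) {
    $resp = Invoke-AzRestMethod -Method POST `
        -Path "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
    if ($resp.StatusCode -ne 200) {
        throw "elevateAccess failed: HTTP $($resp.StatusCode) $($resp.Content)"
    }
    $weElevated = $true
    # Re-authenticate so the session picks up the new root-scope assignment.
    Disconnect-AzAccount | Out-Null
    Connect-AzAccount -Tenant $TenantId | Out-Null
}

# Step 2: grant the service principal Reader at the provider scope.
# Reader carries "*/read", which includes Microsoft.Subscription/aliases/read.
$readerActions = (Get-AzRoleDefinition -Name "Reader").Actions
if ($readerActions -notcontains "*/read") { throw "Reader definition unexpectedly lacks */read" }

$sp = Get-AzADServicePrincipal -DisplayName $SpDisplayName
if (-not $sp) { throw "service principal '$SpDisplayName' not found in tenant $TenantId" }

# Use the service principal object id ($sp.Id), not the application (client) id.
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $ProviderScope -RoleDefinitionName "Reader" `
    -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $sp.Id -Scope $ProviderScope -RoleDefinitionName "Reader" | Out-Null
    Write-Host "Granted Reader on $ProviderScope to $($sp.DisplayName) ($($sp.Id))"
} else {
    Write-Host "Reader on $ProviderScope already assigned to $($sp.DisplayName)"
}

# Least privilege: drop the root-scope elevation if this script created it.
if ($weElevated) {
    Remove-AzRoleAssignment -SignInName $adminUpn -Scope "/" -RoleDefinitionName "User Access Administrator"
}

# Step 3: retry the failing read as the service principal. The client id and
# secret are assumed to be in the same env vars the Terraform azurerm provider reads.
$secret = ConvertTo-SecureString $env:AZURE_CLIENT_SECRET -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential($env:AZURE_CLIENT_ID, $secret)
Connect-AzAccount -ServicePrincipal -Tenant $TenantId -Credential $cred | Out-Null

# Role assignments can take a few minutes to propagate, so poll briefly.
$path = "/providers/Microsoft.Subscription/aliases/$AliasName?api-version=$AliasApi"
for ($i = 0; $i -lt 10; $i++) {
    $check = Invoke-AzRestMethod -Method GET -Path $path
    if ($check.StatusCode -eq 200) {
        Write-Host "Alias $AliasName readable by service principal: $($check.Content)"
        break
    }
    Write-Host "HTTP $($check.StatusCode) reading alias; retrying in 30s"
    Start-Sleep -Seconds 30
}
if ($check.StatusCode -ne 200) { throw "Alias still not readable: $($check.Content)" }
```

Run it from a workstation where the Global Admin can complete the interactive sign-in; the service principal secret never needs to be typed into the admin session, only read from the environment for the final check. Keep in mind that Reader at /providers/Microsoft.Subscription lets the service principal read every alias in the tenant, not just the ones it created, which is the minimum the error message asks for but still worth recording in your access review.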
