Share via

Programmatically change Azure Enterprise Agreement subscriptions

Peter Bartosinski 20 Reputation points
Jan 20, 2023, 10:11 AM

Hey Guys,

because we manage our infrastructure via Terraform, we wanna create EA subscriptions programmatically, too.
We followed the official documentation ([https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/programmatically-create-subscription-enterprise-agreement?tabs=rest) and are able to create subscriptions. Everything is working so far.

Our problem starts if we try to change an existing subscription via the Service Principal. Error Message: Code="UserNotAuthorized" Message="User does not have access Microsoft.Subscription/aliases/read over scope providers/Microsoft.Subscription/aliases/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

Updating a subscription which was created via the Service Principal works. The problem only occurs on subscriptions, which were created manually in the past.

Some things I've checked so far:

  • The Azure App has an RBAC-Role-Assignment (Owner) on both Subscriptions.
  • Both Subscriptions are assigned to the same Billing Account. Account Admin, Billing Account ID and Service-Admin are the same.

Now i wounder if there is another attribute, which needs to be changed or another permission which needs to be granted.

Azure Cost Management
Azure Cost Management
A Microsoft offering that enables tracking of cloud usage and expenditures for Azure and other cloud providers.
3,127 questions
Accepted answer
  1. Monalla-MSFT 13,051 Reputation points
    Jan 23, 2023, 4:01 PM

    @Peter Bartosinski - Thanks for reaching out to us.

    @Roderick Bant -Thank you for providing the useful information.

    Reiterating the solution here to reach broader audience and the community.

    The error message means that you need to assign the "Reader" role at the /providers/Microsoft.Subscription scope

    To resolve this, do the following:

    1. Make sure this setting (https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin#azure-portal) is turned on so all Global Admins in the tenant have "User Access Administrator" permissions at the "/" scope
    2. Using a Global Admin of the AAD tenant, connect using the Az module and assign permissions to the service principal like this: Connect-AzAccount -Tenant xxxxxxxx $sp = Get-AzADServicePrincipal -DisplayName "appdisplayname" New-AzRoleAssignment -ObjectId $sp.Id -Scope /providers/Microsoft.Subscription -RoleDefinitionName "Reader"
    3. Then retry the operation with the service principal.

    Hope this helps. and please feel free to reach out if you have any further questions.

    If the above response was helpful, please feel free to "Accept as Answer" and "Upvote" the same so it can be beneficial to the community.

    1 person found this answer helpful.
    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.