Azure Billing Restrictions

Andy Lau Pik Hui 60 Reputation points

Hi, how can I achieve the scenario below?

Create a custom role that gives user contributor role in the subscription but restrict permission to view Sentinel cost & billing. The user still may use Sentinel and view cost & billing for other resources except Sentinel's. Is this possible?

Thank you in advance.

Azure Cost Management
Azure Cost Management
A Microsoft offering that enables tracking of cloud usage and expenditures for Azure and other cloud providers.
2,028 questions
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
975 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Fabricio Godoy 2,601 Reputation points

    Hello @Andy Lau Pik Hui

    Yes, is possible.

    You need create a custon role.

    This can be achieved by creating a custom role with the following permissions:

    • Microsoft.Compute/virtualMachines/*
    • Microsoft.Network/networkInterfaces/*
    • Microsoft.Network/networkSecurityGroups/*
    • Microsoft.Network/publicIPAddresses/*
    • Microsoft.Network/virtualNetworks/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Storage/storageAccounts/*

    You can then deny the user access to view Sentinel cost and billing by adding the following deny permissions:

    • Microsoft.Insights/alertRules/*
    • Microsoft.Insights/components/*
    • Microsoft.Insights/diagnosticSettings/*
    • Microsoft.Insights/logs/*

    You can create this custom role by script or graphic view.

    I hope this help you, and if yes, don't forget to upvote and accept the answer