Azure Billing Restrictions

Andy Lau Pik Hui 65

Hi, how can I achieve the scenario below?

Create a custom role that gives user contributor role in the subscription but restrict permission to view Sentinel cost & billing. The user still may use Sentinel and view cost & billing for other resources except Sentinel's. Is this possible?

Thank you in advance.

1 answer

Fabricio Godoy 2,611

Hello @Andy Lau Pik Hui

Yes, is possible.

You need create a custon role.

This can be achieved by creating a custom role with the following permissions:

Microsoft.Compute/virtualMachines/*
Microsoft.Network/networkInterfaces/*
Microsoft.Network/networkSecurityGroups/*
Microsoft.Network/publicIPAddresses/*
Microsoft.Network/virtualNetworks/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Storage/storageAccounts/*

You can then deny the user access to view Sentinel cost and billing by adding the following deny permissions:

Microsoft.Insights/alertRules/*
Microsoft.Insights/components/*
Microsoft.Insights/diagnosticSettings/*
Microsoft.Insights/logs/*

You can create this custom role by script or graphic view.

I hope this help you, and if yes, don't forget to upvote and accept the answer

Regards

Andy Lau Pik Hui 65 Reputation points

2023-03-10T08:14:41.42+00:00

--delete repeated comment---

Andy Lau Pik Hui 65

Hi @Fabricio Godoy , thank you for your fast response.

I created a custom role in the access control (IAM) in the subscription using the permissions as shown below. After assigning the role to the user, the user could not see the Sentinel resource.

   
       "permissions": [
            {
                "actions": [
                    "Microsoft.Compute/virtualMachines/*",
                    "Microsoft.Network/networkInterfaces/*",
                    "Microsoft.Network/networkSecurityGroups/*",
                    "Microsoft.Network/publicIPAddresses/*",
                    "Microsoft.Network/virtualNetworks/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Storage/storageAccounts/*"
                ],
                "notActions": [
                    "Microsoft.Insights/alertRules/*",
                    "Microsoft.Insights/components/*",
                    "Microsoft.Insights/diagnosticSettings/*",
                    "Microsoft.Insights/logs/*"
                ],
                "dataActions": [],
                "notDataActions": []
            }
        ]

Fabricio Godoy 2,611

ohh. ok.

try this:

$roleDefinitionName = "Contributor with Billing View except for Sentinel"
$notActions = @(
    "Microsoft.OperationsManagement/solutions/*/read"
)
$actions = @(
    "Microsoft.Billing/billingAccounts/read",
    "Microsoft.Billing/billingAccounts/invoices/read"
)
$billingNamespace = "Microsoft.Billing"

# Create the custom role definition
$roleDefinition = New-AzRoleDefinition `
    -Name $roleDefinitionName `
    -Description "Contributor with Billing View except for Sentinel" `
    -Actions $actions `
    -NotActions $notActions `
    -AssignableScopes "/subscriptions/<subscription-id>"

# Assign the role to a user or group
New-AzRoleAssignment `
    -SignInName "<user-email>" `
    -RoleDefinitionName $roleDefinitionName `
    -Scope "/subscriptions/<subscription-id>"

Andy Lau Pik Hui 65 Reputation points

2023-03-12T03:31:06.33+00:00

Hi @Fabricio Godoy , when I tried in Azure Powershell, I got this error.

Ryan Hill 27,111 Microsoft Employee

Try using PSRoleDefinition object or a JSON template.

{
  "Name": "Contributor with Billing View except for Sentinel",
  "Id": null,
  "IsCustom": true,
  "Description": "Contributor with Billing View except for Sentinel",
  "Actions": [
    "Microsoft.Billing/billingAccounts/read",
    "Microsoft.Billing/billingAccounts/invoices/read"
  ],
  "NotActions": [
    "Microsoft.OperationsManagement/solutions/*/read"
  ],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000"
  ]
}

Then assign the above JSON using New-AzRoleDefinition -InputFile C:\Temp\roleDefinition.json

Share via

Azure Billing Restrictions

1 answer