Share via

Azure Billing Restrictions

Andy Lau Pik Hui 70 Reputation points
2023-03-10T07:01:24.9033333+00:00

Hi, how can I achieve the scenario below?

Create a custom role that gives user contributor role in the subscription but restrict permission to view Sentinel cost & billing. The user still may use Sentinel and view cost & billing for other resources except Sentinel's. Is this possible?

Thank you in advance.

Azure Cost Management
Azure Cost Management
A Microsoft offering that enables tracking of cloud usage and expenditures for Azure and other cloud providers.
3,298 questions
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,267 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Fabricio Godoy 2,626 Reputation points
    2023-03-10T07:22:20.3+00:00

    Hello @Andy Lau Pik Hui

    Yes, is possible.

    You need create a custon role.

    This can be achieved by creating a custom role with the following permissions:

    • Microsoft.Compute/virtualMachines/*
    • Microsoft.Network/networkInterfaces/*
    • Microsoft.Network/networkSecurityGroups/*
    • Microsoft.Network/publicIPAddresses/*
    • Microsoft.Network/virtualNetworks/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Storage/storageAccounts/*

    You can then deny the user access to view Sentinel cost and billing by adding the following deny permissions:

    • Microsoft.Insights/alertRules/*
    • Microsoft.Insights/components/*
    • Microsoft.Insights/diagnosticSettings/*
    • Microsoft.Insights/logs/*

    You can create this custom role by script or graphic view.

    I hope this help you, and if yes, don't forget to upvote and accept the answer

    Regards

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.