role access problem , Error :RBACAccessDenied

Question

Hello cumunnity, im new here and i have a question about this access problem.
I create an app from my Azure AD, this app i used for read the costs of billings account, i use this API query usage :
https://learn.microsoft.com/es-es/rest/api/cost-management/query/usage?tabs=HTTP#billingaccountquerygrouping-legacy
when i send this request : https://management.azure.com/providers/Microsoft.Billing/billingAccounts/{{billing_account}}/providers/Microsoft.CostManagement/query?api-version=2023-03-01 i have this response:

{
    "error": {
        "code": "RBACAccessDenied",
        "message": "The client does not have authorization to perform action. Request ID: 98c2999a-5964-483f-b8d6-3f2a024fe915"
    }
}

From my billing account i add the access to my app, the acces i add is : Cost management reader and Cost management contributor, but the problem persist and i not find a solution for this, i need your help, thank u for the read.

Answer 1

Hello @Lucas Duran Thank you for contacting us on Microsoft Q&A Platform. Happy to help!

I understand that you created an app from Azure AD, to read the costs of billings accounts. However, it errors out as ""RBACAccessDenied". This implies that there is a permission issue that we need to fix to run the API query successfully.

If the link you posted is the one that you used, then I believe this billing account is an EA billing account. 

In that case, since the scope is billing account, so the traditional RBAC role won’t work since you will need Enrollment Reader role on the SPN. This can only be done via calling API.

You can find the official document here: https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/assign-roles-azure-service-principals

Hope this helps. Let us know if you need further assistance in this matter!

---

If the response helped, do "Accept Answer" and up-vote it