Azure Billing Account Role Assignment

Ahmad Masalha 0 Reputation points Microsoft Employee
2023-11-16T17:27:08.47+00:00

Given a certain billing account:
`/providers/Microsoft.Billing/enrollmentAccounts/

Microsoft Entra ID

2 answers

  1. Adam Zachary 2,901 Reputation points
    2023-11-17T02:47:24.86+00:00

    Via PowerShell

    1. Determine Who Needs Access: Identify the security principal (in this case, the AAD app or principal ID). You'll need the unique ID of this object, which can be obtained using the Azure portal or Azure PowerShell.

    2. Select the Appropriate Role: Since you want to assign the Owner role, you'll have to get its unique role ID. Use the Get-AzRoleDefinition command to list roles and obtain this ID.

    3. Identify the Needed Scope: Determine the scope at which you want to assign the role. Azure provides different levels of scope: resource, resource group, subscription, and management group. Since you're dealing with a billing account, the scope might be at the subscription level or higher.

    4. Assign the Role: Use the New-AzRoleAssignment command to assign the role. The command format will depend on the scope you've chosen. For example, for a resource scope, the command would look something like this:

        ```powershell
        New-AzRoleAssignment -ObjectId <objectId> -RoleDefinitionName <roleName> -Scope <scope>
        ```
    

  2. JamesTran-MSFT 36,596 Reputation points Microsoft Employee
    2023-11-20T20:43:47.8533333+00:00

    @Ahmad Masalha

    Thank you for your post and I apologize for the delayed response!

    When it comes to assigning an Azure Billing Account RBAC role, specifically one with Microsoft.Billing/enrollmentAccounts/, you should be able to accomplish this through the Billing Reader built-in RBAC role.

    Assign Azure roles using the Azure portal:

    1. Identify the needed scope - when you assign roles, you must specify a scope (management group, subscription, resource group, and resource).
    2. Open the Add role assignment page - Access control (IAM).
    3. Select the appropriate role (for example - Billing Reader).
    4. Follow the prompts to assign the role to the appropriate user, group, or service principal.


    Note: If you assign the Billing Reader role to a group at the subscription scope, the members of that group can read billing data for every resource group and resource in the subscription.


    Additional Links:

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

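The steps from both answers combined into one script, added here as an example and not code from either poster: it resolves the principal, shows what the role grants, lists what is already effective at the scope (including inherited assignments), and only then assigns. It assumes the Az.Resources module and an authenticated session; the app name and scope in angle brackets are placeholders.

```powershell
# Added example; assumes Az.Resources is installed and Connect-AzAccount has been run.
# Values in angle brackets are placeholders, not values from this thread.
$AppName  = '<app-display-name>'                 # hypothetical service principal name
$RoleName = 'Billing Reader'                     # role named in the second answer
$Scope    = '/subscriptions/<subscription-id>'   # placeholder scope

# Step 1: resolve the principal to its object ID and refuse ambiguous matches,
# so the role cannot land on a different app that shares the display name.
$sp = @(Get-AzADServicePrincipal -DisplayName $AppName)
if ($sp.Count -ne 1) { throw "Expected one principal named '$AppName', found $($sp.Count)." }
$objectId = $sp[0].Id

# Step 2: confirm the role exists and show what it grants before assigning it.
$role = Get-AzRoleDefinition -Name $RoleName
if (-not $role) { throw "Role '$RoleName' not found." }
Write-Host "Role $($role.Name) [$($role.Id)] allows: $($role.Actions -join ', ')"

# Step 3: list what the principal already holds that is effective at this scope.
# This includes assignments inherited from parent scopes.
$existing = @(Get-AzRoleAssignment -ObjectId $objectId -Scope $Scope)
$existing | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize | Out-Host

# Step 4: assign only if the same role is not already effective here.
if ($existing.RoleDefinitionName -contains $RoleName) {
    Write-Host "'$RoleName' is already effective at $Scope; nothing to assign."
} else {
    New-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $RoleName -Scope $Scope | Out-Null
}

# Verify: output the resulting assignment so it can be kept with the change record.
Get-AzRoleAssignment -ObjectId $objectId -Scope $Scope |
    Where-Object RoleDefinitionName -eq $RoleName |
    Select-Object DisplayName, RoleDefinitionName, Scope, ObjectType
```

The `Scope` column in step 3 shows where each existing assignment was made, which makes an over-broad inherited grant visible before another one is added.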
