This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 65%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDT%3C/text%3E%3C/svg%3E)
I have 2 azure tenants (tenant 1 and tenant 2).
We also have one Enterprise agreement that we use to create subscriptions for both tenant 1 and tenant 2, the billing account that has the EA is in tenant 1, and we have an enrollment account in tenant 2 that is connected to the billing account in tenant 1.
We need to assign the subscription creator role to a service principal in tenant 2, and have used the steps in this ms learn documentation
Since the PUT request needed to assign this role expects the service principal to be in the same tenant as the billing account, i have also added the sp to tenant 1.
But, when running the PUT request to give the service principal the access to create subscriptions with the enrollment account in tenant 2, it just returns an error "role cannot be assigned since user tenant is different from account owner tenant.".
When i got that error, i had the value for principalTenantId set to the tenant ID of tenant1.
I tried again, but this time with principalTenantId being set to the value of tenant2, and then i got this error: "The provided principal Tenant Id =
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 63%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAG%3C/text%3E%3C/svg%3E)
Hi @**Daniel Tangnes,
**
I am checking on this request
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 8%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERG%3C/text%3E%3C/svg%3E)
Hi, we're having the same problem. We want to create subscriptions under our single billing/enrollment account across multiple tenants, but failing with the same issue - can't assign the subscription creator role to the service principal in tenant 2, because the enrollment account owner is in tenant 1. Is it possible, or will we have to create a second enrollment account with a tenant 2 owner?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 87%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVB%3C/text%3E%3C/svg%3E)
Hello Daniel Tangnes,
You’re running into a limitation, of the SubscriptionCreator EA role assignment only works if the service principal and billing account owner exist in the same tenant
Which was discussed in the Documentation mentioned below
That’s why the REST call errors out with messages about mismatched tenant IDs.
Try to transfer the enrollment account’s directory to tenant 2, so the SP and EA root are co-located. Then assign the role normally via the REST API call as in the MS Docs
Create a multi‑tenant Enterprise App + B2B invite
Refer from outlines that mentioned under “Access services across tenant with service principal,” steps 1–4 in the document attached
Try an alternative instead of targeting an SP, invite a guest user from tenant 2 into tenant 1, assign Subscription Creator to that guest user within tenant 1 enrollment account, then authenticate with the guest account to create subscriptions.
Please try these steps mentioned
Please let us know if it was helpful, and feel free to reach out if you have any further queries.
Hi Daniel Tangnes,
We haven’t heard from you on the last response, and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
i managed to fix it without registering the enterprise app in tenant 1.
I attempted again by running the put request with the bearer token from the owner of the enrollment account for tenant 2, and this time it worked,