How to Restrict Cost Management and Billing Access for End Clients in CSP While Assigning Owner/Contributor Role

Vinay Shivakoti 20 Reputation points
2025-06-04T16:43:25.08+00:00

Hello Community,

We are a CSP partner, and we want to assign Owner or Contributor roles to our end clients in Azure for resource management. However, we want to restrict their access to Cost Management + Billing, so they can manage resources but not view or modify any billing or cost-related data.

How can we achieve this?

Is there a way to assign Owner or Contributor privileges minus Cost Management and Billing access using Azure role-based access control (RBAC) or custom roles?

Looking forward to your guidance.

Azure Cost Management

1 answer

  1. Vinodh247 34,496 Reputation points MVP Volunteer Moderator
    2025-06-08T05:35:51.8033333+00:00

    Hi,

    Thanks for reaching out to Microsoft Q&A.

    TLDR;

    Yes, you can assign Owner/Contributor-level capabilities minus billing/cost access by using custom RBAC roles that explicitly exclude Microsoft.Billing/*, Microsoft.Consumption/*, and Microsoft.CostManagement/*. You cannot do this with default roles; a custom role is required.


    In a Microsoft CSP scenario, restricting Cost Management + Billing access while granting Owner or Contributor roles to end clients requires a nuanced approach. Azure RBAC does not allow you to subtract permissions from a built-in role like Owner or Contributor. However, you can achieve your goal using custom roles and scopes:

    Key Facts:

    1. Owner/Contributor roles include cost management permissions by default.

    2. Azure RBAC is additive: you cannot remove permissions from built-in roles; you need to create a custom role if you want precise control.

    3. Billing scopes (at CSP subscription level) are not covered by Azure RBAC. CSP partners inherently manage billing; customers should not have access unless explicitly granted.

    Recommended Solution: Use a Custom Role with Exclusions

    Step-by-step:

    1. Create a Custom Role Based on Contributor

    Create a role that includes Contributor permissions minus billing. The most relevant cost-related permissions to exclude are:

    Microsoft.Consumption/*
    Microsoft.Billing/*
    Microsoft.CostManagement/*

    Important Considerations in CSP:

    CSP billing data is controlled via Partner Center, not directly exposed via Azure billing APIs. So clients do not inherently get billing access, unless explicitly given RBAC roles that expose it (like Owner/Contributor).

    If end clients are not Account Admins and you use Azure Plan, they cannot access Partner Center billing anyway.

    Please 'Upvote' (Thumbs-up) and 'Accept' as answer if the reply was helpful. This will benefit other community members who face the same issue.
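
The custom-role approach described in the answer above, as an added example that is not part of the original thread or Microsoft's own code: it builds a role definition with the three cost namespaces in `NotActions` and evaluates operations against it, including the case where a second assignment of built-in Contributor restores cost access, because `NotActions` is an exclusion inside one role and not a deny. The subscription ID, role name, sample operation strings and the shortened Contributor `NotActions` list are assumptions.

```python
import json
import re

# Placeholder subscription scope (assumption); replace with the client's subscription.
SUBSCRIPTION_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Cost-related namespaces named in the answer above.
COST_NOT_ACTIONS = ["Microsoft.Billing/*", "Microsoft.Consumption/*",
                    "Microsoft.CostManagement/*"]

# Subset of the built-in Contributor NotActions (assumption: compare with the
# current output of `az role definition list --name Contributor`).
CONTRIBUTOR_NOT_ACTIONS = ["Microsoft.Authorization/*/Delete",
                           "Microsoft.Authorization/*/Write",
                           "Microsoft.Authorization/elevateAccess/Action"]

BUILTIN_CONTRIBUTOR = {"Name": "Contributor", "Actions": ["*"],
                       "NotActions": CONTRIBUTOR_NOT_ACTIONS}

def build_role(name="Contributor Without Cost Access (example)"):
    """Return a custom role definition in the JSON shape Azure RBAC expects."""
    return {
        "Name": name,  # hypothetical role name
        "IsCustom": True,
        "Description": "Contributor-level access minus billing and cost data.",
        "Actions": ["*"],
        "NotActions": CONTRIBUTOR_NOT_ACTIONS + COST_NOT_ACTIONS,
        "AssignableScopes": [SUBSCRIPTION_SCOPE],
    }

def _matches(pattern, operation):
    # '*' is the only wildcard; operation names compare case-insensitively.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def role_allows(role, operation):
    """Within one role: granted by Actions and not removed by NotActions."""
    granted = any(_matches(p, operation) for p in role["Actions"])
    excluded = any(_matches(p, operation) for p in role.get("NotActions", []))
    return granted and not excluded

def effective_allows(roles, operation):
    """Across assignments RBAC is additive: any role that allows it wins."""
    return any(role_allows(r, operation) for r in roles)

if __name__ == "__main__":
    print(json.dumps(build_role(), indent=2))  # save and pass to role creation
    cost_op = "Microsoft.CostManagement/query/action"  # constructed sample
    print(effective_allows([build_role()], cost_op))                       # False
    print(effective_allows([build_role(), BUILTIN_CONTRIBUTOR], cost_op))  # True
```

When auditing a client's access, run the same check over every role assigned to the principal at the subscription and its parent scopes, not only the custom role.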

