
Is there a Reservations Contributor RBAC so I can create a Service Principal with tenant level read and write access for PTU reservations?

William Heng 0 Reputation points
2026-04-02T21:37:13.1166667+00:00

Is there a Reservations Contributor RBAC so I can create a Service Principal with tenant level read and write access for PTU reservations?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Rukmini 35,905 Reputation points Microsoft External Staff Moderator
    2026-04-02T21:51:03.5433333+00:00

    Hello William Heng

    Use the Reservations Contributor RBAC role.

    • Tenant level (/providers/Microsoft.Capacity) is the scope.
    • Read and write for reservations (including PTU). Assign this role at the tenant scope for the SPN.
    • If role assignment permissions are also needed, use Reservations Administrator.

    Let me know if you have any further queries; feel free to reach out!


  2. Q&A Assist
    2026-04-02T21:37:25.9866667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Yes. Azure provides a built-in Reservations Contributor RBAC role that can be used at the tenant scope and assigned to a service principal to give read/write access to reservations (including PTU reservations) across the tenant.

    Key points:

    1. Role capabilities
      The Reservations Contributor role:
      • Can manage (read and write) one or more reservations in the Microsoft Entra tenant.
      • Cannot delegate RBAC roles to other users.
    2. Scope
      Reservation-specific RBAC roles (including Reservations Contributor) can be scoped:
      • To a specific reservation or subscription, or
      • To the tenant (directory) level, which is what is needed for tenant-wide PTU reservation management.
    3. Assigning Reservations Contributor at tenant level to a service principal (PowerShell)
      Use the New-AzRoleAssignment cmdlet with the Microsoft.Capacity tenant scope and the service principal’s object ID:
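         Import-Module Az.Accounts
         Import-Module Az.Resources

         # Sign in to the tenant that owns the reservations
         Connect-AzAccount -Tenant <TenantId>

         # PowerShell continues a line with a backtick, not a backslash
         New-AzRoleAssignment `
           -Scope "/providers/Microsoft.Capacity" `
           -PrincipalId <ObjectId> `
           -RoleDefinitionName "Reservations Contributor"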
      
      • -TenantId is the tenant GUID.
      • -PrincipalId (ObjectId) is the Microsoft Entra object ID of the service principal that should manage PTU reservations.
    4. Prerequisites for assigning at tenant level
      • To grant reservation roles at tenant scope, the assigning identity must have User Access Administrator rights at tenant level (typically via elevated access) and usually be a Global Administrator when assigning via the Azure portal.

    Once assigned, the service principal with Reservations Contributor at scope "/providers/Microsoft.Capacity" has tenant-level read/write access to reservations, suitable for PTU reservation automation.


    0 comments No comments
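
A check to run after the assignment described in the answers above, as an added example that is not part of either answer or of Microsoft's documentation: it confirms the service principal holds Reservations Contributor at /providers/Microsoft.Capacity and flags any role that would let it delegate access. The function name Test-ReservationAssignment, the object ID and the sample assignments are constructed for illustration; the property names (ObjectId, Scope, RoleDefinitionName) are those returned by Get-AzRoleAssignment.

```powershell
# Added example: hypothetical audit helper, not a Microsoft cmdlet.
function Test-ReservationAssignment {
    param(
        [Parameter(Mandatory)] [object[]] $Assignments,  # objects shaped like Get-AzRoleAssignment output
        [Parameter(Mandatory)] [string]   $PrincipalId   # Entra object ID of the service principal
    )
    $scope    = '/providers/Microsoft.Capacity'
    $expected = 'Reservations Contributor'
    # Roles that can grant access to others; Reservations Contributor cannot.
    $delegating = 'Reservations Administrator', 'User Access Administrator', 'Owner'

    # Keep only the assignments that belong to this principal.
    $mine = @($Assignments | Where-Object { $_.ObjectId -eq $PrincipalId })

    [pscustomobject]@{
        # True when the intended role is present at the reservation tenant scope.
        HasExpectedRole = [bool]($mine | Where-Object {
            $_.Scope -eq $scope -and $_.RoleDefinitionName -eq $expected })
        # Anything here exceeds the read/write access the question asked for.
        DelegatingRoles = @($mine | Where-Object { $_.RoleDefinitionName -in $delegating })
        # Assignments outside the reservation scope, listed for review.
        OtherScopes     = @($mine | Where-Object { $_.Scope -ne $scope })
    }
}

# Constructed sample data (not from a real tenant).
$spId = '00000000-0000-0000-0000-000000000001'
$sample = @(
    [pscustomobject]@{ ObjectId = $spId; Scope = '/providers/Microsoft.Capacity'
                       RoleDefinitionName = 'Reservations Contributor' }
    [pscustomobject]@{ ObjectId = $spId; Scope = '/'
                       RoleDefinitionName = 'User Access Administrator' }
)

$result = Test-ReservationAssignment -Assignments $sample -PrincipalId $spId
$result.HasExpectedRole
$result.DelegatingRoles | Format-Table Scope, RoleDefinitionName

# Against a live tenant (assumed usage), feed it real assignments instead:
#   $live = Get-AzRoleAssignment -ObjectId $spId -Scope '/providers/Microsoft.Capacity'
#   Test-ReservationAssignment -Assignments $live -PrincipalId $spId
```

An empty DelegatingRoles list together with HasExpectedRole set to True indicates the principal has the reservation access requested and no ability to hand out roles.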
