Permissions to view and manage Azure reservations

This article explains how reservation permissions work and how users can view and manage Azure reservations in the Azure portal and with Azure PowerShell.

Note

We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

Who can manage a reservation by default

By default, the following users can view and manage reservations:

  • The person who buys a reservation and the account administrator of the billing subscription used to buy the reservation are added to the reservation order.
  • Enterprise Agreement and Microsoft Customer Agreement billing administrators.
  • Users with elevated access to manage all Azure subscriptions and management groups.
  • A Reservation administrator, for reservations in their Azure Active Directory (Azure AD) tenant (directory).
  • A Reservation reader, who has read-only access to reservations in their Azure Active Directory tenant (directory).

The reservation lifecycle is independent of an Azure subscription, so the reservation isn't a resource under the Azure subscription. Instead, it's a tenant-level resource with its own Azure RBAC permission separate from subscriptions. Reservations don't inherit permissions from subscriptions after the purchase.

View and manage reservations

If you're a billing administrator, use the following steps to view and manage all reservations and reservation transactions in the Azure portal.

  1. Sign in to the Azure portal and navigate to Cost Management + Billing.
    • If you're an EA admin, in the left menu, select Billing scopes and then in the list of billing scopes, select one.
    • If you're a Microsoft Customer Agreement billing profile owner, in the left menu, select Billing profiles. In the list of billing profiles, select one.
  2. In the left menu, select Products + services > Reservations.
  3. The complete list of reservations for your EA enrollment or billing profile is shown.
  4. Billing administrators can take ownership of a reservation by selecting one or multiple reservations, selecting Grant access and selecting Grant access in the window that appears.

Add billing administrators

Add a user as billing administrator to an Enterprise Agreement or a Microsoft Customer Agreement in the Azure portal.

  • For an Enterprise Agreement, add users with the Enterprise Administrator role to view and manage all reservation orders that apply to the Enterprise Agreement. Enterprise administrators can view and manage reservations in Cost Management + Billing.
    • Users with the Enterprise Administrator (read only) role can only view the reservation from Cost Management + Billing.
    • Department admins and account owners can't view reservations unless they're explicitly added to them using Access control (IAM). For more information, see Managing Azure Enterprise roles.
  • For a Microsoft Customer Agreement, users with the billing profile owner role or the billing profile contributor role can manage all reservation purchases made using the billing profile. Billing profile readers and invoice managers can view all reservations that are paid for with the billing profile. However, they can't make changes to reservations. For more information, see Billing profile roles and tasks.

View reservations with Azure RBAC access

If you purchased the reservation or you're added to a reservation, use the following steps to view and manage reservations in the Azure portal.

  1. Sign in to the Azure portal.
  2. Select All Services > Reservations to list reservations that you have access to.

Manage subscriptions and management groups with elevated access

You can elevate a user's access to manage all Azure subscriptions and management groups.

After you have elevated access:

  1. Navigate to All Services > Reservations to see all reservations that are in the tenant.
  2. To make modifications to the reservation, add yourself as an owner of the reservation order using Access control (IAM).

Grant access to individual reservations

Users who have owner access on the reservations and billing administrators can delegate access management for an individual reservation order in the Azure portal.

To allow other people to manage reservations, you have two options:

  • Delegate access management for an individual reservation order by assigning the Owner role to a user at the resource scope of the reservation order. If you want to give limited access, select a different role.
    For detailed steps, see Assign Azure roles using the Azure portal.

  • Add a user as billing administrator to an Enterprise Agreement or a Microsoft Customer Agreement:

    • For an Enterprise Agreement, add users with the Enterprise Administrator role to view and manage all reservation orders that apply to the Enterprise Agreement. Users with the Enterprise Administrator (read only) role can only view the reservation. Department admins and account owners can't view reservations unless they're explicitly added to them using Access control (IAM). For more information, see Managing Azure Enterprise roles.

      Enterprise Administrators can take ownership of a reservation order and they can add other users to a reservation using Access control (IAM).

    • For a Microsoft Customer Agreement, users with the billing profile owner role or the billing profile contributor role can manage all reservation purchases made using the billing profile. Billing profile readers and invoice managers can view all reservations that are paid for with the billing profile. However, they can't make changes to reservations. For more information, see Billing profile roles and tasks.

Grant access with PowerShell

Users that have owner access for reservation orders, users with elevated access, and User Access Administrators can delegate access management for all reservation orders they have access to.

Access granted using PowerShell isn't shown in the Azure portal. Instead, you use the Get-AzRoleAssignment command in the following section to view assigned roles.

Assign the owner role for all reservations

Use the following Azure PowerShell script to give a user Azure RBAC access to all reservation orders in their Azure AD tenant (directory).


Import-Module Az.Accounts
Import-Module Az.Resources

Connect-AzAccount -Tenant <TenantId>

# List reservations visible to the signed-in account.
$response = Invoke-AzRestMethod -Path "/providers/Microsoft.Capacity/reservations?api-version=2020-06-01" -Method GET

$responseJSON = $response.Content | ConvertFrom-Json

$reservationObjects = $responseJSON.value

foreach ($reservation in $reservationObjects)
{
  # The first 84 characters of a reservation ID are its reservation order ID:
  # /providers/Microsoft.Capacity/reservationorders/<GUID>
  $reservationOrderId = $reservation.id.Substring(0, 84)
  Write-Host "Assigning Owner role assignment to $reservationOrderId"
  New-AzRoleAssignment -Scope $reservationOrderId -ObjectId <ObjectId> -RoleDefinitionName Owner
}

When you use the PowerShell script to assign the ownership role and it runs successfully, a success message isn’t returned.

Parameters

-ObjectId Azure AD ObjectId of the user, group, or service principal.

  • Type: String
  • Aliases: Id, PrincipalId
  • Position: Named
  • Default value: None
  • Accept pipeline input: True
  • Accept wildcard characters: False

-TenantId Tenant unique identifier.

  • Type: String
  • Position: 5
  • Default value: None
  • Accept pipeline input: False
  • Accept wildcard characters: False

Tenant-level access

User Access Administrator rights are required before you can grant users or groups the Reservation Administrator and Reservation Reader roles at the tenant level. In order to get User Access Administrator rights at the tenant level, follow Elevate access steps.

Add a Reservation Administrator role or Reservation Reader role at the tenant level

You can assign these roles from the Azure portal.

  1. Sign in to the Azure portal and navigate to Reservations.
  2. At the top of the page, select Role Assignment.
  3. To make modifications, add a user as a Reservation Administrator or Reservation Reader using Access control.

Add a Reservation Administrator role at the tenant level using Azure PowerShell script

Use the following Azure PowerShell script to add a Reservation Administrator role at the tenant level.

Import-Module Az.Accounts
Import-Module Az.Resources
Connect-AzAccount -Tenant <TenantId>
New-AzRoleAssignment -Scope "/providers/Microsoft.Capacity" -PrincipalId <ObjectId> -RoleDefinitionName "Reservations Administrator"

Parameters

-ObjectId Azure AD ObjectId of the user, group, or service principal.

  • Type: String
  • Aliases: Id, PrincipalId
  • Position: Named
  • Default value: None
  • Accept pipeline input: True
  • Accept wildcard characters: False

-TenantId Tenant unique identifier.

  • Type: String
  • Position: 5
  • Default value: None
  • Accept pipeline input: False
  • Accept wildcard characters: False

Assign a Reservation Reader role at the tenant level using Azure PowerShell script

Use the following Azure PowerShell script to assign the Reservation Reader role at the tenant level.


Import-Module Az.Accounts
Import-Module Az.Resources

Connect-AzAccount -Tenant <TenantId>

New-AzRoleAssignment -Scope "/providers/Microsoft.Capacity" -PrincipalId <ObjectId> -RoleDefinitionName "Reservations Reader"

Parameters

-ObjectId Azure AD ObjectId of the user, group, or service principal.

  • Type: String
  • Aliases: Id, PrincipalId
  • Position: Named
  • Default value: None
  • Accept pipeline input: True
  • Accept wildcard characters: False

-TenantId Tenant unique identifier.

  • Type: String
  • Position: 5
  • Default value: None
  • Accept pipeline input: False
  • Accept wildcard characters: False
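
Because access granted with PowerShell isn't shown in the Azure portal, the following added example (not part of the original article) uses Get-AzRoleAssignment to audit role assignments at the tenant-level reservation scope and on each reservation order. The helper function names and report columns are assumptions made for illustration, and `<TenantId>` is a placeholder.

```powershell
# Added example (not from the original article): read-only audit of Azure RBAC
# assignments on reservation orders and at the tenant-level reservation scope.
Import-Module Az.Accounts
Import-Module Az.Resources

$TenantId = '<TenantId>'   # placeholder: your Azure AD tenant ID

function Get-ReservationOrderScope {
    # Hypothetical helper: returns "/providers/Microsoft.Capacity/reservationorders/<id>"
    # from a full reservation ID by pattern instead of a fixed character count.
    param([Parameter(Mandatory)][string]$ReservationId)
    if ($ReservationId -match '^(/providers/Microsoft\.Capacity/reservationorders/[^/]+)') {
        return $Matches[1]
    }
    throw "Unexpected reservation ID format: $ReservationId"
}

function Get-ReservationAccessReport {
    # Hypothetical helper: lists role assignments returned for each scope and
    # marks Owner and User Access Administrator, which can delegate access.
    param([Parameter(Mandatory)][string[]]$Scope)
    foreach ($s in $Scope) {
        Get-AzRoleAssignment -Scope $s | ForEach-Object {
            [pscustomobject]@{
                QueriedScope  = $s
                AssignedAt    = $_.Scope
                Role          = $_.RoleDefinitionName
                Principal     = $_.DisplayName
                PrincipalType = $_.ObjectType
                ObjectId      = $_.ObjectId
                CanDelegate   = $_.RoleDefinitionName -in 'Owner', 'User Access Administrator'
            }
        }
    }
}

Connect-AzAccount -Tenant $TenantId | Out-Null

# Same REST call as the article's script; only the first page of results is read.
$response = Invoke-AzRestMethod -Path '/providers/Microsoft.Capacity/reservations?api-version=2020-06-01' -Method GET
if ($response.StatusCode -ne 200) { throw "Listing reservations failed: HTTP $($response.StatusCode)" }

# Several reservations can share one order, so de-duplicate the order scopes.
$orderScopes = @(($response.Content | ConvertFrom-Json).value | Where-Object { $_ } |
    ForEach-Object { Get-ReservationOrderScope -ReservationId $_.id } | Sort-Object -Unique)

# Include the tenant-level scope used for Reservations Administrator/Reader.
$report = Get-ReservationAccessReport -Scope (@('/providers/Microsoft.Capacity') + $orderScopes)
$report | Sort-Object QueriedScope, Role | Format-Table -AutoSize
```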
