---
title: Grant access to create Azure Enterprise subscriptions | Microsoft Docs
description: Learn how to give a user or service principal the ability to programmatically create Azure Enterprise subscriptions.
services: azure-resource-manager
author: adpick
manager: adpick
editor: ''
ms.assetid: ''
ms.service: azure-resource-manager
ms.devlang: na
ms.topic: conceptual
ms.tgt_pltfrm: na
ms.workload: na
ms.date: 06/05/2018
ms.author: adpick
---
As an Azure customer on Enterprise Agreement (EA), you can give another user or service principal permission to create subscriptions billed to your account. In this article, you learn how to use Role-Based Access Control (RBAC) to share the ability to create subscriptions, and how to audit subscription creations. You must have the Owner role on the account you wish to share.
To create a subscription, see Programmatically create Azure Enterprise subscriptions (preview).
To give another user or service principal the ability to create subscriptions against a specific account, give them an RBAC Owner role at the scope of the enrollment account. The following example gives a user in the tenant with principalId of `<userObjectId>` (for [email protected]) an Owner role on the enrollment account. To find the enrollment account ID and principal ID, see Programmatically create Azure Enterprise subscriptions (preview).
```json
PUT https://management.azure.com/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleAssignments/<roleAssignmentGuid>?api-version=2015-07-01

{
  "properties": {
    "roleDefinitionId": "/providers/Microsoft.Billing/enrollmentAccounts/providers/Microsoft.Authorization/roleDefinitions/<ownerRoleDefinitionId>",
    "principalId": "<userObjectId>"
  }
}
```
When the Owner role is successfully assigned at the enrollment account scope, Azure responds with the details of the new role assignment:
```json
{
  "properties": {
    "roleDefinitionId": "/providers/Microsoft.Billing/enrollmentAccounts/providers/Microsoft.Authorization/roleDefinitions/<ownerRoleDefinitionId>",
    "principalId": "<userObjectId>",
    "scope": "/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "createdOn": "2018-03-05T08:36:26.4014813Z",
    "updatedOn": "2018-03-05T08:36:26.4014813Z",
    "createdBy": "<assignerObjectId>",
    "updatedBy": "<assignerObjectId>"
  },
  "id": "/providers/Microsoft.Billing/enrollmentAccounts/providers/Microsoft.Authorization/roleDefinitions/<ownerRoleDefinitionId>",
  "type": "Microsoft.Authorization/roleAssignments",
  "name": "<roleAssignmentGuid>"
}
```
In Azure PowerShell, use the `New-AzureRmRoleAssignment` cmdlet to give another user Owner access to your enrollment account:

```powershell
New-AzureRmRoleAssignment -RoleDefinitionName Owner -ObjectId <userObjectId> -Scope /providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx
```

In Azure CLI, use the `az role assignment create` command to give another user Owner access to your enrollment account:

```azurecli
az role assignment create --role Owner --assignee-object-id <userObjectId> --scope /providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx
```
Once a user becomes an RBAC Owner for your enrollment account, they can programmatically create subscriptions under it. A subscription created by a delegated user still has the original Account Owner as Service Admin, but it also has the delegated user as an Owner by default.
To track the subscriptions created via this API, use the Tenant Activity Log API. It's currently not possible to use PowerShell, the CLI, or the Azure portal to track subscription creation.
- As a tenant admin of the Azure AD tenant, elevate access, then assign a Reader role to the auditing user over the scope `/providers/microsoft.insights/eventtypes/management`.
- As the auditing user, call the Tenant Activity Log API to see subscription creation activities. Example:

```http
GET "/providers/Microsoft.Insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '{greaterThanTimeStamp}' and eventTimestamp le '{lessThanTimestamp}' and eventChannels eq 'Operation' and resourceProvider eq 'Microsoft.Subscription'"
```
> [!NOTE]
> To conveniently call this API from the command line, try ARMClient.
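The grant step and the audit step above, as an added example that is not code from this article or from Microsoft: it builds the Owner role-assignment request for an enrollment account, builds the Tenant Activity Log query with the same `$filter`, and reduces a constructed Activity Log response to the Microsoft.Subscription events an auditor would review. Sending the requests with a bearer token is left to the caller, and the caller ids and operation names in the sample are made up.

```python
# Added example, not from the Microsoft Docs page: build the Owner role
# assignment request for an enrollment account and reduce a Tenant Activity
# Log response to Microsoft.Subscription events. No network call is made.
from urllib.parse import quote

ARM = "https://management.azure.com"
ENROLLMENT_ACCOUNTS = "/providers/Microsoft.Billing/enrollmentAccounts"


def owner_role_assignment(enrollment_account_id, owner_role_definition_id,
                          principal_id, role_assignment_guid):
    """Return (method, url, body) for the PUT that grants Owner at the
    enrollment-account scope; the GUID names the new assignment."""
    scope = f"{ENROLLMENT_ACCOUNTS}/{enrollment_account_id}"
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments/"
           f"{role_assignment_guid}?api-version=2015-07-01")
    body = {"properties": {
        "roleDefinitionId": f"{ENROLLMENT_ACCOUNTS}/providers/Microsoft.Authorization"
                            f"/roleDefinitions/{owner_role_definition_id}",
        "principalId": principal_id}}
    return "PUT", url, body


def activity_log_url(start_iso, end_iso):
    """Tenant Activity Log query with the page's $filter, URL-encoded."""
    flt = (f"eventTimestamp ge '{start_iso}' and eventTimestamp le '{end_iso}' and "
           "eventChannels eq 'Operation' and resourceProvider eq 'Microsoft.Subscription'")
    return (f"{ARM}/providers/Microsoft.Insights/eventtypes/management/values"
            f"?api-version=2015-04-01&$filter={quote(flt)}")


def subscription_creations(log_response):
    """Keep only Microsoft.Subscription events as (timestamp, caller, operation, status)."""
    hits = []
    for ev in log_response.get("value", []):
        if ev.get("resourceProviderName", {}).get("value", "").lower() != "microsoft.subscription":
            continue
        hits.append((ev["eventTimestamp"], ev.get("caller"),
                     ev["operationName"]["value"], ev.get("status", {}).get("value")))
    return hits


# Constructed sample response: field names follow the Activity Log event schema,
# the caller ids and operation names are made up. The second event is filtered out.
SAMPLE_LOG = {"value": [
    {"eventTimestamp": "2018-03-05T09:00:00Z", "caller": "<delegatedObjectId>",
     "resourceProviderName": {"value": "Microsoft.Subscription"},
     "operationName": {"value": "Microsoft.Subscription/createSubscription/action"},
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2018-03-05T09:05:00Z", "caller": "<otherObjectId>",
     "resourceProviderName": {"value": "Microsoft.Resources"},
     "operationName": {"value": "Microsoft.Resources/deployments/write"},
     "status": {"value": "Succeeded"}}]}
```

Running `subscription_creations(SAMPLE_LOG)` returns only the first event, which is the record an auditor would correlate with the delegated Owner assigned above.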
- Now that the user or service principal has permission to create a subscription, you can use that identity to programmatically create Azure Enterprise subscriptions.
- For an example on creating subscriptions using .NET, see sample code on GitHub.
- To learn more about Azure Resource Manager and its APIs, see Azure Resource Manager overview.
- To learn more about managing large numbers of subscriptions using management groups, see Organize your resources with Azure management groups.
- To see comprehensive best practice guidance for large organizations on subscription governance, see Azure enterprise scaffold - prescriptive subscription governance.