Grant access to create Azure Enterprise subscriptions (legacy)

Article
09/24/2024

In this article, you learn how to use Azure role-based access control (Azure RBAC) to share the ability to create subscriptions, and how to audit subscription creations. You must have the Owner role on the account you wish to share.

Note

This API only works with the legacy APIs for subscription creation.
Unless you have a specific need to use the legacy APIs, you should use the information for the latest GA version about the latest API version. See Enrollment Account Role Assignments - Put to grant permission to create EA subscriptions with the latest API.
If you're migrating to use the newer APIs, you must grant owner permissions again using 2019-10-01-preview. Your previous configuration that uses the following APIs doesn't automatically convert for use with newer APIs.

Note

We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

Grant access

To create subscriptions under an enrollment account, users must have the Azure RBAC Owner role on that account. You can grant a user or a group of users the Azure RBAC Owner role on an enrollment account by following these steps:

Get the object ID of the enrollment account you want to grant access to

To grant others the Azure RBAC Owner role on an enrollment account, you must either be the Account Owner or an Azure RBAC Owner of the account.
Request to list all enrollment accounts you have access to:
```
GET https://management.chinacloudapi.cn/providers/Microsoft.Billing/enrollmentAccounts?api-version=2018-03-01-preview
```
Azure responds with a list of all enrollment accounts you have access to:
```
{
  "value": [
    {
      "id": "/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "name": "747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "type": "Microsoft.Billing/enrollmentAccounts",
      "properties": {
        "principalName": "SignUpEngineering@contoso.com"
      }
    },
    {
      "id": "/providers/Microsoft.Billing/enrollmentAccounts/4cd2fcf6-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "name": "4cd2fcf6-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "type": "Microsoft.Billing/enrollmentAccounts",
      "properties": {
        "principalName": "BillingPlatformTeam@contoso.com"
      }
    }
  ]
}
```
Use the principalName property to identify the account that you want to grant Azure RBAC Owner access to. Copy the name of that account. For example, if you wanted to grant Azure RBAC Owner access to the SignUpEngineering@contoso.com enrollment account, you'd copy 747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx. It's the object ID of the enrollment account. Paste this value somewhere so that you can use it in the next step as enrollmentAccountObjectId.
Use the Get-AzEnrollmentAccount cmdlet to list all enrollment accounts you have access to. Select Try it to open Azure Cloud Shell. To paste the code, select and hold (or right-click) the shell windows, and the select Paste.
```
Get-AzEnrollmentAccount
```
Azure responds with a list of enrollment accounts you have access to:
```
ObjectId                               | PrincipalName
747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx   | SignUpEngineering@contoso.com
4cd2fcf6-xxxx-xxxx-xxxx-xxxxxxxxxxxx   | BillingPlatformTeam@contoso.com
```
Use the principalName property to identify the account you want to grant Azure RBAC Owner access to. Copy the ObjectId of that account. For example, if you wanted to grant Azure RBAC Owner access to the SignUpEngineering@contoso.com enrollment account, you'd copy 747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx. Paste this object ID somewhere so that you can use it in the next step as the enrollmentAccountObjectId.
```
az billing enrollment-account list
```
Azure responds with a list of enrollment accounts you have access to:
```
[
  {
    "id": "/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "name": "747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "principalName": "SignUpEngineering@contoso.com",
    "type": "Microsoft.Billing/enrollmentAccounts",
  },
  {
    "id": "/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "name": "4cd2fcf6-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "principalName": "BillingPlatformTeam@contoso.com",
    "type": "Microsoft.Billing/enrollmentAccounts",
  }
]
```
Use the principalName property to identify the account that you want to grant Azure RBAC Owner access to. Copy the name of that account. For example, if you wanted to grant Azure RBAC Owner access to the SignUpEngineering@contoso.com enrollment account, you'd copy 747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx. It's the object ID of the enrollment account. Paste this value somewhere so that you can use it in the next step as enrollmentAccountObjectId.
Get object ID of the user or group you want to give the Azure RBAC Owner role to
1. In the Azure portal, search on Microsoft Entra ID.
2. If you want to grant a user access, select Users in the menu on the left. To give access to a group, select Groups.
3. Select the User or Group you want to give the Azure RBAC Owner role to.
4. If you selected a User, you'll find the object ID in the Profile page. If you selected a Group, the object ID will be in the Overview page. Copy the ObjectID by selecting the icon to the right of the text box. Paste it somewhere so that you can use it in the next step as userObjectId.

Grant the user or group the Azure RBAC Owner role on the enrollment account

Using the values you collected in the first two steps, grant the user or group the Azure RBAC Owner role on the enrollment account.

Run the following command, replacing <enrollmentAccountObjectId> with the name you copied in the first step (747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx). Replace <userObjectId> with the object ID you copied from the second step.

PUT  https://management.chinacloudapi.cn/providers/Microsoft.Billing/enrollmentAccounts/<enrollmentAccountObjectId>/providers/Microsoft.Authorization/roleAssignments/<roleAssignmentGuid>?api-version=2015-07-01

{
  "properties": {
    "roleDefinitionId": "/providers/Microsoft.Billing/enrollmentAccounts/<enrollmentAccountObjectId>/providers/Microsoft.Authorization/roleDefinitions/<ownerRoleDefinitionId>",
    "principalId": "<userObjectId>"
  }
}

When the Owner role is successfully assigned at the enrollment account scope, Azure responds with information of the role assignment:

{
  "properties": {
    "roleDefinitionId": "/providers/Microsoft.Billing/enrollmentAccounts/providers/Microsoft.Authorization/roleDefinitions/<ownerRoleDefinitionId>",
    "principalId": "<userObjectId>",
    "scope": "/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "createdOn": "2018-03-05T08:36:26.4014813Z",
    "updatedOn": "2018-03-05T08:36:26.4014813Z",
    "createdBy": "<assignerObjectId>",
    "updatedBy": "<assignerObjectId>"
  },
  "id": "/providers/Microsoft.Billing/enrollmentAccounts/providers/Microsoft.Authorization/roleDefinitions/<ownerRoleDefinitionId>",
  "type": "Microsoft.Authorization/roleAssignments",
  "name": "<roleAssignmentGuid>"
}

Run the following New-AzRoleAssignment command, replacing <enrollmentAccountObjectId> with the ObjectId collected in the first step (747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx). Replace <userObjectId> with the object ID collected in the second step.

New-AzRoleAssignment -RoleDefinitionName Owner -ObjectId <userObjectId> -Scope /providers/Microsoft.Billing/enrollmentAccounts/<enrollmentAccountObjectId>

Run the following az role assignment create command, replacing <enrollmentAccountObjectId> with the name you copied in the first step (747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx). Replace <userObjectId> with the object ID collected in the second step.

az role assignment create --role Owner --assignee-object-id <userObjectId> --scope /providers/Microsoft.Billing/enrollmentAccounts/<enrollmentAccountObjectId>

Once a user becomes an Azure RBAC Owner for your enrollment account, they can programmatically create subscriptions under it. When a delegated user creates a subscription, they get the Azure RBAC Owner role for the subscription.

Audit who created subscriptions using activity logs

To track the subscriptions created via this API, use the Tenant Activity Log API. It's currently not possible to use PowerShell, CLI, or Azure portal to track subscription creation.

As a tenant admin of the Microsoft Entra tenant, elevate access then assign a Reader role to the auditing user over the scope /providers/microsoft.insights/eventtypes/management. This access is available in the Reader role, the Monitoring contributor role, or a custom role.

As the auditing user, call the Tenant Activity Log API to see subscription creation activities. Example:

GET "/providers/Microsoft.Insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '{greaterThanTimeStamp}' and eventTimestamp le '{lessThanTimestamp}' and eventChannels eq 'Operation' and resourceProvider eq 'Microsoft.Subscription'"

To conveniently call this API from the command line, try ARMClient.

Now that the user or service principal has permission to create a subscription, you can use that identity to programmatically create Azure Enterprise subscriptions.
For an example on creating subscriptions using .NET, see sample code on GitHub.
To learn more about Azure Resource Manager and its APIs, see Azure Resource Manager overview.
To learn more about managing large numbers of subscriptions using management groups, see Organize your resources with Azure management groups

Grant access to create Azure Enterprise subscriptions (legacy)

Grant access

Audit who created subscriptions using activity logs

Related content

Additional resources