Grant access to create Azure Enterprise subscriptions (legacy)

In this article, you learn how to use Azure role-based access control (Azure RBAC) to share the ability to create subscriptions, and how to audit subscription creations. You must have the Owner role on the account you wish to share.

Note

Note

We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

Grant access

To create subscriptions under an enrollment account, users must have the Azure RBAC Owner role on that account. You can grant a user or a group of users the Azure RBAC Owner role on an enrollment account by following these steps:

  1. Get the object ID of the enrollment account you want to grant access to

    To grant others the Azure RBAC Owner role on an enrollment account, you must either be the Account Owner or an Azure RBAC Owner of the account.

    Request to list all enrollment accounts you have access to:

    GET https://management.chinacloudapi.cn/providers/Microsoft.Billing/enrollmentAccounts?api-version=2018-03-01-preview
    

    Azure responds with a list of all enrollment accounts you have access to:

    {
      "value": [
        {
          "id": "/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
          "name": "747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
          "type": "Microsoft.Billing/enrollmentAccounts",
          "properties": {
            "principalName": "SignUpEngineering@contoso.com"
          }
        },
        {
          "id": "/providers/Microsoft.Billing/enrollmentAccounts/4cd2fcf6-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
          "name": "4cd2fcf6-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
          "type": "Microsoft.Billing/enrollmentAccounts",
          "properties": {
            "principalName": "BillingPlatformTeam@contoso.com"
          }
        }
      ]
    }
    

    Use the principalName property to identify the account that you want to grant Azure RBAC Owner access to. Copy the name of that account. For example, if you wanted to grant Azure RBAC Owner access to the SignUpEngineering@contoso.com enrollment account, you'd copy 747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx. It's the object ID of the enrollment account. Paste this value somewhere so that you can use it in the next step as enrollmentAccountObjectId.

    Use the principalName property to identify the account that you want to grant Azure RBAC Owner access to. Copy the name of that account. For example, if you wanted to grant Azure RBAC Owner access to the SignUpEngineering@contoso.com enrollment account, you'd copy 747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx. It's the object ID of the enrollment account. Paste this value somewhere so that you can use it in the next step as enrollmentAccountObjectId.

  2. Get object ID of the user or group you want to give the Azure RBAC Owner role to

    1. In the Azure portal, search on Microsoft Entra ID.
    2. If you want to grant a user access, select Users in the menu on the left. To give access to a group, select Groups.
    3. Select the User or Group you want to give the Azure RBAC Owner role to.
    4. If you selected a User, you'll find the object ID in the Profile page. If you selected a Group, the object ID will be in the Overview page. Copy the ObjectID by selecting the icon to the right of the text box. Paste it somewhere so that you can use it in the next step as userObjectId.
  3. Grant the user or group the Azure RBAC Owner role on the enrollment account

    Using the values you collected in the first two steps, grant the user or group the Azure RBAC Owner role on the enrollment account.

    Run the following command, replacing <enrollmentAccountObjectId> with the name you copied in the first step (747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx). Replace <userObjectId> with the object ID you copied from the second step.

    PUT  https://management.chinacloudapi.cn/providers/Microsoft.Billing/enrollmentAccounts/<enrollmentAccountObjectId>/providers/Microsoft.Authorization/roleAssignments/<roleAssignmentGuid>?api-version=2015-07-01
    
    {
      "properties": {
        "roleDefinitionId": "/providers/Microsoft.Billing/enrollmentAccounts/<enrollmentAccountObjectId>/providers/Microsoft.Authorization/roleDefinitions/<ownerRoleDefinitionId>",
        "principalId": "<userObjectId>"
      }
    }
    

    When the Owner role is successfully assigned at the enrollment account scope, Azure responds with information of the role assignment:

    {
      "properties": {
        "roleDefinitionId": "/providers/Microsoft.Billing/enrollmentAccounts/providers/Microsoft.Authorization/roleDefinitions/<ownerRoleDefinitionId>",
        "principalId": "<userObjectId>",
        "scope": "/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "createdOn": "2018-03-05T08:36:26.4014813Z",
        "updatedOn": "2018-03-05T08:36:26.4014813Z",
        "createdBy": "<assignerObjectId>",
        "updatedBy": "<assignerObjectId>"
      },
      "id": "/providers/Microsoft.Billing/enrollmentAccounts/providers/Microsoft.Authorization/roleDefinitions/<ownerRoleDefinitionId>",
      "type": "Microsoft.Authorization/roleAssignments",
      "name": "<roleAssignmentGuid>"
    }
    

Audit who created subscriptions using activity logs

To track the subscriptions created via this API, use the Tenant Activity Log API. It's currently not possible to use PowerShell, CLI, or Azure portal to track subscription creation.

  1. As a tenant admin of the Microsoft Entra tenant, elevate access then assign a Reader role to the auditing user over the scope /providers/microsoft.insights/eventtypes/management. This access is available in the Reader role, the Monitoring contributor role, or a custom role.

  2. As the auditing user, call the Tenant Activity Log API to see subscription creation activities. Example:

    GET "/providers/Microsoft.Insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '{greaterThanTimeStamp}' and eventTimestamp le '{lessThanTimestamp}' and eventChannels eq 'Operation' and resourceProvider eq 'Microsoft.Subscription'"
    

To conveniently call this API from the command line, try ARMClient.