Grant access to create Azure Enterprise subscriptions (legacy)
In this article, you learn how to use Azure role-based access control (Azure RBAC) to share the ability to create subscriptions, and how to audit subscription creations. You must have the Owner role on the account you wish to share.
Note
- This API only works with the legacy APIs for subscription creation.
- Unless you have a specific need to use the legacy APIs, you should use the information for the latest GA version about the latest API version. See Enrollment Account Role Assignments - Put to grant permission to create EA subscriptions with the latest API.
- If you're migrating to use the newer APIs, you must grant owner permissions again using 2019-10-01-preview. Your previous configuration that uses the following APIs doesn't automatically convert for use with newer APIs.
Note
We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
Grant access
To create subscriptions under an enrollment account, users must have the Azure RBAC Owner role on that account. You can grant a user or a group of users the Azure RBAC Owner role on an enrollment account by following these steps:
Get the object ID of the enrollment account you want to grant access to
To grant others the Azure RBAC Owner role on an enrollment account, you must either be the Account Owner or an Azure RBAC Owner of the account.
Request to list all enrollment accounts you have access to:
GET https://management.chinacloudapi.cn/providers/Microsoft.Billing/enrollmentAccounts?api-version=2018-03-01-preview
Azure responds with a list of all enrollment accounts you have access to:
{ "value": [ { "id": "/providers/Microsoft.Billing/enrollmentAccounts/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb", "name": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb", "type": "Microsoft.Billing/enrollmentAccounts", "properties": { "principalName": "SignUpEngineering@contoso.com" } }, { "id": "/providers/Microsoft.Billing/enrollmentAccounts/4cd2fcf6-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "name": "4cd2fcf6-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "type": "Microsoft.Billing/enrollmentAccounts", "properties": { "principalName": "BillingPlatformTeam@contoso.com" } } ] }
Use the
principalName
property to identify the account that you want to grant Azure RBAC Owner access to. Copy thename
of that account. For example, if you wanted to grant Azure RBAC Owner access to the SignUpEngineering@contoso.com enrollment account, you'd copyaaaaaaaa-0000-1111-2222-bbbbbbbbbbbb
. It's the object ID of the enrollment account. Paste this value somewhere so that you can use it in the next step asenrollmentAccountObjectId
.Use the
principalName
property to identify the account that you want to grant Azure RBAC Owner access to. Copy thename
of that account. For example, if you wanted to grant Azure RBAC Owner access to the SignUpEngineering@contoso.com enrollment account, you'd copyaaaaaaaa-0000-1111-2222-bbbbbbbbbbbb
. It's the object ID of the enrollment account. Paste this value somewhere so that you can use it in the next step asenrollmentAccountObjectId
.Get object ID of the user or group you want to give the Azure RBAC Owner role to
- In the Azure portal, search on Microsoft Entra ID.
- If you want to grant a user access, select Users in the menu on the left. To give access to a group, select Groups.
- Select the User or Group you want to give the Azure RBAC Owner role to.
- If you selected a User, you'll find the object ID in the Profile page. If you selected a Group, the object ID will be in the Overview page. Copy the ObjectID by selecting the icon to the right of the text box. Paste it somewhere so that you can use it in the next step as
userObjectId
.
Grant the user or group the Azure RBAC Owner role on the enrollment account
Using the values you collected in the first two steps, grant the user or group the Azure RBAC Owner role on the enrollment account.
Run the following command, replacing
<enrollmentAccountObjectId>
with thename
you copied in the first step (aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb
). Replace<userObjectId>
with the object ID you copied from the second step.PUT https://management.chinacloudapi.cn/providers/Microsoft.Billing/enrollmentAccounts/<enrollmentAccountObjectId>/providers/Microsoft.Authorization/roleAssignments/<roleAssignmentGuid>?api-version=2015-07-01 { "properties": { "roleDefinitionId": "/providers/Microsoft.Billing/enrollmentAccounts/<enrollmentAccountObjectId>/providers/Microsoft.Authorization/roleDefinitions/<ownerRoleDefinitionId>", "principalId": "<userObjectId>" } }
When the Owner role is successfully assigned at the enrollment account scope, Azure responds with information of the role assignment:
{ "properties": { "roleDefinitionId": "/providers/Microsoft.Billing/enrollmentAccounts/providers/Microsoft.Authorization/roleDefinitions/<ownerRoleDefinitionId>", "principalId": "<userObjectId>", "scope": "/providers/Microsoft.Billing/enrollmentAccounts/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb", "createdOn": "2018-03-05T08:36:26.4014813Z", "updatedOn": "2018-03-05T08:36:26.4014813Z", "createdBy": "<assignerObjectId>", "updatedBy": "<assignerObjectId>" }, "id": "/providers/Microsoft.Billing/enrollmentAccounts/providers/Microsoft.Authorization/roleDefinitions/<ownerRoleDefinitionId>", "type": "Microsoft.Authorization/roleAssignments", "name": "<roleAssignmentGuid>" }
Audit who created subscriptions using activity logs
To track the subscriptions created via this API, use the Tenant Activity Log API. It's currently not possible to use PowerShell, CLI, or Azure portal to track subscription creation.
As a tenant admin of the Microsoft Entra tenant, elevate access then assign a Reader role to the auditing user over the scope
/providers/microsoft.insights/eventtypes/management
. This access is available in the Reader role, the Monitoring contributor role, or a custom role.As the auditing user, call the Tenant Activity Log API to see subscription creation activities. Example:
GET "/providers/Microsoft.Insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '{greaterThanTimeStamp}' and eventTimestamp le '{lessThanTimestamp}' and eventChannels eq 'Operation' and resourceProvider eq 'Microsoft.Subscription'"
To conveniently call this API from the command line, try ARMClient.
Related content
- Now that the user or service principal has permission to create a subscription, you can use that identity to programmatically create Azure Enterprise subscriptions.
- For an example on creating subscriptions using .NET, see sample code on GitHub.
- To learn more about Azure Resource Manager and its APIs, see Azure Resource Manager overview.
- To learn more about managing large numbers of subscriptions using management groups, see Organize your resources with Azure management groups