New-AzRoleAssignment to assign Billing account reader role to billing account

Question

Hi,
I'm reading through the docs (https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azroleassignment?view=azps-5.1.0) and have tried multiple commands but am unsure how to do it correctly, or if it is even possible to assign the Billing Account Reader role to a service principal application through the New-AzRoleAssignment PowerShell command. Everything I see in the docs there for the -Scope parameter seems to indicate that it's only possible at the subscription and below level.
I am able to add this role manually through the Azure portal UI but would like to be able to script this

Thanks,
Sean

Answer 1

@Sean Belling
Thank you for your post! You can add the Billing Reader role to your service principle by following the below steps.

1.Get the ObjectID of your Service Principle - For more info.

#This will list all service principles  
Get-AzureADServicePrincipal  

2.Run the New-AzRoleAssignment command specifying the ObjectID of your Service Principle - For more info.

New-AzRoleAssignment -ObjectId "servicePrincpleObjectID" -RoleDefinitionName "Billing Reader"  

Billing Reader role

I hope this helps! If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

Answer 2

Hi, thanks that's helpful for adding the role
What I'm wondering was though if it is possible to add that role at the Billing Account scope, so something like this command
New-AzRoleAssignment -ObjectId "servicePrincpleObjectID" -RoleDefinitionName "Billing Reader" -Scope /bilingAccount/<billingAccountId> ?
I see in your example the scope parameter wasn't included so the command defaulted to the current subscription scope

thanks