Grant access to create Azure Enterprise subscriptions (preview)

As an Azure customer on Enterprise Agreement (EA), you can give another user or service principal permission to create subscriptions billed to your account. In this article, you learn how to use Role-Based Access Control (RBAC) to share the ability to create subscriptions, and how to audit subscription creations. You must have the Owner role on the account you wish to share.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Grant access

To create subscriptions under an enrollment account, users must have the RBAC Owner role on that account. You can grant a user or a group of users the RBAC Owner role on an enrollment account by following these steps:

  1. Get the object ID of the enrollment account you want to grant access to

    To grant others the RBAC Owner role on an enrollment account, you must either be the Account Owner or an RBAC Owner of the account.

    Request to list all enrollment accounts you have access to:

    GET https://management.azure.com/providers/Microsoft.Billing/enrollmentAccounts?api-version=2018-03-01-preview
    

    Azure responds with a list of all enrollment accounts you have access to:

    {
      "value": [
        {
          "id": "/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
          "name": "747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
          "type": "Microsoft.Billing/enrollmentAccounts",
          "properties": {
            "principalName": "SignUpEngineering@contoso.com"
          }
        },
        {
          "id": "/providers/Microsoft.Billing/enrollmentAccounts/4cd2fcf6-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
          "name": "4cd2fcf6-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
          "type": "Microsoft.Billing/enrollmentAccounts",
          "properties": {
            "principalName": "BillingPlatformTeam@contoso.com"
          }
        }
      ]
    }
    

    Use the principalName property to identify the account that you want to grant RBAC Owner access to. Copy the name of that account. For example, if you wanted to grant RBAC Owner access to the SignUpEngineering@contoso.com enrollment account, you'd copy 747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx. This is the object ID of the enrollment account. Paste this value somewhere so that you can use it in the next step as enrollmentAccountObjectId.

  2. Get object ID of the user or group you want to give the RBAC Owner role to

    1. In the Azure portal, search on Azure Active Directory.
    2. If you want to grant a user access, click on Users in the menu on the left. If you want to grant access to a group, click Groups.
    3. Select the User or Group you want to give the RBAC Owner role to.
    4. If you selected a User, you'll find the object ID on the Profile page. If you selected a Group, the object ID is on the Overview page. Copy the object ID by clicking the icon to the right of the text box. Paste this somewhere so that you can use it in the next step as userObjectId.
  3. Grant the user or group the RBAC Owner role on the enrollment account

    Using the values you collected in the first two steps, grant the user or group the RBAC Owner role on the enrollment account.

    Run the following command, replacing <enrollmentAccountObjectId> with the name you copied in the first step (747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx). Replace <userObjectId> with the object ID you copied from the second step.

    PUT  https://management.azure.com/providers/Microsoft.Billing/enrollmentAccounts/<enrollmentAccountObjectId>/providers/Microsoft.Authorization/roleAssignments/<roleAssignmentGuid>?api-version=2015-07-01
    
    {
      "properties": {
        "roleDefinitionId": "/providers/Microsoft.Billing/enrollmentAccounts/providers/Microsoft.Authorization/roleDefinitions/<ownerRoleDefinitionId>",
        "principalId": "<userObjectId>"
      }
    }
    

    When the Owner role is successfully assigned at the enrollment account scope, Azure responds with the details of the role assignment:

    {
      "properties": {
        "roleDefinitionId": "/providers/Microsoft.Billing/enrollmentAccounts/providers/Microsoft.Authorization/roleDefinitions/<ownerRoleDefinitionId>",
        "principalId": "<userObjectId>",
        "scope": "/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "createdOn": "2018-03-05T08:36:26.4014813Z",
        "updatedOn": "2018-03-05T08:36:26.4014813Z",
        "createdBy": "<assignerObjectId>",
        "updatedBy": "<assignerObjectId>"
      },
      "id": "/providers/Microsoft.Billing/enrollmentAccounts/providers/Microsoft.Authorization/roleDefinitions/<ownerRoleDefinitionId>",
      "type": "Microsoft.Authorization/roleAssignments",
      "name": "<roleAssignmentGuid>"
    }
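The three steps above are a manual copy-and-paste procedure; the following script, added here as an example and not part of the original article, walks the same steps in code: it parses the step 1 listing (a constructed sample with the same masked IDs as above), resolves the enrollment account object ID from its principalName, composes the step 3 PUT, and checks the response against the intended principal and scope before the grant is recorded. The Owner role definition ID stays a placeholder because the article does not give it, and the ARM_TOKEN environment variable name is an assumption.

```python
import json
import os
import uuid
import urllib.request

API_BASE = "https://management.azure.com"

# Constructed sample: same shape as the enrollment-account listing returned by the GET
# in step 1 (the IDs are the masked ones from the article, not real accounts).
SAMPLE_LISTING = json.loads("""
{
  "value": [
    {
      "id": "/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "name": "747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "type": "Microsoft.Billing/enrollmentAccounts",
      "properties": {"principalName": "SignUpEngineering@contoso.com"}
    },
    {
      "id": "/providers/Microsoft.Billing/enrollmentAccounts/4cd2fcf6-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "name": "4cd2fcf6-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "type": "Microsoft.Billing/enrollmentAccounts",
      "properties": {"principalName": "BillingPlatformTeam@contoso.com"}
    }
  ]
}
""")

# The article leaves the Owner role definition ID as a placeholder; so does this example.
OWNER_ROLE_DEFINITION_ID = "<ownerRoleDefinitionId>"


def find_enrollment_account(listing, principal_name):
    """Step 1: return the object ID (the 'name' field) of the enrollment account whose
    principalName matches. Exactly one match is required, so a typo in the principal
    name cannot silently select a different billing account."""
    matches = [
        acct["name"]
        for acct in listing.get("value", [])
        if acct.get("properties", {}).get("principalName", "").lower() == principal_name.lower()
    ]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one enrollment account for {principal_name!r}, found {len(matches)}")
    return matches[0]


def build_owner_assignment(enrollment_account_object_id, user_object_id, role_assignment_guid=None):
    """Step 3: compose the PUT URL and body. A fresh GUID names the role assignment
    unless the caller supplies one (reusing a GUID makes the PUT repeatable)."""
    guid = role_assignment_guid or str(uuid.uuid4())
    url = (
        f"{API_BASE}/providers/Microsoft.Billing/enrollmentAccounts/{enrollment_account_object_id}"
        f"/providers/Microsoft.Authorization/roleAssignments/{guid}?api-version=2015-07-01"
    )
    body = {
        "properties": {
            "roleDefinitionId": "/providers/Microsoft.Billing/enrollmentAccounts/providers/"
                                f"Microsoft.Authorization/roleDefinitions/{OWNER_ROLE_DEFINITION_ID}",
            "principalId": user_object_id,
        }
    }
    return url, body


def assignment_matches(response, user_object_id, enrollment_account_object_id):
    """Check the PUT response before recording the grant: the principal and the scope
    must be the ones intended, not merely an HTTP success status."""
    props = response.get("properties", {})
    expected_scope = f"/providers/Microsoft.Billing/enrollmentAccounts/{enrollment_account_object_id}"
    return props.get("principalId") == user_object_id and props.get("scope") == expected_scope


def put_role_assignment(url, body, bearer_token):
    """Send the PUT with an ARM access token obtained from your usual sign-in tooling."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT")
    req.add_header("Authorization", f"Bearer {bearer_token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    account_id = find_enrollment_account(SAMPLE_LISTING, "SignUpEngineering@contoso.com")
    url, body = build_owner_assignment(account_id, "<userObjectId>")
    print(url)
    print(json.dumps(body, indent=2))
    token = os.environ.get("ARM_TOKEN")  # assumed variable name; set it to send the request
    if token:
        resp = put_role_assignment(url, body, token)
        print("assignment verified:", assignment_matches(resp, "<userObjectId>", account_id))
```

Run it without ARM_TOKEN set and it only prints the request it would send, which is a useful way to review a grant before it is made; the principalName lookup is case-insensitive because the portal and the API do not always agree on casing.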
    

Audit who created subscriptions using activity logs

To track the subscriptions created via this API, use the Tenant Activity Log API. It's currently not possible to use PowerShell, the CLI, or the Azure portal to track subscription creation.

  1. As a tenant admin of the Azure AD tenant, elevate access, then assign the Reader role to the auditing user at the scope /providers/microsoft.insights/eventtypes/management.

  2. As the auditing user, call the Tenant Activity Log API to see subscription creation activities. Example:

    GET "/providers/Microsoft.Insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '{greaterThanTimeStamp}' and eventTimestamp le '{lessThanTimestamp}' and eventChannels eq 'Operation' and resourceProvider eq 'Microsoft.Subscription'"
    

To conveniently call this API from the command line, try ARMClient.
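As an added example (not code from the original article), the script below builds the Tenant Activity Log query from step 2 for a given UTC time window and then reduces a response to the list of completed subscription creations and the principals that performed them, so the result can be compared against the set of principals that were actually granted Owner on the enrollment account. The response sample is constructed for this example; its field names (eventTimestamp, caller, operationName.value, status.value) follow the Azure activity log event schema, while the operation name strings and every value are made up.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

API_BASE = "https://management.azure.com"


def utc(*args):
    """Build a timezone-aware UTC datetime, e.g. utc(2018, 3, 1)."""
    return datetime(*args, tzinfo=timezone.utc)


def build_subscription_audit_url(start, end):
    """Compose the step 2 query for the window [start, end]. Both datetimes must be
    timezone-aware UTC so the filter cannot drift by a local offset."""
    for ts in (start, end):
        if ts.tzinfo is None or ts.utcoffset() != timedelta(0):
            raise ValueError("timestamps must be timezone-aware UTC")
    if end < start:
        raise ValueError("end must not precede start")
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    odata_filter = (
        f"eventTimestamp ge '{start.strftime(fmt)}' and eventTimestamp le '{end.strftime(fmt)}'"
        " and eventChannels eq 'Operation' and resourceProvider eq 'Microsoft.Subscription'"
    )
    return (f"{API_BASE}/providers/Microsoft.Insights/eventtypes/management/values"
            f"?api-version=2015-04-01&$filter={quote(odata_filter)}")


# Constructed sample response for this example; field names follow the activity log
# event schema, but the operation names and all values are made up.
SAMPLE_EVENTS = {
    "value": [
        {"eventTimestamp": "2018-03-05T09:12:44.1234567Z", "caller": "SignUpEngineering@contoso.com",
         "operationName": {"value": "Microsoft.Subscription/SubscriptionDefinitions/write"},
         "status": {"value": "Succeeded"}},
        {"eventTimestamp": "2018-03-05T09:10:02.0000000Z", "caller": "SignUpEngineering@contoso.com",
         "operationName": {"value": "Microsoft.Subscription/SubscriptionDefinitions/write"},
         "status": {"value": "Started"}},
        {"eventTimestamp": "2018-03-06T17:40:19.0000000Z", "caller": "contractor@fabrikam.com",
         "operationName": {"value": "Microsoft.Subscription/SubscriptionDefinitions/write"},
         "status": {"value": "Succeeded"}},
        {"eventTimestamp": "2018-03-06T18:00:00.0000000Z", "caller": "ops@contoso.com",
         "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
         "status": {"value": "Succeeded"}},
    ]
}


def subscription_creations(payload):
    """Keep only completed Microsoft.Subscription write operations, oldest first.
    'Started' records for the same operation are dropped so each creation appears once."""
    rows = []
    for ev in payload.get("value", []):
        op = ev.get("operationName", {}).get("value", "")
        if not (op.lower().startswith("microsoft.subscription/") and op.lower().endswith("/write")):
            continue
        if ev.get("status", {}).get("value", "").lower() != "succeeded":
            continue
        rows.append({"when": ev["eventTimestamp"], "caller": ev.get("caller", "<unknown>"), "operation": op})
    return sorted(rows, key=lambda r: r["when"])


def unexpected_creators(rows, allowed_callers):
    """Flag creations by principals outside the set granted Owner on the enrollment account."""
    allowed = {c.lower() for c in allowed_callers}
    return [r for r in rows if r["caller"].lower() not in allowed]


if __name__ == "__main__":
    print(build_subscription_audit_url(utc(2018, 3, 1), utc(2018, 3, 7)))
    rows = subscription_creations(SAMPLE_EVENTS)
    for r in rows:
        print(r["when"], r["caller"], r["operation"])
    for r in unexpected_creators(rows, ["SignUpEngineering@contoso.com"]):
        print("UNEXPECTED creator:", r["caller"], "at", r["when"])
```

The URL builder percent-encodes the $filter value, which is what a raw HTTP client needs; ARMClient accepts the unencoded form shown in step 2. Running the review periodically over a sliding window and alerting on any row from unexpected_creators is a simple way to notice a creation by a principal the Owner grant was not meant to reach.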

Next steps