
Step 2: Assign permissions to the app

In this step, we will assign the EnrollmentReader permission to the app created in Step 1. This role grants read access to account information and cost reports. It's important to note that the EnrollmentReader role DOES NOT provide any WRITE permissions to the DigitalEx platform.

The procedure in this step is also documented by Azure here: assign-roles-azure-service-principals.

  1. Unlike other billing account types, Azure does not allow role assignment of Enterprise Agreement (EA) accounts using the user interface. Instead, we’ll use the official Azure HTTP API to achieve this.

  2. Before calling the API, let's capture a few details that we need to pass to it:

a. billingAccountName : This is the ID of your billing account, which you can capture from the Cost Management + Billing > Overview page.


b. billingRoleAssignmentName : This parameter is a unique GUID that you need to provide. You can use the GUID Generator website to generate a unique GUID.

c. Principal ID : This is the Enterprise App's Object ID. To find it, navigate to Microsoft Entra ID > Enterprise applications, look for the app we created in Step 1, and capture its Object ID.

  3. We're now ready to call the API to make the role assignment. Open the following URL in the same browser window where you have the Azure portal open: Role Assignments. Click Try It and select the correct directory if prompted. Fill in the parameters billingAccountName and billingRoleAssignmentName with the values captured in the previous step, and put the following JSON in the body section:

{
  "properties": {
    "principalId": "<principal_id>",
    "principalTenantId": "<tenant_id>",
    "roleDefinitionId": "/providers/Microsoft.Billing/billingAccounts/<billing-account-id>/billingRoleDefinitions/24f8edb6-1668-4659-b5e2-40bb5f3a7d7e"
  }
}

  4. Make sure to replace <principal_id>, <tenant_id> and <billing-account-id> with the correct values captured in earlier steps. roleDefinitionId is the ID of the EnrollmentReader role, as documented here: permissions-that-can-be-assigned-to-the-service-principal
    After filling in all the parameters and the body, click Run. The API call should return 200 OK. If it doesn't, do not proceed.
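
A local pre-check for the request described in the steps above, as an added example that is not DigitalEx or Azure code: it builds the resource path and JSON body, rejects unreplaced placeholders and malformed GUIDs, and confirms that the body requests only the EnrollmentReader role before anything is pasted into Try It. The function names, the sample values, the billingAccountName character check and the locally generated GUID (in place of the GUID Generator website) are assumptions of this example.

```python
import json
import re
import uuid

# EnrollmentReader role definition GUID, copied from the JSON body on this page.
ENROLLMENT_READER = "24f8edb6-1668-4659-b5e2-40bb5f3a7d7e"
ACCOUNT_PREFIX = "/providers/Microsoft.Billing/billingAccounts/"


def canonical_guid(label, value):
    """Return a GUID in lowercase hyphenated form; reject placeholders and typos."""
    try:
        return str(uuid.UUID(value.strip()))
    except (ValueError, AttributeError):
        raise ValueError(f"{label} is not a GUID: {value!r}") from None


def build_assignment(billing_account, principal_id, tenant_id, assignment_name=None):
    """Return (resource_path, body) for the role-assignment request."""
    # Assumption: account IDs contain only word characters, ':', '.' and '-'.
    if not re.fullmatch(r"[\w:.-]+", billing_account):
        raise ValueError(f"billingAccountName looks wrong: {billing_account!r}")
    # Assumption: a locally generated random GUID is used when none is supplied.
    name = canonical_guid("billingRoleAssignmentName",
                          assignment_name or str(uuid.uuid4()))
    account = ACCOUNT_PREFIX + billing_account
    body = {"properties": {
        "principalId": canonical_guid("principalId", principal_id),
        "principalTenantId": canonical_guid("principalTenantId", tenant_id),
        "roleDefinitionId": f"{account}/billingRoleDefinitions/{ENROLLMENT_READER}",
    }}
    return f"{account}/billingRoleAssignments/{name}", body


def is_enrollment_reader_only(body, billing_account):
    """True only if the body requests EnrollmentReader on this billing account."""
    expected = f"{ACCOUNT_PREFIX}{billing_account}/billingRoleDefinitions/{ENROLLMENT_READER}"
    requested = body.get("properties", {}).get("roleDefinitionId", "")
    return requested.lower() == expected.lower()


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    path, body = build_assignment("1234567", "11111111-2222-3333-4444-555555555555",
                                  "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
    if not is_enrollment_reader_only(body, "1234567"):
        raise SystemExit("refusing: body does not request EnrollmentReader")
    print(path)
    print(json.dumps(body, indent=2))
```

Running the same check against the body of any existing assignment is a quick way to confirm that the app holds only the read role.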
