Permissions required for Azure Service Principal

Zurich IT Operations Management

Release

zurich

ft:locale

en-US

ft:publication_title

Zurich IT Operations Management

ft:clusterId

itom

bundleId

itom

workflow

Technology

Permissions required for Azure Service Principal

Release version: Zurich

Updated July 31, 2025

1 minute to read

This table provides the permissions needed to create, close or cancel an Azure subscription, download billing details, and tag subscriptions.

Table 1. Roles required for Azure Service Principal
Role	Action	Role definition ID
EnrollmentReader	Enrollment readers can view data at the enrollment, department, and account scopes. This data includes charges for all subscriptions under these scopes, even across tenants, and displays the AzurePrepayment (previously called monetary commitment) balance associated with the enrollment.	24f8edb6-1668-4659-b5e2-40bb5f3a7d7e
DepartmentReader	Download the usage details for the department you administer. You can also view the usage and charges associated with your department.	db609904-a47f-4794-9be8-9bd86fbffd8a
Microsoft.Billing/billingAccounts/read	Read the list of billing accounts.
Microsoft.Management/managementGroups/subscriptions/write Microsoft.Management/managementGroups/write	Move subscription to the appropriate location once created
Microsoft.Resources/tags/write	Add tags to the subscription.
Microsoft.Billing/billingAccounts/billingSubscriptions/cancel/write	Close or cancel a subscription.