Add the Enrollment Reader role to the Microsoft Azure service principal

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 3 minutes
  • Assign the Enrollment Reader role to the Azure service principal for your Enterprise Agreement (EA) account to retrieve billing, purchase, and pricing data. You can assign this role using a Microsoft API.

    Before you begin

    Role required: Enterprise administrator

    About this task

    Users with the Enrollment Reader role can view subscription charge data at the enrollment, department, and account scopes. They can also view the Azure prepayment balance linked with the enrollment. The Enrollment Reader role is required only for EA accounts.

    Procedure

    1. Navigate to the Role Assignments - Put page in the Microsoft Azure documentation.
    2. Run the API by selecting the Try It button.
    3. Select Sign in.
    4. On the login page, enter your Microsoft Azure account credentials to sign in to the tenant.
    5. On the API request parameters form, fill in the fields.
      Table 1. Role Assignments API request parameters
      Field Description
      billingAccountName The Azure EA billing account ID.

      You can find the billing account ID on the Azure portal on the Cost Management + Billing overview page.

      billingRoleAssignmentName A unique ID to identify the name of the role that you want to assign.

      You can use a GUID generator website to generate a unique ID.

      Body The request body with parameters in JSON code. Enter the following JSON code in the body.

      {
        "properties": {
          "principalId": "{enterprise-application (or SPN) object-id}",
          "principalTenantId": "{tenant-id}",
          "roleDefinitionId": "/providers/Microsoft.Billing/billingAccounts/{ea-account-id}/billingRoleDefinitions/24f8edb6-1668-4659-b5e2-40bb5f3a7d7e"
        }
      }

      In this code:
      • principalId: object ID of the EA account
      • principalTenantId: tenant (directory) ID of the EA account
      • roleDefinitionId: ID of the role definition, for example, 24f8edb6-1668-4659-b5e2-40bb5f3a7d7e is the role definition ID of the enrollment reader role
      For details on the object ID and tenant ID, see Microsoft documentation.
      Important:
      Replace only the ea-account-id string with the actual EA billing account ID.
      Note:
      You must not change the values in the api-version and Content-Type fields.
    6. Complete the role assignment for the Azure EA account by selecting Run.
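
    The request that steps 5 and 6 submit through the Try It form, assembled and checked in Python as an added example (not ServiceNow or Microsoft code). The management.azure.com host and the billingRoleAssignments path are assumptions based on the Role Assignments - Put operation; api_version is supplied by the caller because this page does not state its value, and the function names are hypothetical.

```python
import json
import re
import uuid

# Enrollment Reader role definition ID, copied from the request body above.
ENROLLMENT_READER = "24f8edb6-1668-4659-b5e2-40bb5f3a7d7e"
GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
# Assumption: Azure Resource Manager host and the Role Assignments - Put path.
ARM = "https://management.azure.com"
ACCOUNT = "/providers/Microsoft.Billing/billingAccounts/{}"


def check_body(billing_account, body_json):
    """Return a list of problems found in a request body before it is run."""
    props = json.loads(body_json).get("properties", {})
    problems = []
    for key in ("principalId", "principalTenantId"):
        if not GUID.fullmatch(str(props.get(key, ""))):
            problems.append(f"{key} is not a GUID (placeholder left in?)")
    expected = (ACCOUNT.format(billing_account)
                + "/billingRoleDefinitions/" + ENROLLMENT_READER)
    if str(props.get("roleDefinitionId", "")).lower() != expected.lower():
        problems.append("roleDefinitionId is not Enrollment Reader on this account")
    return problems


def build_request(billing_account, principal_id, tenant_id, api_version):
    """Build (but do not send) the PUT request for the role assignment."""
    if not re.fullmatch(r"[A-Za-z0-9_:.-]+", billing_account):
        raise ValueError("billing account ID contains unexpected characters")
    scope = ACCOUNT.format(billing_account)
    body = json.dumps({"properties": {
        "principalId": principal_id,
        "principalTenantId": tenant_id,
        "roleDefinitionId": f"{scope}/billingRoleDefinitions/{ENROLLMENT_READER}",
    }}, indent=2)
    problems = check_body(billing_account, body)
    if problems:
        raise ValueError("; ".join(problems))
    # billingRoleAssignmentName: generated locally instead of on a website.
    name = str(uuid.uuid4())
    url = f"{ARM}{scope}/billingRoleAssignments/{name}?api-version={api_version}"
    return {"method": "PUT", "url": url,
            "headers": {"Content-Type": "application/json"}, "body": body}
```

    check_body can also be run on a body pasted into the form: it flags placeholders that were left in and any roleDefinitionId other than the Enrollment Reader role on the same billing account.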

    What to do next

    Schedule and manage the jobs that download Azure billing data