billing role assignment

• Stack Overflow for Teams Where developers & technologists share private knowledge with coworkers
• Advertising & Talent Reach devs & technologists worldwide about your product, service or employer brand
• OverflowAI GenAI features for Teams
• OverflowAPI Train & fine-tune LLMs
• Labs The future of collective knowledge sharing
• About the company Visit the blog

Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Get early access and see previews of new features.

How can I see a list of all users and the roles assigned to them in Azure?

I am an Azure Administrator.

I would like to know if there is an easy way of showing a list of users in Azure and the role assignments they have against which Subscriptions, User Groups and Resources?

Basically, i'd like a list of all role assignments people have on anything.

Conversely i'd accept a list of every Resource Group and Resource in a Subscription and list the role assignments on them.

Doesn't sound like a big ask?

What's the simplest way of doing this?

• Azure Portal has this functionality. Have you tried it? Just go to Subscription -> IAM -> Role Assignments. –  Gaurav Mantri Commented Dec 2, 2019 at 14:36
• 1 Doesn't that only shows me the role assignments on the Subscription.. not child Resource Groups or Resources? I'd like to see role assignments on all Resource Groups and Resources as well –  Lee Englestone Commented Dec 3, 2019 at 8:08

2 Answers 2

As mentioned in the comment, you can check it in the portal directly. Navigate to the resource/resource group/subscription in the portal -> Access control (IAM) -> Role assignments , you can filter with the parameters you want.

Or you can use the Azure powershell Get-AzRoleAssignment or REST API , it depends on your requirement.

1.You have a list of ObjectIds of the users, you can use the script as below.

2.You have the SignInNames of the users.

Note: The role assignment in Azure is inheritable, e.g. If you add the role assignment for a user in the subscription scope, when you list the role assignments in a resource group , the role assignment of the user will also be listed. The same logic for resource groups and resources in the group.

1.You have the SignInNames of the users, want to get the role assignments of all the resources in the subscription.

2.You have the SignInNames of the users, want to get the role assignments of all the resources in a specific resource group.

3.You have the SignInNames of the users, want to get the role assignments of all the resource groups in the subscription.

• 1 Yes, I tried the Subscriptions -> Access control (IAM) -> Role assignments but it does not show all role assignments on child Resource Groups and Resources. Your script solves half my question.. It would completely answer my question if it could get the list of subscriptions, resource groups and resources then iterate over them and output the role assignments. –  Lee Englestone Commented Dec 3, 2019 at 8:14
• @LeeEnglestone Actually they are the same logic, just change the script to meet your own requirements, you could check my update. –  Joy Wang Commented Dec 3, 2019 at 8:41

The "az account list" az cli command saves the output (list of subscriptions) in a variable. Then a for loop iterates through these subscriptions one by one, listing their owners (of type "User"). Please ask if it's unclear.

• Welcome to StackOverflow. While this code may answer the question, providing additional context regarding how and/or why it solves the problem would improve the answer's long-term value. –  Sven Eberth Commented Jun 22, 2021 at 23:28
• The "az account list" az cli command saves the output (list of subscriptions) in a variable. Then a for loop iterates through these subscriptions one by one, listing their owners (of type "User"). Please ask if it's unclear. –  MeisterLabs Commented Jun 23, 2021 at 17:20
• Thanks @SvenEberth. New to StackOverflow. –  MeisterLabs Commented Jun 23, 2021 at 17:21
• Please use the edit button and add the description to your answer, not as comment. –  Sven Eberth Commented Jun 24, 2021 at 0:03
• instead of -o table | grep -vi "resul\|--" you can also just use the tsv output formatting: az account list --all --query "[].id" -o tsv –  Marius Commented Jun 27 at 8:51

Your Answer

Reminder: Answers generated by artificial intelligence tools are not allowed on Stack Overflow. Learn more

Sign up or log in

Post as a guest.

Required, but never shown

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy .

Not the answer you're looking for? Browse other questions tagged azure or ask your own question .

• The Overflow Blog
• Where does Postgres fit in a world of GenAI and vector databases?
• Featured on Meta
• We've made changes to our Terms of Service & Privacy Policy - July 2024
• Bringing clarity to status tag usage on meta sites
• What does a new user need in a homepage experience on Stack Overflow?
• Feedback requested: How do you use tag hover descriptions for curating and do...
• Staging Ground Reviewer Motivation

Hot Network Questions

• I'm trying to remember a novel about an asteroid threatening to destroy the earth. I remember seeing the phrase "SHIVA IS COMING" on the cover
• The meaning of "by" in "swear by God"
• What explanations can be offered for the extreme see-sawing in Montana's senate race polling?
• My visit is for two weeks but my host bought insurance for two months is it okay
• Has a tire ever exploded inside the Wheel Well?
• Regression techniques for a “triangular” scatterplot
• Employee always seems distracted affecting others and his work, found out finally what it is, wondering if I can say something
• about flag changes in 16-bit calculations on the MC6800
• The answer is not wrong
• Expected number of numbers that stay at their place after k swaps
• How would you say a couple of letters (as in mail) if they're not necessarily letters?
• Historical U.S. political party "realignments"?
• Using conditionals within \tl_put_right from latex3 explsyntax
• Does the order of ingredients while cooking matter to an extent that it changes the overall taste of the food?
• Walk or Drive to school?
• Using "no" at the end of a statement instead of "isn't it"?
• My school wants me to download an SSL certificate to connect to WiFi. Can I just avoid doing anything private while on the WiFi?
• Why does a halfing's racial trait lucky specify you must use the next roll?
• Integral concerning the floor function
• A very interesting food chain
• Is there a phrase for someone who's really bad at cooking?
• Plotting orbitals on a lattice
• Too many \setmathfont leads to "Too many symbol fonts declared" error
• Why do National Geographic and Discovery Channel broadcast fake or pseudoscientific programs?

• Español – América Latina
• Português – Brasil
• Cloud Billing
• Documentation

Create Custom Roles for Billing

Identity and Access Management (IAM) includes fine-grained permissions, which allows you to grant or revoke access to specific actions for individual users. To simplify the process of assigning permissions to users, IAM roles combine these fine-grained permissions into related groups. Billing has predefined roles , such as Billing Account Administrator or Billing Account Viewer , which should work for most users. But, if they don't fit your needs, custom roles allow you to grant more specific sets of permissions.

Create a custom role

Custom roles are created on the organization, and then are applied to any billing account in the organization. Creating and Managing Custom Roles in the IAM documentation describes how to configure a custom role, including which permissions are necessary.

After custom roles are created, you can grant custom roles to users just like standard, predefined roles. Learn how to update billing permissions .

Example custom role

Imagine you'd like to give someone the ability to edit cost management features, such as budget alerts and billing export. The relevant permissions are:

• billing.budgets.create
• billing.budgets.update
• billing.accounts.updateUsageExportSpec

With the pre-defined roles, to apply these permissions you would need to grant the Billing Account Administrator role. But that role also includes permission to delete resource associations, cancel subscriptions, and close the billing account. If you didn't want your users to have those capabilities, you could instead create a custom role with only the three permissions above and name it Cost Management Administrator . Then, you could apply that custom role in combination with the Billing Account Viewer role to any users that should have broad cost management permissions but no ability to edit other account properties.

Permission association and inheritance

You can grant billing permissions at the billing account level or at the project level. Most billing permissions belong on the billing account, so roles containing those permissions should be associated with the billing account. Other billing permissions instead belong on a project and need to be associated with the project instead of the billing account.

For example, associating a project with a billing account requires the billing.resourceAssociations.create permission on the billing account and also the resourcemanager.projects.createBillingAssignment permission on the project. This is because project permissions are required for actions where project owners control access, while billing account permissions are required for actions where billing account administrators control access. When both should be involved, both permissions are necessary.

Just like other IAM permissions, all billing permissions inherit from higher levels of the billing hierarchy. For example, a user with a role containing billing.accounts.close on an organization can close any billing account within that organization. However, some permissions only apply at higher levels. For example, the billing.accounts.list permission doesn't do anything when applied to an individual billing account, but a user with a role containing billing.accounts.list on an organization can list all billing accounts within that organization.

Billing activities

The following tables describe common billing activities, the permissions required to perform those activities, and the resource that those permissions apply to.

Account management

Billing account hierarchy

Payment information

The payment profile includes customer name, address, and payment method.

Resource associations

Moving a project between billing accounts requires the same permissions as removing it from the original billing account and associating it with the new one.

Budgets and spending alerts

Credits and promotions

The policy defines which users have access to which resources on a billing account. For information on creating or modifying custom roles, see the Create a Custom Role section, above.

Export specifications

The export specification defines where to send a copy of all usage-related data, and can contain the name of a BigQuery dataset .

Related topics

• Overview of Billing Access Control
• Cloud Billing API Access Control
• Granting, Changing, and Revoking Access in the Identity and Access Management documentation

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License , and code samples are licensed under the Apache 2.0 License . For details, see the Google Developers Site Policies . Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2024-08-21 UTC.

• Preparing search index...
• The search index is not available
• Public/Protected
• BillingRoleAssignmentsImpl

Class BillingRoleAssignmentsImpl

Package version

Class containing BillingRoleAssignments operations.

• BillingRoleAssignments

Constructors

Constructor, delete bybilling account, delete bybilling profile, delete byinvoice section, get bybilling account, get bybilling profile, get byinvoice section, list bybilling account, list bybilling profile, list byinvoice section.

• new Billing Role Assignments Impl ( client : BillingManagementClient ) : BillingRoleAssignmentsImpl

Initialize a new instance of the class BillingRoleAssignments class.

client: BillingManagementClient

Reference to the service client

Returns BillingRoleAssignmentsImpl

• delete ByBilling Account ( billingAccountName : string , billingRoleAssignmentName : string , options ?: BillingRoleAssignmentsDeleteByBillingAccountOptionalParams ) : Promise < BillingRoleAssignmentsDeleteByBillingAccountResponse >

Deletes a role assignment for the caller on a billing account. The operation is supported for billing accounts with agreement type Microsoft Partner Agreement or Microsoft Customer Agreement.

billingAccountName: string

The ID that uniquely identifies a billing account.

billingRoleAssignmentName: string

The ID that uniquely identifies a role assignment.

Optional options: BillingRoleAssignmentsDeleteByBillingAccountOptionalParams

The options parameters.

Returns Promise < BillingRoleAssignmentsDeleteByBillingAccountResponse >

• delete ByBilling Profile ( billingAccountName : string , billingProfileName : string , billingRoleAssignmentName : string , options ?: BillingRoleAssignmentsDeleteByBillingProfileOptionalParams ) : Promise < BillingRoleAssignmentsDeleteByBillingProfileResponse >

Deletes a role assignment for the caller on a billing profile. The operation is supported for billing accounts with agreement type Microsoft Partner Agreement or Microsoft Customer Agreement.

billingProfileName: string

The ID that uniquely identifies a billing profile.

Optional options: BillingRoleAssignmentsDeleteByBillingProfileOptionalParams

Returns promise < billingroleassignmentsdeletebybillingprofileresponse >.

• delete ByInvoice Section ( billingAccountName : string , billingProfileName : string , invoiceSectionName : string , billingRoleAssignmentName : string , options ?: BillingRoleAssignmentsDeleteByInvoiceSectionOptionalParams ) : Promise < BillingRoleAssignmentsDeleteByInvoiceSectionResponse >

Deletes a role assignment for the caller on an invoice section. The operation is supported for billing accounts with agreement type Microsoft Customer Agreement.

invoiceSectionName: string

The ID that uniquely identifies an invoice section.

Optional options: BillingRoleAssignmentsDeleteByInvoiceSectionOptionalParams

Returns promise < billingroleassignmentsdeletebyinvoicesectionresponse >.

• get ByBilling Account ( billingAccountName : string , billingRoleAssignmentName : string , options ?: BillingRoleAssignmentsGetByBillingAccountOptionalParams ) : Promise < BillingRoleAssignmentsGetByBillingAccountResponse >

Gets a role assignment for the caller on a billing account. The operation is supported for billing accounts with agreement type Microsoft Partner Agreement or Microsoft Customer Agreement.

Optional options: BillingRoleAssignmentsGetByBillingAccountOptionalParams

Returns promise < billingroleassignmentsgetbybillingaccountresponse >.

• get ByBilling Profile ( billingAccountName : string , billingProfileName : string , billingRoleAssignmentName : string , options ?: BillingRoleAssignmentsGetByBillingProfileOptionalParams ) : Promise < BillingRoleAssignmentsGetByBillingProfileResponse >

Gets a role assignment for the caller on a billing profile. The operation is supported for billing accounts with agreement type Microsoft Partner Agreement or Microsoft Customer Agreement.

Optional options: BillingRoleAssignmentsGetByBillingProfileOptionalParams

Returns promise < billingroleassignmentsgetbybillingprofileresponse >.

• get ByInvoice Section ( billingAccountName : string , billingProfileName : string , invoiceSectionName : string , billingRoleAssignmentName : string , options ?: BillingRoleAssignmentsGetByInvoiceSectionOptionalParams ) : Promise < BillingRoleAssignmentsGetByInvoiceSectionResponse >

Gets a role assignment for the caller on an invoice section. The operation is supported for billing accounts with agreement type Microsoft Customer Agreement.

Optional options: BillingRoleAssignmentsGetByInvoiceSectionOptionalParams

Returns promise < billingroleassignmentsgetbyinvoicesectionresponse >.

• list ByBilling Account ( billingAccountName : string , options ?: BillingRoleAssignmentsListByBillingAccountOptionalParams ) : PagedAsyncIterableIterator < BillingRoleAssignment >

Lists the role assignments for the caller on a billing account. The operation is supported for billing accounts with agreement type Microsoft Partner Agreement or Microsoft Customer Agreement.

Optional options: BillingRoleAssignmentsListByBillingAccountOptionalParams

Returns pagedasynciterableiterator < billingroleassignment >.

• list ByBilling Profile ( billingAccountName : string , billingProfileName : string , options ?: BillingRoleAssignmentsListByBillingProfileOptionalParams ) : PagedAsyncIterableIterator < BillingRoleAssignment >

Lists the role assignments for the caller on a billing profile. The operation is supported for billing accounts with agreement type Microsoft Customer Agreement.

Optional options: BillingRoleAssignmentsListByBillingProfileOptionalParams

• list ByInvoice Section ( billingAccountName : string , billingProfileName : string , invoiceSectionName : string , options ?: BillingRoleAssignmentsListByInvoiceSectionOptionalParams ) : PagedAsyncIterableIterator < BillingRoleAssignment >

Lists the role assignments for the caller on an invoice section. The operation is supported for billing accounts with agreement type Microsoft Customer Agreement.

Optional options: BillingRoleAssignmentsListByInvoiceSectionOptionalParams

Generated using TypeDoc

Navigation Menu

Search code, repositories, users, issues, pull requests..., provide feedback.

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly.

To see all available qualifiers, see our documentation .

• Notifications You must be signed in to change notification settings

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement . We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create new billing_role_assignment resource(s) #24472

tgoodsell-tempus commented Jan 12, 2024 • edited Loading

• 👍 2 reactions

daniel-edwards-nz commented Jan 14, 2024

Sorry, something went wrong.

No branches or pull requests

• Published Apr 25, 2017

Azure Billing Reader role and preview of Invoice API

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Role Assignments - Put

Create or update a billing role assignment.

URI Parameters

Request Body

Azure Active Directory OAuth2 Flow.

Type: oauth2 Flow: implicit Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Put Enrollment Administrator Role Assignment

Sample request, sample response, definitions.

Billing Role Assignment

The role assignment

Error Details

The details of the error.

Error Response

Error response indicates that the service is not able to process the incoming request. The reason is provided in the error message.

Error Sub Details

Additional resources

• Azure Native
• BillingRoleAssignmentByEnrollmentAccount

Azure Native v2.58.0, Aug 23 24

azure-native.billing.BillingRoleAssignmentByEnrollmentAccount

Explore with Pulumi AI

On this page

• Request a Change

The role assignment Azure REST API version: 2019-10-01-preview. Prior API version in Azure Native 1.x: 2019-10-01-preview.

Other available API versions: 2024-04-01.

Example Usage

Putenrollmentaccountsubscriptioncreatorroleassignment, create billingroleassignmentbyenrollmentaccount resource.

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources .

Constructor syntax

Constructor example.

The following reference example uses placeholder values for all input properties .

BillingRoleAssignmentByEnrollmentAccount Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

The BillingRoleAssignmentByEnrollmentAccount resource accepts the following input properties:

All input properties are implicitly available as output properties. Additionally, the BillingRoleAssignmentByEnrollmentAccount resource produces the following output properties:

An existing resource can be imported using its type token, name, and identifier, e.g.

To learn more about importing existing cloud resources, see Importing resources .

Package Details