How to grant EnrollmentReader role to the CloudMonitor Service Principal for EA Billing Accounts | Scribe


    Diane Borlado | 2 minutes
    These instructions show how to grant the read-only EnrollmentReader role to the CloudMonitor Service Principal for customers that have Legacy Enterprise Agreements (EA) with Microsoft. Only Department Administrators and Account Owners are allowed to assign the EnrollmentReader role to the CloudMonitor Service Principal. If you do not hold either of these two roles, ask your Enterprise Administrator to assign one of them to you: <https://helpdesk.cloudmonitor.ai/support/solutions/articles/51000337718-how-to-assign-roles-as-an-enterprise-administrator-for-enterprise-agreement-customers->
    The following steps will utilize the Azure REST API to grant the read-only EnrollmentReader role to a Service Principal. Microsoft has confirmed that this is a known limitation of the Azure Portal and provided this alternative method. Customers on MCA agreements do not need to do this step.
    First navigate to the REST API page: [https://learn.microsoft.com/en-us/rest/api/billing/2019-10-01-preview/role-assignments/put?tabs=HTTP#code-try-0](https://learn.microsoft.com/en-us/rest/api/billing/2019-10-01-preview/role-assignments/put?tabs=HTTP#code-try-0)
    • Sign in with an Admin Account.
    • Select the AD Tenant that contains the CloudMonitor Service Principal.
    You will see that the right pane has changed into a simple API platform. In the Parameters section we need to provide values for the following fields:
    1. billingAccountName
    2. billingRoleAssignmentName
    The billingAccountName is your "Billing account ID". You can find this in the Azure portal on the "Cost Management + Billing" Overview. In our example below it is 1111111.
    Paste the "Billing account ID" into the billingAccountName input field.
    For the second input, we need to provide a random, unique GUID. We can generate one using the online GUID/UUID Generator website - [https://guidgenerator.com](https://guidgenerator.com).
    Paste the GUID in the billingRoleAssignmentName input field.
    The Parameters section is now done. We will now move onto providing a JSON object in the Body section.
    Copy the JSON object below. It has descriptive "<arrow-symbols>" to clearly identify the segments that need to be replaced.

```json
{
  "properties": {
    "principalId": "<your-principal-id>",
    "principalTenantId": "<your-principal-tenantId>",
    "roleDefinitionId": "/providers/Microsoft.Billing/billingAccounts/<your-billing-accountId>/billingRoleDefinitions/<billing-role-definitionId>"
  }
}
```
    Replace <your-billing-accountId> with the same billingAccountId used in the "billingAccountName" parameter. In our example, it is "1111111".
    Replace <billing-role-definitionId> with "24f8edb6-1668-4659-b5e2-40bb5f3a7d7e". The reason for this specific value is explained in the next step.
    Note: "24f8edb6-1668-4659-b5e2-40bb5f3a7d7e" represents the role definition ID for the EnrollmentReader role. This role grants the Service Principal Name (SPN) read access to view your billing information.
    Then replace <your-principal-tenantId> with your AD Tenant ID. You can locate it as follows:
    1. Go to Azure AD > App Registrations and find the CloudMonitor Service Principal/App (Tip: paste the Service Principal's Client ID into the filter).
    2. Replace <your-principal-tenantId> with the value of the "Directory (tenant) ID" field.
    3. Stay on this page for a later step.
    Lastly, replace <your-principal-id> with the Object ID of the CloudMonitor Service Principal's Managed Application resource. You can find it as follows:
    1. Continuing from the page above, click on the Managed Application link.
    2. Replace <your-principal-id> with the "Object ID" shown there.
    Your Body section should now look similar to the below:
    Click "Run". It should return a "200" status code if it made the association successfully.
    If it returns a 400 error, check all the fields again. If it returns a 403 error, this usually means that the logged-in user does not have permission to update the role assignment. Make sure you are logged in as an Account Owner or Department Administrator. Raise a helpdesk ticket if you cannot get a successful 200 response.
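    The same role assignment can be prepared and sent without the docs "Try it" pane. The script below is an added example, not code from the original guide or from CloudMonitor: it builds the request the guide fills in by hand (URL, body, a freshly generated GUID for billingRoleAssignmentName), rejects values that would produce the 400-class mistakes the guide tells you to re-check (non-numeric billing account ID, malformed GUIDs, leftover "<...>" placeholders), and maps the 200/400/403 outcomes to the guide's advice. It assumes the endpoint behind the linked docs page is the billingRoleAssignments PUT for api-version 2019-10-01-preview on management.azure.com, and that the caller already holds a bearer token for an Account Owner or Department Administrator; the sample IDs are constructed values.

```python
import json
import re
import urllib.error
import urllib.request
import uuid

# Role definition ID for EnrollmentReader, as stated in the guide.
ENROLLMENT_READER_ROLE_ID = "24f8edb6-1668-4659-b5e2-40bb5f3a7d7e"

# Assumption: the endpoint wrapped by the linked "Try it" page.
BASE_URL = "https://management.azure.com"
API_VERSION = "2019-10-01-preview"

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def new_assignment_name():
    """Generate the random, unique GUID used as billingRoleAssignmentName (replaces the online generator)."""
    return str(uuid.uuid4())


def build_role_assignment_request(billing_account_id, principal_object_id, principal_tenant_id,
                                  assignment_name=None, role_definition_id=ENROLLMENT_READER_ROLE_ID):
    """Return (method, url, body) for the PUT the guide performs through the docs pane.

    Raises ValueError for inputs that would make the API answer 400.
    """
    if assignment_name is None:
        assignment_name = new_assignment_name()
    # EA billing account IDs are numeric enrollment numbers (the guide's example is 1111111).
    if not billing_account_id or not billing_account_id.isdigit():
        raise ValueError("billingAccountName must be the numeric EA billing account ID")
    for label, value in (("billingRoleAssignmentName", assignment_name),
                         ("principalId", principal_object_id),
                         ("principalTenantId", principal_tenant_id),
                         ("roleDefinitionId", role_definition_id)):
        if not GUID_RE.match(value):
            raise ValueError(f"{label} is not a GUID: {value!r}")
    url = (f"{BASE_URL}/providers/Microsoft.Billing/billingAccounts/{billing_account_id}"
           f"/billingRoleAssignments/{assignment_name}?api-version={API_VERSION}")
    body = {
        "properties": {
            "principalId": principal_object_id,
            "principalTenantId": principal_tenant_id,
            "roleDefinitionId": (f"/providers/Microsoft.Billing/billingAccounts/{billing_account_id}"
                                 f"/billingRoleDefinitions/{role_definition_id}"),
        }
    }
    return "PUT", url, body


def has_unreplaced_placeholders(body):
    """True if any '<...>' marker from the guide's JSON template is still present."""
    return "<" in json.dumps(body)


def interpret_status(status_code):
    """Map the HTTP status to the troubleshooting advice given in the guide."""
    if status_code == 200:
        return "ok: role assignment created"
    if status_code == 400:
        return "bad request: re-check every parameter and body field"
    if status_code == 403:
        return "forbidden: sign in as an Account Owner or Department Administrator"
    return f"unexpected status {status_code}: raise a helpdesk ticket"


def send_role_assignment(method, url, body, access_token):
    """Send the request with a bearer token for the ARM audience and return the HTTP status code."""
    if has_unreplaced_placeholders(body):
        raise ValueError("body still contains template placeholders")
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method=method,
                                 headers={"Authorization": f"Bearer {access_token}",
                                          "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Constructed sample values; replace with your own before running for real.
    method, url, body = build_role_assignment_request(
        "1111111",
        "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",   # Managed Application Object ID
        "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",   # Directory (tenant) ID
    )
    print(method, url)
    print(json.dumps(body, indent=2))
    # status = send_role_assignment(method, url, body, "<access-token>")
    # print(interpret_status(status))
```

    The placeholder check matters because the docs pane will happily submit a body in which one of the "<...>" markers was left in place, and the resulting 400 gives little hint as to which field was wrong.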
    You have successfully granted the read-only EnrollmentReader role to the CloudMonitor Service Principal. Please proceed with the next step: [Configuring Storage for CloudMonitor to schedule Exports : CloudMonitor Helpdesk](https://helpdesk.cloudmonitor.ai/support/solutions/articles/51000362293-configuring-storage-for-cloudmonitor-to-schedule-exports)
