How to grant EnrollmentReader role to the CloudMonitor Service Principal for EA Billing Accounts

Tip

These instructions show how to grant the read-only EnrollmentReader role to the CloudMonitor Service Principal for customers that have Legacy Enterprise Agreements (EA) with Microsoft.

Only Department Administrators and Account Owners are allowed to assign the EnrollmentReader Role to the CloudMonitor Service Principal. If you do not have any of these 2 roles ask your Enterprise Administrator to assign these roles to you - https://helpdesk.cloudmonitor.ai/support/solutions/articles/51000337718-how-to-assign-roles-as-an-enterprise-administrator-for-enterprise-agreement-customers-

Tip

The following steps will utilize the Azure REST API to grant the read-only EnrollmentReader role to a Service Principal.

Microsoft has confirmed that this is a known limitation of the Azure Portal and provided this alternative method. Customers on MCA agreements do not need to do this step.

Step 1

First navigate to the REST API page - https://learn.microsoft.com/en-us/rest/api/billing/2019-10-01-preview/role-assignments/put?tabs=HTTP#code-try-0 • Sign in with an Admin Account. • Select the AD Tenant that contains the CloudMonitor Service Principal.

Step 2

You will see that the right pane has changed into a simple API platform. In the Parameters section we need to provide values for the following fields:

1. billingAccoutName
2. billingRoleAssignmentName

Step 3

The billingAccountName is your “Billing account ID”. You can find this in the Azure portal on the “Cost Management + Billing” Overview. In our example below it is 1111111.

Step 4

Paste the “Billing account ID” into the billingAccountName input field.

Step 5

For the second input, we need to provide a random, unique GUID. We can generate one using the online GUID/UUID Generator website - https://guidgenerator.com.

Step 6

Paste the GUID in the billingRoleAssignmentName input field.

Step 7

The Parameters section is now done. We will now move onto providing a JSON object in the Body section.

Tip

Copy this JSON object below. It has descriptive placeholders to clearly identify the segments that need to be replaced.

{
  "properties": {
    "principalId": "<your-principal-id>",
    "principalTenantId": "<your-principal-tenantId>",
    "roleDefinitionId": "/providers/Microsoft.Billing/billingAccounts/<your-billing-accountId>/billingRoleDefinitions/<billing-role-definitionId>"
  }
}

Step 8

Replace <your-billing-accountId> with the same billingAccountId used in the “billingAccountName” parameter. In our example, it is “1111111”.

Step 9

Replace <billing-role-definitionId> with “24f8edb6-1668-4659-b5e2-40bb5f3a7d7e”. The reason for this specific value is explained in the next step.

Step 10

Note: “24f8edb6-1668-4659-b5e2-40bb5f3a7d7e” represents the role definition ID for the EnrollmentReader role. This role grants the Service Principal Name (SPN) read access to view your billing information.

Step 11

Then replace <your-principal-tenantId> with your AD Tenant Id. You can locate it via:

1. Go to Azure Ad > App Registrations > Find the CloudMonitor Service Principal/App (Tip: paste the Service Principal’s Client Id for filtering).
2. Replace <your-principal-tenantId> with the “Directory (tenant) Id” field.
3. Stay on this page for a future step.

Step 12

Lastly, replace <your-principal-Id> with the CloudMonitor Service Principal Managed Application resource Object ID. You can find it by:

1. Continuing from the last location & clicking on the Managed Application link.
2. Replace <your-principal-Id> with the “Object ID”.

Step 13

Your Body section should now look similar to the below:

Step 14

Click “Run” – it should return a “200” Status Code if it made the association successfully.

Tip

You have successfully granted the read-only EnrollmentReader role to the CloudMonitor Service Principal. Please let our Support team know so that they can proceed with configuration.