Assign Reader and Tag Contributor Roles (multiple subscriptions)
PreviousAssign Reader and Tag Contributor Roles (single subscription)NextMigrate to Azure Cost Management APIs
Last updated
Was this helpful?
Last updated
Was this helpful?
You can use Azure Management Groups to grant the Client Portal access to your Azure subscriptions. This approach has the following benefits:
You can assign access to multiple subscriptions in a single step.
If you create more Azure subscriptions in the future, access will be automatically granted. It means that when you add an Azure subscription to your tenant, activating it in the Client Portal is unnecessary.
When you onboard your tenant to the Client Portal, an Enterprise Application called SoftwareOne Cloud Consumption (formerly PyraCloud) is created in your tenant. You must then assign the and roles to the "PyraCloud (Azure)" Enterprise Application:
These roles allow the Client Portal to read a list of all the resources in your Azure subscriptions and read and write tags on those resources. You can choose whether you want the Client Portal to write tags back to resources in your Azure subscription using the Cloud Tenant Setup feature.
Use the following commands to onboard your Azure subscriptions:
The following table explains these commands:
az login
Log in to your Microsoft tenant.
az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
az ad sp create --id 2a4807a4-d9e4-457d-b32f-a455e0d3662a
az ad app permission grant --id 2a4807a4-d9e4-457d-b32f-a455e0d3662a --api 00000003-0000-0000-c000-000000000000 --scope "User.Read"
Create the PyraCloud (Azure) service principal (Enterprise Application) in your tenant.
$root_mg=$(az account management-group list --query "[?displayName == 'Tenant Root Group'] | [0] | id" --output tsv)
Get the ID of your Tenant Root Group.
az role assignment create --assignee "2a4807a4-d9e4-457d-b32f-a455e0d3662a" --role "Reader" --scope "$root_mg"
az role assignment create --assignee "2a4807a4-d9e4-457d-b32f-a455e0d3662a" --role "Tag Contributor" --scope "$root_mg"
Assign the Reader and Tag Contributor roles to the PyraCloud (Azure) application in your Tenant Root Group.
Before granting access through the Azure Portal, note the following points:
On the Role tab, select Reader as the role and then select Next.
On the Members tab, select User, group, or service principal if it's not selected by default. Then, choose Select members.
In the Select members panel, search for SoftwareOne Cloud Consumption (formerly PyraCloud Azure).
Use Select to add the enterprise application to the Members list. After the app has been added, select Review + assign.
On the Review + assign tab, review the details and select Review + assign to confirm the role assignment.
Elevate your permissions to manage all Azure subscriptions and management groups. See .
Ensure that you have .
Ensure that you have the correct permissions to manage access to all Azure subscriptions and management groups in your tenant. For instructions, see in the Microsoft documentation.
Launch the and search for Management groups.
To assign the Tag Contributor role, follow all the steps in , but choose Tag Contributor as your role instead of Reader.
