Assign Reader and Tag Contributor Roles (multiple subscriptions)

Use Azure Management Group to assign permissions across multiple subscriptions in a single step.

You can use Azure Management Groups to grant the Client Portal access to your Azure subscriptions. This approach has the following benefits:

You can assign access to multiple subscriptions in a single step.
If you create more Azure subscriptions in the future, access will be automatically granted. It means when you add an Azure subscription to your tenant, activating it in the Client Portal is unnecessary.

How does it work?

When you onboard your tenant to the Client Portal, an Enterprise Application called PyraCloud (Azure) is created in your tenant. You must then assign the Tag Contributor and Reader roles to the "PyraCloud (Azure)" Enterprise Application:

These roles allow the Client Portal to read a list of all the resources in your Azure subscriptions, and read and write tags on those resources. You can choose whether you want the Client Portal to write tags back to resources in your Azure subscription using the Cloud Tenant Setup feature.

Grant access using Azure CLI

Before granting access using Azure CLI, note the following points:

Ensure that you've installed PowerShell and Azure CLI. For installation instructions, see Install PowerShell and Install Azure CLI.
The script utilizes PowerShell variables, therefore, you must execute this script at a PowerShell prompt instead of a normal command prompt.

Use the following commands to onboard your Azure subscriptions:

az login



az ad sp create --id 2a4807a4-d9e4-457d-b32f-a455e0d3662a

az ad app permission grant --id 2a4807a4-d9e4-457d-b32f-a455e0d3662a --api 00000003-0000-0000-c000-000000000000 --scope "User.Read"

$root_mg=$(az account management-group list --query "[?displayName == 'Tenant Root Group'] | [0] | id" --output tsv)

az role assignment create --assignee "2a4807a4-d9e4-457d-b32f-a455e0d3662a" --role "Reader" --scope "$root_mg"

az role assignment create --assignee "2a4807a4-d9e4-457d-b32f-a455e0d3662a" --role "Tag Contributor" --scope "$root_mg"

The following table explains these commands:

Command Description

Command	Description
`az login`	Log in to your Microsoft tenant.
`az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"`	Elevate your permissions to manage all Azure subscriptions and management groups. See Microsoft Documentation.
`az ad sp create --id 2a4807a4-d9e4-457d-b32f-a455e0d3662a` `az ad app permission grant --id 2a4807a4-d9e4-457d-b32f-a455e0d3662a --api 00000003-0000-0000-c000-000000000000 --scope "User.Read"`	Create the PyraCloud (Azure) service principal (Enterprise Application) in your tenant.
`$root_mg=$(az account management-group list --query "[?displayName == 'Tenant Root Group'] \| [0] \| id" --output tsv)`	Get the ID of your Tenant Root Group.
`az role assignment create --assignee "2a4807a4-d9e4-457d-b32f-a455e0d3662a" --role "Reader" --scope "$root_mg"` `az role assignment create --assignee "2a4807a4-d9e4-457d-b32f-a455e0d3662a" --role "Tag Contributor" --scope "$root_mg"`	Assign the Reader and Tag Contributor roles to the PyraCloud (Azure) application in your Tenant Root Group.

az login

az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"

Elevate your permissions to manage all Azure subscriptions and management groups. See Microsoft Documentation.

az ad sp create --id 2a4807a4-d9e4-457d-b32f-a455e0d3662a

az ad app permission grant --id 2a4807a4-d9e4-457d-b32f-a455e0d3662a --api 00000003-0000-0000-c000-000000000000 --scope "User.Read"

Create the PyraCloud (Azure) service principal (Enterprise Application) in your tenant.

$root_mg=$(az account management-group list --query "[?displayName == 'Tenant Root Group'] | [0] | id" --output tsv)

Get the ID of your Tenant Root Group.

az role assignment create --assignee "2a4807a4-d9e4-457d-b32f-a455e0d3662a" --role "Reader" --scope "$root_mg"

az role assignment create --assignee "2a4807a4-d9e4-457d-b32f-a455e0d3662a" --role "Tag Contributor" --scope "$root_mg"

Assign the Reader and Tag Contributor roles to the PyraCloud (Azure) application in your Tenant Root Group.

Grant access using the Azure Portal

Before granting access through the Azure Portal, note the following points:

Ensure that you've onboarded your tenant.
Ensure that have the correct permissions to manage access to all Azure subscriptions and management groups in your tenant. For instructions, see Elevate access to manage all Azure subscriptions and management groups in the Microsoft documentation.

Step 1: Search for Management Groups

Launch the Azure Portal and search for Management groups.
On the Management groups page, select Tenant Root Group. Note that regardless of your organization's configuration, you'll always have a Tenant Root Group. It might have been renamed, but it always appears at the top of the hierarchy.

Step 2: Open the Add role assignment page

From the left sidebar, select Access control (IAM).

Click Add > Add role assignment.

The Add role assignment page opens.

Step 3: Assign the Reader role

On the Role tab, select Reader as the role and click Next. The Member tab opens.

Select User, group, or service principal if it's not selected by default, and then click Select members.

In the Select members panel, type Pyra and then select PyraCloud (Azure) from the search results.

Click Select to add PyraCloud (Azure) to the Members list. Once PyraCloud (Azure) is added, click Review + assign.
On the Review + assign tab, review the details and click Review + assign to confirm the role assignment.

Step 4: Assign the Tag Contributor role

To assign the Tag Contributor role, follow all of the steps in Step 3: Assign the Reader role, but choose Tag Contributor as your role instead of Reader.

After you've completed the steps, the roles are assigned and displayed on the Role assignments tab.

PreviousAssign Reader and Tag Contributor Roles (single subscription)NextMigrate to Azure Cost Management APIs