Multiple Failures when configuring Enrollment Scope Error 403
🐛 Problem
Attempts to assign enrollment reader permission to ADF managed identity fail
👣 Repro steps
EA Account owner is running script to assign enrollment reader permission. Receiving Error Status Code 403 Could not read response body
📷 Screenshots
Hi @kstepha0
That command constructs a URI using the billingAccountId.
```powershell
"{0}providers/Microsoft.Billing/billingAccounts/{1}/billingRoleAssignments/{2}?api-version={3}" -f $azContext.Environment.ResourceManagerUrl, $BillingAccountId, (New-Guid).Guid, $apiVersion
```
The 403 implies that something is wrong with the URL being constructed - my assumption is it's the billingAccountId
```powershell
Add-FinOpsServicePrincipal -BillingAccountId 8611537 -ObjectId ad2135a7-0000-0000-0000-185f8c75895b -TenantId 16b3c013-0000-0000-0000-7eda0820b6d3
```

```text
id                                                                                                                                  name                                 properties
--                                                                                                                                  ----                                 ----------
/providers/Microsoft.Billing/billingAccounts/8611537/billingRoleAssignments/959bc89a-0000-0000-0000-7788e87d9823                   959bc89a-0000-0000-0000-7788e87d9823 @{createdOn=7/18/2025 7:19:11 AM; createdByPrincipalTenantId=16b3c013-0000-0000-0000-7eda0820b6d3; createdBy…
Successfully granted Enrollment Reader permissions to the specified service principal.
```
Either that or you're perhaps still using PowerShell v5?
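The comment above explains that the toolkit builds the billing-role-assignment URI from the billing account ID, so a 403 usually means the ID, the identity, or the PowerShell version is wrong before the request ever reaches the billing API. The following is an added preflight script, not part of the FinOps toolkit and not code from anyone on this thread; the function names `Test-EnrollmentScopeInputs` and `Get-EnrollmentScopeProbe` are hypothetical, and the `2019-10-01-preview` api-version is assumed. It validates the three parameters locally, checks the PowerShell version and Az context, and then issues a read-only GET against the same billing account path so the caller can see whether the scope resolves at all before attempting the role assignment.

```powershell
# Added diagnostic example for this thread (not the FinOps toolkit's own code).
# Assumes Az.Accounts is installed and the EA account owner has run Connect-AzAccount.

function Test-EnrollmentScopeInputs {
    param(
        [Parameter(Mandatory)] [string] $BillingAccountId,
        [Parameter(Mandatory)] [string] $ObjectId,
        [Parameter(Mandatory)] [string] $TenantId
    )
    # Collect every problem instead of stopping at the first one.
    $problems = @()

    # EA enrollment billing account IDs are numeric (8611537 on this thread);
    # a GUID or a tenant ID pasted here produces a URI that the API rejects.
    if ($BillingAccountId -notmatch '^\d+$') {
        $problems += "BillingAccountId '$BillingAccountId' is not a numeric EA enrollment number"
    }

    # ObjectId and TenantId must both be GUIDs.
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($ObjectId, [ref]$parsed)) { $problems += "ObjectId '$ObjectId' is not a GUID" }
    if (-not [guid]::TryParse($TenantId, [ref]$parsed)) { $problems += "TenantId '$TenantId' is not a GUID" }

    # The thread raises PowerShell v5 as a possible cause; flag anything below 7.
    if ($PSVersionTable.PSVersion.Major -lt 7) {
        $problems += "PowerShell $($PSVersionTable.PSVersion) detected; run this in PowerShell 7 or later"
    }

    # No Az context means no bearer token, which surfaces as 401/403 from the API.
    $ctx = Get-AzContext
    if (-not $ctx) {
        $problems += "No Az context found; run Connect-AzAccount as the EA account owner first"
    }
    elseif ($ctx.Tenant.Id -ne $TenantId) {
        # Not necessarily wrong (cross-tenant grants exist), but worth surfacing.
        $problems += "Signed-in tenant $($ctx.Tenant.Id) differs from -TenantId $TenantId"
    }

    return $problems
}

function Get-EnrollmentScopeProbe {
    param(
        [Parameter(Mandatory)] [string] $BillingAccountId,
        [string] $ApiVersion = '2019-10-01-preview'   # assumed api-version for the billing API
    )
    $ctx = Get-AzContext
    if (-not $ctx) { throw "No Az context; run Connect-AzAccount first" }

    # Same base and billing-account segment the toolkit uses for its PUT,
    # but a read-only GET on the account itself, so nothing is changed.
    $uri = "{0}providers/Microsoft.Billing/billingAccounts/{1}?api-version={2}" -f `
        $ctx.Environment.ResourceManagerUrl, $BillingAccountId, $ApiVersion

    $resp = Invoke-AzRestMethod -Method GET -Uri $uri

    # Map the status code to the most likely cause so the owner knows what to check next.
    $hint = switch ($resp.StatusCode) {
        200 { 'Billing account resolved; the caller can read it. If PUT still fails, check the role grant on the caller.' }
        401 { 'No valid token for the billing API; sign in again and confirm the account is the EA account owner.' }
        403 { 'Caller authenticated but is not authorised on this billing account; confirm the ID and the caller role.' }
        404 { 'Billing account ID not found under this tenant; re-check the enrollment number.' }
        default { "Unexpected status $($resp.StatusCode); inspect the body below." }
    }

    return [pscustomobject]@{
        Uri        = $uri
        StatusCode = $resp.StatusCode
        Body       = $resp.Content
        Hint       = $hint
    }
}

# Usage (values are the placeholders from this thread, not real identities):
# $issues = Test-EnrollmentScopeInputs -BillingAccountId 8611537 `
#     -ObjectId ad2135a7-0000-0000-0000-185f8c75895b -TenantId 16b3c013-0000-0000-0000-7eda0820b6d3
# if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
# else { Get-EnrollmentScopeProbe -BillingAccountId 8611537 | Format-List }
```

Running the probe before the toolkit command separates "the URI points at nothing" (404) from "the URI is right but the caller lacks rights" (401/403), which is the distinction the thread needed before escalating to support.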
Hi @MSBrett ,
We confirmed the enterprise billing account ID is correct. The billing account owner is running the command in the Azure CLI. We reran after confirming the account ID again, and the role assignment failed, but no error or exception was thrown.
I switched the scope in the config file to run the config_ConfigureExports which failed and received the following: Error: {"error":{"code":"401","message":"No claims present for the caller in the system"}
Is there a specific role besides billing account owner known that is confirmed to be able to assign this scope?
Thanks
We have re-attempted the enrollment role assignment with a new deployment with same error.
OK, give this a go. https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/assign-roles-azure-service-principals
If that doesn't fix it, you're going to need to get hold of support so they can help you troubleshoot, because you're hitting the API directly here.
Please post results here so we can track this!
@MSBrett This worked, thank you for your help!