This article shows you how to grant Role-Based Access Control (RBAC) access to Azure reservations using PowerShell. To view and manage RBAC access in Azure portal, see Permissions to view and manage Azure reservations.
Note
We recommend that you use the Azure Az PowerShell module to interact with Azure. To get started, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
Grant access with PowerShell
Users who have owner access for reservation orders, users with elevated access, and User Access Administrators can delegate access management for all reservation orders they have access to.
Access granted using PowerShell isn't shown in the Azure portal. Instead, you use the Get-AzRoleAssignment command in the following section to view assigned roles.
Assign the owner role for all reservations
Use the following Azure PowerShell script to give a user Azure RBAC access to all reservation orders in their Microsoft Entra tenant (directory).
Import-Module Az.Accounts
Import-Module Az.Resources
Connect-AzAccount -Tenant <TenantId>
$response = Invoke-AzRestMethod -Path /providers/Microsoft.Capacity/reservations?api-version=2020-06-01 -Method GET
$responseJSON = $response.Content | ConvertFrom-JSON
$reservationObjects = $responseJSON.value
foreach ($reservation in $reservationObjects)
{
    $reservationOrderId = $reservation.id.substring(0, 84)
    Write-Host "Assigning Owner role assignment to "$reservationOrderId
    New-AzRoleAssignment -Scope $reservationOrderId -ObjectId <ObjectId> -RoleDefinitionName Owner
}
When you use the PowerShell script to assign the ownership role and it runs successfully, a success message isn’t returned.
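Because the script prints no success message and the portal doesn't show the result, it helps to check before assigning and to read each assignment back. The following variant is an added example, not part of the original script: the `$tenantId`, `$objectId`, and `$report` names are illustrative, and it assumes reservation IDs have the form `/providers/Microsoft.Capacity/reservationOrders/<GUID>/reservations/<GUID>`, which is what the `substring(0, 84)` call relies on.

```powershell
Import-Module Az.Accounts
Import-Module Az.Resources

# Placeholders, as in the original script: fill these in before running.
$tenantId = '<TenantId>'
$objectId = '<ObjectId>'

Connect-AzAccount -Tenant $tenantId | Out-Null

$response = Invoke-AzRestMethod -Path '/providers/Microsoft.Capacity/reservations?api-version=2020-06-01' -Method GET
if ($response.StatusCode -ne 200) {
    throw "Listing reservations failed with HTTP $($response.StatusCode)"
}

# Derive each reservation order scope by pattern rather than a fixed length,
# and de-duplicate so an order holding several reservations is handled once.
$orderScopes = ($response.Content | ConvertFrom-Json).value | ForEach-Object {
    if ($_.id -match '^(/providers/Microsoft\.Capacity/reservationOrders/[0-9a-f-]{36})/') {
        $Matches[1]
    }
} | Sort-Object -Unique

$report = foreach ($scope in $orderScopes) {
    # Count only an assignment made exactly at this scope, not an inherited one.
    $existing = Get-AzRoleAssignment -Scope $scope -ObjectId $objectId -RoleDefinitionName Owner |
        Where-Object { $_.Scope -eq $scope }

    $action = 'AlreadyAssigned'
    if (-not $existing) {
        New-AzRoleAssignment -Scope $scope -ObjectId $objectId -RoleDefinitionName Owner -ErrorAction Stop | Out-Null
        $action = 'Assigned'
    }

    # Read the assignment back, since no success message is returned.
    $confirmed = [bool](Get-AzRoleAssignment -Scope $scope -ObjectId $objectId -RoleDefinitionName Owner |
        Where-Object { $_.Scope -eq $scope })

    [pscustomobject]@{ Scope = $scope; Action = $action; Confirmed = $confirmed }
}

$report | Format-Table -AutoSize
```

Any row with `Confirmed` set to `False` identifies a reservation order where the Owner assignment can't be read back and needs follow-up.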
Parameters
-ObjectId Microsoft Entra ObjectId of the user, group, or service principal.
- Type: String
- Aliases: Id, PrincipalId
- Position: Named
- Default value: None
- Accept pipeline input: True
- Accept wildcard characters: False
-TenantId Tenant unique identifier.
- Type: String
- Position: 5
- Default value: None
- Accept pipeline input: False
- Accept wildcard characters: False
Tenant-level access
User Access Administrator rights are required before you can grant users or groups the Reservations Administrator, Reservations Contributor, and Reservations Reader roles at the tenant level. To get User Access Administrator rights at the tenant level, follow the Elevate access steps.
Add a Reservations Administrator role, Reservations Contributor role, or Reservations Reader role at the tenant level
Only Global Administrators can assign these roles from the Azure portal.
- Sign in to the Azure portal and navigate to Reservations.
- Select a reservation that you have access to.
- At the top of the page, select Role Assignment.
- Select the Roles tab.
- To make modifications, add a user as a Reservations Administrator, Reservations Contributor, or Reservations Reader using Access control.
Add a Reservations Administrator role at the tenant level using an Azure PowerShell script
Use the following Azure PowerShell script to add a Reservations Administrator role at the tenant level.
Import-Module Az.Accounts
Import-Module Az.Resources
Connect-AzAccount -Tenant <TenantId>
New-AzRoleAssignment -Scope "/providers/Microsoft.Capacity" -PrincipalId <ObjectId> -RoleDefinitionName "Reservations Administrator"
Parameters
-ObjectId Microsoft Entra ObjectId of the user, group, or service principal.
- Type: String
- Aliases: Id, PrincipalId
- Position: Named
- Default value: None
- Accept pipeline input: True
- Accept wildcard characters: False
-TenantId Tenant unique identifier.
- Type: String
- Position: 5
- Default value: None
- Accept pipeline input: False
- Accept wildcard characters: False
Add a Reservations Contributor role at the tenant level using an Azure PowerShell script
Use the following Azure PowerShell script to add a Reservations Contributor role at the tenant level.
Import-Module Az.Accounts
Import-Module Az.Resources
Connect-AzAccount -Tenant <TenantId>
New-AzRoleAssignment -Scope "/providers/Microsoft.Capacity" -PrincipalId <ObjectId> -RoleDefinitionName "Reservations Contributor"
Parameters
-ObjectId Microsoft Entra ObjectId of the user, group, or service principal.
- Type: String
- Aliases: Id, PrincipalId
- Position: Named
- Default value: None
- Accept pipeline input: True
- Accept wildcard characters: False
-TenantId Tenant unique identifier.
- Type: String
- Position: 5
- Default value: None
- Accept pipeline input: False
- Accept wildcard characters: False
Assign a Reservations Reader role at the tenant level using an Azure PowerShell script
Use the following Azure PowerShell script to assign the Reservations Reader role at the tenant level.
Import-Module Az.Accounts
Import-Module Az.Resources
Connect-AzAccount -Tenant <TenantId>
New-AzRoleAssignment -Scope "/providers/Microsoft.Capacity" -PrincipalId <ObjectId> -RoleDefinitionName "Reservations Reader"
Parameters
-ObjectId Microsoft Entra ObjectId of the user, group, or service principal.
- Type: String
- Aliases: Id, PrincipalId
- Position: Named
- Default value: None
- Accept pipeline input: True
- Accept wildcard characters: False
-TenantId Tenant unique identifier.
- Type: String
- Position: 5
- Default value: None
- Accept pipeline input: False
- Accept wildcard characters: False
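The tenant-level assignments above apply to every reservation in the directory, so they are worth reviewing periodically. The following audit is an added example, not part of the original article: it lists who holds each of the three roles at the `/providers/Microsoft.Capacity` scope and flags entries that deserve a closer look. The `$reservationRoles`, `$assignments`, and `$findings` names are illustrative.

```powershell
Import-Module Az.Accounts
Import-Module Az.Resources

Connect-AzAccount -Tenant '<TenantId>' | Out-Null   # placeholder, as in the scripts above

$scope = '/providers/Microsoft.Capacity'
$reservationRoles = 'Reservations Administrator', 'Reservations Contributor', 'Reservations Reader'

# Get-AzRoleAssignment -Scope also returns assignments inherited from parent
# scopes, so keep only those made exactly at the tenant-level reservations scope.
$assignments = Get-AzRoleAssignment -Scope $scope |
    Where-Object { $_.Scope -eq $scope -and $_.RoleDefinitionName -in $reservationRoles }

# Full listing: one row per principal and role.
$assignments |
    Sort-Object RoleDefinitionName, DisplayName |
    Select-Object RoleDefinitionName, ObjectType, DisplayName, SignInName, ObjectId |
    Format-Table -AutoSize

$findings = @()

# An ObjectType of 'Unknown' usually means the principal was deleted and the
# assignment was left behind.
$findings += $assignments | Where-Object ObjectType -eq 'Unknown' | ForEach-Object {
    [pscustomobject]@{ ObjectId = $_.ObjectId; Finding = "Orphaned '$($_.RoleDefinitionName)' assignment" }
}

# A principal holding several of the three roles has redundant grants;
# the broadest one is what actually applies.
$findings += $assignments | Group-Object ObjectId | Where-Object Count -gt 1 | ForEach-Object {
    $roles = ($_.Group.RoleDefinitionName | Sort-Object -Unique) -join ', '
    [pscustomobject]@{ ObjectId = $_.Name; Finding = "Holds multiple roles: $roles" }
}

# Non-user principals with write access tenant-wide should have a documented owner.
$findings += $assignments |
    Where-Object { $_.RoleDefinitionName -ne 'Reservations Reader' -and $_.ObjectType -ne 'User' } |
    ForEach-Object {
        [pscustomobject]@{ ObjectId = $_.ObjectId; Finding = "$($_.ObjectType) holds '$($_.RoleDefinitionName)'" }
    }

$findings | Format-Table -AutoSize
```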