Adding Azure Enrollment Reader Roles with PowerShell

Article ID: 283962

Products

CloudHealth

Issue/Introduction

This article describes the steps to add the Enrollment Reader role to an enrollment using PowerShell.

Resolution

Prerequisites:

  • Azure user account with Enterprise Admin permission.
  • PowerShell version 5.1 or above. (You can also run this script in Azure Cloud Shell in PowerShell mode.)
  • Azure PowerShell modules (Az.Resources and Az.Accounts).
  • The Application ID and Enrollment ID from the VMware Aria Cost Portal.

If the Azure PowerShell modules are not installed, run the commands below to install them first (no Administrator privilege is required).

Install-Module Az.Resources -Scope CurrentUser -Force
Install-Module Az.Accounts -Scope CurrentUser -Force

Steps to add Enrollment Reader role:

  1. Open PowerShell ISE.
  2. Install the above PowerShell Modules if they have not already been installed (see steps above).
  3. Copy and paste the script below into the script editor window.
  4. Press F5 or click on the Run Script button to execute the script.
  5. Enter the Azure Application ID and EA ID when prompted.

# Connect to Azure (sign in with the Enterprise Admin account)
Connect-AzAccount

# Get input for Azure Application Id and Billing Account Id
$AppId = Read-Host "Enter Azure Application Id"
$BillingAccountId = Read-Host "Enter Enrollment Account (EA) Id"

# Fetch the Object Id of the service principal using the Application Id.
$objectId = (Get-AzADServicePrincipal -ApplicationId $AppId).Id
if (-not $objectId) { throw "No service principal found for Application Id '$AppId'." }

# Fetch the Tenant ID.
$tenantId = (Get-AzContext).Tenant.Id

# Fetch the access token for the REST API request.
# Newer Az.Accounts versions return the token as a SecureString; convert it for the header.
$azAccessToken = (Get-AzAccessToken).Token
if ($azAccessToken -is [System.Security.SecureString]) {
    $azAccessToken = [System.Net.NetworkCredential]::new('', $azAccessToken).Password
}

# Generate a random GUID for the billing role assignment name.
$AssignmentName = (New-Guid).Guid

# Run the REST API call using the access token to add the Enrollment Reader permission.
# The PUT targets billingRoleAssignments; billingRoleDefinitions appears only in roleDefinitionId.
$url = "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/$BillingAccountId/billingRoleAssignments/$AssignmentName" + "?api-version=2019-10-01-preview"

$body = @{
    "properties" = @{
        "principalId"       = "$objectId"
        "principalTenantId" = "$tenantId"
        "roleDefinitionId"  = "/providers/Microsoft.Billing/billingAccounts/$BillingAccountId/billingRoleDefinitions/24f8edb6-1668-4659-b5e2-40bb5f3a7d7e"
    }
} | ConvertTo-Json

$Headers = @{
    "Authorization" = "Bearer $azAccessToken"
    "Content-Type"  = "application/json"
}

$response = Invoke-RestMethod -Uri $url -Method PUT -Headers $Headers -Body $body

# Output the response (as JSON, so nested properties are readable)
Write-Host ($response | ConvertTo-Json -Depth 5)
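
After the assignment is created, it is worth confirming that the service principal holds the Enrollment Reader role on the enrollment and no other billing role. The check below is an added example, not part of the original article or vendor tooling. The function name Test-EnrollmentReaderOnly is hypothetical, the sample IDs are constructed placeholders, and the response shape (value[].properties.principalId and roleDefinitionId) is assumed to mirror the request body used above.

```powershell
# Added example (not from the article): audit one principal's billing roles.
# Enrollment Reader role definition ID, as used in the article's script.
$EnrollmentReaderId = '24f8edb6-1668-4659-b5e2-40bb5f3a7d7e'

function Test-EnrollmentReaderOnly {
    param(
        [Parameter(Mandatory)] [object[]] $Assignments,  # 'value' array from the list call
        [Parameter(Mandatory)] [guid]     $PrincipalId   # service principal object ID
    )
    # Keep only the assignments that belong to this principal.
    $mine = @($Assignments | Where-Object { $_.properties.principalId -eq $PrincipalId.ToString() })
    # The role is the last path segment of roleDefinitionId.
    $roles = @($mine | ForEach-Object { ($_.properties.roleDefinitionId -split '/')[-1] })
    [pscustomobject]@{
        PrincipalId       = $PrincipalId
        AssignmentCount   = $mine.Count
        HasReader         = $roles -contains $EnrollmentReaderId
        UnexpectedRoleIds = @($roles | Where-Object { $_ -ne $EnrollmentReaderId })
    }
}

# Live use after Connect-AzAccount, with $BillingAccountId and $objectId from the script above:
# $r = Invoke-AzRestMethod -Method GET -Path "/providers/Microsoft.Billing/billingAccounts/$BillingAccountId/billingRoleAssignments?api-version=2019-10-01-preview"
# Test-EnrollmentReaderOnly -Assignments ($r.Content | ConvertFrom-Json).value -PrincipalId $objectId

# Constructed sample response (placeholder IDs, not real tenant data).
$sample = @'
{ "value": [
  { "properties": { "principalId": "11111111-1111-1111-1111-111111111111",
      "roleDefinitionId": "/providers/Microsoft.Billing/billingAccounts/0000000/billingRoleDefinitions/24f8edb6-1668-4659-b5e2-40bb5f3a7d7e" } },
  { "properties": { "principalId": "22222222-2222-2222-2222-222222222222",
      "roleDefinitionId": "/providers/Microsoft.Billing/billingAccounts/0000000/billingRoleDefinitions/00000000-0000-0000-0000-0000000000aa" } }
] }
'@ | ConvertFrom-Json

Test-EnrollmentReaderOnly -Assignments $sample.value -PrincipalId '11111111-1111-1111-1111-111111111111'
```

A non-empty UnexpectedRoleIds means the principal has more than read access to the enrollment and the extra assignments should be reviewed. Invoke-AzRestMethod reuses the signed-in context, so the audit does not need a bearer token held in a variable.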