
I am in the process of exploring how to create a new Azure subscription using Bicep, a declarative language for Azure resources. I'm using Azure DevOps to deploy the Bicep template. Specifically, I want to deploy the new subscription into a pre-defined management group in my Azure environment. My current billing model is under the Microsoft Customer Agreement (MCA).

For this task, I have been following Microsoft's guide on programmatically creating a subscription under an MCA agreement: https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/programmatically-create-subscription-microsoft-customer-agreement?tabs=rest

Below is the Bicep code I've used (all fields entered according to my ENV):

```bicep
targetScope = 'managementGroup'

@description('Provide a name for the alias. This name will also be the display name of the subscription.')
param subscriptionAliasName string

@description('Provide the full resource ID of billing scope to use for subscription creation.')
param billingScope string

resource subscriptionAlias 'Microsoft.Subscription/aliases@2021-10-01' = {
  scope: tenant()
  name: subscriptionAliasName
  properties: {
    workload: 'Production'
    displayName: subscriptionAliasName
    billingScope: billingScope
  }
}
```

To deploy the template, I used the following Azure DevOps pipeline:

```yaml
trigger:
- none

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: AzureCLI@2
  inputs:
    azureSubscription: 'Jo'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      echo "Installing the Bicep CLI"
      az bicep version
      echo "Deploying Bicep template to Management Group Jo"
      az deployment mg create --location australiaeast --management-group-id Jo --template-file ./idsub.bicep
```

However, I've encountered an error indicating that I have insufficient permissions on the invoice section, which is unusual as I am owner.

Here is the specific error:

```
Deploying Bicep template to Management Group Jo
ERROR: {"status":"Failed","error":{"code":"DeploymentFailed","target":"/providers/Microsoft.Management/managementGroups/Jo/providers/Microsoft.Resources/deployments/idsub","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"InsufficientPermissionsOnInvoiceSection","message":"Cannot create subscription since either invoice section is not found or you do not have sufficient permissions under the provided invoice section. Try again with a different invoice section or contact invoice section owner for permissions"}]}}
##[error]Script failed with exit code: 1
/usr/bin/az account clear
Finishing: AzureCLI
```

I'd be extremely grateful if anyone who has managed to achieve this could share their experience. I've tried multiple approaches.

Thank you in advance for your insights!

  • Can you try assigning the `Azure subscription Creator` role to the specific user or the service principal that you are using to authenticate and deploy the template? Refer to [this documentation](https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/understand-mca-roles#billing-role-definitions) for more information about billing role definitions for MCA subscription. – VenkateshDodda Aug 29 '23 at 12:16
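The error above names two possible causes: the invoice section was not found, or the deploying identity lacks permissions on it. The following preflight check is an added example, not part of the original post or comment. It rules out a malformed `billingScope` before deployment and shows which identity the `AzureCLI@2` task is signed in as. The function names are hypothetical, the scope shape is assumed from the Microsoft guide linked in the question, and the sample scope is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): preflight check for the
# billingScope value passed to idsub.bicep. Assumes the MCA invoice-section
# scope shape given in the Microsoft guide linked in the question.

# On success prints "<billingAccount> <billingProfile> <invoiceSection>".
# On failure prints the reason to stderr and returns 1.
parse_mca_billing_scope() {
  scope=$1
  case $scope in
    *[[:space:]]*|*//*|*/)
      echo "billingScope has whitespace, an empty segment or a trailing slash" >&2
      return 1 ;;
    /providers/Microsoft.Billing/billingAccounts/*) ;;
    *)
      echo "billingScope must start with /providers/Microsoft.Billing/billingAccounts/" >&2
      return 1 ;;
  esac
  old_ifs=$IFS; IFS=/; set -f
  set -- $scope          # $1 is empty (leading "/"), $5 is the billing account
  set +f; IFS=$old_ifs
  if [ "$#" -ge 6 ] && [ "$6" = enrollmentAccounts ]; then
    echo "billingScope is an EA enrollment account, not an MCA invoice section" >&2
    return 1
  fi
  if [ "$#" -ne 9 ] || [ "$6" != billingProfiles ] || [ "$8" != invoiceSections ]; then
    echo "billingScope must end in /billingProfiles/<name>/invoiceSections/<name>" >&2
    return 1
  fi
  printf '%s %s %s\n' "$5" "$7" "$9"
}

# Identity the AzureCLI@2 task is signed in as; billing roles on the invoice
# section must be granted to this principal. Call it from the inline script.
pipeline_identity() {
  az account show --query '{name:user.name, type:user.type}' --output json
}

# Constructed placeholder value, not a real billing account.
SAMPLE_SCOPE='/providers/Microsoft.Billing/billingAccounts/ACCT-PLACEHOLDER/billingProfiles/PROFILE-PLACEHOLDER/invoiceSections/SECTION-PLACEHOLDER'
parse_mca_billing_scope "$SAMPLE_SCOPE"
```

If `pipeline_identity` reports a `servicePrincipal`, the billing role has to be assigned to that service principal on the invoice section, independently of any roles held by the person who owns the pipeline.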
