Joshua Martin

Reputation: 3

Azure programmatically deploy subscription to specified MG

I am in the process of exploring how to create a new Azure subscription using Bicep, a declarative language for Azure resources. I'm using Azure DevOps to deploy the Bicep template. Specifically, I want to deploy the new subscription into a pre-defined management group in my Azure environment. My current billing model is under the Microsoft Customer Agreement (MCA).

For this task, I have been following Microsoft's guide on programmatically creating a subscription under an MCA agreement: https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/programmatically-create-subscription-microsoft-customer-agreement?tabs=rest

Below is the Bicep code I've used (all fields entered according to my environment):

targetScope = 'managementGroup'

@description('Provide a name for the alias. This name will also be the display name of the subscription.')
param subscriptionAliasName string

@description('Provide the full resource ID of billing scope to use for subscription creation.')
param billingScope string

resource subscriptionAlias 'Microsoft.Subscription/aliases@2021-10-01' = {
  scope: tenant()
  name: subscriptionAliasName
  properties: {
    workload: 'Production'
    displayName: subscriptionAliasName
    billingScope: billingScope
  }
}

To deploy the template, I used the following Azure DevOps pipeline:

trigger:
- none

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: AzureCLI@2
  inputs:
    azureSubscription: 'Jo' 
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      echo "Installing the Bicep CLI"
      az bicep version
      echo "Deploying Bicep template to Management Group Jo"
      az deployment mg create --location australiaeast --management-group-id Jo --template-file ./idsub.bicep

However, I've encountered an error indicating that I have insufficient permissions on the invoice section, which is unusual as I am Owner.

Here is the specific error:

Deploying Bicep template to Management Group Jo
ERROR: {"status":"Failed","error":{"code":"DeploymentFailed","target":"/providers/Microsoft.Management/managementGroups/Jo/providers/Microsoft.Resources/deployments/idsub","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"InsufficientPermissionsOnInvoiceSection","message":"Cannot create subscription since either invoice section is not found or you do not have sufficient permissions under the provided invoice section. Try again with a different invoice section or contact invoice section owner for permissions"}]}}
##[error]Script failed with exit code: 1
/usr/bin/az account clear
Finishing: AzureCLI

I'd be extremely grateful if anyone who has managed to achieve this could share their experience. I've tried multiple approaches.

Thank you in advance for your insights!

Upvotes: 0

Views: 692

Answers (1)

Joshua Martin

Reputation: 3

I can't remember precisely what fixed this issue, but I did jot this down, which I think fixed the permission issue. Hopefully this helps others with this problem:

There was a resource authorization issue: The pipeline is not valid. Job Job: Step AzureCLI input connectedServiceNameARM references service connection Azure subscription 1 which could not be found. The service connection does not exist or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz.

(I have to go into the Portal and give myself the Global Administrator role to deploy Management Groups requiring higher access.)

Once this has been done, following the link, I then went into Azure PowerShell and gave myself SPN permission (note: to get the $spnAppId, go to Azure AD -> App Registration -> applicationId).

This appears to have worked with the following PowerShell command:

# Application (client) ID of the pipeline's service principal
# (Azure AD -> App registrations -> applicationId)
$spnAppId = " "
# Resolve the service principal's object ID from its application ID
$spn = (Get-AzADServicePrincipal -ApplicationId $spnAppId).id

# Assign Owner at the tenant root scope ('/') to that object ID
New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $spn

Upvotes: 0
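Owner at the tenant root scope is an Azure RBAC assignment, while the InsufficientPermissionsOnInvoiceSection error comes from the MCA billing role system, which is separate from Azure RBAC. A useful pre-flight check before running the pipeline is therefore whether the pipeline's service principal (its object ID, the `.id` the answer retrieves, not the application ID) holds a subscription-creating role on the invoice section named in `billingScope`. The Python below is an added example, not code from the question, the answer or Microsoft: it builds the `billingScope` value the Bicep template expects, parses the body of the billing role assignments GET call from the linked guide, and pulls the nested error code out of an `az deployment` failure like the one above. The role assignments response is constructed sample data with placeholder names and GUIDs; the three invoice-section role definition IDs are assumed from the MCA billing-roles documentation and should be verified against the linked guide.

```python
"""Pre-flight check for MCA subscription creation (added example).

Confirms that a service principal holds an invoice-section billing role
that can create subscriptions, builds the billingScope string the Bicep
template expects, and extracts the inner error codes from an
`az deployment mg create` failure body.
"""
import json

# Invoice-section role definition IDs for MCA billing accounts.
# ASSUMPTION: taken from the MCA billing-roles documentation; verify them
# against the linked guide before relying on this mapping.
INVOICE_SECTION_ROLES = {
    "30000000-aaaa-bbbb-cccc-100000000000": "Invoice section owner",
    "30000000-aaaa-bbbb-cccc-100000000001": "Invoice section contributor",
    "30000000-aaaa-bbbb-cccc-100000000002": "Azure subscription creator",
}


def billing_scope(account_name, profile_name, section_name):
    """Build the billingScope resource ID passed to the Bicep template."""
    return (f"/providers/Microsoft.Billing/billingAccounts/{account_name}"
            f"/billingProfiles/{profile_name}/invoiceSections/{section_name}")


def roles_for_principal(role_assignments_body, principal_object_id):
    """Return the subscription-creating invoice-section roles a principal holds.

    role_assignments_body is the JSON returned by
    GET {billingScope}/billingRoleAssignments?api-version=2019-10-01-preview
    (the call used in the linked guide). principal_object_id is the service
    principal's object ID, not its application (client) ID.
    """
    body = json.loads(role_assignments_body)
    held = []
    for assignment in body.get("value", []):
        props = assignment.get("properties", {})
        if props.get("principalId", "").lower() != principal_object_id.lower():
            continue
        # roleDefinitionId is a full resource path; the role GUID is its last segment
        role_id = props.get("roleDefinitionId", "").rsplit("/", 1)[-1].lower()
        name = INVOICE_SECTION_ROLES.get(role_id)
        if name:
            held.append(name)
    return held


def inner_error_codes(az_error_body):
    """Extract the nested error codes from an `az deployment ... create` failure.

    The top-level code is the generic DeploymentFailed; the actionable code
    (here InsufficientPermissionsOnInvoiceSection) sits under error.details.
    """
    body = json.loads(az_error_body)
    return [d.get("code") for d in body.get("error", {}).get("details", [])]


# --- constructed sample data: placeholder names and GUIDs -------------------
PIPELINE_SPN_OBJECT_ID = "11111111-2222-3333-4444-555555555555"
SCOPE = billing_scope("ba-contoso", "bp-contoso", "is-platform")

SAMPLE_ROLE_ASSIGNMENTS = json.dumps({
    "value": [
        {   # a human owner of the invoice section
            "properties": {
                "principalId": "aaaaaaaa-0000-0000-0000-000000000001",
                "roleDefinitionId": SCOPE + "/billingRoleDefinitions/"
                                    "30000000-aaaa-bbbb-cccc-100000000000",
            }
        },
        {   # the pipeline SPN, granted only Azure subscription creator
            "properties": {
                "principalId": PIPELINE_SPN_OBJECT_ID,
                "roleDefinitionId": SCOPE + "/billingRoleDefinitions/"
                                    "30000000-aaaa-bbbb-cccc-100000000002",
            }
        },
    ]
})

# The error body from the question above, without the leading "ERROR: "
SAMPLE_DEPLOY_ERROR = '''{"status":"Failed","error":{"code":"DeploymentFailed","target":"/providers/Microsoft.Management/managementGroups/Jo/providers/Microsoft.Resources/deployments/idsub","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"InsufficientPermissionsOnInvoiceSection","message":"Cannot create subscription since either invoice section is not found or you do not have sufficient permissions under the provided invoice section. Try again with a different invoice section or contact invoice section owner for permissions"}]}}'''


if __name__ == "__main__":
    print("billingScope:", SCOPE)
    print("pipeline SPN roles:", roles_for_principal(SAMPLE_ROLE_ASSIGNMENTS, PIPELINE_SPN_OBJECT_ID))
    print("unknown principal roles:", roles_for_principal(SAMPLE_ROLE_ASSIGNMENTS, "deadbeef-0000-0000-0000-000000000000"))
    print("inner error codes:", inner_error_codes(SAMPLE_DEPLOY_ERROR))
```

If `roles_for_principal` returns an empty list for the pipeline's service principal object ID, no amount of Azure RBAC (including Owner at `/`) will make the alias deployment succeed; the invoice section owner has to add the principal with one of the invoice-section roles first.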

Related Questions