
Our customer wants to use a service principal to generate new subscriptions, so that a malicious employee doesn't have owner access to newly created subscriptions. I already generated a service principal via CLI, but to make it an account owner in the EA portal the principal needs an e-mail address, which of course does not exist. I cannot make that service principal an account owner.

I already tried to implement the scenario based on the following docs.microsoft.com entries:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/programmatically-create-subscription?tabs=azure-powershell

https://docs.microsoft.com/en-us/azure/azure-resource-manager/grant-access-to-create-subscription?tabs=rest%2Crest-2

The generation of the service principal was done with:

az ad sp create-for-rbac --name %name_of_the_account%


1 Answer


@NormanPunge The default RBAC role assigned to the Service Principal is Contributor.

You can provide the Owner role to your service principal using the commands below:

az role assignment create --assignee <your Service Principal ID> --role Owner
az role assignment delete --assignee <your Service Principal ID> --role Contributor

For more information: https://docs.microsoft.com/en-us/azure/azure-resource-manager/grant-access-to-create-subscription?tabs=azure-cli%2Cazure-cli-2#grant-access
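The following script is an added example, not code from the question, the answer, or the Microsoft docs. It puts the two steps from the linked grant-access and programmatic-creation pages into one runnable flow: the Owner role assignment for the service principal is scoped to the enrollment account only (the `/providers/Microsoft.Billing/enrollmentAccounts/<id>` scope), rather than to whatever subscription the CLI happens to be pointed at, and the subscription is then created under that enrollment account. Assumptions: Azure CLI with the `subscription` extension installed (`az extension add --name subscription`), the caller is signed in as the enrollment account owner, the enrollment account object ID was obtained from `az billing enrollment-account list`, and the offer type `MS-AZR-0017P` is the Enterprise offer; the IDs and display name are placeholders. Verify the flag names against `az account create --help` for your CLI version before use.

```shell
#!/usr/bin/env bash
# Added example: grant a service principal the Owner role on an EA enrollment
# account and create a subscription with it. Not part of the original Q&A.
# Assumes: Azure CLI + "subscription" extension; caller is the enrollment
# account owner; all IDs below are placeholders.
set -eu

# The az binary can be swapped for a stub (dry runs, tests) via the AZ variable.
AZ="${AZ:-az}"

# Build the RBAC scope for an enrollment account object ID, rejecting empty
# or path-like input so a bad ID can never widen the scope.
enrollment_scope() {
  account_id="$1"
  case "$account_id" in
    ''|*/*)
      echo "invalid enrollment account id: '$account_id'" >&2
      return 1 ;;
  esac
  printf '/providers/Microsoft.Billing/enrollmentAccounts/%s\n' "$account_id"
}

# Grant Owner on the enrollment account scope only, not on a subscription
# or the tenant. --assignee-object-id avoids a display-name lookup that could
# resolve to the wrong principal.
grant_create_access() {
  sp_object_id="$1"
  account_id="$2"
  scope="$(enrollment_scope "$account_id")"
  "$AZ" role assignment create \
    --role Owner \
    --assignee-object-id "$sp_object_id" \
    --assignee-principal-type ServicePrincipal \
    --scope "$scope"
}

# Create a subscription under the enrollment account. Run this step while
# logged in as the service principal (az login --service-principal ...).
create_subscription() {
  display_name="$1"
  account_id="$2"
  offer="${3:-MS-AZR-0017P}"   # assumed Enterprise offer code
  "$AZ" account create \
    --offer-type "$offer" \
    --display-name "$display_name" \
    --enrollment-account-object-id "$account_id"
}

# Usage (placeholder IDs):
#   grant_create_access 11111111-2222-3333-4444-555555555555 <enrollment-account-object-id>
#   create_subscription "Project-X" <enrollment-account-object-id>
```

Listing the resulting role assignments with `az role assignment list --scope "$(enrollment_scope <id>)"` is the check to run afterwards: the service principal should appear with Owner at that scope and nowhere broader.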