| title | description | author | ms.service | ms.subservice | ms.topic | ms.date | ms.reviewer | ms.author | ms.custom |
|---|---|---|---|---|---|---|---|---|---|
Programmatically create Azure subscriptions for a Microsoft Customer Agreement with the latest APIs |
Learn how to create Azure subscriptions for a Microsoft Customer Agreement programmatically using the latest versions of REST API, Azure CLI, Azure PowerShell, and Azure Resource Manager templates. |
bandersmsft |
cost-management-billing |
billing |
how-to |
03/21/2024 |
sgautam |
banders |
devx-track-azurepowershell, devx-track-azurecli, devx-track-arm-template, devx-track-bicep |
This article helps you programmatically create Azure subscriptions for a Microsoft Customer Agreement using the most recent API versions. If you're still using the older preview version, see Programmatically create Azure subscriptions with legacy APIs.
In this article, you learn how to create subscriptions programmatically using Azure Resource Manager.
If you need to create an Azure MCA subscription across Microsoft Entra tenants, see Programmatically create MCA subscriptions across Microsoft Entra tenants.
When you create an Azure subscription programmatically, that subscription is governed by the agreement under which you obtained Azure services from Microsoft or an authorized reseller. For more information, see Microsoft Azure Legal Information.
[!INCLUDE updated-for-az]
You can't create support plans programmatically. You can buy a new support plan or upgrade one in the Azure portal. Navigate to Help + support and then at the top of the page, select Choose the right support plan.
You must have an owner, contributor, or Azure subscription creator role on an invoice section or owner or contributor role on a billing profile or a billing account to create subscriptions. You can also give the same role to a service principal name (SPN). For more information about roles and assigning permission to them, see Subscription billing roles and tasks.
If you're using an SPN to create subscriptions, use the ObjectId of the Microsoft Entra Enterprise application as the Principal ID using Microsoft Graph PowerShell or Azure CLI.
Note
Permissions differ between the legacy API (api-version=2018-03-01-preview) and the latest API (api-version=2020-05-01). Although you may have a role sufficient to use the legacy API, you might need an EA admin to delegate you a role to use the latest API.
If you don't know whether you have access to a Microsoft Customer Agreement account, see Check access to a Microsoft Customer Agreement.
Make the following request to list all the billing accounts.
GET https://management.azure.com/providers/Microsoft.Billing/billingaccounts/?api-version=2020-05-01
The API response lists the billing accounts that you have access to.
{
"value": [
{
"id": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",
"name": "5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",
"properties": {
"accountStatus": "Active",
"accountType": "Enterprise",
"agreementType": "MicrosoftCustomerAgreement",
"billingProfiles": {
"hasMoreResults": false
},
"displayName": "Contoso",
"hasReadAccess": false
},
"type": "Microsoft.Billing/billingAccounts"
}
]
}Use the displayName property to identify the billing account for which you want to create subscriptions. Ensure, the agreementType of the account is MicrosoftCustomerAgreement. Copy the name of the account. For example, to create a subscription for the Contoso billing account, copy 5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx. Paste the value somewhere so that you can use it in the next step.
Get-AzBillingAccount
You'll get back a list of all billing accounts that you have access to
Name : 5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx
DisplayName : Contoso
AccountStatus : Active
AccountType : Enterprise
AgreementType : MicrosoftCustomerAgreement
HasReadAccess : TrueUse the displayName property to identify the billing account for which you want to create subscriptions. Ensure, the agreementType of the account is MicrosoftCustomerAgreement. Copy the name of the account. For example, to create a subscription for the Contoso billing account, copy 5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx. Paste the value somewhere so that you can use it in the next step.
az billing account list
You'll get back a list of all billing accounts that you have access to.
[
{
"accountStatus": "Active",
"accountType": "Enterprise",
"agreementType": "MicrosoftCustomerAgreement",
"billingProfiles": {
"hasMoreResults": false,
"value": null
},
"departments": null,
"displayName": "Contoso",
"enrollmentAccounts": null,
"enrollmentDetails": null,
"hasReadAccess": true,
"id": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",
"name": "5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",
"soldTo": null,
"type": "Microsoft.Billing/billingAccounts"
}
]Use the displayName property to identify the billing account for which you want to create subscriptions. Ensure, the agreementType of the account is MicrosoftCustomerAgreement. Copy the name of the account. For example, to create a subscription for the Contoso billing account, copy 5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx. Paste the value somewhere so that you can use it in the next step.
The charges for your subscription appear on a section of a billing profile's invoice. Use the following API to get the list of billing profiles and invoice sections on which you have permission to create Azure subscriptions.
First you get the list of billing profiles under the billing account that you have access to (Use the name that you got from the previous step)
GET https://management.azure.com/providers/Microsoft.Billing/billingaccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingprofiles/?api-version=2020-05-01The API response lists all the billing profiles on which you have access to create subscriptions:
{
"value": [
{
"id": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx",
"name": "AW4F-xxxx-xxx-xxx",
"properties": {
"billingRelationshipType": "Direct",
"billTo": {
"addressLine1": "One Microsoft Way",
"city": "Redmond",
"companyName": "Contoso",
"country": "US",
"email": "kenny@contoso.com",
"phoneNumber": "425xxxxxxx",
"postalCode": "98052",
"region": "WA"
},
"currency": "USD",
"displayName": "Contoso Billing Profile",
"enabledAzurePlans": [
{
"skuId": "0002",
"skuDescription": "Microsoft Azure Plan for DevTest"
},
{
"skuId": "0001",
"skuDescription": "Microsoft Azure Plan"
}
],
"hasReadAccess": true,
"invoiceDay": 5,
"invoiceEmailOptIn": false,
"invoiceSections": {
"hasMoreResults": false
},
"poNumber": "001",
"spendingLimit": "Off",
"status": "Active",
"systemId": "AW4F-xxxx-xxx-xxx",
"targetClouds": []
},
"type": "Microsoft.Billing/billingAccounts/billingProfiles"
}
]
}Copy the id to next identify the invoice sections underneath the billing profile. For example, copy /providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx and call the following API.
GET https://management.azure.com/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoicesections?api-version=2020-05-01{
"totalCount": 1,
"value": [
{
"id": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx",
"name": "SH3V-xxxx-xxx-xxx",
"properties": {
"displayName": "Development",
"state": "Active",
"systemId": "SH3V-xxxx-xxx-xxx"
},
"type": "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections"
}
]
}Use the id property to identify the invoice section for which you want to create subscriptions. Copy the entire string. For example, /providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx.
Get-AzBillingProfile -BillingAccountName 5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx
You'll get the list of billing profiles under this account as part of the response.
Name : AW4F-xxxx-xxx-xxx
DisplayName : Contoso Billing Profile
Currency : USD
InvoiceDay : 5
InvoiceEmailOptIn : True
SpendingLimit : Off
Status : Active
EnabledAzurePlans : {0002, 0001}
HasReadAccess : True
BillTo :
CompanyName : Contoso
AddressLine1 : One Microsoft Way
AddressLine2 :
City : Redmond
Region : WA
Country : US
PostalCode : 98052Note the name of the billing profile from the above response. The next step is to get the invoice section that you have access to underneath this billing profile. You'll need the name of the billing account and billing profile.
Get-AzInvoiceSection -BillingAccountName 5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx -BillingProfileName AW4F-xxxx-xxx-xxx
You'll get the invoice section returned.
Name : SH3V-xxxx-xxx-xxx
DisplayName : DevelopmentThe name above is the Invoice section name you need to create a subscription under. Construct your billing scope using the format /providers/Microsoft.Billing/billingAccounts/<BillingAccountName>/billingProfiles/<BillingProfileName>/invoiceSections/<InvoiceSectionName>. In this example, this value equates to "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx".
az billing profile list --account-name "5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx" --expand "InvoiceSections"
This API returns the list of billing profiles and invoice sections under the provided billing account.
[
{
"billTo": {
"addressLine1": "One Microsoft Way",
"addressLine2": "",
"addressLine3": null,
"city": "Redmond",
"companyName": "Contoso",
"country": "US",
"district": null,
"email": null,
"firstName": null,
"lastName": null,
"phoneNumber": null,
"postalCode": "98052",
"region": "WA"
},
"billingRelationshipType": "Direct",
"currency": "USD",
"displayName": "Contoso Billing Profile",
"enabledAzurePlans": [
{
"skuDescription": "Microsoft Azure Plan for DevTest",
"skuId": "0002"
},
{
"skuDescription": "Microsoft Azure Plan",
"skuId": "0001"
}
],
"hasReadAccess": true,
"id": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx",
"indirectRelationshipInfo": null,
"invoiceDay": 5,
"invoiceEmailOptIn": true,
"invoiceSections": {
"hasMoreResults": false,
"value": [
{
"displayName": "Field_Led_Test_Ace",
"id": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx",
"labels": null,
"name": "SH3V-xxxx-xxx-xxx",
"state": "Active",
"systemId": "SH3V-xxxx-xxx-xxx",
"targetCloud": null,
"type": "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections"
}
]
},
"name": "AW4F-xxxx-xxx-xxx",
"poNumber": null,
"spendingLimit": "Off",
"status": "Warned",
"statusReasonCode": "PastDue",
"systemId": "AW4F-xxxx-xxx-xxx",
"targetClouds": [],
"type": "Microsoft.Billing/billingAccounts/billingProfiles"
}
]Use the id property under the invoice section object to identify the invoice section for which you want to create subscriptions. Copy the entire string. For example, /providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx.
The following example creates a subscription named Dev Team subscription for the Development invoice section. The subscription is billed to the Contoso Billing Profile billing profile and appears on the Development section of its invoice. You use the copied billing scope from the previous step: /providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx.
PUT https://management.azure.com/providers/Microsoft.Subscription/aliases/{{guid}}?api-version=2021-10-01{
"properties":
{
"billingScope": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx",
"DisplayName": "Dev Team subscription",
"Workload": "Production"
}
}{
"id": "/providers/Microsoft.Subscription/aliases/sampleAlias",
"name": "sampleAlias",
"type": "Microsoft.Subscription/aliases",
"properties": {
"subscriptionId": "b5bab918-e8a9-4c34-a2e2-ebc1b75b9d74",
"provisioningState": "Accepted"
}
}You can do a GET on the same URL to get the status of the request.
GET https://management.azure.com/providers/Microsoft.Subscription/aliases/sampleAlias?api-version=2021-10-01{
"id": "/providers/Microsoft.Subscription/aliases/sampleAlias",
"name": "sampleAlias",
"type": "Microsoft.Subscription/aliases",
"properties": {
"subscriptionId": "b5bab918-e8a9-4c34-a2e2-ebc1b75b9d74",
"provisioningState": "Succeeded"
}
}An in-progress status is returned as an Accepted state under provisioningState.
To install the version of the module that contains the New-AzSubscriptionAlias cmdlet, in below example run Install-Module Az.Subscription -RequiredVersion 0.9.0. To install version 0.9.0 of PowerShellGet, see Get PowerShellGet Module.
Run the following New-AzSubscriptionAlias command and the billing scope "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx".
New-AzSubscriptionAlias -AliasName "sampleAlias" -SubscriptionName "Dev Team Subscription" -BillingScope "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx" -Workload "Production"
You get the subscriptionId as part of the response from the command.
{
"id": "/providers/Microsoft.Subscription/aliases/sampleAlias",
"name": "sampleAlias",
"properties": {
"provisioningState": "Succeeded",
"subscriptionId": "4921139b-ef1e-4370-a331-dd2229f4f510"
},
"type": "Microsoft.Subscription/aliases"
}First, install the extension by running az extension add --name account and az extension add --name alias.
Run the az account alias create following command.
az account alias create --name "sampleAlias" --billing-scope "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx" --display-name "Dev Team Subscription" --workload "Production"
You get the subscriptionId as part of the response from the command.
{
"id": "/providers/Microsoft.Subscription/aliases/sampleAlias",
"name": "sampleAlias",
"properties": {
"provisioningState": "Succeeded",
"subscriptionId": "4921139b-ef1e-4370-a331-dd2229f4f510"
},
"type": "Microsoft.Subscription/aliases"
}The previous section showed how to create a subscription with PowerShell, CLI, or REST API. If you need to automate creating subscriptions, consider using an Azure Resource Manager template (ARM template) or Bicep file.
The following template creates a subscription. For billingScope, provide the invoice section ID. The subscription is created in the root management group. After creating the subscription, you can move it to another management group.
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"subscriptionAliasName": {
"type": "string",
"metadata": {
"description": "Provide a name for the alias. This name will also be the display name of the subscription."
}
},
"billingScope": {
"type": "string",
"metadata": {
"description": "Provide the full resource ID of billing scope to use for subscription creation."
}
}
},
"resources": [
{
"scope": "/",
"name": "[parameters('subscriptionAliasName')]",
"type": "Microsoft.Subscription/aliases",
"apiVersion": "2021-10-01",
"properties": {
"workLoad": "Production",
"displayName": "[parameters('subscriptionAliasName')]",
"billingScope": "[parameters('billingScope')]"
}
}
],
"outputs": {}
}Or, use a Bicep file to create the subscription.
targetScope = 'managementGroup'
@description('Provide a name for the alias. This name will also be the display name of the subscription.')
param subscriptionAliasName string
@description('Provide the full resource ID of billing scope to use for subscription creation.')
param billingScope string
resource subscriptionAlias 'Microsoft.Subscription/aliases@2021-10-01' = {
scope: tenant()
name: subscriptionAliasName
properties: {
workload: 'Production'
displayName: subscriptionAliasName
billingScope: billingScope
}
}Deploy the template at the management group level. The following examples show deploying the JSON ARM template, but you can deploy a Bicep file instead.
PUT https://management.azure.com/providers/Microsoft.Management/managementGroups/mg1/providers/Microsoft.Resources/deployments/exampledeployment?api-version=2020-06-01With a request body:
{
"location": "eastus",
"properties": {
"templateLink": {
"uri": "http://mystorageaccount.blob.core.windows.net/templates/template.json"
},
"parameters": {
"subscriptionAliasName": {
"value": "sampleAlias"
},
"billingScope": {
"value": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx"
}
},
"mode": "Incremental"
}
}New-AzManagementGroupDeployment `
-Name exampledeployment `
-Location eastus `
-ManagementGroupId mg1 `
-TemplateFile azuredeploy.json `
-subscriptionAliasName sampleAlias `
-billingScope "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx"
az deployment mg create \
--name exampledeployment \
--location eastus \
--management-group-id mg1 \
--template-file azuredeploy.json \
--parameters subscriptionAliasName='sampleAlias' billingScope='/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx'
To move a subscription to a new management group, use the following ARM template.
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"targetMgId": {
"type": "string",
"metadata": {
"description": "Provide the ID of the management group that you want to move the subscription to."
}
},
"subscriptionId": {
"type": "string",
"metadata": {
"description": "Provide the ID of the existing subscription to move."
}
}
},
"resources": [
{
"scope": "/",
"type": "Microsoft.Management/managementGroups/subscriptions",
"apiVersion": "2020-05-01",
"name": "[concat(parameters('targetMgId'), '/', parameters('subscriptionId'))]",
"properties": {
}
}
],
"outputs": {}
}Or, the following Bicep file.
targetScope = 'managementGroup'
@description('Provide the ID of the management group that you want to move the subscription to.')
param targetMgId string
@description('Provide the ID of the existing subscription to move.')
param subscriptionId string
resource subToMG 'Microsoft.Management/managementGroups/subscriptions@2020-05-01' = {
scope: tenant()
name: '${targetMgId}/${subscriptionId}'
}- Now that you've created a subscription, you can grant that ability to other users and service principals. For more information, see Grant access to create Azure Enterprise subscriptions (preview).
- For more information about managing large numbers of subscriptions using management groups, see Organize your resources with Azure management groups.
- To change the management group for a subscription, see Move subscriptions.
- For advanced subscription creation scenarios using REST API, see Alias - Create.