Create the ability to give permissions to all subscription reservations to a single principle.
We would like to have the ability to give permissions to all Reservations within a single EA to a single principle. This would include Enterprise Applications, Users and Groups.
From what we can tell, when Azure created the Reservation capabilities in their platform, they introduced a new abstract layer of authorization strictly around the Reservations themselves. When reservations are created, the only people allowed to view them are the Owner of the subscription that the Reservations were created within, and the user that actually purchased the reservation.
The primary limitation to this method is that there is no way to create a group of principals and have that group automatically or programmatically be given permissions to all existing and future Reservations.
With the potential for Azure customers to have multitudes of subscriptions and multitudes of Reservations within those subscriptions, potentially purchased by multiple different users, there is no happy path to allow authorization to all of the reservation data.
A couple solutions that would make this easier to manage would be:
Creating 2 new directory roles that could be applied to any principal that cover all Reservations under a given directory:
Allow the ability to set up a Group to be applied to all future Reservations.
This would require some investigation and work to Authorize all existing Reservations, but would allow newly created ones to have a centralized method of authorization.
I'm sure there are potentially other methods that could simplify this problem and I am happy to jump on a call and provide further clarity or answer any questions.
We will soon have a feature that will let all Enterprise Administrators see and manage all reservations, without being explicitly added to them.
Priyanshi Mittal commented
All Enterprise/billing admins can view all reservations in the Cost Management and Billing blade.
Ed Lawrence commented
Hi, is there an update on this?
This is also required for CSPs without delegated admin permissions. There is currently no way to add a user from the AAD of the customer as owner of a Reservation order as you do not have list rights in the directory. A Reservations Admin role would be useful in this case.
Make reservations part of the concept "Management groups" and handle them as subscriptions.
Well, is it still planned?
It's funny when you've spent millions for Azure consumption and need to manage reservations manually.
Please, at least provide a workaround (a PowerShell script?) to simplify the management until the feature is released.
Any word when this will be Generally Available?
The issue still persists
Kurt Roggen commented
Hi product team,
Any progress on this issue? Does not seem to be a nice-to-have, but rather must-have.
This is simply not fit for purpose. A modern-day enterprise where one of potentially 20 people can create a reservation and only the creator can see them by default??? I'm amazed that RIs have been around so long and this has still not been addressed.
As has already been said, this approach is simply ridiculous. Please add the functionality that would bring this in line with modern-day infrastructure management fit for the enterprise.
Has there been any update on this? You mentioned delivery by the end of last calendar year.
Eric Hebert commented
Here we are March 25th 2020 and still not fixed...
I can't believe that I have to manually go in and add my admins to each reservation individually. This is maddening.
Calum O commented
Is this still in the backlog? Seems like a pretty standard feature to expect out of something like this. Are there any ETAs? I see this as a bug, more than an idea.
Christian Margadant commented
@Yashesvi Sharma: Is there any news about this feature in the backlog?
It would be a great improvement for the management of reservations.
Jack Fruh commented
I second this. As a global company with 70+ subscriptions and millions in Azure spend, we need central management over this.
Lester, I was able to see instances with PowerShell, but could not pull information or change anything I did not have access to.
Yashesvi Sharma commented
Hi Folks - thanks for raising this feature. I am the PM for Azure RIs and can be reached at yashar[@]microsoft[dot]com
We do have this feature in the backlog and we plan to deliver this before end of the calendar year. The approach that we are thinking of is that some billing roles will be able to see all RIs purchased in the org. Please reach out if you have any other inputs or suggestions.
Matthew Weaver commented
This makes reporting RI costs to a common cost optimization platform difficult to impossible. There needs to be a better way.
Jason Turner commented
Please excuse my spelling misfortune.
Should have been "principal" not "principle".