Create the ability to give permissions to all subscription reservations to a single principle.
We would like to have the ability to give permissions to all Reservations within a single EA to a single principle. This would include Enterprise Applications, Users and Groups.
From what we can tell, when Azure created the Reservation capabilities in their platform, they introduced a new abstract layer of authorization strictly around the Reservations themselves. When reservations are created, the only people allowed to view them are the Owner of the subscription that the Reservations were created within, and the user that actually purchased the reservation.
The primary limitation to this method is that there is no way to create a group of principals and have that group automatically or programmatically be given permissions to all existing and future Reservations.
With the potential for Azure customers to have multitudes of subscriptions and multitudes of Reservations within those subscriptions, potentially purchased by multiple different users, there is no happy path to allow authorization to all of the reservation data.
A couple solutions that would make this easier to manage would be:
Creating 2 new directory roles that could be applied to any principal that cover all Reservations under a given directory:
Allow the ability to set up a Group to be applied to all future Reservations.
This would require some investigation and work to Authorize all existing Reservations, but would allow newly created ones to have a centralized method of authorization.
I'm sure there are potentially other methods that could simplify this problem and I am happy to jump on a call and provide further clarity or answer any questions.
Has there been any update on this? You mentioned delivery by the end of last calendar year.
Yashesvi Sharma commented
Hi Folks - thanks for raising this feature. I am the PM for Azure RIs and can be reached at yashar[@]microsoft[dot]com
We do have this feature in the backlog and we plan to deliver this before end of the calendar year. The approach that we are thinking of is that some billing roles will be able to see all RIs purchased in the org. Please reach out if you have any other inputs or suggestions.
Matthew Weaver commented
This makes reporting RI costs to a common cost optimization platform difficult to impossible. There needs to be a better way.
Jason Turner commented
Please excuse my spelling misfortune.
Should have been "principal" not "principle".