Service Principal cannot list Savings Plans or Reservations despite Billing Account Contributor role

Omer Ben Aderet 20 Reputation points
2025-12-01T15:22:58.9366667+00:00

Hi everyone,

I’m trying to use a Service Principal to list all Savings Plans and Reservations in Azure using the Azure CLI.

I created a Service Principal and assigned it the Billing Account Contributor role on my Billing Account, which (per Microsoft docs) should provide the required permissions.

I log in using the following command:

```
az login --service-principal -u $AZURE_CLIENT_ID -p $AZURE_CLIENT_SECRET --tenant $AZURE_TENANT_ID
```

However, when I run:

```
az billing-benefits savings-plan list
```

I get this error:

```
(AuthorizationFailed) The client '<client_id>' with object id '<object_id>' does not have authorization to perform action 'Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/read' over scope '/providers/Microsoft.BillingBenefits' or the scope is invalid. If access was recently granted, please refresh your credentials.
```

What I’ve tried so far:

  • Assigned Billing Account Contributor at the Billing Account level
  • Also tried Owner at the root Management Group, Subscription, and even Tenant root scope
  • Refreshed tokens and re-logged multiple times
  • Confirmed the SP is visible at the Billing Account IAM panel

No matter what I do, the SP cannot read Usage Plans or Reservations.

Has anyone encountered this? Any guidance would be greatly appreciated—I’m stuck.

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

Answer accepted by question author
  1. VEMULA SRISAI 3,500 Reputation points Microsoft External Staff Moderator
    2025-12-03T12:37:32.5266667+00:00

    Hello Omer Ben Aderet,

    It looks like you're having trouble with your Service Principal not being able to list Savings Plans and Reservations despite having the Billing Account Contributor role. This can be a common issue due to the specific permissions needed for accessing Savings Plans, which are managed at the tenant level.

    Here's what you should try:

    1. Assign the Correct Role: The Service Principal needs the "Savings Plan Reader" role assigned at the scope of /providers/Microsoft.BillingBenefits. The Billing Account Contributor or other subscription roles do not grant the necessary permissions to read Savings Plans. You can assign the Savings Plan Reader role using the Azure CLI with the following command:

       ```bash
       az role assignment create \
         --assignee-object-id <ObjectId> \
         --assignee-principal-type ServicePrincipal \
         --role "Savings plan Reader" \
         --scope "/providers/Microsoft.BillingBenefits"
       ```

       Make sure to replace `<ObjectId>` with the actual Object ID of your Service Principal.

    2. Refresh Credentials: After you've assigned the role, make sure to refresh credentials and re-login using your Service Principal:

       ```powershell
       az login --service-principal -u $AZURE_CLIENT_ID -p $AZURE_CLIENT_SECRET --tenant $AZURE_TENANT_ID
       ```

    3. Retry the Command: After logging in again, try running the command to list Savings Plans:

       ```powershell
       az billing-benefits savings-plan list
       ```


    Important Notes:

    The Savings Plans are considered tenant-level resources, and users or service principals need to be assigned the appropriate Savings Plan RBAC roles to access them. Simply having the Service Principal visible in the IAM panel doesn’t guarantee the necessary permissions to read Savings Plans.

    I hope this points you in the right direction! If you’re still facing issues after trying the above steps, please provide more details about any error messages you receive or the current permissions set for the Service Principal.

    References:

      • Permissions to view and manage Azure savings plans
      • Assign Azure roles using the Azure portal
      • Understanding Microsoft Customer Agreement administrative roles in Azure
      • Managing Azure Enterprise Agreement roles

    Let me know if you need further help!

    1 person found this answer helpful.
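
A simplified model of the scope check behind the `AuthorizationFailed` error in this thread, added here as an example; it is not code from either poster or from Microsoft. The role action patterns and all IDs are constructed assumptions, and only path-based scope inheritance is modelled (not management-group-to-subscription inheritance).

```python
from fnmatch import fnmatchcase

# Action and scope quoted from the AuthorizationFailed error on this page.
REQUIRED_ACTION = "Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/read"
REQUEST_SCOPE = "/providers/Microsoft.BillingBenefits"

# Assumption: constructed action patterns, not the real built-in role definitions.
ROLE_ACTIONS = {
    "Owner": ["*"],
    "Billing Account Contributor": ["Microsoft.Billing/*"],
    "Savings plan Reader": ["Microsoft.BillingBenefits/savingsPlanOrders/*/read"],
}

# Constructed assignments mirroring the scopes tried in the question (placeholder IDs).
TRIED = [
    ("Billing Account Contributor", "/providers/Microsoft.Billing/billingAccounts/<billing-account-id>"),
    ("Owner", "/providers/Microsoft.Management/managementGroups/<root-mg-id>"),
    ("Owner", "/subscriptions/<subscription-id>"),
]
FIX = ("Savings plan Reader", "/providers/Microsoft.BillingBenefits")


def scope_covers(assigned: str, requested: str) -> bool:
    """True if `requested` is `assigned` itself or a child path of it (per segment)."""
    a = [s.lower() for s in assigned.split("/") if s]
    r = [s.lower() for s in requested.split("/") if s]
    return r[:len(a)] == a


def action_allowed(role: str, action: str) -> bool:
    return any(fnmatchcase(action.lower(), p.lower()) for p in ROLE_ACTIONS[role])


def explain(assignments, action=REQUIRED_ACTION, scope=REQUEST_SCOPE):
    """Return (role, assigned_scope, verdict) for each assignment."""
    out = []
    for role, assigned in assignments:
        if not scope_covers(assigned, scope):
            verdict = "scope does not cover request"
        elif not action_allowed(role, action):
            verdict = "role lacks action"
        else:
            verdict = "allowed"
        out.append((role, assigned, verdict))
    return out


def is_authorized(assignments) -> bool:
    return any(v == "allowed" for _, _, v in explain(assignments))
```

Calling `explain(TRIED + [FIX])` shows each assignment from the question rejected on scope alone, before the role's actions are even considered, while the assignment from the accepted answer is allowed.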