Issue Creating Azure Subscriptions via ALZ Subscription Vending Module

Sumit Gaur 415 Reputation points
2026-03-18T14:24:47.4333333+00:00

Hi Team,

We are currently attempting to create Azure subscriptions using the ALZ Subscription Vending module: https://github.com/Azure/terraform-azure-avm-ptn-alz-sub-vending

However, we are encountering issues when running the deployment via Terraform CLI. The subscription creation fails with errors, even though we are able to successfully create subscriptions manually through the Azure Portal.

To troubleshoot, we have taken the following steps:

  • Temporarily assigned the Terraform Service Principal as Billing Account Owner
  • Granted additional permissions at various billing scopes, including:
    • Billing Account
    • Billing Profile
    • Invoice Section
  • Assigned roles such as Subscription Creator and Invoice Section Contributor

Despite these changes, the issue persists.

One potential factor we’ve identified is that our billing setup is under a Microsoft Customer Agreement (MCA) with an account type of "Individual", and we are unsure if this could be impacting the ability to create subscriptions programmatically via Terraform.

Could anyone help us understand:

  • If the MCA account type ("Individual") has any known limitations with subscription vending via Terraform
  • Whether there are any additional permissions or configurations required for this scenario
  • If there are any known issues or prerequisites specific to the ALZ subscription vending module in this context

Any guidance or recommendations would be greatly appreciated.

{
    "error": {
        "code": "InsufficientPermissionsOnInvoiceSection",
        "message": "Cannot create subscription since either invoice section is not found or you do not have sufficient permissions under the provided invoice section. Try again with a different invoice section or contact invoice section owner for permissions"
    },
    "code": "InsufficientPermissionsOnInvoiceSection",
    "message": "Cannot create subscription since either invoice section is not found or you do not have sufficient permissions under the provided invoice section. Try again with a different invoice section or contact invoice section owner for permissions"
}

Azure Cost Management

Answer accepted by question author
  Bharath Y P 7,320 Reputation points Microsoft External Staff Moderator
    2026-03-18T14:49:59.4466667+00:00

    Hello Sumit Gaur, thank you for posting your query on Microsoft Q&A platform.

    You are using ALZ Subscription Vending (AVM Terraform module) to create subscriptions. Manual subscription creation via Azure Portal works but Terraform (AzAPI / ARM alias) fails with error: "InsufficientPermissionsOnInvoiceSection".

    Yes, MCA "Individual" accounts have practical limitations for programmatic subscription creation. What works interactively in the portal does not always work via automation (Terraform / ARM), even with correct roles. The error you’re seeing is expected behavior in many MCA Individual tenants when using subscription vending automation.

    The Azure Portal performs interactive, delegated billing operations, but Terraform/ALZ uses ARM Microsoft.Subscription/aliases, non-interactive API calls and the AzAPI provider. For MCA billing, API subscription creation is stricter than the portal.

    From Microsoft’s own MCA automation guidance:

    • Programmatic subscription creation requires:
      • Owner / Contributor directly on the Invoice Section
      • The invoice section must be automation-compatible
    • MCA Individual accounts are optimized for human billing, not enterprise automation
    • Certain invoice sections created under Individual MCA do not allow alias-based creation

    Microsoft does not block this explicitly, but it is a documented practical limitation.

    Programmatically create Azure subscriptions for a Microsoft Customer Agreement with the latest APIs - Microsoft Cost Management | Microsoft Learn

    You can try the below steps:

    1. Even if your Service Principal (SPN) is a Billing Account Owner, you must explicitly assign the Azure subscription creator role at the Invoice Section scope. Use the Object ID of the SPN, not the Application ID, when assigning the role.
       • Go to Cost Management + Billing > Billing scopes > Invoice Section > Access Control (IAM) > Add role assignment.
       • Role: Azure subscription creator
       • Assign to: Service Principal (your Terraform SPN).

       This ensures the SPN has the precise permission needed to create subscriptions under that invoice section.

    2. The billing_scope parameter passed to the ALZ module must be the fully qualified Resource ID of the invoice section:
       /providers/Microsoft.Billing/billingAccounts/{account-id}/billingProfiles/{profile-id}/invoiceSections/{section-id}

       Using a billing profile ID or account ID alone will fail. The module requires the full invoice section path.

    3. MCA accounts (especially “Individual” type) have limits that can block automation:
       • By default, only 5 subscriptions can be created under an Individual MCA. Beyond that, you need a support ticket to raise the limit.
       • After creating a subscription, there’s a 24‑hour cooldown before another can be created programmatically.

    These constraints explain why manual portal creation sometimes works (the portal bypasses certain checks), while Terraform fails.

    Reference:

    Programmatically create Azure subscriptions for a Microsoft Customer Agreement with the latest APIs - Microsoft Cost Management | Microsoft Learn

    Billing roles for Microsoft Customer Agreements - Azure - Microsoft Cost Management | Microsoft Learn

    Hope this helps, and please feel free to reach out if you have any further questions. Thanks.

  Q&A Assist
    2026-03-18T14:25:23.12+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    For Microsoft Customer Agreement (MCA) billing, subscription creation via Terraform (or any automation) must use the correct billing scope and permissions on the invoice section, not just generic high-level roles.

    From the error returned by the API:

    {
      "code": "InsufficientPermissionsOnInvoiceSection",
      "message": "Cannot create subscription since either invoice section is not found or you do not have sufficient permissions under the provided invoice section. Try again with a different invoice section or contact invoice section owner for permissions"
    }

    the platform is explicitly failing authorization at the invoice section level.

    Based on the provided documentation, the key technical requirements are:

    1. Use the correct invoice section billing scope when creating the subscription
      • For MCA, the subscription creation API requires the full invoice section scope, for example: /providers/Microsoft.Billing/billingAccounts/{billingAccountId}/billingProfiles/{billingProfileId}/invoiceSections/{invoiceSectionId}
      • The documented flow is:
        1. List billing profiles and invoice sections:
                  az billing profile list --account-name "{billingAccountId}" --expand "InvoiceSections"
        2. Use the id property of the target invoice section as the billingScope when creating the subscription.
      • If the ALZ subscription vending module is not using the exact id of the invoice section returned by this API, the platform will return InsufficientPermissionsOnInvoiceSection even if permissions look correct elsewhere.
    2. Create the subscription via the supported MCA APIs/commands
      • For MCA, the supported programmatic path is via Microsoft.Subscription/aliases using either:
        • PowerShell: New-AzSubscriptionAlias with the MCA billing scope, or
        • Azure CLI: az account alias create with the MCA billing scope.
      • Both return a payload like:
             {
               "id": "/providers/Microsoft.Subscription/aliases/sampleAlias",
               "name": "sampleAlias",
               "properties": {
                 "provisioningState": "Succeeded",
                 "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"
               },
               "type": "Microsoft.Subscription/aliases"
             }
      • The ALZ Terraform module must ultimately call into this alias API (or equivalent) with the correct billingScope. If it is using an EA-style flow or a wrong scope, MCA will reject it with the invoice section error.
    3. Permissions must exist specifically on the invoice section
      • The error is raised when either:
        • The invoice section ID used is invalid/not found, or
        • The caller lacks the required role on that invoice section.
      • The documentation shows that the subscription is created for an invoice section, not just for a billing account or billing profile. The service principal must have the appropriate MCA billing role on that invoice section (for example, the role that allows subscription creation for that invoice section).
      • Assigning broad roles like “Billing Account Owner” alone is not sufficient if the invoice section-level role required for subscription creation is missing or the wrong invoice section ID is used.
    4. MCA account type (“Individual”) and ALZ subscription vending
      • The documentation for MCA programmatic subscription creation does not introduce a separate flow for “Individual” vs other MCA account types; it focuses on:
        • Correctly identifying billing profiles and invoice sections.
        • Using the MCA billing scope in the alias API.
      • The critical factor is therefore billing scope and invoice section permissions, not the ALZ module itself.
    5. Concrete checks and recommendations for this scenario
      • Verify that the Terraform configuration (or the ALZ module variables) is passing exactly the invoice section id returned by:
             az billing profile list --account-name "{billingAccountId}" --expand "InvoiceSections"
      • Confirm that the service principal used by Terraform has the required MCA billing role on that specific invoice section, not only at billing account or billing profile level.
      • If needed, test outside Terraform using:
        • New-AzSubscriptionAlias with the same billingScope the module uses, or
        • az account alias create with that billingScope. If these commands fail with the same InsufficientPermissionsOnInvoiceSection error, the issue is definitively at the MCA billing/permissions layer, not in Terraform or ALZ.
      • Once the alias creation works via CLI/PowerShell with the same scope and identity, align the ALZ module configuration to use that working scope and identity.

    These steps align the ALZ subscription vending module with the documented MCA subscription-creation flow and address the specific InsufficientPermissionsOnInvoiceSection error by focusing on the invoice section scope and permissions.
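A pre-flight script that applies the advice in both answers above: it rejects a billing account or billing profile ID where the module needs the full invoice section path, and then compares the scope byte-for-byte against the ids `az billing profile list --expand InvoiceSections` returns. This is an added example, not code from the ALZ module, Microsoft or either answer; the JMESPath `[].invoiceSections.value[].id` for the az output shape is an assumption.

```shell
#!/bin/sh
# Constructed pre-flight for ALZ subscription vending (added example; not the
# module's or Microsoft's code). billing_scope_level classifies the scope
# string offline; preflight then checks it against what az CLI can see.
PREFIX='/providers/Microsoft.Billing/billingAccounts/'

# Echoes one of: invoice-section | billing-profile | billing-account | invalid
billing_scope_level() {
  rest=${1#"$PREFIX"}
  [ "$rest" = "$1" ] && { echo invalid; return 1; }
  account=${rest%%/*}; rest=${rest#"$account"}
  [ -z "$account" ] && { echo invalid; return 1; }
  case "$rest" in
    '') echo billing-account; return 0 ;;
    /billingProfiles/*) rest=${rest#/billingProfiles/} ;;
    *) echo invalid; return 1 ;;
  esac
  profile=${rest%%/*}; rest=${rest#"$profile"}
  [ -z "$profile" ] && { echo invalid; return 1; }
  case "$rest" in
    '') echo billing-profile; return 0 ;;
    /invoiceSections/*) section=${rest#/invoiceSections/} ;;
    *) echo invalid; return 1 ;;
  esac
  case "$section" in
    ''|*/*) echo invalid; return 1 ;;   # empty id or trailing segments
    *) echo invoice-section ;;
  esac
}

# Needs az CLI logged in as the Terraform identity. Assumed output shape:
# each billing profile carries invoiceSections.value[].id (assumption).
preflight() {
  scope=$1
  level=$(billing_scope_level "$scope") || true
  if [ "$level" != invoice-section ]; then
    echo "billing_scope is '$level'; the module needs the full invoice section ID" >&2
    return 1
  fi
  account=${scope#"$PREFIX"}; account=${account%%/*}
  # The module must get the exact id the API returns, so match whole lines only.
  az billing profile list --account-name "$account" --expand InvoiceSections \
      --query '[].invoiceSections.value[].id' -o tsv | grep -Fxq -- "$scope" \
    || { echo "invoice section not visible to this identity: $scope" >&2; return 1; }
  echo "OK: $scope is an invoice section this identity can see"
}
```

Run `preflight "$TF_BILLING_SCOPE"` with the same login Terraform uses; a pass here but a failure in Terraform points at the role assignment on the invoice section (the Azure subscription creator role on the SPN object ID) rather than the scope string.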
