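You can use the Azure Billing API to programmatically elevate your own access so that you can manage all billing accounts in your directory.
Find all billing accounts in your directory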
GET https://management.azure.com/providers/Microsoft.Billing/billingAccounts?includeAllOrgs=true&api-version=2020-05-01
The API response returns a list of the billing accounts in the directory.
{
  "value": [
    {
      "id": "/providers/Microsoft.Billing/billingAccounts/6e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx_xxxx-xx-xx",
      "name": "6e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx_xxxx-xx-xx",
      "properties": {
        "accountStatus": "Active",
        "accountType": "Individual",
        "agreementType": "MicrosoftCustomerAgreement",
        "billingProfiles": {
          "hasMoreResults": false
        },
        "displayName": "Connie Wilson",
        "hasReadAccess": true
      },
      "type": "Microsoft.Billing/billingAccounts"
    },
    {
      "id": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx_xxxx-xx-xx",
      "name": "5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx_xxxx-xx-xx",
      "properties": {
        "accountStatus": "Active",
        "accountType": "Enterprise",
        "agreementType": "MicrosoftCustomerAgreement",
        "billingProfiles": {
          "hasMoreResults": false
        },
        "displayName": "Contoso",
        "hasReadAccess": true
      },
      "type": "Microsoft.Billing/billingAccounts"
    },
    {
      "id": "/providers/Microsoft.Billing/billingAccounts/4e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx_xxxx-xx-xx",
      "name": "4e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx_xxxx-xx-xx",
      "properties": {
        "accountStatus": "Active",
        "accountType": "Individual",
        "agreementType": "MicrosoftCustomerAgreement",
        "billingProfiles": {
          "hasMoreResults": false
        },
        "displayName": "Tomas Wilson",
        "hasReadAccess": true
      },
      "type": "Microsoft.Billing/billingAccounts"
    }
  ]
}
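Use the billing account's displayName property to identify the billing account for which you want to elevate your access. Copy the billing account's name. For example, if you want to elevate yourself to owner of the Connie Wilson billing account, copy 6e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx_xxxx-xx-xx. Paste the value somewhere so that you can use it in the next step.
Get the role definitions available for the billing account
Make the following request, replacing <billingAccountName> with the name copied in the first step (6e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx_xxxx-xx-xx).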
GET https://management.azure.com/providers/Microsoft.Billing/billingAccounts/<billingAccountName>/billingRoleDefinitions?api-version=2020-05-01
The API response returns a list of the roles available for the billing account.
{
  "value": [
    {
      "id": "/providers/Microsoft.Billing/billingAccounts/6e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx_xxxx-xx-xx/billingRoleDefinitions/a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1",
      "name": "a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1",
      "properties": {
        "description": "The Owner role gives the user all permissions including access management on a billing account.",
        "permissions": [
          {
            "actions": [
              "a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1",
              "a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1",
              "a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1",
              "a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1"
            ]
          }
        ],
        "roleName": "Billing account owner"
      },
      "type": "Microsoft.Billing/billingAccounts/billingRoleDefinitions"
    },
    {
      "id": "/providers/Microsoft.Billing/billingAccounts/6e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx_xxxx-xx-xx/billingRoleDefinitions/a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1",
      "name": "a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1",
      "properties": {
        "description": "The Contributor role gives the user all permissions except access management on a billing account.",
        "permissions": [
          {
            "actions": [
              "a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1",
              "a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1",
              "a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1"
            ]
          }
        ],
        "roleName": "Billing account contributor"
      },
      "type": "Microsoft.Billing/billingAccounts/billingRoleDefinitions"
    },
    {
      "id": "/providers/Microsoft.Billing/billingAccounts/6e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx_xxxx-xx-xx/billingRoleDefinitions/a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1",
      "name": "a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1",
      "properties": {
        "description": "The Reader role gives the user read permissions to a billing account.",
        "permissions": [
          {
            "actions": [
              "a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1",
              "a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1",
              "a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1"
            ]
          }
        ],
        "roleName": "Billing account reader"
      },
      "type": "Microsoft.Billing/billingAccounts/billingRoleDefinitions"
    }
  ]
}
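Use the roleName property to identify the owner role definition. Copy the role definition's name. For example, copy a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 from the API response above. Paste the value somewhere so that you can use it in the next step.
Add yourself as an owner
Make the following request, replacing <billingAccountName> with the name copied in the first step (6e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx_xxxx-xx-xx).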
PUT https://management.azure.com/providers/Microsoft.Billing/billingAccounts/<billingAccountName>/createBillingRoleAssignment?api-version=2020-05-01
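Request body
To add yourself as an owner, you need your own object ID. You can find the object ID on the Users page of the Microsoft Entra ID section in the Azure portal, or you can get it by using the Microsoft Graph API.
In the request body, replace <roleDefinitionName> with the name copied in step 2. Replace <principalId> with the object ID obtained from the Azure portal or through the Microsoft Graph API.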
{
  "principalId": "<principalId>",
  "roleDefinitionId": "<roleDefinitionName>"
}
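The three steps above chained together offline, as an added example that is not part of the original page or Microsoft's code: it selects the account and the owner role from constructed sample responses and builds the final PUT for review without sending anything. The helper names, the placeholder IDs and the refusal on ambiguous matches are assumptions of this sketch.

```python
"""Offline walk-through of the three steps; sends no requests."""
import json

BASE = "https://management.azure.com"
API_VERSION = "2020-05-01"

# Constructed sample data shaped like the two GET responses on this page,
# trimmed to the fields the procedure reads. All IDs are placeholders.
ACCOUNTS = {"value": [
    {"name": "acct-placeholder-1", "properties": {"displayName": "Connie Wilson"}},
    {"name": "acct-placeholder-2", "properties": {"displayName": "Contoso"}},
]}
ROLES = {"value": [
    {"name": "role-placeholder-owner", "properties": {"roleName": "Billing account owner"}},
    {"name": "role-placeholder-contrib", "properties": {"roleName": "Billing account contributor"}},
    {"name": "role-placeholder-reader", "properties": {"roleName": "Billing account reader"}},
]}


def pick_one(items, prop, wanted):
    """Return the `name` of the single item whose properties[prop] == wanted.

    Assumption: nothing on the page says display names are unique, so zero
    or several matches raise instead of picking an account silently.
    """
    hits = [i["name"] for i in items if i.get("properties", {}).get(prop) == wanted]
    if len(hits) != 1:
        raise LookupError(f"{prop}={wanted!r} matched {len(hits)} items, expected 1")
    return hits[0]


def build_owner_assignment(accounts, roles, display_name, principal_id):
    """Build (method, url, body) for step 3 so it can be reviewed before use."""
    account = pick_one(accounts["value"], "displayName", display_name)
    role = pick_one(roles["value"], "roleName", "Billing account owner")
    url = (f"{BASE}/providers/Microsoft.Billing/billingAccounts/{account}"
           f"/createBillingRoleAssignment?api-version={API_VERSION}")
    return "PUT", url, {"principalId": principal_id, "roleDefinitionId": role}


if __name__ == "__main__":
    method, url, body = build_owner_assignment(
        ACCOUNTS, ROLES, "Connie Wilson", "<principalId>")
    print(method, url)
    print(json.dumps(body, indent=2))
```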