Error Creating Subscription with Service Principal in Azure Enrollment Account

Introduction

Problem:

A user may encounter the following error during a terraform apply attempting to create a Subscription in an Azure Enrollment Account while authenticated as a Service Principal:

Error: creating new Subscription (Alias "<REDACTED>"): subscription.AliasClient#Create: 
Failure sending request: StatusCode=401 -- Original Error: Code="UserNotAuthorized" 
Message="User is not authorized to create subscriptions on this enrollment account"

Cause:

The error indicates the service principal lacks appropriate permissions. Creating subscriptions in enrollment accounts require additional permissions. To use a service principal (SPN) to create an EA subscription, the service principal needs the Subscription Creator role. 

Solution:

Assign Subscription Creator role to the service principal following instructions here. 

Note: The role isn't shown in the EA portal. It's created by programmatic means and is only for programmatic use.

Outcome:

After assigning the Subscription Creator role, retry the failed run and the subscription should be created. 

Additional Information

• Azure Provider: Authenticating via a Service Principal and a Client Secret | Guides | hashicorp/azurerm | Terraform Registry

• Programmatically create Azure Enterprise Agreement subscriptions with the latest APIs - Microsoft Cost Management | Microsoft Learn