Problem
When attempting to create a Subscription in an Azure Enrollment Account while authenticated as a Service Principal, you may encounter the following error during a terraform apply.
Error: creating new Subscription (Alias "<REDACTED>"): subscription.AliasClient#Create: Failure sending request: StatusCode=401 -- Original Error: Code="UserNotAuthorized" Message="User is not authorized to create subscriptions on this enrollment account"
Cause
The error indicates the service principal lacks the appropriate permissions required to create subscriptions in an Azure Enrollment Account. To use a service principal to create an Enterprise Agreement (EA) subscription, it must be assigned the Subscription Creator role.
Solution
To resolve this issue, assign the Subscription Creator role to the service principal, following the official Microsoft documentation for assigning enrollment account role permissions to a service principal.
Note: This role is not visible in the EA portal. It is created and used programmatically.
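The following added example (not part of the original article or of Microsoft's or HashiCorp's own code) shows what the programmatic assignment looks like when sent with az rest, scoped to a single enrollment account so the service principal gains subscription-creation rights only there. The REST path, API version and role definition ID follow Microsoft's published EA role assignment procedure and should be checked against the current documentation; the function names are hypothetical, and all account, principal and tenant values are placeholders supplied by the caller.

```bash
#!/usr/bin/env bash
# Added example: request for a SubscriptionCreator assignment scoped to ONE
# enrollment account. Every ID passed in is a caller-supplied placeholder.

# SubscriptionCreator role definition ID and API version per Microsoft's EA
# role documentation (verify against the current docs before use).
SUBSCRIPTION_CREATOR_ROLE_ID="a8889054-8d42-49c9-bc1c-52486c10e7cd"
API_VERSION="2019-10-01-preview"

# Returns 0 when $1 is a well-formed GUID.
is_guid() {
  printf '%s' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# $1 = billing account (enrollment) number, $2 = enrollment account number
ea_scope() {
  printf '/providers/Microsoft.Billing/billingAccounts/%s/enrollmentAccounts/%s' "$1" "$2"
}

# $3 = new GUID that names this role assignment
assignment_url() {
  printf 'https://management.azure.com%s/billingRoleAssignments/%s?api-version=%s' \
    "$(ea_scope "$1" "$2")" "$3" "$API_VERSION"
}

# $3 = service principal OBJECT ID (not the application/client ID), $4 = tenant ID
assignment_body() {
  is_guid "$3" && is_guid "$4" || { echo "principal and tenant IDs must be GUIDs" >&2; return 1; }
  printf '{"properties":{"principalId":"%s","principalTenantId":"%s","roleDefinitionId":"%s/billingRoleDefinitions/%s"}}' \
    "$3" "$4" "$(ea_scope "$1" "$2")" "$SUBSCRIPTION_CREATOR_ROLE_ID"
}

# Sends the PUT with the Azure CLI; $5 = assignment GUID (e.g. from uuidgen).
assign_subscription_creator() {
  is_guid "$5" || { echo "assignment name must be a GUID" >&2; return 1; }
  body=$(assignment_body "$1" "$2" "$3" "$4") || return 1
  az rest --method put --url "$(assignment_url "$1" "$2" "$5")" --body "$body"
}
```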
Outcome
After assigning the Subscription Creator role to the service principal, rerun the terraform apply command. The subscription creation should now succeed.