Programmatically create a subscription. Permission denied, but I can create in portal.

Mark Burton 0 Reputation points
2025-10-05T21:50:00.5966667+00:00

I have an MCA tenancy associated with an organisation, pay as you go. I also have a tenancy associated with me as an individual.

I'm trying to create subscriptions programmatically. There is an article - https://free.blessedness.top/en-us/azure/cost-management-billing/manage/programmatically-create-subscription-microsoft-customer-agreement?tabs=azure-powershell. I've also looked at projects in GitHub.

I can create subscriptions in the portal. Whenever I try through code, I get permission denied. I'm authenticated with the account that is the owner of the tenancy, billing scope, profile and invoice section, and for good measure I added 'Azure create subscription' to the invoice section. I've tried PowerShell, Azure CLI and REST - same issue. I've created management groups, and when I have a subscription, I can create resource groups and resources inside it. I'm stumped. Cursor and Claude are stumped.

I created the organisation tenancy because I thought it might be a limitation of the individual tenancy.

I will try creating a new Entra ID user account in the MCA org tenancy and see if that makes any difference, but it is a long shot.

I want to create subscriptions automatically because some architectures require multiple landing zones and I want to be able to build these with scripts. These are bootstrap scripts that create the basic pre-reqs before CI/CD pipelines do the rest. It is not much to create the subscriptions manually, but it is ugly to have to do that.

I've also got paid support as a developer and as a business MCA customer, but I can't create a ticket for the supposed 24*7 customer service - the wizards just come to a dead end, but they do mention the article above; after that the options are all not applicable.

Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.

2 answers

  1. Deleted

  2. Stanislav Zhelyazkov 29,281 Reputation points MVP Volunteer Moderator
    2025-10-06T05:53:33.7533333+00:00

    Hi,

    It is not completely clear what roles you have exactly and at which scope. You also haven't provided the exact error. However, my guess is that you are missing some permission on tenant scope (/). This is because resource type Microsoft.Subscription/aliases is a resource at tenant scope. The portal most likely still uses the legacy API for subscription creation, which uses different permissions. So either try using the legacy API or provide the exact error along with the permissions at tenant scope (/). You can use the Get-AzRoleAssignment cmdlet to get permissions at a specific scope.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

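One way to run the tenant-scope check suggested in the answer above, as an added example that is not part of the original thread or the answerer's own code. It assumes the Az.Accounts and Az.Resources modules, an existing `Connect-AzAccount` session as a user account, and that the action to look for is `Microsoft.Subscription/aliases/write`; the helper name `Test-RoleGrantsAction` is hypothetical.

```powershell
# Added example: audits the signed-in user's Azure RBAC assignments at tenant scope (/).
# Assumption: the control-plane action needed is the write action on the
# Microsoft.Subscription/aliases resource type named in the answer.
$requiredAction = 'Microsoft.Subscription/aliases/write'

function Test-RoleGrantsAction {
    # Hypothetical helper: evaluates one role definition against one action.
    param(
        [Parameter(Mandatory)] $RoleDefinition,
        [Parameter(Mandatory)] [string] $Action
    )
    # Granted when some Actions pattern matches and no NotActions pattern does.
    # Role patterns use '*' wildcards, which -like evaluates case-insensitively.
    $allowed  = @($RoleDefinition.Actions    | Where-Object { $Action -like $_ })
    $excluded = @($RoleDefinition.NotActions | Where-Object { $Action -like $_ })
    return ($allowed.Count -gt 0 -and $excluded.Count -eq 0)
}

$me = Get-AzADUser -SignedIn

# Listing at '/' itself needs read access to role assignments at tenant root;
# an authorization error here is a finding to include with the exact error text.
$rootAssignments = @(
    Get-AzRoleAssignment -Scope '/' -ObjectId $me.Id -ErrorAction Stop |
        Where-Object { $_.Scope -eq '/' }   # keep only assignments made at tenant root
)

if ($rootAssignments.Count -eq 0) {
    Write-Output "No role assignments for $($me.UserPrincipalName) at tenant scope (/)."
}

foreach ($assignment in $rootAssignments) {
    $definition = Get-AzRoleDefinition -Id $assignment.RoleDefinitionId
    [pscustomobject]@{
        Role           = $assignment.RoleDefinitionName
        Scope          = $assignment.Scope
        GrantsRequired = Test-RoleGrantsAction -RoleDefinition $definition -Action $requiredAction
    }
}
```

This only covers Azure RBAC role assignments; roles held on the billing account, billing profile or invoice section are managed separately and do not appear in `Get-AzRoleAssignment` output.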
