My Commitments-Savings Plans

Assign Savings plan reader (Microsoft.BillingBenefits) to the Umbrella service principal on each savings plan order. Under MPA, the grant goes in the partner tenant.

Savings Plan Reader for Azure ingestion

Umbrella reads your Azure Savings Plan inventory - what was purchased, on what terms, and where it applies. This access is governed by RBAC on the savings plan order itself, on the benefits plane, independent of subscription access. Subscription roles alone will not surface it.

Role | Savings plan reader
Resource provider | Microsoft.BillingBenefits
Access level | Read-only
Assigned to | The Umbrella service principal (app registration)
Where | On each savings plan order

What this grants

Read-only visibility into the savings plan orders:

  • Orders
  • Term
  • Commitment per hour
  • Applied scope (Shared vs. Single subscription)
  • Instance flexibility

Before you start

You are granting read access to the service principal Umbrella uses to pull data. Whoever performs these steps needs to be able to assign roles at the relevant scope - this is the part to confirm first, because it differs by who owns the billing.

  1. The Umbrella service principal (app registration). Have the application (client) ID ready, or its display name in Entra ID. This is the identity the role is assigned to.
  2. Role-assignment rights. You need Owner or User Access Administrator on the target, or the equivalent billing role (Enterprise Administrator for EA, Billing account/profile Owner for MCA).
  3. The right scope in mind. Savings Plans are almost always purchased at billing account or billing profile scope, above any single subscription. The role is applied on each savings plan order.
    Note: Azure renames built-in roles and bumps API versions on the benefits plane periodically. The role name here is current as of authoring. Before locking an onboarding runbook, confirm the exact role name and API version against Microsoft's live docs.

Grant the role

1. Open the savings plan order

Go to Cost Management + Billing > Savings plans, open the savings plan order you want Umbrella to read, then select Access control (IAM) > Add role assignment.

Apply the role on each order you want covered. The grant is scoped to the order it is set on and will not carry to plans purchased later.

2. Assign the role

The Add role assignment flow has three tabs: pick the role, pick the member, review and assign.

  1. On the Role tab, search for Savings plan reader and select it.
  2. On the Members tab, choose User, group, or service principal, then select the Umbrella app by name or client ID.
  3. Select Review + assign. The assignment takes effect within a minute or two.

EA / MCA / CSP differences

The role is the same everywhere. What changes is where the savings plan is owned and which billing role can perform the assignment. MPA (partner) is the one that bites during MSP onboarding.

Agreement | Where the grant goes | Who can assign
EA | Savings plan reader on each order. Inventory is also visible via Enterprise Administrator (read-only). | Enterprise Administrator; Owner / User Access Administrator on the order.
MCA | Savings plan reader on each order. | Billing account / profile Owner; User Access Administrator.
MPA (MSP) | Plan is owned at the partner billing account. Grant Savings plan reader on the orders in the partner tenant, not each customer tenant. | Partner billing admin in the partner tenant.

MSP Flow (CSP)

Under MPA, the savings plan does not live in the end-customer tenant - it is purchased and owned at the partner billing account. The Savings plan reader grant must be applied on the orders in the partner tenant, and it is a different consent flow from standard direct-customer onboarding.

If the onboarding wizard assumes the Savings plan reader grant happens in the customer tenant, partner savings plans will be invisible. Make MPA a distinct onboarding branch, not a checkbox on the direct flow.

Validate access

Before handing the customer back to the ingestion pipeline, confirm the service principal can read the inventory. Run this as the service principal, not as your admin user - an admin succeeding proves nothing about the SP's grant.

# Should return the savings plan orders, not an empty list or a 403
az rest --method get \
  --url "https://management.azure.com/providers/Microsoft.BillingBenefits/savingsPlanOrders?api-version=2024-11-01-preview"

Reading the result:

  • 403 - the reader role did not land. Wrong scope, or (under MPA) assigned in the customer tenant instead of the partner tenant.
  • Empty 200 - the grant is correct but no orders exist at that scope yet.
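
The check above wrapped so that it really runs as the service principal and reports which of these cases it hit. This is an added example, not Umbrella's own tooling. The variable names UMBRELLA_APP_ID, UMBRELLA_SP_SECRET and BILLING_TENANT_ID are assumptions, as is the exact wording az prints on a 403.

```bash
#!/usr/bin/env bash
# Added example. Assumed names (not from the page): UMBRELLA_APP_ID,
# UMBRELLA_SP_SECRET and BILLING_TENANT_ID hold the service principal's
# client ID, its secret, and the tenant that owns the savings plan orders
# (the partner tenant under MPA).

URL="https://management.azure.com/providers/Microsoft.BillingBenefits/savingsPlanOrders?api-version=2024-11-01-preview"

# Map one read attempt onto the cases under "Reading the result".
# $1 = az exit code, $2 = number of orders returned, $3 = az stderr text.
# Assumption: az rest exits non-zero on a 403 and names it on stderr.
classify_read() {
  if [ "$1" -ne 0 ]; then
    case "$3" in
      *Forbidden*|*AuthorizationFailed*|*403*) echo "FORBIDDEN" ;;
      *) echo "ERROR" ;;
    esac
    return 0
  fi
  case "$2" in
    ''|0) echo "EMPTY" ;;   # 200 with no orders at this scope
    *)    echo "OK" ;;      # 200 with at least one order
  esac
}

validate_as_sp() {
  # Throwaway CLI profile: a cached admin login cannot answer for the SP.
  AZURE_CONFIG_DIR=$(mktemp -d) || return 2
  export AZURE_CONFIG_DIR
  errfile="$AZURE_CONFIG_DIR/rest.err"
  az login --service-principal --username "$UMBRELLA_APP_ID" \
    --password "$UMBRELLA_SP_SECRET" --tenant "$BILLING_TENANT_ID" \
    --allow-no-subscriptions --output none || { rm -rf "$AZURE_CONFIG_DIR"; return 2; }
  count=$(az rest --method get --url "$URL" \
    --query "length(value)" --output tsv 2>"$errfile")
  rc=$?
  verdict=$(classify_read "$rc" "$count" "$(cat "$errfile")")
  az logout >/dev/null 2>&1
  rm -rf "$AZURE_CONFIG_DIR"
  unset AZURE_CONFIG_DIR
  echo "$verdict"
  [ "$verdict" = "OK" ]
}

# Run the live check only when asked: ./validate.sh --run
if [ "${1:-}" = "--run" ]; then validate_as_sp; fi
```

FORBIDDEN and EMPTY correspond to the two cases listed above; ERROR covers any other failure, such as a bad secret or a network problem, and should not be read as a missing grant.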

Quick reference

Field | Value
Role | Savings plan reader
Provider | Microsoft.BillingBenefits
Grants | Inventory, term, commitment
Scope | Per savings plan order
Access level | Read-only
MPA | Partner tenant