Coder Perfect

Using a Bicep template to create an Azure subscription fails with the error ‘InvalidSubCreationScope – Not a valid subscription creation scope.’

/

Category: Azure Bicep

Tag: ,

Problem

I’m attempting to create a new Azure Subscription using the Bicep template below:

targetScope = 'tenant'

var spokeSubscriptionName = 'Test Sub'
resource spokeSubscription 'Microsoft.Subscription/aliases@2020-09-01' = {
  scope: tenant()
  name: name: guid(spokeSubscriptionName, tenant().tenantId)
  properties: {
    displayName: spokeSubscriptionName
    billingScope: '/providers/Microsoft.Billing/billingAccounts/foo:bar'
    workload: 'Production'
  }
}

When I run the deployment command, it looks like this:

—name 01TestSubDeploy2021-11-21 —location uksouth —template-file.subscription-only.bicep az deployment tenant create

The following problem message appears on my screen:

{
    "status": "Failed",
    "error": {
        "code": "DeploymentFailed",
        "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
        "details": [
            {
                "code": "BadRequest",
                "message": "{\r\n  \"error\": {\r\n    \"code\": \"InvalidSubCreationScope\",\r\n    \"message\": \"Not a valid subscription creation scope\"\r\n  },\r\n  \"code\": \"InvalidSubCreationScope\",\r\n  \"message\": \"Not a valid subscription creation scope\"\r\n}"
            }
        ]
    }
}

When you run the command with the —what-if switch, you’ll get the following results:

The deployment will update the following scope:

Scope: /

  + Microsoft.Subscription/aliases/[SUBGUID] [2020-09-01]

      apiVersion:              "2020-09-01"
      id:                      "/providers/Microsoft.Subscription/aliases/[SUBGUID]"
      name:                    "[SUBGUID]"
      properties.billingScope: "/providers/Microsoft.Billing/billingAccounts/foo:bar"
      properties.displayName:  "Test Sub"
      properties.workload:     "Production"
      type:                    "Microsoft.Subscription/aliases"

At the Root scope, the account I’m using has Owner rights.

This article suggests that the billing scope value I’m using is improper. The ID property supplied by the command az billing account list gave me the billing scope value. I tested both the full scope path and the ID value alone.

The billing account is a ‘Microsoft Customer Agreement’ type account (e.g. not EA). The majority of the literature for creating programmatic subscriptions specifies that the examples are for EA tenants and that’modifications will be required’ for other tenant categories. Nothing, however, says it isn’t feasible.

I’d like to either confirm that creating subscriptions with a Bicep template is presently not allowed for MCA billing accounts, or repair any issues in my template or deployment command.

Thanks in advance!

Asked by jamiecon

Solution #1

This error was caused by a billing scope that was incorrect.

The billing account, billing profile, and invoice section should all be included in the scope of an MCA membership.

See https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/programmatically-create-subscription-microsoft-customer-agreement for more information.

Answered by jamiecon

Post is based on https://stackoverflow.com/questions/70056549/creating-an-azure-subscription-with-a-bicep-template-fails-with-error-invalidsu