Script to Setup Commitment Permissions
  • 09 Apr 2026


This section provides a PowerShell script that sets up the permissions Turbo360 needs to see commitments in Azure.

Prerequisites

  • Install Azure CLI

  • Have PowerShell installed

  • Get the App Registration Client ID that you have set up for Turbo360

Steps

  1. Copy the below code into a PowerShell file called Setup-Commitments-Permissions.ps1

  2. Log in to Azure with the Azure CLI. Note you need to do this twice so you have both the Graph and management API scopes. Use the following commands.

az login --use-device-code --tenant [Your tenant id] --scope https://management.core.windows.net//.default

az login --use-device-code --tenant [Your tenant id] --scope https://graph.microsoft.com//.default

  3. Run the below command

.\Setup-Commitments-Permissions.ps1 -ClientId "[Your client id]"

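Script to set up Permissions

This is the script you should save to a file to set up the permissions. It looks up the Service Principal for the Client ID, then assigns it two read-only roles at their provider scopes.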



param(
    [Parameter(Mandatory = $true)]
    [string]$ClientId
)

# Look up the Service Principal Object ID from the App Registration Client ID
Write-Host "Looking up Service Principal for Client ID: $ClientId ..."
$SpObjectId = az ad sp show --id $ClientId --query id -o tsv

if (-not $SpObjectId) {
    Write-Error "Could not find a Service Principal for Client ID '$ClientId'. Ensure the App Registration exists and you are logged in to the correct tenant."
    exit 1
}

Write-Host "Found Service Principal Object ID: $SpObjectId"

# Role assignments to create
$Assignments = @(
    @{ Role = "Reservations Reader";   Scope = "/providers/Microsoft.Capacity" },
    @{ Role = "Savings plan Reader";   Scope = "/providers/Microsoft.BillingBenefits" }
)

foreach ($Assignment in $Assignments) {
    Write-Host "`nAssigning '$($Assignment.Role)' at scope '$($Assignment.Scope)' ..."
    az role assignment create --assignee-object-id "$SpObjectId" --assignee-principal-type ServicePrincipal --role "$($Assignment.Role)" --scope "$($Assignment.Scope)"

    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Failed to assign '$($Assignment.Role)'. Check the error above."
    } else {
        Write-Host "Successfully assigned '$($Assignment.Role)'."
    }
}

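Write-Host "`nVerifying assignments ..."
# These scopes are tenant-level, so list at each scope explicitly; without --scope
# the listing only covers the current subscription.
foreach ($Assignment in $Assignments) {
    az role assignment list --assignee "$SpObjectId" --scope "$($Assignment.Scope)" --output table
}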
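
To turn the verification into a pass/fail check, the following added example (not part of the Turbo360 script) reads the assignments at each of the two scopes and flags a missing role or any other role the Service Principal holds there. The file name Check-Commitments-Permissions.ps1 and the variable names are assumptions; it needs the same two az login sessions as the setup script.

```powershell
# Check-Commitments-Permissions.ps1 (hypothetical name) - added example, not Turbo360 code.
# Usage: .\Check-Commitments-Permissions.ps1 -ClientId "[Your client id]"
param(
    [Parameter(Mandatory = $true)]
    [string]$ClientId
)

$SpObjectId = az ad sp show --id $ClientId --query id -o tsv
if (-not $SpObjectId) {
    Write-Error "No Service Principal found for Client ID '$ClientId'."
    exit 1
}

# Expected state, taken from the setup script: one read-only role per scope.
$Expected = @{
    "/providers/Microsoft.Capacity"        = "Reservations Reader"
    "/providers/Microsoft.BillingBenefits" = "Savings plan Reader"
}

$Problems = 0
foreach ($Scope in $Expected.Keys) {
    # Ask for role names only, at this exact scope.
    $Roles = @(az role assignment list --assignee $SpObjectId --scope $Scope `
            --query "[].roleDefinitionName" -o tsv)
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not list assignments at '$Scope'. Check the error above."
        $Problems++
        continue
    }

    # The role the setup script should have created.
    if ($Roles -notcontains $Expected[$Scope]) {
        Write-Warning "MISSING: '$($Expected[$Scope])' at '$Scope'."
        $Problems++
    }

    # Anything else at this scope was not granted by the setup script.
    foreach ($Role in ($Roles | Where-Object { $_ -ne $Expected[$Scope] })) {
        Write-Warning "UNEXPECTED: '$Role' at '$Scope'."
        $Problems++
    }
}

if ($Problems -eq 0) {
    Write-Host "OK: only the expected reader roles are assigned."
}
exit $Problems
```

The exit code is the number of findings, so a scheduled job can alert on any non-zero result.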


