Change User Access Administrator to RBAC Administrator role#1949
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This pull request changes the role assignment for managing Cost Management exports from User Access Administrator to RBAC Administrator, and moves the role assignment from the base Exports app to the ManagedExports app so it is only required when enableManagedExports is true.
Changes:
- Removed User Access Administrator role (GUID:
18d7d88d-d35e-4fb5-a5c3-7773c20a72d9) from the Exports app - Added RBAC Administrator role (GUID:
f58310d9-a9f6-439a-9e8d-f62e7b41a168) to the ManagedExports app - Updated changelog to document this change under v13
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/templates/finops-hub/modules/Microsoft.CostManagement/ManagedExports/app.bicep | Added RBAC Administrator role assignment to storageRoles array for the ManagedExports app |
| src/templates/finops-hub/modules/Microsoft.CostManagement/Exports/app.bicep | Removed User Access Administrator role assignment from the storageRoles array in the base Exports app |
| docs-mslearn/toolkit/changelog.md | Added changelog entry documenting the role change and movement to ManagedExports app under v13 |
Collaborator
|
Tested the enableManagedExports=false. We still need the Role Based Access Control Administrator role for the deployment, but now we can exclude the elevated roles for that role in this scenario (RBAC Admin doesn't need the right to assign RBAC Admin role): 
|
RolandKrummenacher
approved these changes
Jan 22, 2026
- Simplify Invoke-WithRetry with linear backoff retry delay - Add Set-BlobTriggerSubscription for Event Grid subscription handling - Detect BlobEventsTrigger by BlobPathBeginsWith property - Fix variable scoping issues with script block parameters - Remove SuppressErrors behavior (fail fast) - Reduce script from 189 to 132 lines
Collaborator
Author
|
@microsoft-github-policy-service agree |
flanakin
added a commit
that referenced
this pull request
Jan 31, 2026
Co-authored-by: Roland Krummenacher <roland.krummenacher@alescent.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
enableManagedExportsis trueFixes #1946
Test plan
enableManagedExports=falseand confirm User Access Administrator / RBAC Administrator is not requiredenableManagedExports=trueand confirm RBAC Administrator role is assigned correctly🤖 Generated with Claude Code