Add EA enrollment 403 error to common errors page

flanakin · claude · flanakin · commit 9d55c110c5ac · 2026-03-02T13:25:38.000-08:00
Adds a concise entry to the existing errors.md page for the HTTP 403 error when using Add-FinOpsServicePrincipal. Links to authoritative Microsoft docs for EA role assignment and permissions. Closes #1754 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/docs-mslearn/toolkit/changelog.md b/docs-mslearn/toolkit/changelog.md
@@ -36,31 +36,21 @@ The following section lists features and enhancements that are currently in deve
 - Cost Management export modules for subscriptions and resource groups.
 -->
 
-<br>
+<br><a name="latest"></a>
 
 ## v14
 
+### [Implementing FinOps guide](../implementing-finops-guide.md) v14
+
+- **Added**
+  - Added EA enrollment 403 troubleshooting steps to the [common errors](../help/errors.md#403) page ([#1754](https://github.com/microsoft/finops-toolkit/issues/1754)).
+
 ### [FinOps hubs](hubs/finops-hubs-overview.md) v14
 
 - **Changed**
   - Improved deployment UI to consolidate hub mode selection into a single radio button group with four mutually exclusive options: None (storage only for Power BI reports), Azure Data Explorer, Microsoft Fabric, or Remote Hub ([#1929](https://github.com/microsoft/finops-toolkit/issues/1929)).
   - Remote Hub configuration (storage URI, storage key, and purge protection) is now displayed in the Basics tab when Remote Hub mode is selected, making the mutual exclusivity clear.
   - Data Explorer SKU and retention settings are now only visible when Azure Data Explorer mode is selected.
-
-### [PowerShell module](powershell/powershell-commands.md) v14
-
-- **Added**
-  - Added `-WhatIf` support for resource provider registration in [New-FinOpsCostExport](powershell/cost-management/New-FinOpsCostExport.md).
-- **Fixed**
-  - Fixed inverted verbose logging in [Start-FinOpsCostExport](powershell/cost-management/Start-FinOpsCostExport.md) that showed blank dates when a date range was specified.
-  - Addressed minor lint warnings across PowerShell commands.
-
-<br><a name="latest"></a>
-
-## v14
-
-### [FinOps hubs](hubs/finops-hubs-overview.md) v14
-
 - **Fixed**
   - Fixed Init-DataFactory deployment script failing when an Event Grid subscription is already provisioning by checking subscription status before attempting subscribe/unsubscribe and polling separately for completion ([#1996](https://github.com/microsoft/finops-toolkit/issues/1996)).
 
@@ -71,6 +61,14 @@ The following section lists features and enhancements that are currently in deve
     - Azure Hybrid Benefit doesn't apply to Dev/Test resources as Windows licenses are already covered by Visual Studio subscriptions.
   - Fixed Azure Hybrid Benefit reports to include Windows VMs from all publishers, not just Microsoft-published images ([#1793](https://github.com/microsoft/finops-toolkit/issues/1793)).
 
+### [PowerShell module](powershell/powershell-commands.md) v14
+
+- **Added**
+  - Added `-WhatIf` support for resource provider registration in [New-FinOpsCostExport](powershell/cost-management/New-FinOpsCostExport.md).
+- **Fixed**
+  - Fixed inverted verbose logging in [Start-FinOpsCostExport](powershell/cost-management/Start-FinOpsCostExport.md) that showed blank dates when a date range was specified.
+  - Addressed minor lint warnings across PowerShell commands.
+
 <br>
 
 ## v13 Update 1
diff --git a/docs-mslearn/toolkit/help/errors.md b/docs-mslearn/toolkit/help/errors.md
@@ -25,6 +25,21 @@ If the information provided doesn't help you, [Create a support request](/azure/
 
 <br>
 
+## 403
+
+<sup>Severity: Critical</sup>
+
+You may see this error when using [Add-FinOpsServicePrincipal](../powershell/hubs/Add-FinOpsServicePrincipal.md) to assign EA enrollment reader permissions to a service principal. The billing role assignment API returns HTTP 403 when the request is rejected.
+
+**Mitigation**:
+
+1. Confirm you are using the service principal object ID from **Enterprise applications** in the Azure portal, not the application object ID from **App registrations**. See [Assign roles to EA service principals](https://learn.microsoft.com/azure/cost-management-billing/manage/assign-roles-azure-service-principals).
+2. Confirm your account has the **Enrollment writer** role in your Enterprise Agreement. See [Understand EA administrative roles](https://learn.microsoft.com/azure/cost-management-billing/manage/understand-ea-roles).
+3. Confirm the billing account ID matches your EA enrollment number exactly.
+4. If the error persists, try assigning the role directly through the [Billing Role Assignments REST API](https://learn.microsoft.com/rest/api/billing/2019-10-01-preview/role-assignments/put) using the **Try it** feature.
+
+<br>
+
 ## Access to the resource is forbidden
 
 <sup>Severity: Critical</sup>
