diff --git a/.secrets.baseline b/.secrets.baseline
index a233e4cf..657683b7 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
     "files": "^.secrets.baseline$|^.*pgsslrootcert.yml$",
     "lines": null
   },
-  "generated_at": "2020-01-27T19:24:43Z",
+  "generated_at": "2020-02-04T21:00:49Z",
   "plugins_used": [
     {
       "base64_limit": 4.5,
@@ -82,7 +82,7 @@
         "hashed_secret": "afc848c316af1a89d49826c5ae9d00ed769415f3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 32,
+        "line_number": 43,
         "type": "Secret Keyword"
       }
     ],
diff --git a/atst/domain/csp/cloud/azure_cloud_provider.py b/atst/domain/csp/cloud/azure_cloud_provider.py
index d5ef5204..60b6d9a0 100644
--- a/atst/domain/csp/cloud/azure_cloud_provider.py
+++ b/atst/domain/csp/cloud/azure_cloud_provider.py
@@ -97,10 +97,14 @@ class AzureCloudProvider(CloudProviderInterface):
         self.secret_key = config["AZURE_SECRET_KEY"]
         self.tenant_id = config["AZURE_TENANT_ID"]
         self.vault_url = config["AZURE_VAULT_URL"]
-        self.ps_client_id = config["POWERSHELL_CLIENT_ID"]
-        self.owner_role_def_id = config["AZURE_OWNER_ROLE_DEF_ID"]
+        self.ps_client_id = config["AZURE_POWERSHELL_CLIENT_ID"]
         self.graph_resource = config["AZURE_GRAPH_RESOURCE"]
         self.default_aadp_qty = config["AZURE_AADP_QTY"]
+        self.roles = {
+            "owner": config["AZURE_ROLE_DEF_ID_OWNER"],
+            "contributor": config["AZURE_ROLE_DEF_ID_CONTRIBUTOR"],
+            "billing": config["AZURE_ROLE_DEF_ID_BILLING_READER"],
+        }
 
         if azure_sdk_provider is None:
             self.sdk = AzureSDKProvider()
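Review bot: The new `self.roles` mapping has no comment explaining what its values are or why three roles are needed, and the enclosing `__init__` starts and ends outside the hunk. From the `config/base.ini` change in this commit the values are role-definition ids (GUIDs), so a line such as `# Azure role-definition ids, keyed by the short role name used when building roleDefinitions paths` above the dict would save the next reader a trip to the config file. The key `"billing"` also drops the `_READER` suffix of its config name `AZURE_ROLE_DEF_ID_BILLING_READER`; `"billing_reader"` would keep the two greppable together. As before, a missing key surfaces as a bare `KeyError` at construction time, which is acceptable for required config but worth knowing when the three new keys are rolled out to each environment.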
@@ -602,7 +606,7 @@ class AzureCloudProvider(CloudProviderInterface):
     def create_tenant_admin_ownership(self, payload: TenantAdminOwnershipCSPPayload):
         mgmt_token = self._get_elevated_management_token(payload.tenant_id)
 
-        role_definition_id = f"/providers/Microsoft.Management/managementGroups/{payload.tenant_id}/providers/Microsoft.Authorization/roleDefinitions/{self.owner_role_def_id}"
+        role_definition_id = f"/providers/Microsoft.Management/managementGroups/{payload.tenant_id}/providers/Microsoft.Authorization/roleDefinitions/{self.roles['owner']}"
 
         request_body = {
             "properties": {
@@ -630,7 +634,7 @@ class AzureCloudProvider(CloudProviderInterface):
         mgmt_token = self._get_elevated_management_token(payload.tenant_id)
 
         # NOTE: the tenant_id is also the id of the root management group, once it is created
-        role_definition_id = f"/providers/Microsoft.Management/managementGroups/{payload.tenant_id}/providers/Microsoft.Authorization/roleDefinitions/{self.owner_role_def_id}"
+        role_definition_id = f"/providers/Microsoft.Management/managementGroups/{payload.tenant_id}/providers/Microsoft.Authorization/roleDefinitions/{self.roles['owner']}"
 
         request_body = {
             "properties": {
diff --git a/config/base.ini b/config/base.ini
index 1f4c732a..0105eea5 100644
--- a/config/base.ini
+++ b/config/base.ini
@@ -1,9 +1,19 @@
 [default]
 ASSETS_URL
+AZURE_AADP_QTY=5
 AZURE_ACCOUNT_NAME
-AZURE_STORAGE_KEY
-AZURE_TO_BUCKET_NAME
+AZURE_CLIENT_ID
+AZURE_GRAPH_RESOURCE="https://graph.microsoft.com/"
 AZURE_POLICY_LOCATION=policies
+AZURE_POWERSHELL_CLIENT_ID
+AZURE_ROLE_DEF_ID_BILLING_READER="fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64"
+AZURE_ROLE_DEF_ID_CONTRIBUTOR="b24988ac-6180-42a0-ab88-20f7382dd24c"
+AZURE_ROLE_DEF_ID_OWNER="8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+AZURE_SECRET_KEY
+AZURE_STORAGE_KEY
+AZURE_TENANT_ID
+AZURE_TO_BUCKET_NAME
+AZURE_VAULT_URL
 BLOB_STORAGE_URL=http://localhost:8000/
 CAC_URL = http://localhost:8000/login-redirect
 CA_CHAIN = ssl/server-certs/ca-chain.pem
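Review bot: The role-definition path is now built twice with identical text, at the `role_definition_id` line in this hunk and again in the `@@ -630` hunk of the same file, with only the `self.roles[...]` key left to vary. A small helper, `def _role_definition_id(self, management_group_id, role):` returning `f"/providers/Microsoft.Management/managementGroups/{management_group_id}/providers/Microsoft.Authorization/roleDefinitions/{self.roles[role]}"`, would let both call sites read `role_definition_id = self._role_definition_id(payload.tenant_id, "owner")` and would be the one place to keep the NOTE from the second hunk that the tenant id doubles as the root management group id. It would also give an unknown role name a single, explicit failure point instead of a `KeyError` raised from inside an f-string. `create_tenant_admin_ownership` continues past this hunk, and the method owning the second hunk begins before it.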
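Review bot: The four new values `AZURE_GRAPH_RESOURCE`, `AZURE_ROLE_DEF_ID_BILLING_READER`, `AZURE_ROLE_DEF_ID_CONTRIBUTOR` and `AZURE_ROLE_DEF_ID_OWNER` are wrapped in double quotes, while every other value in this file (`AZURE_POLICY_LOCATION=policies`, `BLOB_STORAGE_URL=http://localhost:8000/`, `CAC_URL = http://localhost:8000/login-redirect`) is bare. Whether the quotes are stripped depends on the loader, which is not in this diff; with stock `configparser` they are kept, and the `roleDefinitions/...` path built in `azure_cloud_provider.py` would then carry literal quote characters and would likely be rejected. Unless the loader is known to strip them, write `AZURE_ROLE_DEF_ID_OWNER=8e3af657-a8ff-443c-a75c-2fe8c4bcb635` and likewise for the other three. The GUIDs match Azure's built-in Owner, Contributor and Billing Reader role definitions, which are the same in every tenant; a `;` comment saying so would explain why they can live in the base config rather than in per-environment settings.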
@@ -42,10 +52,10 @@ REDIS_TLS=False
 REDIS_USER
 SECRET_KEY = change_me_into_something_secret
 SERVER_NAME
-SESSION_COOKIE_NAME=atat
 SESSION_COOKIE_DOMAIN
-SESSION_KEY_PREFIX=session:
+SESSION_COOKIE_NAME=atat
 SESSION_COOKIE_SECURE=false
+SESSION_KEY_PREFIX=session:
 SESSION_TYPE = redis
 SESSION_USE_SIGNER = True
 SQLALCHEMY_ECHO = False
diff --git a/tests/mock_azure.py b/tests/mock_azure.py
index ce85a396..0062e386 100644
--- a/tests/mock_azure.py
+++ b/tests/mock_azure.py
@@ -9,8 +9,10 @@ AZURE_CONFIG = {
     "AZURE_TENANT_ID": "MOCK",
     "AZURE_POLICY_LOCATION": "policies",
     "AZURE_VAULT_URL": "http://vault",
-    "POWERSHELL_CLIENT_ID": "MOCK",
-    "AZURE_OWNER_ROLE_DEF_ID": "MOCK",
+    "AZURE_POWERSHELL_CLIENT_ID": "MOCK",
+    "AZURE_ROLE_DEF_ID_OWNER": "MOCK",
+    "AZURE_ROLE_DEF_ID_CONTRIBUTOR": "MOCK",
+    "AZURE_ROLE_DEF_ID_BILLING_READER": "MOCK",
     "AZURE_GRAPH_RESOURCE": "MOCK",
     "AZURE_AADP_QTY": 5,
 }
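Review bot: All three new role ids in `AZURE_CONFIG` use the same value `"MOCK"`, so a test that checks the `roleDefinitions/...` path built in `azure_cloud_provider.py` cannot tell whether the owner, contributor or billing id was used. Distinct values such as `"AZURE_ROLE_DEF_ID_OWNER": "MOCK_OWNER"`, `"AZURE_ROLE_DEF_ID_CONTRIBUTOR": "MOCK_CONTRIBUTOR"`, `"AZURE_ROLE_DEF_ID_BILLING_READER": "MOCK_BILLING_READER"` would make a wrong-role regression visible. The `AZURE_CONFIG` dict opens before the hunk. Separately, `AZURE_AADP_QTY` is an `int` here while `config/base.ini` in this commit gives it as `5`, which an ini loader hands back as a string unless it converts, so it is worth confirming the mock reflects what the real loader produces.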