Azure subscription rights challenge in CSP
Let's imagine a situation when you are a CSP Partner and you provide Azure services to your customer. Customer purchases Office 365 licenses from another reseller (e.g. under Enterprise Agreement), and that reseller is a managing partner (delegated admin) for customer's tenant. Customer wants you to manage Azure services only, and don't manage Office 365.
You've assigned a reseller relationship with customer's tenant, so you can assign cloud service subscriptions. But customer don't want to let you manage Office 365 services or view user accounts in Azure AD, so he removes you from Managing Partners list. So one partner (or customer itself) has access to manage Office 365 and Azure AD, and CSP partner manages Azure subscription. Real life situation, right?
By default, you will face some issues in that case:
- You (and only you) own Azure subscription in CSP as a partner. You can manage anything inside Azure CSP subscription and customer can't revoke those rights.
- Customer don't have any access to Azure CSP subscription by default, even with Global Admin rights in the tenant.
- If you'll try to assign any rights to the customer inside that Azure subscription, you won't be able to do that in a usual way, because you don't see any users in customer's directory. You won't be able to do that on Azure Portal neither through PowerShell in a direct way.
But I've found a workaround trick. You can ask your customer to provide a GUID of a user inside Customer's tenant and assign rights directly to that GUID. After that customer will be able to manage user rights himself.
Ask your customer to install MSOL PowerShell module and do the following:
#Connect to Azure AD using tenant's Global Admin or another existing user account
Connect-MsolService
#Get GUID of the required user account
$User = Get-MsolUser -UserPrincipalname user@tenantname.onmicrosoft.com$User.ObjectID
Ask your customer to send you that GUID. Then do the following using Azure Resource Manager PowerShell:
#Install Azure Resource Manager PowerShell module
Install-Module AzureRM
#Login using Partner Center AdminAgent user account
Login-AzureRmAccount
#Select Azure subscription in customer's tenant and assign Owner rights the Azure AD user with specified GUID.
$TenantID="tenantname.onmicrosoft.com"
$SubscriptionID="subscriptionID"
Select-AzureRmSubscription -SubscriptionID $SubscriptionID -TenantId $TenantID
$UserGUID="userguidprovidedbythecustomer"
#Select the required role for the user - Owner, Contributor or Reader.
$Role = "Owner"
New-AzureRmRoleAssignment -ObjectID $UserGUID -RoleDefinitionName $Role -Scope /subscriptions/$SubscriptionID
Don't worry about an error - that's OK in this case. Cmdlet tries to verify that user has been granted the corresponding rights, but it fails because you don't have access to Azure AD.
Customer will be able to access Azure CSP subscription on the Azure Portal and manage rights inside the subscription by himself now.
Comments
- Anonymous
January 28, 2017
Maybe another similar question. Is it possible to add delegated administrator rights to CSP partner without moving Office 365 tenant or Azure subscription to CSP?- Anonymous
January 28, 2017
This is not a typical case for CSP, but customer can create a user inside his Azure AD (or add an existing Microsoft Account) and assign Owner rights for Azure subscription to that user. After that partner will be able to logon under that user to portal.azure.com and administer Azure services on behalf of the user.- Anonymous
January 31, 2017
This sounds like classic scenario for service oriented partners which sometime become CSP reseller. For example, some customers want to provide services of maintain Exchange or Azure from one partner and buy licenses and services for SharePoint from other company. So tenant was added as CSP to one Microsoft Partner. Now, to second partner only delegated admin rights are needed. But this partner is also CSP reseller. There are still so many companies which buy things and services separately. Maybe CSP will change that for some future time completely.
- Anonymous
- Anonymous
- Anonymous
February 02, 2017
Thanks Kirill!So, what happens when I give some rights to a customer within Azure before he/she revokes my delegated admin priveledges? Will that user still have access or not? I just got word back from Microsoft that this 'works by design' and that O365 and Azure management can/will not be seperated. I totally agree with Kazzan that customers tend to buy from different companies (especialy if you are a niche player in, let's say, data warehouseing.. in that case you have no business / interest in selling O365, but you do sell Azure ...)- Anonymous
February 15, 2017
If you provide access to a user, these rights will not be removed if your delegated admin rights has been revoked.- Anonymous
February 15, 2017
Yes, that's true.
- Anonymous
- Anonymous
- Anonymous
April 26, 2017
Hi! I have a similar question, but in the opposite. I have an Azure subscription through a CSP. But I'm also granted a Bizpark subscription with great credit, but with another login. My CSP isn't collaborating to get this subscription done/ changed, once I won't spend money with them anymore. What should I do? Thanks,- Anonymous
April 26, 2017
Let me clarify - you want to move from Azure CSP to Azure subscription in BizSpark?
- Anonymous
- Anonymous
May 06, 2017
Hi,I add a "self-service" customer admin inside the "Contributor" role inside a dedicated security group.we can see the customer users and groups..... - Anonymous
May 14, 2017
Is there way to use REST API to provide this role assignment for a subscription to the user instead of via powershell or via azure portal?