Identity and Rights Management in CSP model


Today I will describe how identity works in CSP model, because it is not obvious for CSP Partners.

The main part of identity process in CSP is based on Azure Active Directory. There are 2 types of directories in CSP – Partner directory and Customer directory. Each CSP Partner authenticates on Partner Center portal using its Azure AD directory. For example, it can be CSPPartner.onmicrosoft.com. Every Azure AD directory name must be unique, it consists of the tenant name (“CSPPartner” in my example) and onmicrosoft.com suffix.

Partner employees logon to Partner Center portal using their Azure AD user account. It can be john@csppartner.onmicrosoft.com or just john@csppartnerdomain.com (to do so Partner should add an existing custom domain to his Azure AD directory first and change user’s domain suffix).

When Partner creates a new Customer on Partner Center portal, a new Office 365 tenant with a new Azure AD directory is created. Is my example it will be “CSP Customer LLC” with CSPCustomer.onmicrosoft.com domain. There are 2 important unique values for the tenant, that you will need to remember (and don’t confuse them) – Tenant GUID and Tenant Name. You can check them on Account page for the specified Customer.

Partner Center Tenant ID

Also new user with a login admin@CSPCustomer.onmicrosoft.com is automatically created and being assigned Global Admin rights in this directory. Its password is shown as plain text at the moment of Customer creation, but it can be changed in the future. Also there is a way to link an existing tenant with existing Azure AD to the CSP Partner account, but I won’t touch this topic in details now.

This Office 365 tenant will have a CSP partner as a Managed Partner (DPOR) assigned. One Customer can have several Managed Partners assigned.

DPOR

BTW, you can add 4 types of user accounts into Azure AD:

  1. Clout-based user account – created directly in this Azure AD (using old Azure Management Portal or Office 365 Admin Portal)
  2. Synced or Federated user account – account, created in on-premise Active Directory and synchronized/federated with Azure Active Directory using ADConnect (or legacy DirSync/ADSync)
  3. Microsoft Account (former LiveID)
  4. User accounts, added from another Azure AD. E.g. you can add user from Partner Azure AD to Customer’s Azure AD.

To understand this in details, I recommend you to use 70-346 course.

capture_002_07062016_210914

So, Partner employees sign in to Partner Center, Office 365 Admin Portal, Azure Portal etc. using their Azure AD credentials. Customer admins sign in to Office 365 Admin Portal, Azure Portal etc. using their Azure AD credentials.

On Partner Center portal there are some capabilities to assign roles to partner users (or create new users in Partner directory with specified roles).

RBAC

“Assists your customer” buttons set the role for Customer management, “Manages you company” buttons set the admin role inside Partner’s Azure AD. These 2 switches are independent.

In “Manages you company” switch you can choose among 4 options:

  1. Leave user as a regular user (no rights to manage Partner’s directory, but you’ll still be able to assign this user some Customer management rights).
  2. Assign User Management Admin role to this user in Partner’s directory
  3. Assign Billing Admin role to this user in Partner’s directory
  4. Assign Global Admin role to this user in Partner’s directory (super user)

Detailed admin role comparison is available here. If this user needs to manage user rights on Partner Center, choose Global Admin or User Management Admin role.

In “Assists your customer” switch you can choose among 4 options:

  1. Not an agent – no rights to create customers and manage their subscriptions and services. But if this user will have Global Admin or User Management admin rights, he will be able to logon to Partner Center or Office 365 Admin Portal and grant himself the required rights.
  2. Sales agent – user will be able to manage Customer subscriptions and billing, but won’t be able to manage Customer’s services (Office 365, Azure etc.)
    capture_003_07062016_211301sales
  3. Helpdesk agent – user won’t be able to manager Customer subscriptions, but will have Office 365 Limited Administration delegated admin rights (equals to Password Admin role)
    capture_003_07062016_211301helpdesk
  4. Admin Agent – user will be able to manage Customer subscription, will have Office 365 Full Administration delegated admin rights (equals to Global Admin role) and Owner rights for Customer Azure subscriptions (super user).
    capture_003_07062016_211301

You can also configure these options for Partner user account on Office 365 Admin portal, it will also switch the selection on Partner Center.

capture_001_07062016_123722

Managing Office 365 tenants

To manage Office 365 for a customer, Partners engineers can use several ways:

  1. Go to Customer’s page on Partner Center, click Service Management -> Office 365. Office 365 Admin portal for this tenant will be opened.
    capture_004_07062016_221655
  2. Use Office 365 Partner Admin portal
    capture_006_07062016_223025
  3. Use URL https://portal.office.com/Partner/BeginClientSession.aspx?CTID=TENANDGUID&CSDEST=o365admincenter to open Office 365 Admin portal for that tenant directly.
  4. Use Office 365 PowerShell with Delegated Access Permissions, use Tenant GUID as TenantID.

In both ways Partner engineer must have a user account in Partner’s directory with Helpdesk or Admin agent rights on Partner Center (equals to Limited or Full delegated administration rights in Partner’s Office 365 tenant).

There is no granular control for different Customers, so management rights will be applied to all Customers, managed by this CSP Partner. It means that you can’t assign Helpdesk/Admin agent administration rights only to some Customers – such partner person will be able to manage all Office 365 tenants, which are managed by this CSP Partner (but customer can delete this CSP Partner from the managed partner list to prohibit this).

Also there are no management capabilities based on Azure AD groups – you need to specify management roles directly for user accounts. This is a limitation of Office 365 Partner Management capabilities, not directly related to CSP. Details are here.

Customer admins can manage Office 365 by logging on Office 365 Admin portal using:

  1. Automatically created admin@tenantname.onmicrosoft.com user account, which has Global Admin rights
  2. Their Microsoft ID (former LiveID), which must be added manually to Customer’s directory and assigned proper admin role.
  3. New user, created in Customer’s directory with specified admin role. E.g. john@CSPCustomer.onmicrosoft.com with Global Admin role assigned.

Dynamics CRM and Intune in CSP use identity model similar to Office 365, so I won’t dig into details here.

Managing Azure subscriptions

To manage Customer’s Azure subscription, Partners engineers can use several ways:

  1. Go to Customer’s page on Partner Center, click Service Management -> Microsoft Azure Management Portal. New Azure Portal will be opened.
    capture_004_07062016_221655az
  2. Use URL https://portal.azure.com/TENANTNAME.onmicrosoft.com to open New Azure Portal in a context of this tenant
  3. Use PowerShell for Azure Resource Manager. I’ve showed how to use it here, use Tenant Name for $TenantID variable.

To do this, Partner engineer user account must have Admin Agent rights (Helpdesk Agent is not enough).

That’s how it works… After assigning this role, such user will have Owner rights for all Azure subscriptions of all Customers. This is hardcoded in Azure CSP model – every Azure subscription in CSP has only 1 owner by default. This owner is a group called “Foreign Principal for ‘CSPPartnerName’ in role ‘TenantAdmins’ (CSPCustomer Directory)” (first screenshot – list of default customer’s Azure Subscription owners), and this group has a role assigned – AdminAgents role in Partner’s directory (second screenshot – list of available Roles in Partner’s directory).

capture_005_07062016_164325

capture_003_07062016_154524

So every Partner’s employee, that has Admin Agent rights assigned on Partner Center portal, will be added to AdminAgent Azure AD group in Partner’s directory, which is added to a group “Foreign Principal for ‘CSPPartnerName’ in role ‘TenantAdmins’ (CSPCustomer Directory)” in Customer’s directory, that has Owner rights for all Azure subscriptions of this Customer.

Foreign Principal

BTW – this group (Foreign Principal for ‘CSPPartnerName’ in role ‘TenantAdmins’ (CSPCustomer Directory)) is not visible in Customer’s Azure AD, so you won’t see it if you’ll get a list of all existing group in CustoSmer’s directory. But you can see it if you’ll open Azure Subscription rights blade. And this is the unique case when a group in Azure AD has a group in another Azure AD directory as a member.

Also you will see a group “Subscription Admins” on the portal, which also has Owner permissions for the subscription. But this is a legacy artifact, inherited from ASM – all Admins and Co-admins in ASM have Owner rights in ARM. It doesn’t make sense for CSP, because there is no ASM here. If you’ll try to manage this group, you’ll see “Failed to get the list of users” error message. So just ignore this group.

ASM

By default, Azure subscriptions can be managed only by Partner’s employees with Admin Agents rights. So even customer’s admin account, that has Global Admin rights in Customer’s Office 365 tenant (admin@tenantname.onmicrosoft.com), won’t be able to manage Azure subscriptions by default. This is done because of the idea, that CSP Partner can manage customer’s Azure subscription instead of a customer. CSP Partner can create VMs, configure Backup or ASR for the customer, and customer don’t even need to access Azure Management portal in this case.

But I face customer-managed Azure subscriptions more frequently among my partners. In this case Customer admin want to access New Azure Portal to manage their Azure subscriptions. You can do it in several ways:

  1. Logon as Partner Admin Agent to New Azure Portal and assign another user Owner rights to the Azure Subscription.
    capture_007_07062016_231737
  2. Logon as Partner Admin Agent to New Azure Portal, create a Resource Group and assign another user Owner rights to this Resource Group. In this case such user will me limited inside a Resource Group, but will be able to create any Azure resources inside this Resource Group (you can limit this by applying Resource Manager Policies).
    capture_008_07062016_232226

After that Customer’s admin will be to access New Azure Portal or use Azure Resource Manager PowerShell.

You can use other Roles instead of Owner for Customer’s admins. You can use Contributor role if you don’t want to allow any access management inside the Subscription, or you can use Reader role if you want to allow Customer admins to view Azure resources, but not to change them. Details about built-in roles in Azure Resource Manager are available here.

In Azure Resource Manager model you can assign rights only to users and groups, that exist in Customer’s directory. You can add external users (Microsoft IDs, Azure AD users from other directories etc. – I’ve described it before) to Customer’s directory and assign access to them. Or you can create a group in Customer’s directory and add users to this group (internal or external), and that assign some access to this group. But you can’t assign access to external group or you can’t add external group to the group in Customer’s directory.

Managing Customer’s Azure AD

Azure AD management can be done through Old Azure Portal, through Office 365 Admin portal or using Azure AD PowerShell cmdlets (don’t confuse them with Azure Resource Manager PowerShell cmdlets).

Office 365 Admin Portal capabilities regarding Azure AD management will be enough for the most customers – creating users and groups, managing membership of the groups, configure On-Premise AD integration etc. But some customers require additional configuration capabilities, which are available only on Old Azure Portal. There are 2 ways to allow customer to manage their Azure AD using Old Azure Portal:

  1. Customer creates a trial Azure account or register MSDN Azure account, after that customer adds an existing Azure AD to this Azure subscription. I’ve described it here.
  2. Partners creates a license-based Subscription to any service, that includes Azure AD: Azure AD Basic, Azure AD Premium or EMS. It won’t be free, but 1 license of Azure AD Basic is ~$1/month, so it’s not a big deal. After that Customer will be able to access Old Azure Portal and manage his Azure AD using a special link on the Partner Center portal.
capture_004_07062016_221655azad

For example, Customer will be able to configure dynamic membership for Azure AD Groups:

capture_002_07062016_153820

Partner can manage his Azure AD directory using Azure AD PowerShell and automate routine identity tasks. BTW – here is the list of groups and roles, created in Partner’s directory after joining CSP Direct:

capture_004_07062016_154814

For example, to assign Admin Agent rights to a user, just assign him AdminAgents role in Partner’s directory using PowerShell.

Granular access to different Customers

Some partners which to separate their engineers, which manage Office 365 subscriptions, and those who manager Azure subscriptions. Or they want one group to manage SMB customers, and another group to manage Enterprise customers, and users from SMB team must not have an access to EPG customers subscriptions.

This is not an easy task, but it can be done in some way.

So, Partner has a technical support engineer called James with a user account james@csppartner.onmicrosoft.com. Here are some cases:

  1. If you want James to manage Office 365 customer subscriptions only, and don’t allow any Azure subscription management or Partner directory management, just assign “Helpdesk agent” role to this user on Partner Center (or Limited Administration delegated rights on Partner’s Office 365 Admin Portal)
  2. If you want James to manage Office 365 for specific customers only, then add his user account as external user to each Customer’s directory and assign Global Admin role, or use even  more granular access.
  3. If you want James to manage Azure for specific customers only, add his user account as external user to each Customer’s directory and assign Owner rights to every Azure subscription that is being created
  4. If you want James and his colleagues to manage Office 365 for a specific Enterprise customer, add all their user accounts to Customer’s directory and assign each of them corresponding administration rights in Customer’s directory individually (admin roles can’t be assigned to Azure AD groups)
  5. If you want James and his colleagues to manage Azure for a specific Enterprise customer, add all their user accounts to Customer’s directory, create Azure AD group (static or dynamic) and assign Owner rights for Azure Subscriptions to this group (you can’t assign rights to foreign group).

If CSP Partner has a lot of customers with Office 365, Azure, EMS and Dynamics CRM subscriptions, if he has different units which need to manage and support different CSP subscriptions – then I recommend to use something that will leverage “Just In Time Administration” and “Just Enough Administration” ideas. This is not implemented in Partner Center portal, but partners can do that by themselves:

  1. Partner creates a special portal with Azure AD authentication.
  2. Partner engineer logon to this portal, choose a customer from the list, choose a service (e.g. Office 365 or Azure – or even more granular) and requests administration permissions
  3. Portal generates an e-mail message with a ApproveDecline request and sends it to Customer’s main point of contact
  4. Customer’s main contact person clicks “Approve” button in the e-mail, and Portal launches a PowerShell script (or triggers REST API) to grant the requested administration rights to that engineer.
  5. In 2 hours the admin access is automatically revoked.

I want to clarify – this is only my idea, that is not implemented by Microsoft right now, but it can be implemented by partner’s in-house developers or using 3rd party admin panel. So keep this idea in mind.

That’s all for today. I hope that topic of Identity and Security in CSP became more clear for you.

UPD1: Thx a lot to my colleague K.P. for this nice diagram about identity processes in CSP Indirect model:

CSP Indirect

 UPD2: Thx to my colleague Bart for the great example how to work with Partner Center and assign permissions in PowerShell.

Comments (21)

  1. chilberto says:

    Thanks Kirill. Appreciate you putting this together as it cleared up some things for me.

  2. Niek says:

    Hi Kirill,
    Interesting article. I’m not quite sure if I will now be able to do what I would like… let me explain this scenario:

    As CSP we provide various BI solutions on Azure services. Most customers already have Office365, so they don’t want me to be able to manage that. They do want me to be able to set up Azure subscriptions and manage those. I haven’t found a way to accomplish this, while this sounds like a very plausible scenario for me (I didn’t even think about the fact that it wouldn’t be possible).
    Why isn’t there a way to choose your CSP-role? A simple box that states: Ask for confirmation as Azure Solution Provider, ask conf. for O365 provider, etc. Most companies by now have already some subscriptons at some companies, and you don’t want each partner to have the same delegated admin access.

    But a long story short: What do I tell the customer they have to do, in order for us as CSP to only have Azure admin rights (including the right to create a new subscription), but not being able to manage their AD (only to read from it) ?

    1. Customer can remove your partner account from Managing Partners list, so you won’t be able to manage Office 365 on behalf of the customer. But you will be able to create subscriptions and manage Azure subscriptions for the customer.

      1. Niek says:

        Hi Kirill,
        I have a screenshot here from my partner portal… For the customer that removed us from the delegated admins in O365, it states under Administer services: You don’t have delegated administrative permissions for this customer. So the link to the Azure Management Portal is also gone (as all other links) I can only click: Ask for support permissions. In that case we will be added as Managing Parner again, but that’s not what we want in this case.
        To have us removed as O365 admin I let the customer follow this post: https://blogs.technet.microsoft.com/uspartner_ts2team/2016/04/30/removing-the-csp-as-delegated-admin-in-office-365-customer-tenants/

        You say we can still manage their Azure subscriptions… how would we be able to do this?

        1. Niek says:

          I tried filling in the custom URL for the portal (https://portal.azure.com/customer.name.xx), and I was able to get into this management portal of Azure… but as there are no active subscriptions yet, I could not do anything nor view the AD. So I’m pretty sure that without delegated admin rights it is not possible to create or manage Azure subscriptions as CSP….

          1. Hi Niek!
            That’s interesting. Give me some time, I’ll check this in my Partner Center account.
            But you are describing the scenario, that should work. Real life example: Customer has Office 365 in EA, and LAR manages it (delegated admin). Customer purchases Azure services from another partner through CSP. CSP Partner doesn’t have any rights to manage Office 365, but he needs to be able to manage Azure subscription.
            I will check that.

          2. Niek says:

            Thanks a lot Kirill!
            I’m really struggeling with this, as for a lot of customer it is a dealbreaker right now, and I don’t have a fitting answer for them.

          3. In my case it worked. What I did:
            1) Logged in to Partner Center under a partner user account with Admin Agent rights.
            2) Created a new Customer with a new tenant.
            3) Logged on to Office 365 admin portal under admin@tenantname.onmicrosoft.com and removed a partner record from Managing Parners list.
            4) I’ve checked that partner user account don’t have any access to manage Office 365 and don’t see users in the tenant.
            5) While I couldn’t open Azure Management console in Partner Center using Service Management menu (it showed “Ask for support permissions” action instead), I was able to log on to https://portal.azure.com/tenantname.onmicrosoft.com using partner user account. I had Owner rights for that subscription.

            This demonstrated a case when partner can’t manage Azure AD or Office 365, but can manage Azure subscription. The only thing that don’t work is IAM. I couldn’t manage resource permissions using partner user account on Azure portal because that user wasn’t able to get the list of users in tenant’s directory.
            In CSP model Azure subscription is owned by CSP partner and customer can’t remove that rights. Customer don’t have any rights for the CSP subscription, rights need to be granted by the partner first. This is right because partner is always responsible for the bill and need to have control of all Usage-based resources.

  3. Peter says:

    Hi Kirill,
    Interesting article!
    Is there a powershell or api to add external users from one AAD account to another? Say I want to add external user/group from one tenant under CSP to another tenant’s subscription.

    1. You can use Azure AD B2B COllaboration for that, but capabilities are limited and I’m not sure that it can be done via PowerShell. Check here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-collaboration-overview

  4. Hello, I have a partner account and my user has Admin Agents permissions. I created a customer and assigned an azure subscription. The problem is that on entering https://resources.azure.com I can not see the subscriptions of my customers. Help me and thanks

    1. Looks like Azure Resource Explorer doesn’t support tenant switch. Since your partner user account and customer Azure subscriptions live in different tenants, you won’t see them.

      1. Hi, thanks for your response.

        I am developing a partner application and I need to manage my clients’ azure resources through that application.

        Here are the scenarios:

        1.- I enter the site https://partnercenter.microsoft.com with my partner user, then I go to the clients section and select a client. Finally I go to their subscriptions and there is the subscription of azure. By clicking on “All resources (Azure portal)” I enter the azure portal with my partner user but within the directory of my client. By going to the subscriptions section, I actually see your subscription and I own it because of Foreign Principal. I can fully manage subscription resources.

        2. I enter portal.azure.com with my partner user. When I enter the subscriptions section, I do not see any subscriptions even though I own my clients’ subscriptions through scenario 1.

        Can scenario 1 be replicated through an application? Thank you

        1. This is a limitation of Azure Resource Explorer portal, not a limitation of ARM. In your case just use PowerShell, X-CLI or REST to work with Azure Resources.

          Login-AzureRmAccount
          $TenantID=”testtestest.onmicrosoft.com”
          $SubscriptionID=”64E8EB57-ABAB-4488-6BD2-15CE6B1A25D1″
          Select-AzureRmSubscription -SubscriptionID $SubscriptionID -TenantId $TenantID
          Get-AzureRmResourceGroup

        2. If you are logging in with Partner Center admin, you need to specify a customer tenant name. For example, to manage Azure CSP subscription of a customer customer.onmicrosoft.com with Partner Center Admin credentials, use such link:
          http://portal.azure.com/tenantname.onmicrosoft.com
          Then you will see all Azure CSP subscriptions in that tenant (=directory).

          1. Thanks again for your time.

            I need to replicate this scenario using the REST API:

            1.- Open powershell, then use the command:

            $ Sub = customer subscription
            $ Tenant = tenant id of the same client

            Login-AzureRmAccount -SubscriptionId $ sub -TenantId $ tenant

            2.- Then in the terminal appears:

            VERBOSE: To sign in, use the web browser to open the page
            https://aka.ms/devicelogin and enter the code XXXXXXX to authenticate.

            3.- When I authenticate with my partner account, then in the terminal it appears:

            Environment: AzureCloud
            Account: user@company.onmicrosoft.com (partner user email)
            TenantId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX (tenantId of my client)
            SubscriptionId: XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX (my customer’s subscription)
            SubscriptionName: Microsoft Azure
            CurrentStorageAccount:

            4.- Given this I can see the resources of my customer 🙂

            Is it possible to replicate this from the REST API? I tried everything and I did not get the same result. Thank you very much

  5. Kirill great article. Quick question, our application currently (for Azure Pay As You Go accounts) needs to authenticate to Azure AD, we create a Contributor user and then read ARM metrics via REST. But for CSP partners, who have multiple subscriptions, this means that they need to authenticate our app to each subscription individually (and create a user in each subscription) which causes a lot of new work for our CSP customers. What is the best way, using REST, to allow our app to authenticate to all of associated CSP subscriptions for a specific Partner?

    1. I suppose that granting that app Admin Rights in the Partner Center is the only possible option here.

      1. Well, we are looking to grant rights to CSP Admin’s sub-accounts in Azure.

  6. Hello,
    I still can not see the subscriptions of my clients.
    I have a CSP account and activate sandbox mode. Then I create clients and assign each one an Azure subscription.

    Then using my sanbox global administrator account at resources.azure.com or powershell using the Get-AzureRmResource command, I can not see the list of subscriptions for my clients, despite having the privilege of managing their subscriptions as owner of these Through the admin account in the CSP program.

    Help and thanks.

  7. Bilel says:

    Hi Kirill,

    I have a user in the group “AdminAgents” as a CSP Partner. I can use the CSP API for adding new tenant, create subscription and manage users. But, I need in addition to manage domains that’s not provided by CSP API.
    So, I’m trying to use Microsoft Graph API in stead.
    I registered an aplication as Web app/Api, make it “Multi Tenant” and add the needed permissions. Using AD Oauth, I can get the autorization code using the “https://login.microsoftonline.com/common/oauth2/authorize”. With this code I can generate a token for my own tenant “https://login.microsoftonline.com/partner.onmicrosoft.com/oauth2/token” and use it to get access to Microsoft Graph API. The problem is whene I use the customer tenant “https://login.microsoftonline.com/customer .onmicrosoft.com/oauth2/token” for generating the token. It return this error: “Error validating credentials. … The provided access grant is invalid or malformed.”

    I’ve been guided by this doc: https://developer.microsoft.com/en-us/graph/docs/authorization/auth_cloudsolutionprovider. All steps was succeded.

    Please, I need help.
    Thanks,

Skip to main content