Azure subscription rights challenge in CSP


Let’s imagine a situation where you are a CSP Partner providing Azure services to your customer. The customer purchases Office 365 licenses from another reseller (e.g. under an Enterprise Agreement), and that reseller is a managing partner (delegated admin) for the customer’s tenant. The customer wants you to manage Azure services only, not Office 365.

You’ve established a reseller relationship with the customer’s tenant, so you can assign cloud service subscriptions. But the customer doesn’t want to let you manage Office 365 services or view user accounts in Azure AD, so they remove you from the Managing Partners list. As a result, one partner (or the customer itself) has access to manage Office 365 and Azure AD, while the CSP partner manages the Azure subscription. A real-life situation, right?


By default, you will face some issues in this case:

  1. You (and only you) own the Azure subscription in CSP as a partner. You can manage anything inside the Azure CSP subscription, and the customer can’t revoke those rights.
  2. The customer doesn’t have any access to the Azure CSP subscription by default, even with Global Admin rights in the tenant.
  3. If you try to assign any rights to the customer inside that Azure subscription, you won’t be able to do it in the usual way, because you don’t see any users in the customer’s directory. Neither the Azure Portal nor PowerShell lets you do it directly.


But I’ve found a workaround. Role assignments in Azure Resource Manager reference a principal only by its object ID, so you can ask your customer to provide the GUID (ObjectId) of a user inside the customer’s tenant and assign rights directly to that GUID. After that the customer will be able to manage user rights within the subscription themselves.

Ask your customer to install the MSOnline (MSOL) PowerShell module and do the following:

#Connect to Azure AD using tenant's Global Admin or another existing user account
Connect-MsolService
#Get GUID of the required user account
$User = Get-MsolUser -UserPrincipalname user@tenantname.onmicrosoft.com
$User.ObjectID


Ask your customer to send you that GUID. Then do the following using the Azure Resource Manager PowerShell module:

#Install Azure Resource Manager PowerShell module
Install-Module AzureRM
#Login using a Partner Center AdminAgent user account
Login-AzureRmAccount
#Select the Azure subscription in the customer's tenant and assign Owner rights to the Azure AD user with the specified GUID.
$TenantID="tenantname.onmicrosoft.com"
$SubscriptionID="subscriptionID"
Select-AzureRmSubscription -SubscriptionID $SubscriptionID -TenantId $TenantID
$UserGUID="userguidprovidedbythecustomer"
#Select the required role for the user - Owner, Contributor or Reader.
$Role = "Owner"
#The scope is the subscription root; quote it so the variable expands reliably.
New-AzureRmRoleAssignment -ObjectID $UserGUID -RoleDefinitionName $Role -Scope "/subscriptions/$SubscriptionID"


Don’t worry about the error – it is expected in this case. The assignment itself is written to Azure Resource Manager; the cmdlet then tries to look up the principal to confirm the rights were granted, and that lookup fails because you don’t have access to the customer’s Azure AD.
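Because the cmdlet errors before it can confirm anything, it is worth checking from the Azure Resource Manager side that the assignment really exists, and auditing who else holds Owner at subscription scope. The following is an added example, not code from the original post; it assumes the AzureRM module and the `$SubscriptionID` and `$UserGUID` placeholder values used above, and relies on the fact that role assignments can be queried by object ID without resolving the user in Azure AD.

```powershell
# Added example: verify and audit the role assignment by object ID only.
# Assumes you are already logged in with Login-AzureRmAccount and have selected
# the customer's subscription, as in the steps above.
$SubscriptionID = "subscriptionID"                  # placeholder, as in the post
$UserGUID       = "userguidprovidedbythecustomer"   # placeholder, as in the post
$Scope          = "/subscriptions/$SubscriptionID"

# The GUID arrives out of band from the customer; reject anything that is not
# a well-formed GUID before it is used in a role assignment or lookup.
$ObjectId = [guid]::Empty
if (-not [guid]::TryParse($UserGUID, [ref]$ObjectId)) {
    throw "Object ID '$UserGUID' is not a valid GUID; ask the customer to re-send the ObjectId from Get-MsolUser."
}

# Role assignments live in Azure Resource Manager, not Azure AD, so they can be
# read by object ID even though this account cannot enumerate the customer's users.
# Filter on Scope to exclude assignments inherited from a management group.
$Assignment = Get-AzureRmRoleAssignment -ObjectId $ObjectId -Scope $Scope -ErrorAction SilentlyContinue |
    Where-Object { $_.Scope -eq $Scope }

if ($Assignment) {
    "Assignment present: {0} for {1} at {2}" -f $Assignment.RoleDefinitionName, $ObjectId, $Assignment.Scope
} else {
    Write-Warning "No assignment found for $ObjectId at $Scope; the earlier New-AzureRmRoleAssignment did not persist."
}

# Audit: list every principal holding Owner at the subscription root. An empty
# DisplayName/SignInName means the principal is in a directory this account cannot
# read, which is expected for the customer's user but worth reviewing for any other entry.
Get-AzureRmRoleAssignment -Scope $Scope -RoleDefinitionName Owner |
    Where-Object { $_.Scope -eq $Scope } |
    Select-Object ObjectId, ObjectType, DisplayName, SignInName
```

If the partner's access is ever to be withdrawn in the other direction, the same object-ID-based call works for removal: `Remove-AzureRmRoleAssignment -ObjectId $ObjectId -RoleDefinitionName Owner -Scope $Scope`.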

The customer will now be able to access the Azure CSP subscription on the Azure Portal and manage rights inside the subscription themselves.


Comments (6)

  1. Kazzan says:

    Maybe another similar question. Is it possible to add delegated administrator rights to a CSP partner without moving the Office 365 tenant or Azure subscription to CSP?

    1. This is not a typical case for CSP, but the customer can create a user inside his Azure AD (or add an existing Microsoft Account) and assign Owner rights for the Azure subscription to that user. After that the partner will be able to log on under that user to portal.azure.com and administer Azure services on behalf of the user.

      1. Kazzan says:

        This sounds like a classic scenario for service-oriented partners which sometimes become CSP resellers. For example, some customers want to get services to maintain Exchange or Azure from one partner and buy licenses and services for SharePoint from another company. So the tenant was added as CSP to one Microsoft Partner. Now, the second partner only needs delegated admin rights. But this partner is also a CSP reseller. There are still so many companies which buy things and services separately. Maybe CSP will change that completely at some future time.

  2. Niek says:

    Thanks Kirill!
    So, what happens when I give some rights to a customer within Azure before he/she revokes my delegated admin privileges? Will that user still have access or not? I just got word back from Microsoft that this ‘works by design’ and that O365 and Azure management can/will not be separated. I totally agree with Kazzan that customers tend to buy from different companies (especially if you are a niche player in, let’s say, data warehousing.. in that case you have no business / interest in selling O365, but you do sell Azure …)

    1. If you provide access to a user, these rights will not be removed if your delegated admin rights have been revoked.
