Azure subscription rights challenge in CSP

Let's imagine a situation where you are a CSP partner providing Azure services to a customer. The customer purchases Office 365 licenses from another reseller (e.g. under an Enterprise Agreement), and that reseller is a managing partner (delegated admin) for the customer's tenant. The customer wants you to manage Azure services only, not Office 365.

You've established a reseller relationship with the customer's tenant, so you can assign cloud service subscriptions. But the customer doesn't want to let you manage Office 365 services or view user accounts in Azure AD, so they remove you from the Managing Partners list. As a result, one partner (or the customer itself) has access to manage Office 365 and Azure AD, while the CSP partner manages the Azure subscription. A real-life situation, right?

By default, you will face some issues in that case:

  1. You (and only you) own the Azure subscription in CSP as the partner. You can manage anything inside the Azure CSP subscription, and the customer can't revoke those rights.
  2. The customer doesn't have any access to the Azure CSP subscription by default, even with Global Admin rights in the tenant.
  3. If you try to assign any rights to the customer inside that Azure subscription, you can't do it the usual way, because you don't see any users in the customer's directory. You can't do it directly on the Azure Portal or through PowerShell.


But I've found a workaround. You can ask your customer to provide the GUID (object ID) of a user inside the customer's tenant and assign rights directly to that GUID. After that, the customer will be able to manage user rights themselves.

Ask your customer to install the MSOL PowerShell module and run the following:

#Connect to Azure AD using the tenant's Global Admin or another existing user account
Connect-MsolService
#Get the GUID (object ID) of the required user account
$User = Get-MsolUser -UserPrincipalName user@tenantname.onmicrosoft.com
$User.ObjectId


Ask your customer to send you that GUID. Then run the following using Azure Resource Manager PowerShell:

#Install the Azure Resource Manager PowerShell module
Install-Module AzureRM
#Log in using the Partner Center AdminAgent user account
Login-AzureRmAccount
#Select the Azure subscription in the customer's tenant and assign Owner rights to the Azure AD user with the specified GUID.
$TenantID="tenantname.onmicrosoft.com"
$SubscriptionID="subscriptionID"
Select-AzureRmSubscription -SubscriptionId $SubscriptionID -TenantId $TenantID
$UserGUID="userguidprovidedbythecustomer"
#Select the required role for the user - Owner, Contributor or Reader.
$Role = "Owner"
New-AzureRmRoleAssignment -ObjectId $UserGUID -RoleDefinitionName $Role -Scope /subscriptions/$SubscriptionID


Don't worry about the error; it is expected in this case. The cmdlet tries to verify that the user has been granted the corresponding rights, but that check fails because you don't have access to Azure AD.
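The same assignment as an added, reusable function (this is not code from the original post): it rejects a malformed GUID before granting anything, since the grant is made without any directory lookup, optionally narrows the scope to one resource group, and treats the post-assignment lookup error as acceptable only if the role assignment is actually present. The function name, parameter names and placeholder values are assumptions.

```powershell
# Added example (not from the original post): wraps the post's
# New-AzureRmRoleAssignment step so the customer-supplied GUID is validated,
# the scope can be narrowed, and the expected post-assignment lookup error is
# told apart from a real failure. Function name, parameter names and the
# placeholder values are assumptions.
function Grant-CspCustomerRole {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string]$UserGuid,
        # Owner lets the customer manage rights themselves (the post's goal);
        # Contributor or Reader suffice when they only need to operate or view.
        [ValidateSet('Owner','Contributor','Reader')][string]$Role = 'Owner',
        [string]$ResourceGroupName   # optional: limit the grant to one resource group
    )

    # The grant is made blind (no directory lookup is possible from the CSP
    # side), so a mistyped GUID would silently bind the role to the wrong
    # principal or to nobody. Reject anything that is not a well-formed GUID.
    $objectId = [guid]::Empty
    if (-not [guid]::TryParse($UserGuid, [ref]$objectId)) {
        throw "Not a valid GUID: '$UserGuid'. Ask the customer to re-send it."
    }

    $scope = "/subscriptions/$SubscriptionId"
    if ($ResourceGroupName) { $scope += "/resourceGroups/$ResourceGroupName" }

    Select-AzureRmSubscription -SubscriptionId $SubscriptionId -TenantId $TenantId | Out-Null

    try {
        New-AzureRmRoleAssignment -ObjectId $objectId -RoleDefinitionName $Role -Scope $scope | Out-Null
        Write-Host "Assigned $Role on $scope to $objectId"
    }
    catch {
        # The post notes the cmdlet errors after writing the assignment, when it
        # tries to read the principal back from an Azure AD the partner cannot
        # see. Accept the error only if the assignment is actually present.
        $lookupError = $_.Exception.Message
        $present = $false
        try {
            $present = [bool](Get-AzureRmRoleAssignment -ObjectId $objectId -Scope $scope |
                Where-Object { $_.RoleDefinitionName -eq $Role })
        } catch { }   # assumed: this read may fail for the same directory reason
        if ($present) { Write-Warning "Assignment written; directory lookup failed: $lookupError" }
        else { throw "Role assignment not found after error: $lookupError" }
    }
}

# Placeholder call (replace with the customer's real identifiers):
# Grant-CspCustomerRole -TenantId 'tenantname.onmicrosoft.com' -SubscriptionId '<subscription id>' -UserGuid '<guid from customer>'
```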

The customer will now be able to access the Azure CSP subscription on the Azure Portal and manage rights inside the subscription themselves.
