Azure Subscription Role Assignments within Tier 2 Seller and Indirect Provider Model

This article explains the basic principles and gives step-by-step work instructions for assigning the foreign principal* (the Admin Agents group that exists in every Tier 2 Seller and Indirect Provider Azure Active Directory tenant) an RBAC role on a customer's Azure subscription.

To carry out the process, make sure you meet the following requirements and have access to both the Seller and the Customer tenant:

1. You know the Azure AD tenant ID of the Seller you have a partnership with.

2. You know the Customer's tenant ID or fully qualified domain name.

3. You know the ID of the Azure Subscription to which you intend to assign the foreign principal.

4. You have at least the Admin Agent role in your Indirect Provider tenant.

Step 1 (Can be done by Seller and Distributor alike):

Log in to Microsoft Partner Center using your Indirect Provider (distributor) credentials, then open a new tab in the same incognito session and access the following link: https://portal.azure.com/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx (provide the indirect seller's tenant ID here).

If no Conditional Access policies on the Seller's side block this, you will land in the Seller's Azure Active Directory. Navigate to Groups, locate the Admin Agents group and copy its Object ID (this group is the Foreign Principal you will assign). If policies block your access, ask the Seller to provide the Admin Agents group's Object ID. The Object ID itself is not a secret; what matters is the role you grant it in Step 2.

Step 2 (Customer Tenant Part):

From Partner Center - find the customer that you would like to assign the foreign principal to, this customer needs to have an active partnership with the aforementioned Seller entity for this to work.

Press on the marked link:


Find the subscription that you would like to assign the permission on and copy its subscription ID.

Now that you have all the needed information, the assignment can be performed. It has to be done from the command line: the Azure Portal's role-assignment UI only lets you pick principals from the customer tenant's own directory, so a foreign principal from the Seller tenant cannot be selected there.

For all intents and purposes, I will be showing the AzureRM PowerShell version that supports this assignment (note that Microsoft has since retired the AzureRM module in favour of the Az module, whose equivalent cmdlets take the same parameters):
1. Connect-AzureRmAccount -TenantId Provide_Customer's_TenantId_Here
   Provide your Indirect Provider credentials when prompted.
2. New-AzureRmRoleAssignment -RoleDefinitionName Owner -ObjectId ADMIN_AGENT_OBJECTID_HERE -Scope "/subscriptions/SUBSCRIPTION_ID_HERE"

Owner is used here because the Seller needs full management of the subscription; be aware that Owner also lets the Seller's Admin Agents group grant roles to other principals. If the Seller only needs to deploy and manage resources, Contributor is the least-privilege choice.

If everything goes according to plan, the cmdlet returns the new role assignment, listing the scope, the Object ID of the foreign principal and the role definition name.

To verify that the Seller has access to the Subscription, refresh the Access control (IAM) role assignments blade of the subscription in the Azure Portal; the Admin Agents group should now appear with the assigned role.
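The whole procedure (Step 1, Step 2 and the verification) as one script, using the Az module rather than the retired AzureRM module. This is an added example and not part of the original article: the three IDs are parameters you supply, the display name "AdminAgents" for the Seller's Admin Agents group is an assumption you should confirm in the Seller tenant, and the role defaults to Owner as in the article with Contributor offered as the least-privilege alternative.

```powershell
#Requires -Modules Az.Accounts, Az.Resources
<#
  Added example, not the original article's code.
  Assigns the Seller's AdminAgents group (a foreign principal) a role on a
  customer subscription and verifies the result.
  Assumption: the Seller's group is named "AdminAgents"; pass the Object ID
  directly via -ForeignPrincipalId if Conditional Access blocks the lookup.
#>
param(
    [Parameter(Mandatory)] [string] $SellerTenantId,    # Tier 2 Seller AAD tenant
    [Parameter(Mandatory)] [string] $CustomerTenantId,  # customer AAD tenant
    [Parameter(Mandatory)] [string] $SubscriptionId,    # customer subscription
    [string] $ForeignPrincipalId,                       # optional: skip the Step 1 lookup
    [string] $RoleName = 'Owner',                       # 'Contributor' if the Seller need not manage RBAC
    [string] $AdminAgentsGroupName = 'AdminAgents'      # assumption: verify in the Seller tenant
)

$ErrorActionPreference = 'Stop'

# --- Step 1: resolve the foreign principal in the Seller tenant ---
# Sign in with Indirect Provider credentials; access to the Seller tenant relies
# on the provider's delegated admin relationship with the Seller.
if (-not $ForeignPrincipalId) {
    Connect-AzAccount -TenantId $SellerTenantId | Out-Null
    $adminAgents = Get-AzADGroup -DisplayName $AdminAgentsGroupName
    if (-not $adminAgents) {
        throw "Group '$AdminAgentsGroupName' not found in Seller tenant $SellerTenantId"
    }
    $ForeignPrincipalId = $adminAgents.Id
}
Write-Host "Foreign principal (Admin Agents) Object ID: $ForeignPrincipalId"

# --- Step 2: assign the role on the customer subscription ---
Connect-AzAccount -TenantId $CustomerTenantId | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
$scope = "/subscriptions/$SubscriptionId"

# Idempotency check: do not create a duplicate assignment.
$existing = Get-AzRoleAssignment -ObjectId $ForeignPrincipalId -Scope $scope `
            -RoleDefinitionName $RoleName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "$RoleName is already assigned to $ForeignPrincipalId at $scope; nothing to do."
} else {
    $assignment = New-AzRoleAssignment -ObjectId $ForeignPrincipalId `
                  -RoleDefinitionName $RoleName -Scope $scope
    $assignment | Format-List RoleAssignmentId, Scope, ObjectId, ObjectType, RoleDefinitionName
}

# --- Verification: same information the portal's role assignments blade shows ---
$verify = Get-AzRoleAssignment -ObjectId $ForeignPrincipalId -Scope $scope |
          Where-Object { $_.RoleDefinitionName -eq $RoleName }
if (-not $verify) {
    throw "Verification failed: $RoleName is not assigned to $ForeignPrincipalId at $scope"
}
Write-Host "Verified: $RoleName assigned to foreign principal $ForeignPrincipalId on $scope"
```

The script prompts for credentials twice (once per tenant) unless you pass -ForeignPrincipalId, in which case only the customer-tenant sign-in is needed. Because the Object ID belongs to a group in another directory, New-AzRoleAssignment may warn that it cannot resolve the principal; the assignment is still created, and the verification step confirms it.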
* A foreign principal is what allows CSP partners to act in their customers' tenants through delegated administration and provide the necessary support within the scope of O365/Azure/Dynamics.
