Azure Subscription Role Assignments within Tier 2 Seller and Indirect Provider Model

This article explains the basic principles and provides step-by-step work instructions for assigning the foreign principal*, that is, the Admin Agent group that exists on every Tier 2 Seller and Indirect Provider Azure Active Directory tenant, to a customer's Azure subscription.

To carry out the process, make sure you meet the following requirements and have access to both the Seller and the Customer tenant:

1. You know the Microsoft tenant ID of the Seller you have a partnership with.

2. You know the Customer's tenant ID or fully qualified domain name.

3. You know the Azure Subscription ID to which you intend to assign the foreign principal.

4. You have at least the Admin Agent role assigned on your Indirect Provider tenant.


Step 1 (Can be done by Seller and Distributor alike):
Log in to Microsoft Partner Center using your Indirect Distributor credentials, then open a new tab in the same incognito session and access the following link (provide the indirect seller ID here)

If there are no Conditional Access policies in place on the Seller's side, you will be able to access the tenant's AAD. Navigate to Groups, locate the object ID of the Admin Agent group (also known as the Foreign Principal) and copy it. If policies block the access, ask the seller to provide the Admin Agent object ID.


Step 2 (Customer Tenant Part):

From Partner Center, find the customer to whom you would like to assign the foreign principal. This customer needs to have an active partnership with the aforementioned Seller entity for this to work.

Press on the marked link:


Find the subscription that you would like to assign the permission to and copy the subscription ID:

Now that you have all the needed information, the assignment can be performed. The reason this can only be done from the console is simple: the Microsoft Azure Portal UI does not support this operation.

Here I show the AzureRM PowerShell commands that support this assignment:
1. Connect to the customer's tenant (the placeholder is quoted so that the apostrophe-free value is passed as a single string), providing your Indirect Provider credentials when prompted:
   Connect-AzureRmAccount -TenantId "CUSTOMER_TENANT_ID_HERE"
2. Assign the Owner role to the Admin Agent group (foreign principal) at subscription scope:
   New-AzureRmRoleAssignment -RoleDefinitionName "Owner" -ObjectId "ADMIN_AGENT_OBJECTID_HERE" -Scope "/subscriptions/SUBSCRIPTION_ID_HERE"

If everything goes according to plan, you should see similar output in your console:


To verify that the seller has access to the subscription, refresh the Role assignments blade in the Azure Portal:

* The foreign principal is what allows CSP partners to interact with their customers' tenants through federated access and provide the necessary support within the scope of O365/Azure/Dynamics.
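The two AzureRM commands above plus the verification step, combined into one re-runnable script. This is an added example, not code from the original article or from Microsoft: it validates the IDs before signing in, skips creating the assignment when it already exists, and confirms the assignment from the console rather than the portal blade. The parameter names ($CustomerTenantId, $SubscriptionId, $AdminAgentObjectId, $RoleDefinitionName) are my own; the role defaults to Owner as in the article, but a narrower built-in role such as Contributor can be passed if the seller does not need to manage access on the subscription.

```powershell
# Added example (not from the original article): assign the seller's Admin Agent
# group (foreign principal) to a customer subscription with AzureRM PowerShell,
# then verify the assignment from the console. All IDs are placeholders that
# the caller supplies; nothing here is tied to a specific tenant.
param(
    [Parameter(Mandatory = $true)] [string] $CustomerTenantId,    # customer's AAD tenant ID or domain
    [Parameter(Mandatory = $true)] [string] $SubscriptionId,      # target Azure subscription ID
    [Parameter(Mandatory = $true)] [string] $AdminAgentObjectId,  # seller's Admin Agent group object ID
    [string] $RoleDefinitionName = 'Owner'                        # narrow this if Owner is more than needed
)

$scope = "/subscriptions/$SubscriptionId"

# Sanity-check the inputs before touching the tenant: both IDs must be GUIDs.
foreach ($id in @($SubscriptionId, $AdminAgentObjectId)) {
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($id, [ref]$parsed)) {
        throw "Not a valid GUID: $id"
    }
}

# Step 1: sign in to the CUSTOMER tenant with your Indirect Provider credentials
# and pin the context to the target subscription.
Connect-AzureRmAccount -TenantId $CustomerTenantId | Out-Null
Set-AzureRmContext -SubscriptionId $SubscriptionId | Out-Null

# Helper: return the assignment for this principal/role at exactly this scope.
# Get-AzureRmRoleAssignment -Scope also returns inherited assignments, so the
# Scope filter keeps the check precise.
function Get-ForeignPrincipalAssignment {
    Get-AzureRmRoleAssignment -ObjectId $AdminAgentObjectId -Scope $scope |
        Where-Object { $_.RoleDefinitionName -eq $RoleDefinitionName -and $_.Scope -eq $scope }
}

# Step 2: create the assignment only if it is not already present (safe to re-run).
if (-not (Get-ForeignPrincipalAssignment)) {
    New-AzureRmRoleAssignment -RoleDefinitionName $RoleDefinitionName `
                              -ObjectId $AdminAgentObjectId `
                              -Scope $scope | Out-Null
}

# Step 3: verify from the console, the equivalent of refreshing the Role
# assignments blade in the portal.
if (Get-ForeignPrincipalAssignment) {
    Write-Output "OK: $RoleDefinitionName assigned to $AdminAgentObjectId at $scope"
} else {
    throw "Assignment not visible yet; RBAC changes can take a moment to propagate, re-run the check."
}
```

Run it as `.\Assign-ForeignPrincipal.ps1 -CustomerTenantId contoso.onmicrosoft.com -SubscriptionId <GUID> -AdminAgentObjectId <GUID>` from a session that has the AzureRM module loaded. Note that AzureRM is deprecated; the same flow works with the Az module by swapping in Connect-AzAccount, Set-AzContext, Get-AzRoleAssignment and New-AzRoleAssignment.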
