Azure Subscription Role Assignments within Tier 2 Seller and Indirect Provider Model
Introduction
This article explains the basic principles and provides step-by-step work instructions for assigning the foreign principal*, which acts as the Admin Agent group on every Tier 2 as well as Indirect Provider Azure Active Directory tenant.
Prerequisites
To carry out the process, you will need to make sure you meet the following requirements, and have access to the Seller and Customer tenant:
1. You need to know the Microsoft ID of the Seller's tenant you have a partnership with.
2. You know the Customer's tenant ID or fully qualified domain.
3. You know the ID of the Azure subscription to which you intend to assign the foreign principal.
4. You have at least an Admin Agent role assigned to your Indirect Provider Tenant.
Step 1 (Can be done by Seller and Distributor alike)
Log in to Microsoft Partner Center using your Indirect Distributor credentials, then open a new tab in your incognito session and go to https://portal.azure.com/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx (replace the placeholder with the indirect seller ID).
If no conditional policies are in place on the Seller's side, you will be able to access the tenant's AAD. Navigate to Groups, locate the Admin Agent group, and copy its object ID (known as the Foreign Principal). If policies block access, contact the Seller and ask them to provide the Admin Agent object ID.
Step 2 (Customer Tenant Part)
In Partner Center, find the customer to which you would like to assign the foreign principal. This customer needs to have an active partnership with the aforementioned Seller entity for this to work.
Press on the marked link:
Find the subscription that you would like to assign permission to and copy the subscription ID:
Now that you have all the needed information, the assignment can be performed. It can only be done from the console because the Microsoft Azure Portal UI does not support this operation.
I will show the AzureRM PowerShell version that supports this assignment:
1. Connect-AzureRmAccount -TenantId CUSTOMER_TENANT_ID_HERE
Sign in with your Indirect Provider credentials when prompted.
2. New-AzureRmRoleAssignment -RoleDefinitionName owner -ObjectId ADMIN_AGENT_OBJECTID_HERE -Scope "/subscriptions/SUBSCRIPTION_ID_HERE"
If everything goes according to plan, there should be a similar output in your console:
To verify that the Seller has access to the subscription, refresh the Role assignments blade in the Azure Portal:
* foreign principal is what allows CSP partners to interact with their customers' tenants through federated access and provide the necessary support within the scope of O365/Azure/Dynamics.
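The two commands from Step 2, wrapped in a function that rejects malformed IDs, skips the assignment when it already exists, and prints the resulting assignment so the Owner grant can be reviewed. This is an added example, not part of the original article; the function name Grant-AdminAgentOwner, its parameter names and the all-zero GUIDs in the usage comment are hypothetical placeholders.

```powershell
# Added example (not from the original article). Requires the AzureRM module.
function Grant-AdminAgentOwner {
    param(
        # Customer tenant ID or fully qualified domain
        [Parameter(Mandatory)][string]$CustomerTenantId,
        # Typed as [guid] so a mistyped ID fails before anything is assigned
        [Parameter(Mandatory)][guid]$SubscriptionId,
        [Parameter(Mandatory)][guid]$AdminAgentObjectId
    )
    $ErrorActionPreference = 'Stop'
    $scope = "/subscriptions/$SubscriptionId"

    # Sign in to the customer tenant with Indirect Provider credentials
    Connect-AzureRmAccount -TenantId $CustomerTenantId | Out-Null

    # Check whether Owner is already assigned at exactly this scope
    $existing = Get-AzureRmRoleAssignment -ObjectId $AdminAgentObjectId `
                    -Scope $scope -RoleDefinitionName Owner |
                Where-Object { $_.Scope -eq $scope }

    if ($existing) {
        Write-Output "Owner is already assigned to $AdminAgentObjectId on $scope"
    }
    else {
        New-AzureRmRoleAssignment -RoleDefinitionName Owner `
            -ObjectId $AdminAgentObjectId -Scope $scope | Out-Null
    }

    # Read the assignment back from the subscription instead of trusting the call
    $result = Get-AzureRmRoleAssignment -Scope $scope |
              Where-Object { $_.ObjectId -eq $AdminAgentObjectId }
    if (-not $result) {
        throw "No role assignment found for $AdminAgentObjectId on $scope"
    }
    $result | Select-Object DisplayName, RoleDefinitionName, Scope, ObjectId
}

# Usage (constructed placeholder values, replace with your own):
# Grant-AdminAgentOwner -CustomerTenantId 'customer.example.com' `
#     -SubscriptionId '00000000-0000-0000-0000-000000000000' `
#     -AdminAgentObjectId '00000000-0000-0000-0000-000000000000'
```

The final listing is the console equivalent of refreshing the Role assignment blade, and keeping its output gives you a record of which foreign group holds Owner on which subscription.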
Summary
To assign a foreign principal (Admin Agent group) to a Customer's Azure Active Directory Tenant, you need the Seller's Microsoft tenant ID, Customer's tenant ID or domain, Azure Subscription ID, and Admin Agent role access to your Indirect Provider Tenant. The process involves two main steps: first, access the Seller's tenant through Microsoft Partner Center to locate and copy the Admin Agent object ID (foreign principal), either directly through Azure Active Directory or by requesting it from the Seller if conditional policies block access. Second, navigate to the Customer tenant in Microsoft Partner Center, identify the target Subscription, and use AzureRM PowerShell commands to assign the foreign principal with owner permissions to the specified Subscription scope. This assignment must be performed through PowerShell console as the Microsoft Azure Portal UI does not support this operation. Once completed, the Seller will have federated access to provide support within the scope of Office 365, Azure, and Dynamics products. You can verify successful assignment by refreshing the Azure Portal Role assignment blade.