Azure subscription rights challenge in CSP
Let's imagine a situation where you are a CSP partner providing Azure services to a customer. The customer purchases Office 365 licenses from another reseller (e.g. under an Enterprise Agreement), and that reseller is a managing partner (delegated admin) for the customer's tenant. The customer wants you to manage Azure services only, not Office 365.
You've established a reseller relationship with the customer's tenant, so you can assign cloud service subscriptions. But the customer doesn't want to let you manage Office 365 services or view user accounts in Azure AD, so they remove you from the Managing Partners list. As a result, one partner (or the customer itself) manages Office 365 and Azure AD, while the CSP partner manages the Azure subscription. A real-life situation, right?
By default, you will face some issues in that case:
- You (and only you) own the Azure subscription in CSP as a partner. You can manage anything inside the Azure CSP subscription, and the customer can't revoke those rights.
- The customer has no access to the Azure CSP subscription by default, even with Global Admin rights in the tenant.
- If you try to assign any rights to the customer inside that Azure subscription, you won't be able to do it in the usual way, because you don't see any users in the customer's directory. This is not possible directly, neither in the Azure Portal nor through PowerShell.
But I've found a workaround trick. You can ask your customer to provide the GUID (object ID) of a user in the customer's tenant and assign rights directly to that GUID. After that, the customer will be able to manage user rights himself.
Ask your customer to install the MSOL PowerShell module and run the following:
# Connect to Azure AD using the tenant's Global Admin or another existing user account
Connect-MsolService
# Get the GUID (ObjectId) of the required user account
$User = Get-MsolUser -UserPrincipalName firstname.lastname@example.org
$User.ObjectId
Ask your customer to send you that GUID. Then run the following using the Azure Resource Manager PowerShell module:
# Install the Azure Resource Manager PowerShell module
Install-Module AzureRM
# Log in using a Partner Center AdminAgent user account
Login-AzureRmAccount
# Select the Azure subscription in the customer's tenant and assign the chosen role to the Azure AD user with the specified GUID
$TenantID = "tenantname.onmicrosoft.com"
$SubscriptionID = "subscriptionID"
Select-AzureRmSubscription -SubscriptionId $SubscriptionID -TenantId $TenantID
$UserGUID = "userguidprovidedbythecustomer"
# Select the required role for the user: Owner, Contributor or Reader
$Role = "Owner"
New-AzureRmRoleAssignment -ObjectId $UserGUID -RoleDefinitionName $Role -Scope "/subscriptions/$SubscriptionID"
Don't worry about the error this cmdlet returns; it is expected in this case. The cmdlet tries to verify that the user has been granted the corresponding rights, but that check fails because you don't have access to the customer's Azure AD.
The customer will now be able to access the Azure CSP subscription in the Azure Portal and manage rights inside the subscription themselves.
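The assignment step above, wrapped into a function as an added example (not code from the original post): it validates the customer-supplied GUID, restricts the role to the three the post names (defaulting to Reader, the least privileged), tolerates the expected directory lookup error, and then reads the assignment back from Azure Resource Manager to confirm it was actually created. It assumes the AzureRM module is installed and Login-AzureRmAccount has already been run with a Partner Center AdminAgent account; the function name and parameter names are my own, and it is assumed that Get-AzureRmRoleAssignment still returns the assignment (possibly with a warning) when the directory is not readable.

```powershell
# Added example, not from the original post. Assumes: AzureRM module installed,
# Login-AzureRmAccount already run with a Partner Center AdminAgent account.
function Grant-CspSubscriptionRole {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $UserObjectId,   # GUID supplied by the customer
        [ValidateSet('Owner', 'Contributor', 'Reader')]
        [string] $Role = 'Reader'                         # least privilege by default
    )

    # Reject anything that is not a GUID before touching the subscription
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($UserObjectId, [ref]$guid)) {
        throw "UserObjectId '$UserObjectId' is not a valid GUID"
    }

    Select-AzureRmSubscription -SubscriptionId $SubscriptionId -TenantId $TenantId | Out-Null
    $scope = "/subscriptions/$SubscriptionId"

    try {
        New-AzureRmRoleAssignment -ObjectId $guid -RoleDefinitionName $Role -Scope $scope -ErrorAction Stop | Out-Null
    } catch {
        # Expected: the cmdlet cannot read the customer's Azure AD to verify the principal
        Write-Warning "New-AzureRmRoleAssignment reported: $($_.Exception.Message)"
    }

    # Confirm from the ARM side that the assignment exists at this scope
    # (assumption: the cmdlet returns it even when the directory lookup fails)
    $assignment = Get-AzureRmRoleAssignment -ObjectId $guid -Scope $scope -ErrorAction SilentlyContinue |
        Where-Object { $_.RoleDefinitionName -eq $Role -and $_.Scope -eq $scope }

    if (-not $assignment) {
        throw "Role assignment for $guid at $scope was not created"
    }
    return $assignment
}

# Usage with placeholders (replace with the customer's real values):
# Grant-CspSubscriptionRole -TenantId 'tenantname.onmicrosoft.com' `
#     -SubscriptionId '<subscription id>' -UserObjectId '<guid from customer>' -Role 'Contributor'
```

The returned object is the proof you can hand back to the customer that the role was granted, even though New-AzureRmRoleAssignment itself reported an error.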