Manage subscriptions and resources under the Azure plan
Appropriate roles: Admin agent
This article explains how Cloud Solution Provider (CSP) partners can use different role-based access control (RBAC) options to gain operational control and management of a customer's Azure resources. When you transition a customer to the Azure plan, you are assigned privileged admin rights in Azure (subscription owner rights through admin on behalf of) by default.
Admin rights to the Azure subscription can be removed by the customer at a subscription, resource group, or workload level.
Partners can gain 24x7 operational control and management of a customer's Azure resources in CSP by using the different options provided through the role-based access control (RBAC) feature:
Admin on Behalf Of (AOBO) - With AOBO, any user with the Admin Agent role in the partner tenant will have RBAC owner access to Azure subscriptions that you create through the CSP program.
Azure Lighthouse: AOBO doesn't allow the flexibility to create distinct groups that work with different customers, or to enable different roles for groups or users. Using Azure Lighthouse, you can assign different groups to different customers or roles. Because users will have the appropriate level of access through Azure delegated resource management, you can reduce the number of users who have the Admin Agent role (and thus have full AOBO access). This helps improve security by limiting unnecessary access to your customers' resources. It also gives you more flexibility to manage multiple customers at scale. For more information, read Azure Lighthouse and the Cloud Solution Provider program.
Directory or Guest Users or Service Principals: You can delegate granular access to CSP subscriptions by adding users in the customer directory or adding guest users and assigning specific RBAC roles.
As a security practice, Microsoft recommends that users have the minimum permissions they need to do their work. See Azure Active Directory Privileged Identity Management resources.
Link your partner ID (MPN ID) to your credentials for managing customer's Azure resources
The following table shows the methods used to associate your partner ID with various RBAC access options.
| Category | Scenario | MPN ID association |
|---|---|---|
| AOBO | CSP direct partner or indirect provider creates the subscription for the customer, making the CSP direct partner or indirect provider the default owner of the subscription using AOBO. CSP direct partner or indirect provider gives the indirect reseller access to the subscription using AOBO. | Automatic (no partner work required) |
| Azure Lighthouse | Partner creates a new Managed Services offer in Marketplace. This offer is accepted on the CSP subscription and the partner gets access to the CSP subscription. | Automatic (no partner work required) |
| Azure Lighthouse | Partner deploys an ARM template in the Azure subscription. | Partner needs to associate the MPN ID with the user or service principal in the partner tenant. For more information, see Link your partner ID to track your impact on delegated resources. |
| Directory or guest user | Partner creates a new user or service principal in the customer directory and gives the user access to the CSP subscription. Or: partner creates a new user or service principal in the customer directory, adds the user to a group, and gives the group access to the CSP subscription. | Partner needs to associate the MPN ID with the user or service principal in the customer tenant. For more information, see Link Partner ID. |
Confirm that you have admin access
You require admin access to manage your customer's services and to receive earned credits. Read Partner earned credits for detailed information on earned credits. There are two ways to confirm that you have admin access.
Review the daily usage file. Compare the unit price and the effective unit price within the daily usage file and confirm whether a discount is being applied. If you are receiving the discount, you are the admin.
Create an Azure Monitor alert. You can create an Azure Monitor activity log alert to be notified when your RBAC access is removed from the CSP subscription.
Create an Azure Monitor alert
Select the type of action you want the alert to take. For example, if you specify that you want an email, you will receive an email notifying you if any role assignment deletion occurs.
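As an added example that is not part of the original article, the following Python builds the activity log alert rule described above as a `Microsoft.Insights/activityLogAlerts` ARM resource (category `Administrative`, operation `Microsoft.Authorization/roleAssignments/delete`) and evaluates that same condition against constructed activity log events, so you can see which events would notify you. The subscription ID, action group ID and sample events are placeholders, not values from the page.

```python
"""Activity log alert for RBAC role-assignment removal (added example)."""
import json

ROLE_ASSIGNMENT_DELETE = "Microsoft.Authorization/roleAssignments/delete"


def build_alert_rule(subscription_id, action_group_id, name="rbac-access-removed"):
    """Return an activityLogAlerts resource that fires when any role assignment
    is deleted in the subscription and routes it to the given action group."""
    return {
        "type": "Microsoft.Insights/activityLogAlerts",
        "apiVersion": "2020-10-01",
        "name": name,
        "location": "Global",
        "properties": {
            "enabled": True,
            "scopes": [f"/subscriptions/{subscription_id}"],
            "condition": {"allOf": [
                {"field": "category", "equals": "Administrative"},
                {"field": "operationName", "equals": ROLE_ASSIGNMENT_DELETE},
            ]},
            "actions": {"actionGroups": [{"actionGroupId": action_group_id}]},
            "description": "Notify the partner when RBAC access is removed from the CSP subscription",
        },
    }


def event_matches(rule, event):
    """Evaluate the rule's allOf clauses against one activity log event.
    In the activity log schema, category and operationName are objects with a 'value'."""
    for clause in rule["properties"]["condition"]["allOf"]:
        if event.get(clause["field"], {}).get("value") != clause["equals"]:
            return False
    return True


def matching_events(rule, events):
    """Return the events that would trigger the alert."""
    return [e for e in events if event_matches(rule, e)]


# Constructed sample events (abridged activity log schema); only the first should match.
SAMPLE_EVENTS = [
    {"category": {"value": "Administrative"}, "operationName": {"value": ROLE_ASSIGNMENT_DELETE}, "caller": "customer-admin@example.com"},
    {"category": {"value": "Administrative"}, "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"}, "caller": "customer-admin@example.com"},
    {"category": {"value": "Policy"}, "operationName": {"value": ROLE_ASSIGNMENT_DELETE}, "caller": "policy-engine"},
]

if __name__ == "__main__":
    # Placeholder IDs; substitute the customer's subscription and your action group.
    rule = build_alert_rule("00000000-0000-0000-0000-000000000000",
                            "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-monitoring/providers/microsoft.insights/actionGroups/partner-ops")
    print(json.dumps(rule, indent=2))
    print(len(matching_events(rule, SAMPLE_EVENTS)), "event(s) would trigger the alert")
```

The printed resource can be placed in an ARM template's `resources` array and deployed to the customer's subscription while you still hold owner access; deleting your own role assignment afterwards is what the rule detects.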
Customers can manage access to their subscriptions by going to Access Control on the Azure portal. From the Role assignments tab, they select Remove access. If a customer removes your access, you can:
Talk with your customer to see if admin access can be reinstated.
Use the access provided through role-based access control (RBAC).
Use access provided through Azure Lighthouse.
Role-based access differs from admin access. Roles delimit precisely what you can and can't do. Admin access is broader.
To see the roles eligible to earn PEC, read Roles and permissions for the partner earned credit.