Reinstate admin privileges for a customer's Azure CSP subscriptions
Appropriate roles: Global admin | Admin agent
As a Cloud Solution Provider (CSP) program partner, your customers often rely on you to manage their Azure usage and their systems. You'll need admin privileges to help them. If you don't already have admin privileges, you can work with your customer to reinstate them.
Admin privileges for Azure in the CSP program
Some admin privileges are granted automatically when you establish a reseller relationship with the customer. Others must be granted to you by the customer. There are two levels of admin privileges for Azure in CSP.
- Tenant-level admin privileges (that is, delegated admin privileges) give you access to your customers' tenants. This access allows you to perform administrative functions such as adding and managing users, resetting passwords, and managing user licenses. You get these privileges when establishing CSP reseller relationships with customers.
- Subscription-level admin privileges give you complete access to your customers' Azure CSP subscriptions. This access allows you to provision and manage their Azure resources. You get these privileges when creating Azure CSP subscriptions for your customers.
How to reinstate your CSP admin privileges
You can work with your customer to regain delegated admin privileges.
1. Sign in to your Partner Center dashboard.
2. From the Partner Center menu, select Customers.
3. Choose the customer you're working with and request a reseller relationship. This action emails a link to your customer.
4. Once your customer approves the reseller relationship request via the link provided, connect to the partner tenant to get the object ID of the AdminAgents group.

   ```powershell
   Connect-AzAccount -Tenant "<Partner tenant>"
   # Get the object ID of the AdminAgents group
   Get-AzADGroup -DisplayName AdminAgents
   ```
5. Ensure that your customer has:
   - The role of Owner or User Access Administrator
   - Permissions to create role assignments at the subscription level
6. To complete the process, your customer must then do the following, using either PowerShell or Azure CLI.

   If using PowerShell, the customer must update the

   1. The customer should connect to the tenant in which the CSP subscription exists.

      PowerShell:
      ```powershell
      Connect-AzAccount -Tenant "<Customer tenant>"
      ```
      Azure CLI:
      ```azurecli
      az login --tenant <Customer tenant>
      ```
   2. The customer should next select the subscription. This step is only needed if the user has role assignment permissions over multiple subscriptions in the tenant.

      PowerShell:
      ```powershell
      Set-AzContext -SubscriptionId "<CSP Subscription ID>"
      ```
      Azure CLI:
      ```azurecli
      az account set --subscription <CSP Subscription ID>
      ```
   3. The customer can then create the role assignment.

      PowerShell:
      ```powershell
      New-AzRoleAssignment -ObjectId "<Object ID of the AdminAgents group from step 4>" -RoleDefinitionName "Owner" -Scope "/subscriptions/<CSP Subscription ID>"
      ```
      Azure CLI:
      ```azurecli
      az role assignment create --role "Owner" --assignee-object-id <Object ID of the AdminAgents group from step 4> --scope "/subscriptions/<CSP Subscription ID>"
      ```

      Instead of granting Owner permissions at the subscription level, you can grant them at the resource group or resource level:

      At the resource group level

      PowerShell:
      ```powershell
      New-AzRoleAssignment -ObjectId "<Object ID of the AdminAgents group from step 4>" -RoleDefinitionName Owner -Scope "/subscriptions/<CSP Subscription ID>/resourceGroups/<Resource group name>"
      ```
      Azure CLI:
      ```azurecli
      az role assignment create --role "Owner" --assignee-object-id <Object ID of the AdminAgents group from step 4> --scope "/subscriptions/<CSP Subscription ID>/resourceGroups/<Resource group name>"
      ```

      At the resource level

      PowerShell:
      ```powershell
      New-AzRoleAssignment -ObjectId "<Object ID of the AdminAgents group from step 4>" -RoleDefinitionName Owner -Scope "<Resource URI>"
      ```
      Azure CLI:
      ```azurecli
      az role assignment create --role "Owner" --assignee-object-id <Object ID of the AdminAgents group from step 4> --scope "<Resource URI>"
      ```
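The customer-side steps above, collected into one script that also performs the role check from step 5 before attempting the assignment and verifies the result afterwards. This is an added example, not code from the Microsoft page: the parameter names, the pre-check and the idempotency check are my own, all angle-bracket values are placeholders the customer supplies, and the script assumes the customer signs in with a user account (the sign-in name check does not apply to service principals). It goes beyond the page in one respect: passing `-ResourceGroupName` scopes the grant to a single resource group, which is the narrower of the two scopes the page describes.

```powershell
# Added example (not from the Microsoft page): customer-side reinstatement of the
# partner's AdminAgents group with a permission pre-check and post-verification.
# Assumes Az.Accounts and Az.Resources are installed and the caller is a user account.
param(
    [Parameter(Mandatory)] [string] $CustomerTenantId,     # <Customer tenant>
    [Parameter(Mandatory)] [string] $SubscriptionId,       # <CSP Subscription ID>
    [Parameter(Mandatory)] [string] $AdminAgentsObjectId,  # object ID obtained in the partner tenant (step 4)
    [string] $ResourceGroupName                            # optional: grant at resource-group scope instead of the whole subscription
)

Connect-AzAccount -Tenant $CustomerTenantId | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Use the narrowest scope that still covers what the partner has to manage.
$scope = "/subscriptions/$SubscriptionId"
if ($ResourceGroupName) { $scope += "/resourceGroups/$ResourceGroupName" }

# Pre-check (step 5): the signed-in customer needs Owner or User Access Administrator
# effective at the target scope, otherwise New-AzRoleAssignment fails with an authorization error.
$me = (Get-AzContext).Account.Id
$myRoles = Get-AzRoleAssignment -SignInName $me -Scope $scope -ExpandPrincipalGroups |
    Select-Object -ExpandProperty RoleDefinitionName -Unique
$required = @('Owner', 'User Access Administrator')
if (-not ($myRoles | Where-Object { $required -contains $_ })) {
    throw "Account '$me' holds [$($myRoles -join ', ')] at $scope; Owner or User Access Administrator is required."
}

# Idempotency: do not create a second, duplicate assignment at the same scope.
$existing = Get-AzRoleAssignment -ObjectId $AdminAgentsObjectId -RoleDefinitionName Owner -Scope $scope |
    Where-Object { $_.Scope -eq $scope }
if ($existing) {
    Write-Host "AdminAgents group already holds Owner at $scope; nothing to do."
} else {
    # ForeignGroup: the AdminAgents group is a principal of the partner tenant, not this tenant.
    New-AzRoleAssignment -ObjectId $AdminAgentsObjectId -RoleDefinitionName Owner `
        -Scope $scope -ObjectType ForeignGroup | Out-Null
}

# Verification: show exactly what the partner group now holds at this scope.
Get-AzRoleAssignment -ObjectId $AdminAgentsObjectId -Scope $scope |
    Select-Object RoleDefinitionName, Scope, ObjectType, ObjectId |
    Format-Table -AutoSize
```

The final table is what to keep for the customer's change record: it lists the role, the scope it was granted at and the object ID of the foreign group, which is the information needed later to review or remove the grant.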
7. If the above steps don't work or you get errors when attempting them, try the following "catch-all" procedure to reinstate admin rights for your customer:

   ```powershell
   Install-Module -Name Az.Resources -Force -Verbose
   Import-Module -Name Az.Resources -Verbose -MinimumVersion 4.1.1
   Connect-AzAccount -Tenant "<Customer tenant>"
   Set-AzContext -SubscriptionId "<Customer subscription>"
   # ForeignGroup: the AdminAgents group is a principal of the partner tenant, not the customer tenant
   New-AzRoleAssignment -ObjectId "<principal ID>" -RoleDefinitionName "Owner" -Scope "/subscriptions/<Customer subscription>" -ObjectType "ForeignGroup"
   ```
8. If the customer is unable to complete step 6, suggest the following command and provide the resulting newRoleAssignment.log file to Microsoft for further analysis:

   ```powershell
   # *> redirects all output streams, including the debug stream that -Debug writes to, into the log file
   New-AzRoleAssignment -ObjectId "<principal ID>" -RoleDefinitionName "Owner" -Scope "/subscriptions/<Customer subscription>" -ObjectType "ForeignGroup" -Debug *> newRoleAssignment.log
   ```
9. If the "catch-all" procedure fails during the Import-Module step, try the following:
   - If the import fails because the module is in use, restart the PowerShell session by closing and reopening all windows.
   - Check the version of Az.Resources with `Get-Module Az.Resources -ListAvailable`.
   - If version 4.1.1 isn't within the available list, you must use `Update-Module Az.Resources -Force`.
   - If the error states that Az.Accounts needs to be a specific version, update that module as well, replacing Az.Resources with Az.Accounts in the command above. You must then restart the PowerShell session.
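The version checks in the troubleshooting list above, as one script that can be run before the "catch-all" procedure. This is an added example, not code from the Microsoft page: the function name `Test-AzModuleVersion` and the `-AzAccountsMinimum` parameter are my own. The Az.Resources minimum of 4.1.1 is the version the page names; the page gives no Az.Accounts version, so that value has to be taken from the Import-Module error text and passed in.

```powershell
# Added example (not from the Microsoft page): bring Az.Resources (and, if a version is
# supplied, Az.Accounts) to the required version and detect the already-loaded case
# that makes Import-Module fail until the session is restarted.
param(
    [version] $AzResourcesMinimum = '4.1.1',  # minimum named on the page
    [version] $AzAccountsMinimum              # optional: version named in the Import-Module error
)

function Get-NewestInstalled {
    param([Parameter(Mandatory)] [string] $Name)
    # -ListAvailable returns every installed version; keep the newest one.
    Get-Module -Name $Name -ListAvailable |
        Sort-Object -Property Version -Descending |
        Select-Object -First 1
}

function Test-AzModuleVersion {
    param(
        [Parameter(Mandatory)] [string]  $Name,
        [Parameter(Mandatory)] [version] $Minimum,
        [switch] $Update
    )
    $newest = Get-NewestInstalled -Name $Name
    if ($newest -and $newest.Version -ge $Minimum) {
        Write-Host "$Name $($newest.Version) satisfies the minimum $Minimum."
        return $true
    }
    if (-not $newest) { Write-Warning "$Name is not installed." }
    else { Write-Warning "$Name $($newest.Version) is older than the required $Minimum." }
    if (-not $Update) { return $false }

    # Install when absent, update when too old, then re-check rather than trusting the cmdlet.
    if (-not $newest) { Install-Module -Name $Name -Force }
    else { Update-Module -Name $Name -Force }
    $newest = Get-NewestInstalled -Name $Name
    return [bool]($newest -and $newest.Version -ge $Minimum)
}

# Versions already loaded in this session stay loaded: a newer copy on disk cannot be
# imported until every PowerShell window is closed and reopened.
$loadedBefore = @(Get-Module -Name Az.Resources, Az.Accounts |
    ForEach-Object { "$($_.Name) $($_.Version)" })

$ok = Test-AzModuleVersion -Name Az.Resources -Minimum $AzResourcesMinimum -Update
if ($AzAccountsMinimum) {
    $ok = (Test-AzModuleVersion -Name Az.Accounts -Minimum $AzAccountsMinimum -Update) -and $ok
}

if (-not $ok) {
    Write-Warning "The required module versions are not available; resolve the warnings above first."
} elseif ($loadedBefore.Count -gt 0) {
    Write-Warning "Already loaded in this session: $($loadedBefore -join ', '). Close and reopen all PowerShell windows, then run the catch-all procedure."
} else {
    Import-Module -Name Az.Resources -MinimumVersion $AzResourcesMinimum -Verbose
}
```

Run it in a fresh session before the catch-all procedure; if it reports modules already loaded, the restart it asks for is the same fix the list above gives for the "module is in use" error.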