Reinstate admin privileges for a customer's Azure CSP subscriptions

Appropriate roles: Global admin | Admin agent

As a Cloud Solution Provider (CSP) program partner, your customers often rely on you to manage their Azure usage and their systems. You'll need admin privileges to help them. If you don't already have admin privileges, you can work with your customer to reinstate them.

Admin privileges for Azure in the CSP program

Some admin privileges are granted automatically when you establish a reseller relationship with the customer. Others must be granted to you by the customer. There are two levels of admin privileges for Azure in CSP.

  • Tenant-level admin privileges (that is, delegated admin privileges) give you access to your customers' tenants. This access allows you to do administrative functions such as add and manage users, reset passwords, and manage user licenses. You get these privileges when establishing CSP reseller relationships with customers.
  • Subscription-level admin privileges give you complete access to your customers' Azure CSP subscriptions. This access allows you to provision and manage their Azure resources. You get these privileges when creating Azure CSP subscriptions for your customers.

How to reinstate your CSP admin privileges

You can work with your customer to regain delegated admin privileges.

  1. Sign in to your Partner Center dashboard.

  2. From the Partner Center menu, select Customers.

  3. Choose the customer you're working with and request a reseller relationship. This action emails a link to your customer.

    (Screenshot: example of the reseller relationship request email sent to the customer.)

  4. Once your customer approves the reseller relationship request via the link provided, connect to the partner tenant to get the object ID of the AdminAgents group.

    Connect-AzAccount -Tenant "<Partner tenant>"
    # Get the object ID of the AdminAgents group (the customer needs it in step 6)
    Get-AzADGroup -DisplayName AdminAgents
    
  5. Ensure that your customer has:

    1. The Owner or User Access Administrator role on the CSP subscription
    2. Permission to create role assignments at the subscription scope
  6. To complete the process, your customer must then do the following, using either PowerShell or Azure CLI.

    1. If using PowerShell, the customer must update the Az.Resources module.

      Update-Module Az.Resources
      
    2. The customer should connect to the tenant in which the CSP subscription exists.

      Connect-AzAccount -TenantID "<Customer tenant>"
      
      az login --tenant <Customer tenant>
      
    3. The customer should next connect to the subscription. This is only applicable if the user has role assignment permissions over multiple subscriptions in the tenant.

      Set-AzContext -SubscriptionId "<CSP Subscription ID>"
      
      az account set --subscription <CSP Subscription ID>
      
    4. The customer can then create the role assignment.

      New-AzRoleAssignment -ObjectId "<Object ID of the AdminAgents group from step 4>" -RoleDefinitionName "Owner" -Scope "/subscriptions/<CSP subscription ID>"
      
      az role assignment create --role "Owner" --assignee-object-id <Object ID of the AdminAgents group from step 4> --scope "/subscriptions/<CSP Subscription Id>"
      

Instead of granting owner permissions at the subscription level, you can grant them at the resource group or resource level:

  • At the resource group level

    New-AzRoleAssignment -ObjectId "<Object ID of the AdminAgents group from step 4>" -RoleDefinitionName Owner -Scope "/subscriptions/<CSP subscription ID>/resourceGroups/<Resource group name>"
    
    az role assignment create --role "Owner" --assignee-object-id <Object ID of the AdminAgents group from step 4> --scope "/subscriptions/<CSP Subscription Id>/resourceGroups/<Resource group name>"
    
  • At the resource level

    New-AzRoleAssignment -ObjectID "<Object ID of the AdminAgents group from step 4>" -RoleDefinitionName Owner -Scope "<Resource URI>"
    
    az role assignment create --role "Owner" --assignee-object-id <Object ID of the AdminAgents group from step 4> --scope "<Resource URI>"
    
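The following script is an added example, not part of the original page or of the Az module: it runs the customer side of steps 5 and 6 as one checked procedure (prerequisite check, scope construction, the ForeignGroup assignment, and a read-back), and optionally narrows the grant to a resource group as described above. The parameter names and the assumption that the customer signs in as a user account (not a service principal) are the example's own.

```powershell
# Added example: customer-side role assignment for the partner's AdminAgents group.
# Assumes the customer signs in as a user; all parameter values are supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $CustomerTenantId,     # tenant that owns the CSP subscription
    [Parameter(Mandatory)] [string] $SubscriptionId,       # CSP subscription ID
    [Parameter(Mandatory)] [string] $AdminAgentsObjectId,  # from Get-AzADGroup in the partner tenant (step 4)
    [string] $ResourceGroupName                             # optional: limit the grant to one resource group
)

# Step 6.1: the procedure needs a recent Az.Resources (the page's catch-all requires 4.1.1 or later).
Import-Module Az.Resources -MinimumVersion 4.1.1 -ErrorAction Stop

# Step 6.2 and 6.3: sign in to the customer tenant and select the CSP subscription.
Connect-AzAccount -TenantId $CustomerTenantId | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Build the scope string exactly: no quotes inside the path and single slashes between segments.
$scope = "/subscriptions/$SubscriptionId"
if ($ResourceGroupName) { $scope += "/resourceGroups/$ResourceGroupName" }

# Step 5 check: the signed-in customer must hold Owner or User Access Administrator at (or above) $scope.
# -ExpandPrincipalGroups also counts roles the user holds through group membership.
$me = (Get-AzContext).Account.Id
$myRoles = Get-AzRoleAssignment -SignInName $me -Scope $scope -ExpandPrincipalGroups |
    Select-Object -ExpandProperty RoleDefinitionName
if (-not ($myRoles -contains 'Owner' -or $myRoles -contains 'User Access Administrator')) {
    throw "Account '$me' is neither Owner nor User Access Administrator at $scope; it cannot create role assignments."
}

# Make the script re-runnable: skip if the group already holds Owner at this scope.
$existing = Get-AzRoleAssignment -ObjectId $AdminAgentsObjectId -Scope $scope -RoleDefinitionName Owner
if ($existing) { Write-Host "AdminAgents group already holds Owner at $scope"; return }

# Step 6.4: the group lives in the partner tenant, so from this tenant it is a foreign principal.
New-AzRoleAssignment -ObjectId $AdminAgentsObjectId -RoleDefinitionName 'Owner' `
    -Scope $scope -ObjectType 'ForeignGroup' | Out-Null

# Read the assignment back so a silent failure is caught here rather than by the partner later.
$check = Get-AzRoleAssignment -ObjectId $AdminAgentsObjectId -Scope $scope -RoleDefinitionName Owner
if (-not $check) { throw "Role assignment for $AdminAgentsObjectId was not found at $scope after creation." }
Write-Host "Granted Owner to AdminAgents group $AdminAgentsObjectId at $scope"
```

Pass -ResourceGroupName when the partner only needs to manage resources in one group; the subscription-wide grant is the broadest option the page describes.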

If the above steps don't work or you get errors when attempting them, try the following "catch-all" procedure to reinstate admin rights for your customer:

Install-Module -Name Az.Resources -Force -Verbose
Import-Module -Name Az.Resources -Verbose -MinimumVersion 4.1.1
Connect-AzAccount -Tenant <customer tenant>
Set-AzContext -SubscriptionId <customer subscription>
New-AzRoleAssignment -ObjectId <principal ID> -RoleDefinitionName "Owner" -Scope "/subscriptions/<customer subscription>" -ObjectType "ForeignGroup"

Troubleshooting

If the customer is unable to complete step 6, suggest the following command and provide the resulting newRoleAssignment.log file to Microsoft for further analysis:

# "*>" redirects every output stream (including the Debug stream) to the file; ">" alone captures only the success stream
New-AzRoleAssignment -ObjectId <principal ID> -RoleDefinitionName "Owner" -Scope "/subscriptions/<customer subscription>" -ObjectType "ForeignGroup" -Debug *> newRoleAssignment.log

If the "catch-all" procedure fails during the Import-Module, try the following steps:

  • If the import fails because the module is in use, restart the PowerShell session by closing and reopening all windows.
  • Check the version of Az.Resources with Get-Module Az.Resources -ListAvailable.
  • If version 4.1.1 (the minimum the import requires) or later isn't in the list, run Update-Module Az.Resources -Force.
  • If the error states that Az.Accounts needs to be a specific version, update that module as well, replacing Az.Resources with Az.Accounts. You must then restart the PowerShell session.
