Forum Discussion
Admin‑On‑Behalf‑Of issue when purchasing subscription
Hello everyone!
I want to reach out to you on the internet and ask if anyone has the same issue as we do when creating PAYG Azure subscriptions in a customer's tenant in which we have delegated access via GDAP through Partner Center. It is a bit of an AI-formatted question.
When an Azure NCE subscription is created for a customer via an Indirect Provider portal, the CSP Admin Agent (foreign principal) is not automatically assigned Owner on the subscription.
As a result:
- AOBO (Admin‑On‑Behalf‑Of) does not activate
- The subscription is invisible to the partner when accessing Azure via Partner Center service links
- The partner cannot manage and deploy to a subscription they just provided
This breaks the expected delegated administration flow.
AOBO explanation from Microsoft: https://learn.microsoft.com/en-us/shows/cspdev/module-11-admin-on-behalf-of-aobo
Expected Behavior
For CSP‑created Azure subscriptions:
- The CSP Admin Agent group should automatically receive Owner (or equivalent) on the subscription
- AOBO should work immediately, without customer involvement
- The partner should be able to see the subscription in Azure Portal and deploy resources
Actual Behavior Observed
For Azure NCE subscriptions created via an Indirect Provider:
- No RBAC assignment is created for the foreign AdminAgent group
- The subscription is visible only to users inside the customer tenant
- Partner Center role (Admin Agent foreign group) is present, but without Azure RBAC.
Required Customer Workaround
For each new Azure NCE subscription, the customer must:
- Sign in as Global Admin
- Use “Elevate access to manage all Azure subscriptions and management groups”
- Assign themselves Owner on the subscription
- Manually assign Owner to the partner’s foreign AdminAgent group
Only after this does AOBO start working.
Example
Partner tries to access the subscription:
https://portal.azure.com/#@customer.onmicrosoft.com/resource/subscriptions/<subscription-id>/overview
But there is no subscription visible: "None of the entries matched the given filter".
Elevate access as the customer's Global Admin: https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal%2Centra-audit-logs#step-1-elevate-access-for-a-global-administrator
and manual RBAC fix in Cloud console:
az role assignment create \
--assignee-object-id "<AdminAgent-Foreign-Group-ObjectId>" \
--role "Owner" \
--scope "/subscriptions/<subscription-id>" \
--assignee-principal-type "ForeignGroup"
After this, AOBO works as expected for delegated administrators (foreign user accounts).
Why This Is a Problem
- Partners sell Azure subscriptions that they cannot access
- Forces resources from customers to involvement from customers
- Breaks delegated administration principles
For Indirect CSPs managing many tenants, this is a decent operational blocker.
Key Question to Microsoft / Community
- Does anyone else struggle with this?
- Is this behavior by design for Azure NCE + Indirect CSP?
- Am I missing some point of view on why not to do it in the suggested way?
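Because the workaround above has to be repeated for every new subscription, a partner managing many tenants will want to audit which subscriptions still lack the Owner assignment for the foreign AdminAgent group before touching anything. The script below is an added example and not part of the original post or of any Microsoft tooling; it assumes the JSON shape returned by `az role assignment list --all --output json` (objects with `principalId`, `principalType`, `roleDefinitionName` and `scope`), and the group object id and subscription ids in it are constructed placeholders. It treats Owner at the subscription scope or at the tenant root as effective, flags Owner at a management-group scope as something to verify (membership cannot be checked offline), and deliberately does not count Owner granted only on a resource group inside the subscription, since that does not make the subscription itself visible or manageable through AOBO.

```python
"""Audit whether a CSP partner's foreign AdminAgent group holds Owner on each
Azure subscription, from the JSON emitted by `az role assignment list --all -o json`.
Added example; the ids and assignments below are constructed, not real."""
import json
from typing import Dict, List

# Placeholder object id of the partner's foreign AdminAgent group (assumption).
ADMIN_AGENT_GROUP_ID = "00000000-0000-0000-0000-00000000aaaa"

# Constructed subscription ids for the customer tenant.
SUBSCRIPTION_IDS = [
    "11111111-1111-1111-1111-111111111111",  # Owner assigned correctly
    "22222222-2222-2222-2222-222222222222",  # group only has Contributor
    "33333333-3333-3333-3333-333333333333",  # group is Owner on one resource group only
]

# Constructed sample of what `az role assignment list --all -o json` returns.
SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {"principalId": ADMIN_AGENT_GROUP_ID, "principalType": "ForeignGroup",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
    {"principalId": "cust-global-admin-object-id", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/22222222-2222-2222-2222-222222222222"},
    {"principalId": ADMIN_AGENT_GROUP_ID, "principalType": "ForeignGroup",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/22222222-2222-2222-2222-222222222222"},
    {"principalId": ADMIN_AGENT_GROUP_ID, "principalType": "ForeignGroup",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/33333333-3333-3333-3333-333333333333/resourceGroups/rg-app"},
])

MG_PREFIX = "/providers/microsoft.management/managementgroups/"


def subscription_scope(subscription_id: str) -> str:
    """Canonical (lower-cased) ARM scope of a subscription."""
    return f"/subscriptions/{subscription_id}".lower()


def owner_status(assignments: List[dict], principal_id: str, subscription_id: str) -> str:
    """Return 'owner', 'owner-via-management-group' or 'missing' for one subscription.

    Only Owner at the subscription scope itself (or at the tenant root '/') is
    treated as effective. Owner at a management-group scope is reported for
    manual verification. Narrower scopes (resource group, resource) never count."""
    target = subscription_scope(subscription_id)
    status = "missing"
    for a in assignments:
        if a.get("principalId", "").lower() != principal_id.lower():
            continue
        if a.get("roleDefinitionName") != "Owner":
            continue
        scope = a.get("scope", "").lower()
        if scope == target or scope == "/":
            return "owner"
        if scope.startswith(MG_PREFIX):
            status = "owner-via-management-group"
        # Any other scope is narrower than the subscription: ignored on purpose.
    return status


def remediation_command(principal_id: str, subscription_id: str) -> str:
    """Build the same `az role assignment create` call used in the post's workaround."""
    return (
        "az role assignment create "
        f'--assignee-object-id "{principal_id}" '
        '--role "Owner" '
        f'--scope "/subscriptions/{subscription_id}" '
        '--assignee-principal-type "ForeignGroup"'
    )


def audit(json_text: str, principal_id: str, subscription_ids: List[str]) -> Dict[str, str]:
    """Map each subscription id to its Owner status for the given principal."""
    assignments = json.loads(json_text)
    return {s: owner_status(assignments, principal_id, s) for s in subscription_ids}


if __name__ == "__main__":
    for sub, status in audit(SAMPLE_ASSIGNMENTS_JSON, ADMIN_AGENT_GROUP_ID, SUBSCRIPTION_IDS).items():
        print(f"{sub}: {status}")
        if status != "owner":
            print("  fix: " + remediation_command(ADMIN_AGENT_GROUP_ID, sub))
```

In practice you would pipe the real `az role assignment list --all -o json` output (run by the customer's elevated Global Admin, or by the partner once AOBO works) into `audit` instead of the constructed sample, and only then run the printed remediation commands after confirming the object id really is the foreign AdminAgent group.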