Forum Discussion
kimiolek00
Jan 15, 2025
Copper Contributor
How to Manage Access to Azure Subscriptions in CSP as an Indirect Provider?
Hi,
I have a question about managing access to Azure subscriptions in the CSP model as an Indirect Provider (Distributor).
- Granting Access to Customers: What is the correct way to grant access to Azure subscriptions for customers? Are there any recommended practices or tools to simplify this process?
- Automation: Is it possible to automate the process of granting access? If yes, what tools or scripts could be helpful?
- Permissions: What permissions are required to smoothly assign such access?
- Is it necessary to configure GDAP (Granular Delegated Admin Privileges)?
- Or is using a Foreign Principal sufficient?
I'm looking for detailed insights to understand the differences between these approaches and to choose the best solution.
Thanks in advance for any tips and guidance!
- joshuahickok
Copper Contributor
- Granting access to customers: assuming you have Ownership of a deployed Azure sub, and the appropriate GDAP permissions, you can assign RBAC roles to whomever you'd like. You can use any tool that is normally used for managing permissions in Azure. Azure PowerShell is one: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-powershell
- Automation: see above, but be careful automating this because you may not know who from the customer should actually have rights to that Azure sub. By default an end-customer global admin can just grant access to the Azure sub themselves.
- Permissions: if you sell the Azure sub, you should already have Owner permissions assigned to your AOBO admin agent group. I believe you will also need GDAP to at least enumerate a customer directory and assign permissions, so Global Reader or Directory Reader would work.
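Added example (not part of the reply above, and not Microsoft's or the poster's own script): an Azure PowerShell sketch of the role assignment and the automation caution described in this answer. It assigns roles only to principals on an explicit customer-approved list, skips assignments that already exist, and makes no change unless run with `-Apply`. The tenant, subscription and object IDs are placeholders, and the approved list and the `-Apply` switch are assumptions of this example.

```powershell
# Added example: reviewable RBAC assignment on a CSP customer subscription.
# Requires the Az.Accounts and Az.Resources modules. All IDs are placeholders.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

$CustomerTenantId = '<customer-tenant-id>'
$SubscriptionId   = '<azure-subscription-id>'
$Scope            = "/subscriptions/$SubscriptionId"

# Constructed sample: principals the customer has explicitly approved,
# identified by object ID in the customer directory, with the role each needs.
$Approved = @(
    @{ ObjectId = '<customer-group-object-id>'; Role = 'Contributor' }
    @{ ObjectId = '<customer-user-object-id>';  Role = 'Reader' }
)

# Sign in against the customer tenant and select the subscription.
Connect-AzAccount -Tenant $CustomerTenantId | Out-Null
Set-AzContext -Subscription $SubscriptionId -Tenant $CustomerTenantId | Out-Null

foreach ($entry in $Approved) {
    # Look for the same role at exactly this scope (ignore inherited assignments).
    $existing = Get-AzRoleAssignment -ObjectId $entry.ObjectId -Scope $Scope `
                    -RoleDefinitionName $entry.Role |
                Where-Object { $_.Scope -eq $Scope }

    if ($existing) {
        Write-Output "SKIP   $($entry.ObjectId) already has $($entry.Role)"
    }
    elseif ($Apply) {
        New-AzRoleAssignment -ObjectId $entry.ObjectId -Scope $Scope `
            -RoleDefinitionName $entry.Role | Out-Null
        Write-Output "ADDED  $($entry.ObjectId) -> $($entry.Role)"
    }
    else {
        Write-Output "WOULD  assign $($entry.Role) to $($entry.ObjectId)"
    }
}

# Review step: list who holds Owner directly on the subscription after the run.
Get-AzRoleAssignment -Scope $Scope |
    Where-Object { $_.RoleDefinitionName -eq 'Owner' -and $_.Scope -eq $Scope } |
    Select-Object DisplayName, ObjectType, ObjectId
```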
- JillArmourMicrosoft
Community Manager
The team responded with these resources:
Manage users and licenses - Partner Center | Microsoft Learn
Assign or revoke licenses to multiple users - Partner Center | Microsoft Learn
- kimiolek00
Copper Contributor
Thank you for your response. However, the documentation links you provided do not appear to be relevant to the issue I outlined. Could you please assist me further in addressing the specific matter at hand?
I appreciate your support and look forward to your guidance.
- JillArmourMicrosoft
Community Manager
The team needs some time to get back to us with a response, but in the meantime they did share this resource:
https://learn.microsoft.com/en-us/partner-center/customers/assign-azure-subscriptions
- JillArmourMicrosoft
Community Manager
kimiolek00, I have forwarded this to the team; I will post when they respond.