azure
12 Topics

Admin-On-Behalf-Of issue when purchasing subscription

Hello everyone! I want to reach out to you on the internet and ask if anyone has the same issue as we do when creating PAYG Azure subscriptions in a customer's tenant, in which we have delegated access via GDAP through Partner Center. The question is a bit AI-formatted.

When an Azure NCE subscription is created for a customer via an Indirect Provider portal, the CSP Admin Agent (foreign principal) is not automatically assigned Owner on the subscription. As a result:
- AOBO (Admin-On-Behalf-Of) does not activate
- The subscription is invisible to the partner when accessing Azure via Partner Center service links
- The partner cannot manage and deploy to a subscription they just provided
This breaks the expected delegated administration flow.

Expected Behavior
For CSP-created Azure subscriptions:
- The CSP Admin Agent group should automatically receive Owner (or equivalent) on the subscription
- AOBO should work immediately, without customer involvement
- The partner should be able to see the subscription in the Azure Portal and deploy resources

Actual Behavior Observed
For Azure NCE subscriptions created via an Indirect Provider:
- No RBAC assignment is created for the foreign AdminAgent group
- The subscription is visible only to users inside the customer tenant
- The Partner Center role (Admin Agent foreign group) is present, but without Azure RBAC

Required Customer Workaround
For each new Azure NCE subscription, the customer must:
1. Sign in as Global Admin
2. Use "Elevate access to manage all Azure subscriptions and management groups"
3. Assign themselves Owner on the subscription
4. Manually assign Owner to the partner's foreign AdminAgent group
Only after this does AOBO start working.

Example
Partner tries to access the subscription:
https://portal.azure.com/#@customer.onmicrosoft.com/resource/subscriptions/<subscription-id>/overview
But there is no subscription visible: "None of the entries matched the given filter"

Elevate access from the customer's global admin:
https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal%2Centra-audit-logs#step-1-elevate-access-for-a-global-administrator

And the manual RBAC fix in the Cloud console:
    az role assignment create \
      --assignee-object-id "<AdminAgent-Foreign-Group-ObjectId>" \
      --role "Owner" \
      --scope "/subscriptions/<subscription-id>" \
      --assignee-principal-type "ForeignGroup"
After this, AOBO works as expected for delegated administrators (foreign user accounts).

Why This Is a Problem
- Partners sell Azure subscriptions that they cannot access
- Forces involvement and resources from customers
- Breaks delegated administration principles
For Indirect CSPs managing many tenants, this is a decent operational blocker.

Key Question to Microsoft / Community
Does anyone else struggle with this? Is this behavior by design for Azure NCE + Indirect CSP? Am I missing some point of view on why not to do it in the suggested way?

Network Design Ideas for VMs in Azure
Hello, I am analyzing the current Azure environment at my new job and trying to figure out the architectural choices, mostly networking-wise. Currently, we have 10 VMs, each VM has its own VNet, and they are all in the same region. In my experience so far, I have never seen such a network design in Azure before. If all VMs are in the same region, we could have one VNet and utilize subnets and NSGs to segment the VMs and control the traffic. Having so many different VNets makes it very complex to manage. Looking for opinions on what other people think. Is this just a bad design, or is it just to keep the VMs separate from each other?

Best Practices for Designing a Hub-and-Spoke Architecture in Azure
A Hub-and-Spoke architecture is a widely used networking topology in Azure that helps organizations centralize network management, enhance security, and optimize connectivity. However, designing an efficient Hub-and-Spoke model requires careful planning regarding network security, scalability, and cost optimization.
- What are the core components of a Hub-and-Spoke architecture in Azure?
- What factors should be considered when designing the hub (e.g., Virtual Network Gateway, Firewall, Security controls)?
- What are the key challenges you've encountered while implementing a Hub-and-Spoke architecture in Azure, and how have you addressed them?

Managing Multiple VMs on Azure Similar to Workspace One
Hello, I currently manage an infrastructure of approximately 100 VMs. I would like to perform activities on Azure such as:
- Installing/removing apps
- Viewing all installed apps on the VMs
- Adding shortcuts to the desktop
- Adjusting timezone/date and time
I am looking for a solution that can handle these tasks, similar to what Workspace One does, but for Windows Servers. How do you currently manage these tasks? Thank you! Feel free to post this on the Microsoft forum. If you need any further assistance, let me know!

Limits with my on-prem AD DS domain with "_" 😑
Hello everybody,
Here is my situation. I have a domain name, "domain_contoso.com", that all my servers are joined to, and I don't have a synchronisation with MS Entra ID. My project now is to migrate my servers to Azure, and I'm confused. In fact, I want to extend my Active Directory with this domain on an Azure VM and configure trust and replication, but the problem is that I can't create a verified domain with the "_", and MS Entra ID doesn't accept that either. So, my questions are:
- If I purchase a new verified domain "domaincontoso.com", without the "_", and add it to MS Entra ID, then synchronise all my users from "domain_contoso.com" to MS Entra ID and extend the same on-prem Active Directory to a VM on Azure with a config for the replication. Would that work? Are there no risks?
- If I purchase a new verified domain "contoso.com" and create a new Active Directory on an Azure VM with this domain, then configure the synchronisation to MS Entra ID. Also, I configure the trust with the on-prem "domain_contoso.com" to ensure that all users in the on-prem AD can access the server with the new domain in Azure after migration.
What is the best solution? And what are the + and -? Thank you very much

Store a file in Azure and make it accessible over the Internet
I wish to store a txt file in Azure and make it so that the file is accessible when someone goes to its corresponding URL. No need for access control or authentication. The file contains a filter list that the ABP extension will access via URL, and this txt file will be stored somewhere in Azure. What Azure solution can I use for this which keeps the price down for us?

Video Recording: Azure Architecture Best Practices
The video recording from the free online event where I was presenting together with Microsoft Cloud Solution Architect Dominik Zemp about Azure Architecture Best Practices is now available. In this session, you will learn about proven guidance that's designed to help you architect, create, and implement the business and technology strategies necessary for your organization to succeed in the cloud. It provides best practices, documentation, and tools that cloud architects, IT professionals, and business decision-makers need to successfully achieve their short- and long-term objectives. We will be focusing on topics like the Cloud Adoption Framework and the new Enterprise-Scale landing zone architecture.

Azure Architecture Best Practices Virtual Event Agenda:
- Introduction
- Why Azure Architecture?
- Introduction to the Cloud Adoption Framework
- What is Enterprise-Scale?
- Build landing zones with Enterprise-Scale
- Critical design areas
- Deployment using AzOps
- Demo
- Build on top of Enterprise-Scale – Well-Architected Framework for workloads and apps
- Q&A

Move on-prem environment to Azure migration
Hi there, I'm working with a customer with a traditional Windows AD domain. The customer wants to move all their Windows VMs (now running on VMware) to Azure. For the clients, we recently managed to make all devices Azure AD Joined only. The M365 suite is used for Teams/SharePoint/Exchange Online, Defender for Endpoint, and Endpoint Manager for client management. We have no domain-joined computers anymore. All the users are still in Azure AD Connect, which syncs to Azure AD. Printers are on Universal Print and files on Teams/SharePoint. We now have a large file share that we could not migrate to SharePoint. We would like to have this on Azure Files. Right now we are at the start of creating an Azure subscription. What should be the best route to take for this? On-prem there are a couple of Windows (apps) VMs that we would like to 'lift and shift' to Azure. These app servers are used for legacy/history checking... If there is any clear path or documentation that we can consult, I would like to know. Thanks in advance!

On-Premises Data Gateway
I have a web application that calls some Logic App HTTPS endpoints to retrieve data from an on-premises SQL Server via the on-prem data gateway. I have noticed that when I hit the API first thing in the morning, the initial call is extremely slow, but subsequent calls are what I would expect. I don't see this with other endpoints that don't use a gateway. This leads me to believe that the gateway is "spinning down". Are there any settings to prevent this from happening, or do I have to create a schedule of some sort to call it every so often to keep it fresh? Thanks.