Introduction to Microsoft CSP
The Cloud Solution Provider Program (CSP) is a program developed by Microsoft for providers of cloud-based solutions. It offers a simple way to market Microsoft cloud services such as Microsoft 365 or Azure in combination with cloud solutions from other manufacturers and your own solutions. So you can refine them with additional services such as managed services. As a Microsoft partner in the Cloud Solution Provider Program, you determine the provision, management, support, and direct billing with your customers. There are two different CSP models available, made to fit the needs and sizes of all kinds of partner companies.
The Direct-CSP Model: In the direct CSP model, Microsoft partners contract directly with Microsoft, sell directly to end customers, and are fully responsible for all steps from provisioning to support to billing. The direct CSP model is primarily aimed for larger companies.
The Indirect-CSP Model: In the indirect CSP model, Microsoft partners first enter into an agreement with a Cloud Solution Distributor or Indirect CSP Provider. The Cloud Solution Distributor offers cloud services from Microsoft and other providers in a special portal – the Cloud Marketplace. The scope and functionality of different cloud marketplaces can vary depending on the CSP provider.
Manage subscriptions and resources as a Microsoft CSP
This blog post discusses how Cloud Solution Provider (CSP) partners can use role-based access control (RBAC) to manage a customer’s Azure resources.
There are several ways to maintain operational control and management of a customer’s Azure resources:
- Admin on Behalf of (AOBO): Any user with the Admin agent role in the partner tenant has RBAC owner access to Azure subscriptions created through the CSP program.
- Azure Lighthouse: This allows for the assignment of different groups to different customers or roles, improving security and providing more flexibility to manage multiple customers at scale.
- Directory or Guest Users or Service Principals: Granular access to CSP subscriptions can be delegated by adding users in the customer directory or by adding guest users and assigning specific RBAC roles.
Admin on Behalf of (AOBO)
When you order an Azure plan (Subscription) for the customer over a CSP, the partner is assigned privilege rights via Admin on Behalf of (AOBO).
There are two security groups in the partner’s Microsoft Entra tenant used for those RBAC permissions: Admin Agents and Helpdesk Agents.
However, if a customer removes these delegated admin privileges, the RBAC assignments are removed, and the partner will no longer be able to manage the customer’s Subscription and Resources.
NOTE: The AOBO is not directly linked to the GDAP permissions. For more information visit: Workloads supported by granular delegated admin privileges (GDAP) – Partner Center | Microsoft Learn
Difference of AOBO and Azure Lighthouse
AOBO allows any user with the Admin Agent role in your tenant to have access to Azure subscriptions. However, it lacks flexibility as it doesn’t allow the creation of distinct groups for different customers or roles.
On the other hand, Azure Lighthouse provides more flexibility by allowing the assignment of different groups to different customers or roles. It improves security by limiting unnecessary access to customer resources and allows management of multiple customers at scale. It also enables granting additional permissions to users on a just-in-time basis to minimize permanent assignments. Onboarding a subscription through the CSP program can be performed by any user with the Admin Agent role in the customer’s tenant.
Source: Cloud Solution Provider-Programm Handbuch.pdf, Manage subscriptions and resources under the Azure plan, Get delegated administration privileges from a customer, Workloads supported by granular delegated admin privileges (GDAP), Azure Lighthouse and the Cloud Solution Provider program