Change permissions of foreign principals

Introduction

As a Cloud Solution Provider (CSP) partner, you are responsible for managing your customers’ Azure usage and systems, which requires admin privileges. These privileges can be reinstated by your customer if not already in place.

There are two levels of admin privileges in Azure under the CSP program:

  • Tenant-level admin privileges: These are automatically granted when you establish a reseller relationship with a customer. They allow you to perform administrative functions such as adding and managing users, resetting passwords, and managing user licenses.
  • Subscription-level admin privileges: These are granted when creating Azure CSP subscriptions for your customers. They provide complete access to your customers’ Azure CSP subscriptions, enabling you to provision and manage their Azure resources.

Changing AOBO permissions

In some cases, you have to reinstate or change the AOBO permissions. To add or change permissions on a subscription, you first need a valid delegated admin partner connection. If that connection is not in place, you cannot add or change a foreign principal group of your partner.

You can either use PowerShell or the Azure CLI. If you are using PowerShell you need the Az.Resources module.

  1. In the first step, you have to get the Admin Agent or Helpdesk Agent group ID of your partner tenant. To do so, copy the ID via the Azure Portal or get it via PowerShell:
    # Sign in to the partner tenant
    Connect-AzAccount -Tenant "<Partner tenant>"
    # Get the object ID of the AdminAgents group
    Get-AzADGroup -DisplayName AdminAgents
  2. Afterwards, connect to your customer's tenant, in which the CSP subscription exists. Connect with a user who has the permissions to assign roles on the subscription.
    PowerShell
    Connect-AzAccount -TenantId "<Customer tenant>"
    Azure CLI
    az login --tenant <Customer tenant>
  3. After successfully connecting to the customer tenant, select the subscription.
    PowerShell
    Set-AzContext -SubscriptionId "<CSP Subscription ID>"
    Azure CLI
    az account set --subscription <CSP Subscription ID>
  4. Now you can assign, for example, the Owner role to the partner's Admin Agents group on the subscription.
    PowerShell
    New-AzRoleAssignment -ObjectId "<Object ID of the AdminAgents group from step 1>" -RoleDefinitionName "Owner" -Scope "/subscriptions/<CSP subscription ID>" -ObjectType "ForeignGroup"
    Azure CLI
    az role assignment create --role "Owner" --assignee-object-id <Object ID of the AdminAgents group from step 1> --scope "/subscriptions/<CSP Subscription ID>" --assignee-principal-type "ForeignGroup"
  5. Instead of granting Owner permissions at the subscription level, they can be granted at the resource group or resource level too.
    PowerShell
    New-AzRoleAssignment -ObjectId "<Object ID of the AdminAgents group from step 1>" -RoleDefinitionName Owner -Scope "/subscriptions/<CSP subscription ID>/resourceGroups/<Resource group name>" -ObjectType "ForeignGroup"

    New-AzRoleAssignment -ObjectId "<Object ID of the AdminAgents group from step 1>" -RoleDefinitionName Owner -Scope "<Resource URI>" -ObjectType "ForeignGroup"

    Azure CLI
    az role assignment create --role "Owner" --assignee-object-id <Object ID of the AdminAgents group from step 1> --scope "/subscriptions/<CSP Subscription ID>/resourceGroups/<Resource group name>" --assignee-principal-type "ForeignGroup"

    az role assignment create --role "Owner" --assignee-object-id <Object ID of the AdminAgents group from step 1> --scope "<Resource URI>" --assignee-principal-type "ForeignGroup"
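The five steps above, combined into one PowerShell script as an added example (this is not code from the original post or from Microsoft's documentation). It assumes the Az.Accounts and Az.Resources modules are installed, that the delegated admin (AOBO) relationship already exists, and that the signed-in user can create role assignments on the CSP subscription; the parameter names, the placeholder tenant and subscription IDs, and the optional resource-group scope-down are the script's own choices. Before creating anything it checks whether an identical assignment already exists, and afterwards it lists what the partner group holds in the subscription so the change can be recorded.

```powershell
# Added example: end-to-end AOBO role assignment for a partner foreign group.
# All IDs are placeholders supplied by the caller; nothing here is taken from a real tenant.
param(
    [Parameter(Mandatory)] [string] $PartnerTenantId,    # partner (CSP) tenant ID
    [Parameter(Mandatory)] [string] $CustomerTenantId,   # customer tenant that owns the CSP subscription
    [Parameter(Mandatory)] [string] $SubscriptionId,     # CSP subscription ID
    [string] $GroupDisplayName   = 'AdminAgents',        # or 'HelpdeskAgents'
    [string] $RoleDefinitionName = 'Owner',              # use a narrower built-in role where it suffices
    [string] $ResourceGroupName                          # optional: limit the grant to one resource group (step 5)
)

$ErrorActionPreference = 'Stop'
Import-Module Az.Accounts, Az.Resources

# Step 1: resolve the partner group's object ID in the partner tenant.
Connect-AzAccount -Tenant $PartnerTenantId | Out-Null
$group = Get-AzADGroup -DisplayName $GroupDisplayName
if (-not $group) {
    throw "Group '$GroupDisplayName' not found in partner tenant $PartnerTenantId"
}
$groupObjectId = $group.Id
Write-Host "Partner group '$GroupDisplayName' has object ID $groupObjectId"

# Steps 2 and 3: sign in to the customer tenant and select the CSP subscription.
Connect-AzAccount -Tenant $CustomerTenantId | Out-Null
Set-AzContext -Subscription $SubscriptionId | Out-Null

# Step 4 or 5: build the scope, either the whole subscription or a single resource group.
$scope = "/subscriptions/$SubscriptionId"
if ($ResourceGroupName) {
    $scope += "/resourceGroups/$ResourceGroupName"
}

# Check for an identical assignment first so re-running the script does not create duplicates.
$existing = Get-AzRoleAssignment -ObjectId $groupObjectId -Scope $scope |
    Where-Object { $_.RoleDefinitionName -eq $RoleDefinitionName -and $_.Scope -eq $scope }

if ($existing) {
    Write-Host "Assignment already present: $RoleDefinitionName for $groupObjectId at $scope"
} else {
    # The group lives in the partner tenant, so it must be created as a ForeignGroup principal.
    New-AzRoleAssignment -ObjectId $groupObjectId `
        -RoleDefinitionName $RoleDefinitionName `
        -Scope $scope `
        -ObjectType 'ForeignGroup' | Out-Null
    Write-Host "Created $RoleDefinitionName assignment for $groupObjectId at $scope"
}

# Verification for the change record: every role the partner group now holds in this subscription.
Get-AzRoleAssignment -ObjectId $groupObjectId |
    Select-Object RoleDefinitionName, Scope, ObjectId |
    Format-Table -AutoSize
```

Run it as `.\Set-AoboAssignment.ps1 -PartnerTenantId <partner tenant> -CustomerTenantId <customer tenant> -SubscriptionId <CSP subscription ID>`; add `-ResourceGroupName` to apply step 5 instead of step 4, and `-RoleDefinitionName` to grant something narrower than Owner where the partner's task allows it.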

Source: Reinstate admin privileges for a customer’s Azure CSP subscriptions
