Add Foreign Principal Group to Azure subscription

As a Cloud Solution Provider we work a lot with Microsoft's Partner Center. But not every customer has an Azure subscription that has been bought through the CSP model.
Because we try to align our procedures, we were looking into accessing Azure subscriptions through Partner Center. This will also cut the number of separate logins we have.
To achieve this, we are looking into how to add the Foreign Principal Group to Azure subscriptions.


  • An existing Azure subscription delivered through the CSP model
  • PowerShell AZ module
  • An account with rights in the Azure subscription

Getting the ObjectId

Before we can add the Foreign Principal Group to a non-CSP Azure subscription, we need to get some details from an existing Azure subscription delivered through the CSP model.
Get a TenantID from one of your existing CSP Azure Subscriptions and run the PowerShell code below.

Connect-AzAccount -Tenant '{TenantId}'
Get-AZRoleAssignment -Scope /subscriptions/{SubscriptionId} | where DisplayName -like 'Foreign Principal*' | fl DisplayName, ObjectID

After running the above PowerShell script, you will get the information we need.

PS C:\Users\HeyAzureGuy> Get-AZRoleAssignment -Scope /subscriptions/*** | where DisplayName -like 'Foreign Principal*' | fl DisplayName, ObjectID

DisplayName : Foreign Principal for '***' in Role 'TenantAdmins' (***
ObjectId    : ***

Setting the Foreign Principal

Now that we have our ObjectId, we can assign this object to non-CSP Azure subscriptions, for instance subscriptions from an Enterprise Agreement.
Log in to the Azure subscription where you would like to add the Foreign Principal and run the following command:

New-AZRoleAssignment -ObjectId '{ObjectId from previous step}' -RoleDefinitionName {Owner, Reader, Contributor or whatever role you like} -Scope /subscriptions/***

When you have completed the steps above, you will see a confirmation:

PS C:\Users\DaniëlEtten> New-AZRoleAssignment -ObjectId '***' -RoleDefinitionName Reader -Scope /subscriptions/***

RoleAssignmentId   : /subscriptions/***/providers/Microsoft.Authorization/roleAssignments/***
Scope              : /subscriptions/***
DisplayName        : Foreign Principal for '***' in Role 'TenantAdmins' (***
SignInName         : 
RoleDefinitionName : Reader
RoleDefinitionId   : ***
ObjectId           : ***
ObjectType         : Group
CanDelegate        : False
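
To review afterwards which subscriptions carry a Foreign Principal assignment and with which role, the following added example (not part of the original post) repeats the lookup from the first step for every subscription the signed-in account can see. The function name and the list of roles flagged as high privilege are assumptions; it expects the Az module and an existing Connect-AzAccount session.

```powershell
# Added example, not from the original post.
# Lists every 'Foreign Principal*' role assignment per subscription and flags
# the ones that hold a high-privilege role.

function Get-ForeignPrincipalAssignment {
    [CmdletBinding()]
    param(
        # Assumed list of roles to flag; adjust to your own policy.
        [string[]]$HighPrivilegeRoles = @('Owner', 'Contributor', 'User Access Administrator')
    )

    foreach ($sub in Get-AzSubscription) {
        # Switch context so the role assignments are read from this subscription's tenant.
        $null = Set-AzContext -Subscription $sub.Id -Tenant $sub.TenantId

        # Same filter as in the post: match on the DisplayName prefix.
        Get-AzRoleAssignment -Scope "/subscriptions/$($sub.Id)" |
            Where-Object { $_.DisplayName -like 'Foreign Principal*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Subscription       = $sub.Name
                    SubscriptionId     = $sub.Id
                    DisplayName        = $_.DisplayName
                    ObjectId           = $_.ObjectId
                    ObjectType         = $_.ObjectType
                    RoleDefinitionName = $_.RoleDefinitionName
                    Scope              = $_.Scope
                    HighPrivilege      = $_.RoleDefinitionName -in $HighPrivilegeRoles
                    RoleAssignmentId   = $_.RoleAssignmentId
                }
            }
    }
}

# High-privilege assignments first, then grouped by subscription name.
Get-ForeignPrincipalAssignment |
    Sort-Object -Property @{ Expression = 'HighPrivilege'; Descending = $true }, Subscription |
    Format-Table Subscription, RoleDefinitionName, HighPrivilege, Scope, DisplayName -AutoSize
```

The RoleAssignmentId in each returned object identifies the exact assignment to look up when a role turns out to be broader than intended.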

Have a cloudy day!


6 thoughts on “Add Foreign Principal Group to Azure subscription”

  1. Pingback: Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure credentials - Hey Azure Guy!

  2. Jesper

    This only works if you partner up with the tenant where you want to add “adminAgents” to subscriptions.

    Therefore, to get it to work on an EA subscription, you must be a CSP partner with the tenant where the subscription is added.

    If you are not a CSP partner with the tenant, you will get this error:
    New-AZRoleAssignment : Principal xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx does not exist in the directory xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
    At line:1 char:1
    + New-AZRoleAssignment -ObjectId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx – …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : CloseError: (:) [New-AzRoleAssignment], CloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand

  3. Roushan

    Is there any REST API to know whether the foreign principal is assigned to a CSP customer or not?

  4. Josef Darmenia

    Hi all, when running the above command, from a few days ago I’m receiving the below response:
    New-AzRoleAssignment : The PrincipalId ‘xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx’ has type ‘ForeignGroup’ , which is different from specified PrinciaplType ‘Group’.
    Has anybody experienced a similar issue, and if yes, have you managed to solve it?

    1. Tom

      Josef – I have the same error. I have been actively working with Microsoft on this issue, but no progress so far. I will reply back once I do.

  5. Tom

    Josef – I had the same issue. The reason it doesn’t work is that for some reason it still preferred the AzureRM module vs. the Az(Azure) module. Try using this:
    # Subscription owner can open PowerShell as Administrator and Install the AzureRM module
    Install-Module -Name AzureRM -AllowClobber -Scope AllUsers

    # Once installed, import the module to PowerShell
    Import-Module -Name AzureRM

    At this point, PowerShell is ready to go for the desired operation. The next set of commands are as follows:

    # Subscription owner logs in to customer’s tenant
    Add-AzureRMAccount -Tenant

    # Check that you are operating on the right subscription by getting the subscription details

    # Assign Owner role to the desired AdminAgent group within the preferred subscription
    New-AzureRMRoleAssignment -ObjectId -RoleDefinitionName "Owner" -Scope "/subscriptions/"

    Note: is not required while executing the operation.

