As a Cloud Solution Provider we work a lot with Microsoft's Partner Center. But not every customer has an Azure subscription that has been bought through the CSP model.
Because we try to align our procedures, we were looking into accessing Azure subscriptions through Partner Center. This will also cut the number of separate logins we have.
To achieve this we are looking into how to add the Foreign Principal Group to Azure subscriptions.
Prerequisites
- An existing Azure subscription delivered through the CSP model
- PowerShell AZ module
- An account with rights in the Azure subscription
Getting the ObjectId
Before we can add the Foreign Principal Group to a non-CSP Azure subscription, we need to get some details from an existing Azure subscription delivered through the CSP model.
Get the TenantId of one of your existing CSP Azure subscriptions and run the PowerShell code below.
Connect-AzAccount -Tenant '{TenantId}'
Get-AZRoleAssignment -Scope /subscriptions/{SubscriptionId} | where DisplayName -like 'Foreign Principal*' | fl DisplayName, ObjectID
After running the above PowerShell script, you will get the information we need.
PS C:\Users\HeyAzureGuy> Get-AZRoleAssignment -Scope /subscriptions/*** | where DisplayName -like 'Foreign Principal*' | fl DisplayName, ObjectID
DisplayName : Foreign Principal for '***' in Role 'TenantAdmins' (***.onmicrosoft.com)
ObjectId : ***
Setting the Foreign Principal
Now that we have our ObjectId, we can assign this object to non-CSP Azure subscriptions, such as subscriptions from an Enterprise Agreement.
Log in to the Azure subscription where you would like to add the Foreign Principal and run the following command:
New-AZRoleAssignment -ObjectId '{ObjectId from previous step}' -RoleDefinitionName {Owner, Reader, Contributor or whatever role you like} -Scope /subscriptions/***
When you have completed the steps above, you will see a confirmation:
PS C:\Users\DaniëlEtten> New-AZRoleAssignment -ObjectId '***' -RoleDefinitionName Reader -Scope /subscriptions/***
RoleAssignmentId : /subscriptions/***/providers/Microsoft.Authorization/roleAssignments/***
Scope : /subscriptions/***
DisplayName : Foreign Principal for '***' in Role 'TenantAdmins' (***.onmicrosoft.com)
SignInName :
RoleDefinitionName : Reader
RoleDefinitionId : ***
ObjectId : ***
ObjectType : Group
CanDelegate : False
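Putting both steps together as one idempotent script (an added example, not code from the original post): it reads the Foreign Principal's ObjectId from a CSP-delivered subscription, checks whether the target subscription already carries that assignment, and only then assigns the role, defaulting to Reader as the least-privilege choice. The parameter names and the optional -TargetTenantId are my own assumptions; replace the placeholder values with your own IDs.

```powershell
# Added example (not from the original post). Copies the CSP Foreign Principal
# role assignment to a non-CSP subscription, checking before and after.
# Parameter names are assumptions; the role defaults to Reader (least privilege).
param(
    [Parameter(Mandatory)] [string] $CspTenantId,
    [Parameter(Mandatory)] [string] $CspSubscriptionId,
    [Parameter(Mandatory)] [string] $TargetSubscriptionId,
    [string] $TargetTenantId,               # only needed if the target lives in another tenant
    [string] $RoleDefinitionName = 'Reader'
)

# Step 1: read the Foreign Principal group from a CSP-delivered subscription.
Connect-AzAccount -Tenant $CspTenantId | Out-Null
$foreign = Get-AzRoleAssignment -Scope "/subscriptions/$CspSubscriptionId" |
    Where-Object DisplayName -like 'Foreign Principal*' |
    Select-Object -First 1
if (-not $foreign) { throw "No Foreign Principal assignment found on $CspSubscriptionId" }
Write-Host "Found '$($foreign.DisplayName)' with ObjectId $($foreign.ObjectId)"

# Step 2: switch to the target subscription (re-authenticate if it is in another tenant).
if ($TargetTenantId) {
    Connect-AzAccount -Tenant $TargetTenantId -Subscription $TargetSubscriptionId | Out-Null
} else {
    Set-AzContext -Subscription $TargetSubscriptionId | Out-Null
}
$scope = "/subscriptions/$TargetSubscriptionId"

# Step 3: skip if the assignment already exists, so reruns do not create duplicates.
$existing = Get-AzRoleAssignment -ObjectId $foreign.ObjectId -Scope $scope -ErrorAction SilentlyContinue |
    Where-Object RoleDefinitionName -eq $RoleDefinitionName
if ($existing) {
    Write-Host "Foreign Principal already holds '$RoleDefinitionName' on $scope"
    return
}

# Step 4: create the assignment. A 'does not exist in the directory' error means the
# target tenant has no CSP relationship with the partner, so the group cannot be resolved.
try {
    New-AzRoleAssignment -ObjectId $foreign.ObjectId `
        -RoleDefinitionName $RoleDefinitionName -Scope $scope -ErrorAction Stop
} catch {
    if ($_.Exception.Message -match 'does not exist in the directory') {
        throw "The tenant of $TargetSubscriptionId has no CSP partner relationship; the Foreign Principal cannot be assigned."
    }
    throw
}
```

The same Get-AzRoleAssignment query in step 3 can be run on its own against each subscription to audit which non-CSP subscriptions already grant the Foreign Principal access.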
Have a cloudy day!
This only works if you partner up with the tenant where you want to add “adminAgents” to subscriptions.
Therefore, to get it to work on an EA subscription, you must be a CSP partner with the tenant where the subscription is added.
If you are not a CSP partner with the tenant, you will get this error:
New-AZRoleAssignment : Principal xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx does not exist in the directory xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
At line:1 char:1
+ New-AZRoleAssignment -ObjectId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx – …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzRoleAssignment], CloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand
Is there any REST API to know whether the foreign principal is assigned to a CSP customer or not?