As a Cloud Solution Provider we work a lot with Microsofts Partner Center. But not every customer has an Azure subscription that has been bought through the CSP model.
Because we try to allign our procedures we where looking into accessing Azure subscriptions through Parnter Center. This will also cut the number of seperate logins we have.
To achieve this we are looking in how to add the Foreign Prinicpal Group to Azure subscriptions.
Prerequisites
- An existing Azure subscription delivered through the CSP model
- PowerShell AZ module
- An account with rights in the Azure subscription
Getting the ObjectId
Before we can add the Foreign Prinicpal Group to a non CSP Azure subscription, we need to get some details from an existing Azure subscription delivered through the CSP model.
Get a TenantID from one of your existing CSP Azure Subscriptions and run the PowerShell code below.
|
1 2 |
Connect-AzAccount -Tenant '{TenandId}' Get-AZRoleAssignment -Scope /subscriptions/{SubscriptionId} | where DisplayName -like 'Foreign Principal*' | fl DisplayName, ObjectID |
After running the above PowerShell script, you will get the information we need.
|
1 2 3 4 |
PS C:\Users\HeyAzureGuy> Get-AZRoleAssignment -Scope /subscriptions/*** | where DisplayName -like 'Foreign Principal*' | fl DisplayName, ObjectID DisplayName : Foreign Principal for '***' in Role 'TenantAdmins' (***.onmicrosoft.com) ObjectId : *** |
Setting the Foreign Principal
Now we have our ObjectId we can assign this object to non CSP Azure Subscriptions, like subscriptions from an Enterprise Agreement for instance.
Login to the Azure subscription where you would like to add the Foreign Principal and run the following command:
|
1 |
New-AZRoleAssignment -ObjectId '{ObjectId from previous step}' -RoleDefinitionName {Owner, Reader, Contributer or what ever role you like} -Scope /subscriptions/*** |
When you have completed the steps above, you will see a confirmation:
|
1 2 3 4 5 6 7 8 9 10 11 12 |
PS C:\Users\DaniëlEtten> New-AZRoleAssignment -ObjectId '***' -RoleDefinitionName Reader -Scope /subscriptions/*** RoleAssignmentId : /subscriptions/***/providers/Microsoft.Authorization/roleAssignments/*** Scope : /subscriptions/*** DisplayName : Foreign Principal for '***' in Role 'TenantAdmins' (***.onmicrosoft.com) SignInName : RoleDefinitionName : Reader RoleDefinitionId : *** ObjectId : *** ObjectType : Group CanDelegate : False |
Have a cloudy day!
Loading...
Pingback: Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure credentials - Hey Azure Guy!