Add Foreign Principal Group to Azure subscription

As a Cloud Solution Provider we work a lot with Microsoft's Partner Center. But not every customer has an Azure subscription that was bought through the CSP model.
Because we try to align our procedures, we were looking into accessing Azure subscriptions through Partner Center. This will also cut the number of separate logins we have.
To achieve this we are looking into how to add the Foreign Principal Group to Azure subscriptions.

Prerequisites

  • An existing Azure subscription delivered through the CSP model
  • PowerShell AZ module
  • An account with rights in the Azure subscription

Getting the ObjectId

Before we can add the Foreign Principal Group to a non-CSP Azure subscription, we need to get some details from an existing Azure subscription delivered through the CSP model.
Get the Tenant ID from one of your existing CSP Azure subscriptions and run the PowerShell code below.

# Sign in to the tenant that holds a CSP-delivered subscription
Connect-AzAccount -Tenant '{TenantId}'
# List the Foreign Principal group assignment on that subscription and show its ObjectId
Get-AzRoleAssignment -Scope /subscriptions/{SubscriptionId} | where DisplayName -like 'Foreign Principal*' | fl DisplayName, ObjectId

After running the above PowerShell script, you will get the information we need.

PS C:\Users\HeyAzureGuy> Get-AZRoleAssignment -Scope /subscriptions/*** | where DisplayName -like 'Foreign Principal*' | fl DisplayName, ObjectID

DisplayName : Foreign Principal for '***' in Role 'TenantAdmins' (***.onmicrosoft.com)
ObjectId    : ***

Setting the Foreign Principal

Now that we have our ObjectId we can assign this object to non-CSP Azure subscriptions, like subscriptions from an Enterprise Agreement for instance. Because the Foreign Principal is a group (see the ObjectType in the confirmation below), whichever role you pick is granted to every member of that group in the partner tenant, so choose the least privileged role that covers your needs.
Log in to the Azure subscription where you would like to add the Foreign Principal and run the following command:

# Assign the Foreign Principal group a role on the target (non-CSP) subscription
New-AzRoleAssignment -ObjectId '{ObjectId from previous step}' -RoleDefinitionName {Owner, Reader, Contributor or whatever role you like} -Scope /subscriptions/{SubscriptionId}

When you have completed the steps above, you will see a confirmation:

PS C:\Users\DaniëlEtten> New-AZRoleAssignment -ObjectId '***' -RoleDefinitionName Reader -Scope /subscriptions/***


RoleAssignmentId   : /subscriptions/***/providers/Microsoft.Authorization/roleAssignments/***
Scope              : /subscriptions/***
DisplayName        : Foreign Principal for '***' in Role 'TenantAdmins' (***.onmicrosoft.com)
SignInName         : 
RoleDefinitionName : Reader
RoleDefinitionId   : ***
ObjectId           : ***
ObjectType         : Group
CanDelegate        : False
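The two steps above combined into one script, with an idempotency check before creating the assignment and a closing audit of every Foreign Principal assignment on the target subscription. This is an added example, not code from the original post; the parameter names, the Reader default and the separate sign-in to the target subscription are my assumptions.

```powershell
# Added example: grant the CSP Foreign Principal group a role on a non-CSP subscription.
# All IDs are supplied as parameters; nothing here is taken from a real tenant.
param(
    [Parameter(Mandatory)] [string] $CspTenantId,          # tenant holding a CSP-delivered subscription
    [Parameter(Mandatory)] [string] $CspSubscriptionId,    # that CSP subscription (source of the group ObjectId)
    [Parameter(Mandatory)] [string] $TargetSubscriptionId, # non-CSP subscription (e.g. EA) to grant access on
    [string] $RoleDefinitionName = 'Reader'                # least privilege by default; raise only when needed
)

# Step 1: read the Foreign Principal group's ObjectId from the CSP subscription.
Connect-AzAccount -Tenant $CspTenantId | Out-Null
$foreign = Get-AzRoleAssignment -Scope "/subscriptions/$CspSubscriptionId" |
    Where-Object DisplayName -like 'Foreign Principal*'

# The same group can appear once per scope; there must still be exactly one distinct ObjectId.
$ids = @($foreign.ObjectId | Sort-Object -Unique)
if ($ids.Count -ne 1) {
    throw "Expected exactly one Foreign Principal group, found $($ids.Count); inspect the assignments manually."
}
$objectId = $ids[0]
Write-Host "Foreign Principal group ObjectId: $objectId"

# Step 2: assign that group on the target subscription, skipping if the assignment already exists.
Connect-AzAccount -Subscription $TargetSubscriptionId | Out-Null
$scope = "/subscriptions/$TargetSubscriptionId"
$existing = Get-AzRoleAssignment -ObjectId $objectId -Scope $scope |
    Where-Object RoleDefinitionName -eq $RoleDefinitionName

if ($existing) {
    Write-Host "Assignment already present: $RoleDefinitionName on $scope"
} else {
    $new = New-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $RoleDefinitionName -Scope $scope
    Write-Host "Created role assignment: $($new.RoleAssignmentId)"
}

# Step 3: audit every Foreign Principal assignment on the target subscription, so that
# cross-tenant access nobody remembers granting (e.g. an old Owner assignment) is visible.
Get-AzRoleAssignment -Scope $scope |
    Where-Object DisplayName -like 'Foreign Principal*' |
    Select-Object DisplayName, RoleDefinitionName, Scope, ObjectType |
    Format-Table -AutoSize
```

Run the audit part on its own periodically; a Foreign Principal assignment with a broader role than you intended is a cross-tenant exposure worth catching early.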

Have a cloudy day!
