Add Foreign Principal Group to Azure subscription

As a Cloud Solution Provider we work a lot with Microsoft's Partner Center. But not every customer has an Azure subscription that has been bought through the CSP model.
Because we try to align our procedures, we were looking into accessing Azure subscriptions through Partner Center. This will also cut the number of separate logins we have.
To achieve this we looked into how to add the Foreign Principal Group to Azure subscriptions.

Prerequisites

  • An existing Azure subscription delivered through the CSP model
  • PowerShell AZ module
  • An account with rights in the Azure subscription

Getting the ObjectId

Before we can add the Foreign Principal Group to a non-CSP Azure subscription, we need to get some details from an existing Azure subscription delivered through the CSP model.
Get the TenantId of one of your existing CSP Azure subscriptions and run the PowerShell code below.

# Sign in to the tenant that holds a CSP-delivered subscription
Connect-AzAccount -Tenant '{TenantId}'
# List the Foreign Principal group assigned to that subscription and show its ObjectId
Get-AzRoleAssignment -Scope /subscriptions/{SubscriptionId} | Where-Object DisplayName -like 'Foreign Principal*' | Format-List DisplayName, ObjectId

After running the above PowerShell script, you will get the information we need.

PS C:\Users\HeyAzureGuy> Get-AZRoleAssignment -Scope /subscriptions/*** | where DisplayName -like 'Foreign Principal*' | fl DisplayName, ObjectID

DisplayName : Foreign Principal for '***' in Role 'TenantAdmins' (***.onmicrosoft.com)
ObjectId    : ***

Setting the Foreign Principal

Now that we have our ObjectId, we can assign this object to non-CSP Azure subscriptions, for instance subscriptions from an Enterprise Agreement.
Log in to the Azure subscription where you would like to add the Foreign Principal and run the following command:

# Assign the Foreign Principal group a role on the target (non-CSP) subscription; pick the least privileged role that fits
New-AzRoleAssignment -ObjectId '{ObjectId from previous step}' -RoleDefinitionName '{Owner, Reader, Contributor, or whatever role you need}' -Scope /subscriptions/{SubscriptionId}

When you have completed the steps above, you will see a confirmation:

PS C:\Users\DaniëlEtten> New-AZRoleAssignment -ObjectId '***' -RoleDefinitionName Reader -Scope /subscriptions/***

RoleAssignmentId   : /subscriptions/***/providers/Microsoft.Authorization/roleAssignments/***
Scope              : /subscriptions/***
DisplayName        : Foreign Principal for '***' in Role 'TenantAdmins' (***.onmicrosoft.com)
SignInName         : 
RoleDefinitionName : Reader
RoleDefinitionId   : ***
ObjectId           : ***
ObjectType         : Group
CanDelegate        : False
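The two steps above, combined into one script, as an added example that is not from the original post. It assumes the Az module is installed, that the parameter values (CSP tenant and subscription, target tenant and subscription) are supplied by you, and it defaults to the Reader role so that the Foreign Principal group only gets more than read access when you explicitly ask for it. It also checks for an existing assignment before creating one, because New-AzRoleAssignment fails when the same assignment already exists, and it reads the assignment back from the target subscription afterwards so you can confirm what was granted.

```powershell
# Added example, not the original post's code. All IDs are placeholders supplied via parameters.
param(
    [Parameter(Mandatory)] [string] $CspTenantId,           # tenant that holds a CSP-delivered subscription
    [Parameter(Mandatory)] [string] $CspSubscriptionId,     # a subscription delivered through the CSP model
    [Parameter(Mandatory)] [string] $TargetTenantId,        # tenant of the non-CSP (e.g. EA) subscription
    [Parameter(Mandatory)] [string] $TargetSubscriptionId,  # the non-CSP subscription to grant access on
    [string] $RoleDefinitionName = 'Reader'                 # least privilege by default; raise only when needed
)

# Step 1: look up the Foreign Principal group on the CSP subscription and keep its ObjectId.
Connect-AzAccount -Tenant $CspTenantId -Subscription $CspSubscriptionId | Out-Null
$foreign = Get-AzRoleAssignment -Scope "/subscriptions/$CspSubscriptionId" |
    Where-Object DisplayName -like 'Foreign Principal*' |
    Select-Object -First 1 DisplayName, ObjectId

if (-not $foreign) {
    throw "No Foreign Principal assignment found on /subscriptions/$CspSubscriptionId"
}
Write-Host "Found '$($foreign.DisplayName)' with ObjectId $($foreign.ObjectId)"

# Step 2: sign in to the target subscription. The target tenant must have a partner
# relationship with your CSP tenant, otherwise the principal does not resolve there.
Connect-AzAccount -Tenant $TargetTenantId -Subscription $TargetSubscriptionId | Out-Null
$scope = "/subscriptions/$TargetSubscriptionId"

# Step 3: make the script safe to re-run; New-AzRoleAssignment errors on a duplicate assignment.
$existing = Get-AzRoleAssignment -ObjectId $foreign.ObjectId -Scope $scope `
    -RoleDefinitionName $RoleDefinitionName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "Assignment already present: $($existing.RoleAssignmentId)"
    return
}

# Step 4: create the assignment, then read it back from the target side as confirmation.
New-AzRoleAssignment -ObjectId $foreign.ObjectId -RoleDefinitionName $RoleDefinitionName -Scope $scope | Out-Null
Get-AzRoleAssignment -Scope $scope |
    Where-Object ObjectId -eq $foreign.ObjectId |
    Format-List DisplayName, RoleDefinitionName, Scope, ObjectType
```

Run it as `.\Add-ForeignPrincipal.ps1 -CspTenantId ... -CspSubscriptionId ... -TargetTenantId ... -TargetSubscriptionId ...` and add `-RoleDefinitionName Contributor` only when read access is not enough. Because the group in question is the partner tenant's AdminAgents group, the role you pick here is the role every admin agent in your CSP tenant effectively gets on the customer's subscription, which is why the script defaults to Reader and prints what it granted.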

Have a cloudy day!


3 thoughts on “Add Foreign Principal Group to Azure subscription”

  1. Pingback: Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure credentials - Hey Azure Guy!

  2. Jesper

    This only works if you partner up with the tenant where you want to add “adminAgents” to subscriptions.

    Therefore, to get it to work on an EA subscription, you must be a CSP partner with the tenant where the subscription is added.

    If you are not a CSP partner with the tenant, you will get this error:
    New-AZRoleAssignment : Principal xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx does not exist in the directory xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
    At line:1 char:1
    + New-AZRoleAssignment -ObjectId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx – …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : CloseError: (:) [New-AzRoleAssignment], CloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand

  3. Roushan

    Is there any REST API to know whether the foreign principal is assigned to a CSP customer or not?
