Managing access to Azure subscriptions
PRISM enables partners to manage access to their customers’ Azure subscriptions directly from the PRISM Portal. Three access levels are available – None, Reader and Contributor – which correspond to standard Azure roles.
Getting set up
This feature works by assigning the role to the ‘AdminAgents’ security group from your partner Azure tenant. The role is assigned on a per-Azure subscription basis, giving granular access on-demand.
Before using this feature, PRISM needs to know the identifier of the ‘AdminAgents’ security group from your partner Azure tenant. When this is not yet set up, the following notice will be displayed when managing a customer’s tenant under the Microsoft CSP program. Click the ‘Click here to start setting up’ button to launch Azure Connect and get set up.
When Azure Connect is launched it will prompt you to sign in to your partner Azure tenant using administrative credentials.
Upon signing in, you will be asked to grant permission to read directory data. This permission is only needed during the setup process and can be revoked afterward (see below).
Next, details of your partner Azure tenant and ‘AdminAgents’ security group will be displayed. Confirm the details then click Save.
Once the process is complete, a confirmation message will appear. To finalise the process, navigate to the Microsoft My Apps site and revoke the permission granted earlier. Then, sign out of your administrative account.
When viewing the customer’s tenant in the PRISM Portal, it will now display your ‘AdminAgents’ security group identifier. If you need to change the security group, click ‘Change’ which will launch Azure Connect again.
Changing Azure subscription access
To update access from the PRISM Portal, navigate to the customer’s Azure subscription, select the desired role, and click Update Access.
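To confirm that the ‘AdminAgents’ group holds only the level selected above, the subscription’s role assignments can be checked independently of the portal. The following is an added example, not PRISM code: it audits JSON shaped like the output of `az role assignment list --all -o json`, and it assumes the assignment is made exactly at subscription scope. The GUIDs, the sample data and the function name are constructed for illustration.

```python
import json

# Constructed sample shaped like `az role assignment list --all -o json` output.
# Every GUID below is a placeholder, not a value from PRISM or a real tenant.
GROUP_ID = "11111111-1111-1111-1111-111111111111"  # hypothetical AdminAgents object ID
SUB_ID = "22222222-2222-2222-2222-222222222222"    # hypothetical customer subscription
SAMPLE = json.dumps([
    {"principalId": GROUP_ID, "principalType": "Group",
     "roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB_ID}"},
    {"principalId": GROUP_ID, "principalType": "Group",
     "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUB_ID}/resourceGroups/rg-example"},
    {"principalId": "33333333-3333-3333-3333-333333333333", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB_ID}"},
])

# PRISM access level -> role names expected at subscription scope (assumed mapping).
EXPECTED = {"None": set(), "Reader": {"Reader"}, "Contributor": {"Contributor"}}


def audit_admin_agents(assignments_json, group_id, subscription_id, level):
    """Return findings where the group's actual roles differ from the chosen level."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    at_sub, findings = set(), []
    for a in json.loads(assignments_json):
        if a["principalId"].lower() != group_id.lower():
            continue  # other principals are not part of this check
        scope = a["scope"].lower().rstrip("/")
        if scope == sub_scope:
            at_sub.add(a["roleDefinitionName"])
        else:
            # Assignment made somewhere other than the subscription itself.
            findings.append(f"unexpected scope: {a['roleDefinitionName']} at {a['scope']}")
    extra, missing = at_sub - EXPECTED[level], EXPECTED[level] - at_sub
    findings += [f"unexpected role at subscription: {r}" for r in sorted(extra)]
    findings += [f"missing role at subscription: {r}" for r in sorted(missing)]
    return findings


if __name__ == "__main__":
    for line in audit_admin_agents(SAMPLE, GROUP_ID, SUB_ID, "Reader"):
        print(line)
```

An empty result means the group’s assignments match the selected level; any finding is worth reviewing before relying on the portal’s displayed state.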
Troubleshooting
- Sign-In Approval Required
When signing in to your partner Azure tenant using an administrative account, you may be prompted to request approval for the required permissions. This occurs due to a policy of your partner Azure tenant, and the request goes to the administrators of your partner Azure tenant for approval.
- No ‘AdminAgents’ Group Found
After launching Azure Connect and signing in with an administrative account, an alert may be displayed that no ‘AdminAgents’ security groups were found.
This can occur when the administrative account doesn’t have the necessary permissions, or no ‘AdminAgents’ security group exists in your partner Azure tenant.