There are two security groups in the partner's Azure AD tenant, Azure Admin (Contributor) and Azure View (Reader), that are used for delegated administration. In order to see subscriptions in the Azure portal, you need to be a member of one of these two groups.
When a customer grants delegated administration privilege to a partner:
- The Azure Admin group is assigned the Global Administrator role in the customer's Azure AD tenant, which has administrative capabilities.
- The Azure View group is assigned the Helpdesk Administrator role in the customer's Azure AD tenant for read-only view.
Each Azure subscription has its own set of resource management roles. Before a CSP partner can manage a customer's Azure subscription, the partner must be assigned to one or more roles under the Azure subscription. Specifically:
- When a customer accepts a reseller invitation and grants delegated administration privilege to a partner, the partner doesn't automatically get access to existing Azure subscriptions under the customer tenant.
- When the Cloud Solution Provider (CSP) partner provisions a new Azure subscription for the customer, the Admin Agents group under the CSP partner tenant is automatically assigned the Owner role under the subscription. Based on this role assignment, members of the group can access and manage resources under the subscription.
- When a customer removes delegated administration privileges from a partner using Office 365 Portal, the partner can still manage the customer's Azure subscription as long as the partner is still assigned to one or more roles under the subscription. To stop the partner from managing the Azure subscription, the customer must remove the role assignment.
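The last point can be checked from the customer side. This added example (not part of the original article) parses role-assignment JSON in the shape returned by `az role assignment list --all --include-inherited -o json` and lists the assignments held by principals from another tenant, with the matching removal command for each. The sample data is constructed, and treating a `principalType` that starts with `Foreign` as a partner principal is an assumption.

```python
import json

# Constructed sample in the shape of:
#   az role assignment list --all --include-inherited -o json
# Every ID and name below is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RA = "/providers/Microsoft.Authorization/roleAssignments/"
SAMPLE = json.dumps([
    {"id": SUB + RA + "ra-customer-admin", "principalType": "User",
     "principalName": "admin@customer.example",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"id": SUB + "/resourceGroups/rg-app" + RA + "ra-partner-reader",
     "principalType": "ForeignGroup", "principalName": "",
     "principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/rg-app"},
    {"id": SUB + RA + "ra-partner-owner", "principalType": "ForeignGroup",
     "principalName": "", "principalId": "11111111-1111-1111-1111-111111111111",
     "roleDefinitionName": "Owner", "scope": SUB},
])

# Built-in roles that allow changing resources or access.
PRIVILEGED = {"Owner", "Contributor", "User Access Administrator"}

def partner_assignments(raw_json):
    """Return assignments held by principals from another tenant, privileged first."""
    findings = []
    for ra in json.loads(raw_json):
        # Assumption: partner principals carry a Foreign* principalType.
        if not ra.get("principalType", "").startswith("Foreign"):
            continue
        role = ra.get("roleDefinitionName", "")
        findings.append({
            "id": ra["id"],
            "principal": ra.get("principalName") or ra.get("principalId", ""),
            "role": role,
            "scope": ra.get("scope", ""),
            "privileged": role in PRIVILEGED,
        })
    return sorted(findings, key=lambda f: not f["privileged"])

def removal_commands(findings):
    """Build (not run) the delete command for each assignment, for review."""
    return [f"az role assignment delete --ids {f['id']}" for f in findings]

if __name__ == "__main__":
    found = partner_assignments(SAMPLE)
    for f, cmd in zip(found, removal_commands(found)):
        print(f["role"], f["principal"], f["scope"], "->", cmd)
```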
Steps to enable permissions on Azure Subscriptions from within PRISM
- Navigate to the Microsoft CSP program tile under the Programs tab.
- Navigate to the Manage Existing Tenants tile.
- Navigate to the tenant and click on Manage.
- Click on Manage next to the subscription to set the access level.
- Under the Manage Subscription page, select the type of access level and click on Update Access.
- Once the access level is updated in PRISM, it will reflect the tenant's access level in the Microsoft Partner Center.