CSP delegation on non CSP azure subscriptions

If you’re a Cloud Solution Provider and you supply a CSP azure subscription to that tenant, your AdminAgents will have Owner access to that subscription. Lets say the customer also has an existing subscription.

When you add your accounts as Owner to the existing tenant subscription, your users are added as Guest accounts in the customer’s Azure AD. This removes the delegated CSP subscriptions because the reference to the foreign accounts breaks.

So, alternatively, use

Get-AzureRmRoleAssignment -Scope "/subscriptions/<SUBSCRIPTION ID>

on the CSP subscription to get the Foreign Principal ID for your own tenant. Then use

New-AzureRMRoleAssignment -ObjectId <FOREIGN PRINCIPAL ID> -Scope "/subscriptions/ 
<SUBSCRIPTION ID>" -RoleDefinitionName Owner

to add the foreign principal ID to the existing customer subscription to get delegated access 🙂

 

Leave a Reply

Be the First to Comment!

avatar
  Subscribe  
Notify of