Category Archives: CSP

CSP delegation on non CSP azure subscriptions

If you’re a Cloud Solution Provider and you supply a CSP azure subscription to that tenant, your AdminAgents will have Owner access to that subscription by default. Lets say the customer also has an existing subscription (maybe a non-profit donation?).

When you add your accounts as Owner to the existing tenant’s (non-csp) subscription, your users are added as Guest accounts in the customer’s Azure AD. This removes the delegated CSP rights on the CSP subscription because the references to foreign accounts break due to the new guest accounts having the same UPN.

So, alternatively, use

Get-AzureRmRoleAssignment -Scope "/subscriptions/<CSP SUBSCRIPTION ID>

on the CSP subscription to get the Foreign Principal ID for your own tenant. Then use

New-AzureRMRoleAssignment -ObjectId <FOREIGN PRINCIPAL ID> -Scope "/subscriptions/ 
<EXISTING SUBSCRIPTION ID>" -RoleDefinitionName Owner

to add the foreign principal ID to the existing customer subscription to get delegated access 🙂