Azure CSP customer - downgrade foreign principal CSP group – what can go wrong?

Sergej G 36 Reputation points
2021-07-19T15:49:03.647+00:00

Hello,
What is the significance of the partner-managed CSP group in an Azure CSP subscription? I noticed the foreign principal CSP group in the Owner role. Obviously, the Owner role has the maximum level of privileges. But is this really required for billing?
Can this group be removed or downgraded to some other role? I was not able to find Microsoft documentation on this subject. There is info on how to reinstate this, but no information on why this is required. Thanks!


Accepted answer
  1. Siva-kumar-selvaraj 15,596 Reputation points
    2021-07-20T08:21:16.927+00:00

    Hello @Anonymous,

    Thanks for reaching out.

    This is hardcoded in the Azure CSP model: every Partner employee that has Admin Agent rights assigned in the Partner Center portal is added to the "AdminAgent" Azure AD group in the Partner's directory, which is in turn added to a group "Foreign Principal for 'CSPPartnerName' in role 'TenantAdmins' (CSPCustomer Directory)" in the Customer's directory, and that group has Owner rights on all Azure subscriptions of this Customer.

    BTW, this group (Foreign Principal for 'CSPPartnerName' in role 'TenantAdmins' (CSPCustomer Directory)) is not visible in the Customer's Azure AD, so you won't see it if you list all existing groups in the Customer's directory. But you can see it if you open the Azure Subscription access rights blade. And this is the unique case where a group in Azure AD has a group from another Azure AD directory as a member.

    By default, Azure subscriptions can be managed only by Partner employees with Admin Agent rights. So even the customer's admin account that has Global Admin rights in the Customer's Office 365 tenant (admin@tenantname.onmicrosoft.com) won't be able to manage Azure subscriptions by default. This is done because of the idea that the CSP Partner manages the customer's Azure subscription instead of the customer. The CSP Partner can create VMs, configure Backup or ASR for the customer, and the customer doesn't even need to access the Azure Management portal in this case.

    But I see customer-managed Azure subscriptions more frequently among my partners. In this case the Customer admin wants to access the Azure Portal to manage their Azure subscriptions. You can do it in several ways:

    • Log on as Partner Admin Agent to the new Azure Portal and assign another user Owner rights to the Azure Subscription.
    • Log on as Partner Admin Agent to the new Azure Portal, create a Resource Group and assign another user Owner rights to this Resource Group. In this case such a user will be limited to that Resource Group, but will be able to create any Azure resources inside it.

    After that the Customer's admin will be able to access the Azure Portal or use Azure Resource Manager PowerShell.

    You can use other roles instead of Owner for the Customer's admins. You can use the Contributor role if you don't want to allow any access management inside the Subscription, or you can use the Reader role if you want to allow Customer admins to view Azure resources but not change them. Details about built-in roles in Azure Resource Manager are available here.

    In the Azure Resource Manager model you can assign rights only to users and groups that exist in the Customer's directory. You can add external users (Microsoft IDs, Azure AD users from other directories, etc. - I've described it before) to the Customer's directory and assign access to them. Or you can create a group in the Customer's directory, add users to this group (internal or external), and then assign some access to this group. But you can't assign access to an external group, and you can't add an external group to a group in the Customer's directory.

    Hope this helps.

    For more information, refer to Identity and Rights Management in CSP model.

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
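As an added example (not part of the accepted answer or any Microsoft tooling), the following script audits a subscription's role assignments the way the answer describes them: it picks out subscription-scope Owner assignments, separates the partner's "Foreign Principal for ..." group from principals in the customer's own directory, and reports whether any customer-directory principal holds Owner at all. It assumes input in the shape of `az role assignment list --subscription <id> -o json` (field names `principalName`, `principalType`, `roleDefinitionName`, `scope`); the records below are constructed, and the `ForeignGroup` principal type is an assumption.

```python
"""Audit subscription-scope Owner assignments exported from Azure RBAC.

Input shape follows `az role assignment list -o json` (assumption);
the sample records are constructed for this example.
"""
import json

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # placeholder id

# Constructed sample export: the partner's foreign principal group holds Owner
# on the subscription; the customer admin only has Contributor on one RG.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "Foreign Principal for 'CSPPartnerName' in role "
                      "'TenantAdmins' (CSPCustomer Directory)",
     "principalType": "ForeignGroup",  # assumed type for cross-tenant groups
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "admin@tenantname.onmicrosoft.com",
     "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-app"},
])

FOREIGN_PREFIX = "Foreign Principal for "


def is_subscription_scope(scope):
    """True for '/subscriptions/<id>' exactly (not RG or resource scope)."""
    return scope.startswith("/subscriptions/") and scope.count("/") == 2


def is_partner_group(record):
    """The CSP group is recognisable only by its display name (it does not
    appear in the customer's group list) or, by assumption, its type."""
    return (record.get("principalName", "").startswith(FOREIGN_PREFIX)
            or record.get("principalType") == "ForeignGroup")


def audit_records(records):
    """Split subscription-scope Owner assignments into partner vs customer."""
    partner, customer = [], []
    for rec in records:
        if rec["roleDefinitionName"] != "Owner" or not is_subscription_scope(rec["scope"]):
            continue
        (partner if is_partner_group(rec) else customer).append(rec["principalName"])
    return {
        "partner_owner_assignments": partner,
        "customer_owner_assignments": customer,
        # With no customer-directory Owner, nobody in the customer tenant can
        # manage the subscription if the partner group's access is changed.
        "customer_owner_present": bool(customer),
    }


def audit(assignments_json):
    return audit_records(json.loads(assignments_json))


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ASSIGNMENTS), indent=2))
```

Run it against a real export instead of the sample to see whether an Owner from the customer's own directory exists before any change to the partner group's role is considered.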

1 additional answer

  1. Minh Tran Dinh 5 Reputation points
    2023-09-21T07:38:31.0266667+00:00

    Hi @Siva-kumar-selvaraj ,

    I have the same question too but your answer does not tell us whether we can remove or downgrade this principal.

    We are ISO certified and it is weird if somebody else can administer our subscriptions not under our control.

    Thanks,

    1 person found this answer helpful.