Azure Subscriptions Provisioned through CSP Partners
One of our long-time clients made the strategic decision to pilot Microsoft Azure to reduce costs and improve platform stability after their external DNS provider crashed. The outage left their email domain, their VPN gateway and numerous other services unresolvable.
Being a Direct CSP Partner, we were glad to provision them a new Azure Tenant and get them started with a trial before providing an ongoing subscription.
The Problem
After provisioning an Azure Subscription through the CSP Portal, we were not seeing the subscription appear in the client’s Azure Tenant. We ensured that the order status was fulfilled and we tried a number of approaches before opening a Microsoft Support Case.
The Cause
I’ll spare you the details of the 10+ phone calls with Microsoft Support, numerous screen shares, and the journey of being routed to several different teams.
When a new tenant is provisioned for a client, the CSP Partner User that provisions the tenant is automatically added as an external account, typically in the format of:
PartnerEmailAddress#EXT#@ClientTenantName
When an Azure Subscription is created through the CSP Portal, it is assigned a single owner, an Azure AD Principal that is listed as a Group (although the group is not browsable). In our case the name of the Azure AD Principal was:
Foreign Principal for ‘TrnDigital’ in Role ‘TenantAdmins’ (ClientName)
The root cause of the problem was that the external (guest) account in the client’s tenant prevented our login from being treated as the Foreign Principal, so our login did not receive access to the newly provisioned Azure Subscription.
The Solution
The solution is to remove the External Account from the Client’s Azure AD. Unfortunately, you cannot remove your own account from Azure AD, so we took the following steps:
- Created a new Temp Account in the Client’s Azure AD and granted Global Admin rights
- Logged into https://portal.azure.com using this temp account
- Deleted the External Account
- Logged into the Partner CSP Portal
- Clicked through to Azure Service Management
- We were able to see the new Azure Subscriptions
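The same steps scripted, as an added example that is not part of the original post: it enumerates the guest accounts from the partner domain (which carry the PartnerEmailAddress#EXT#@ClientTenantName format described above), removes them only after an explicit confirmation, and then lists the Owner role assignments on the subscription so the Foreign Principal can be verified. It assumes the AzureAD and Az modules are installed, that the first part runs as the temporary Global Admin account, and that `$PartnerDomain`, `$ClientTenantId` and `$SubscriptionId` are placeholders you replace with your own values.

```powershell
# Added example (not from the original post). Run the guest clean-up signed in
# as the temporary Global Admin account created in the client tenant, never as
# the partner (guest) identity you are about to remove.
$PartnerDomain  = 'partner.example.com'     # placeholder: the CSP partner's domain
$ClientTenantId = '<client-tenant-id>'      # placeholder
$SubscriptionId = '<csp-subscription-id>'   # placeholder

Connect-AzureAD -TenantId $ClientTenantId | Out-Null

# 1. Enumerate guest (external) accounts. A guest's UPN is encoded as
#    user_partner.example.com#EXT#@clienttenant.onmicrosoft.com, so match on
#    the partner domain followed by the #EXT# marker.
$partnerGuests = Get-AzureADUser -All $true -Filter "userType eq 'Guest'" |
    Where-Object { $_.UserPrincipalName -like "*_${PartnerDomain}#EXT#@*" }

Write-Host "Guest accounts originating from ${PartnerDomain}:"
$partnerGuests | Select-Object DisplayName, UserPrincipalName, ObjectId | Format-Table

# 2. Remove only after a per-account confirmation. Azure AD soft-deletes users,
#    so an accidental removal can still be restored from 'Deleted users' for
#    30 days.
foreach ($g in $partnerGuests) {
    $answer = Read-Host "Delete guest '$($g.UserPrincipalName)'? (y/N)"
    if ($answer -eq 'y') {
        Remove-AzureADUser -ObjectId $g.ObjectId
        Write-Host "Removed $($g.UserPrincipalName)"
    }
}

# 3. Verify from the partner side. Sign in with the partner user (no longer a
#    guest in the tenant) and list the Owner assignments on the CSP
#    subscription; the 'Foreign Principal for ... in Role TenantAdmins' entry
#    should be present and the partner user should now resolve through it.
Connect-AzAccount -Tenant $ClientTenantId | Out-Null
Get-AzRoleAssignment -Scope "/subscriptions/$SubscriptionId" -RoleDefinitionName Owner |
    Select-Object DisplayName, ObjectType, SignInName, Scope |
    Format-Table
```

The AzureAD module is being retired in favour of Microsoft Graph PowerShell, where `Get-MgUser -Filter "userType eq 'Guest'"` and `Remove-MgUser` perform the equivalent steps.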
Closing Thoughts
We were able to add additional owners to the Azure CSP Subscription to enable our client’s IT team to have control over their resources. However, we were not able to add the Foreign Principal as an owner of any other client subscriptions. Therefore, we will need to keep an account in their tenant in case we need to support subscriptions that we are not providing through the CSP.