Share via

Receiving 'BadRequest' when assigning RBAC role to Azure Subscription for GDAP Partner (ForeignGroup) in Customers tenant

Anonymous
2023-06-16T18:33:36.1533333+00:00

We are receiving the following error when attempting to connect a customer's subscription to our Partner Center GDAP CSP:

New-AzRoleAssignment : Operation returned an invalid status code 'BadRequest'

We are using the following command:

New-AzRoleAssignment -ObjectID "id of agentagents group in the partner tenant" -RoleDefinitionName "Support Request Contributor" -Scope "/subscriptions/customers subscription id" -ObjectType "ForeignGroup"

  • This command is being run by a Global Admin in the customer tenant that has Owner on the subscription.
  • This command was always successful previously prior to 6/1/2023. We have run it successfully in dozens of customer tenants when establishing GDAP relationships for customers with existing subscriptions.
  • I can create a brand-new tenant with a brand-new subscription and successfully establish GDAP in the partner center, but still have this error once I try to add the RBAC to the subscription itself.
  • The ObjectID and RoleDefinitionName are the same ones we have always used.
  • Any tenants that we previously had existing RBAC roles on do not have this error. The command runs successfully even if we remove the existing RBAC role assignment and add it back.
  • We have tried this from every browser known to man including the Cloud Shell from the Azure Portal.
  • This is happening in multiple customer tenants for any new customer that didn't have a gdap relationship established prior to 6/1/2023.
  • Microsoft has been absolutely no help. If I open a ticket up in the customer tenant directly, they open it as a Sev C and it goes nowhere because I get a help desk grade user. I can't open the ticket against premier support with a Sev A because we can't attach the subscription to our premier agreement.
  • The audit log on the subscription for the tenant shows: Principal 'adminagentobjectid' does not exist in the directory 'customertenantid'. Check that you have the correct principal ID. This makes no sense, considering I have specified -ObjectType 'ForeignGroup' so it should be checking the partner tenant!
  • I have scoured the partner center documentation and every forum known to man to find a lead on a solution to this. Can someone please help? This is definitely a backend Microsoft problem, but I can't get connected to the right resources to get help. I'm reaching out to strangers on the internet because our Microsoft Premier Partner Agreement can't even get us the right help. Does anyone know the right person to talk to in order to get traction on this issue? We are dead in the water for properly supporting our customers as a partner because we can't get the right resource at Microsoft to help!

-Casey

Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Adam Law 0 Reputation points
    2024-09-11T17:52:20.16+00:00

    For what it's worth, we had the same issue with granting ourselves access to one of our customer's Azure subscriptions using the foreign security principal. Long and short of the fix is:

    • Must have a Partner Relationship created. Create it by signing into Partner Center > New Customer > copy the link from the email tenant > sign into customer tenant as admin > paste the link and accept the relationship.
    • Connect to customer tenant with PowerShell and grant the access:
      • Connect-AzAccount -TenantId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      • New-AzRoleAssignment -ObjectID "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -RoleDefinitionName "Owner" -Scope "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -ObjectType "ForeignGroup"
    • In customer tenant, go to Entra ID > External Identities > Cross-tenant access settings > Org settings > choose inbound access of your partner organization > Trust Settings > choose 'customize' and select 'Trust Multifactor Auth' and 'Trust Compliant Devices'

    This should allow the permission to be added and if you select the subscription in question in the customers tenant > Access Control > Role Assignments > you'll see the 'Foreign Principal for 'PartnerName'' listed.

    Was this answer helpful?

    0 comments
  2. Givary-MSFT 35,786 Reputation points Microsoft Employee Moderator
    2023-06-20T07:14:48.03+00:00

    @Anonymous Apologies for all the trouble you have to go through to fix this, I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.

    Issue:

    We are receiving the following error when attempting to connect a customer's subscription to our Partner Center GDAP CSP:

    New-AzRoleAssignment : Operation returned an invalid status code 'BadRequest'

    We are using the following command:

    New-AzRoleAssignment -ObjectID "id of agentagents group in the partner tenant" -RoleDefinitionName "Support Request Contributor" -Scope "/subscriptions/customers subscription id" -ObjectType "ForeignGroup"

    • This command is being run by a Global Admin in the customer tenant that has Owner on the subscription.
    • This command was always successful previously prior to 6/1/2023. We have run it successfully in dozens of customer tenants when establishing GDAP relationships for customers with existing subscriptions.
    • I can create a brand-new tenant with a brand-new subscription and successfully establish GDAP in the partner center, but still have this error once I try to add the RBAC to the subscription itself.
    • The ObjectID and RoleDefinitionName are the same ones we have always used.
    • Any tenants that we previously had existing RBAC roles on do not have this error. The command runs successfully even if we remove the existing RBAC role assignment and add it back.
    • We have tried this from every browser known to man including the Cloud Shell from the Azure Portal.
    • This is happening in multiple customer tenants for any new customer that didn't have a gdap relationship established prior to 6/1/2023.

    Solution: Resolved by @Anonymous

    User's image

    Was this answer helpful?

  3. Anonymous
    2023-06-16T22:15:55.32+00:00

    Turns out the reseller agreement was not being set up properly when gdap was issued for the customers affected. Issue is resolved.

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.