Azure Lighthouse
An Azure service that provides secure managed services and access control for partners and customers.
66 questions
How to onboard customer with multiple eligible authorisations
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 14.000000000000002%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
tm19
5
Reputation points
How do I onboard a customer subscription but with multiple eligible Authorisations. The sample file listed here only shows you how to add one. Microsoft documentation does now show you how to onboard a customer with more than one eligible authorization. I've tried to add 2 PIM roles, and while the onboarding deployment succeeds, it only registers the one of the eligible authorizations. Sample file below:
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"mspOfferName": {
"value": "Test Offer"
},
"mspOfferDescription": {
"value": "Test"
},
"managedByTenantId": {
"value": "000-0000-0000-00000-0000"
},
"authorizations": {
"value": [
{
"principalId": "000-0000-0000-00000-0000",
"roleDefinitionId": "fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64",
"principalIdDisplayName": "Billing Reader"
},
{
"principalId": "000-0000-0000-00000-0000",
"roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
"principalIdDisplayName": "Reader"
}
]
},
"eligibleAuthorizations":{
"value": [
{
"justInTimeAccessPolicy": {
"multiFactorAuthProvider": "None",
"maximumActivationDuration": "PT8H"
},
"principalId": "000-0000-0000-00000-0000",
"principalIdDisplayName": "Contributor",
"roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
}
],
"value": [
{
"justInTimeAccessPolicy": {
"multiFactorAuthProvider": "None",
"maximumActivationDuration": "PT8H"
},
"principalId": "000-0000-0000-00000-0000",
"principalIdDisplayName": "Virtual Machine Contributor",
"roleDefinitionId": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
}
]
}
}
}
{count} vote
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 39%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
SwathiDhanwada-MSFT 17,556 Reputation points2023-04-20T15:37:23.5266667+00:00 @tm19 Welcome to Microsoft Q&A Platform and thanks for your query. Community SME's in this topic or our team will review your scenario and circle back at the possible earliest time.
-
tm19 5 Reputation points
2023-04-25T12:30:38.7766667+00:00 Hi there, was there any update on this? Appreciate any help, thanks.
-
SwathiDhanwada-MSFT 17,556 Reputation points
2023-04-26T15:55:05.71+00:00 @tm19 Apologies for the late response. Can you please try to deploy below template and check if it works for you ? I made simple change to your existing template.
{ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": { "mspOfferName": { "value": "Test Offer" }, "mspOfferDescription": { "value": "Test" }, "managedByTenantId": { "value": "000-0000-0000-00000-0000" }, "authorizations": { "value": [ { "principalId": "000-0000-0000-00000-0000", "roleDefinitionId": "fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", "principalIdDisplayName": "Billing Reader" }, { "principalId": "000-0000-0000-00000-0000", "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7", "principalIdDisplayName": "Reader" } ] }, "eligibleAuthorizations":{ "value": [ { "justInTimeAccessPolicy": { "multiFactorAuthProvider": "None", "maximumActivationDuration": "PT8H" }, "principalId": "000-0000-0000-00000-0000", "principalIdDisplayName": "Contributor", "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c" }, { "justInTimeAccessPolicy": { "multiFactorAuthProvider": "None", "maximumActivationDuration": "PT8H" }, "principalId": "000-0000-0000-00000-0000", "principalIdDisplayName": "Virtual Machine Contributor", "roleDefinitionId": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c" } ] } } } -
tm19 5 Reputation points
2023-04-27T13:18:47.7433333+00:00 Hi, no sorry that does not work unfortunately. It comes up with the below error. I do not know what it is actually referring to with that "registration definition", as that ID does not exist anywhere in the JSON. Have you managed to get more than 1 PIM role working in a test environment, I'm keen to understand if it's an issue my environment, issue with the code arrangement, or even if more than ONE eligible authorization is supported via json onboarding. Are you able to confirm if what I'm trying to achieve is even supported/possible? The documentation does not cover my scenario.
Sign in to comment