Plan for the Cloud Solution Provider service

The Cloud Solution Provider (CSP) service gives Microsoft partners access to Microsoft cloud services within one platform. It supports partners to:

  • Own the customer lifecycle and end-to-end relationship.
  • Set pricing, terms, and directly bill customers.
  • Directly provision and manage subscriptions.
  • Attach services that add value.
  • Be the customer's first point of contact for support.

Azure in CSP is an Azure plan with various subscriptions that are hosted by the partner's Microsoft Partner Agreement (MPA). The MPA is similar to the Microsoft customer agreement. Both are hosted on the modern commerce platform and use a simplified purchase agreement.

Diagram that shows an MPA hierarchy.


The partner CSP completely manages an MPA.

Design considerations

  • A CSP reseller relationship must exist between the partner and each Microsoft Entra tenant in which the customer wants to provision a new Azure plan and CSP subscriptions.

  • Only the partner can provision an Azure plan and CSP subscriptions.

  • A specific set of criteria can be used to determine whether a subscription should be suspended; a partner can also suspend a subscription.

  • The partner can allow customers to view their Azure usage fees on a per customer basis. For more information, see Enable the policy to view Azure usage charges. Partners can also use other tools to provide customers with access to their charges.

  • By default, only the partner Azure Reservations can be purchased by the partner for their customer. However, the Customer Permissions feature grants customers permission to purchase Azure Reservations from their CSP.

Design recommendations

  • Work with your CSP partner to ensure that Azure Lighthouse is used for administer on behalf of (AOBO) access for most support scenarios. For more information, see Azure Lighthouse and the Cloud Solution Provider program.

  • Partners, should use, or migrate, to granular delegated admin privileges (GDAP) instead of utilizing delegated admin privileges (DAP).

  • Follow and implement the Customer security best practices

  • Partners should follow and implement the CSP security best practices

  • Work with your CSP partner to understand how to create support cases and escalation processes.

  • Discuss how to create self-service subscriptions with your CSP partner.

  • Use Microsoft Cost Management reports and views. These reports can use Azure metadata, like tags and location, to explore and analyze your organization's costs.

  • Any user that has permissions upon an invoice section, billing profile or billing account to create subscriptions, as detailed here, must be protected with Multi-Factor Authentication (MFA) as any other privileged account should be as documented here

Next steps

Learn how to improve your security posture by defining your Microsoft Entra tenants.