Manage subscriptions and resources under the Azure plan

Appropriate roles: Admin agent

This article explains how Cloud Solution Provider (CSP) partners can use various role-based access control (RBAC) options to get operational control and management of a customer's Azure resources.

When you transition a customer to the Azure plan, you're assigned privileged admin rights in Azure—subscription owner rights through Admin on Behalf of (AOBO) by default.

Note

Admin rights to the Azure subscription can be removed by the customer at the subscription level, resource group level, or workload level.

Partners can get continuous operational control and management of a customer's Azure resources in CSP by using various options available through the role-based access control feature (RBAC).

  • Admin on Behalf of - With AOBO, any user with the Admin agent role in the partner tenant has RBAC owner access to Azure subscriptions that you create through the CSP program.

  • Azure Lighthouse: AOBO doesn't have the flexibility to create distinct groups that work with different customers, or to enable different roles for groups or users. However, using Azure Lighthouse, you can assign different groups to different customers or roles. Because users have the appropriate level of access through Azure delegated resource management, you can reduce the number of users who have the Admin agent role (and thus have full AOBO access). That helps improve security by limiting unnecessary access to your customers' resources. It also gives you more flexibility to manage multiple customers at scale. For more information, see Azure Lighthouse and the Cloud Solution Provider program.

  • Directory or Guest Users or Service Principals: You can delegate granular access to CSP subscriptions by adding users in the customer directory or by adding guest users and assigning specific RBAC roles.

As a security practice, Microsoft recommends assigning users the minimum permissions they need to do their work. For more information, see Azure Active Directory Privileged Identity Management resources.

The following table shows the methods used to associate your PartnerID (formerly MPN ID) with various RBAC access options.

Category Scenario PartnerID association
AOBO CSP direct partner or indirect provider creates the subscription for the customer, making the CSP direct partner or indirect provider the default owner of the subscription using AOBO. CSP direct partner or indirect provider gives indirect reseller access to the subscription using AOBO. Automatic (no partner work required)
Azure Lighthouse Partner creates a new Managed Service offer in Marketplace. The offer is accepted on the CSP subscription and the partner gets access to the CSP subscription. Automatic (no partner work required)
Azure Lighthouse Partner deploys an Azure Resource Manager (ARM) template in Azure subscription Partner must associate the PartnerID with the user or service principal in the partner tenant. For more information, see Link your PartnerID to track your impact on delegated resources.
Directory or Guest user Partner creates a new user or service principal in the customer directory and gives access to the CSP subscription to the user. Partner creates a new user or service principal in the customer directory. Partner adds the user to a group and gives access to the CSP subscription to the group. Partner must associate the PartnerID with the user or service principal in the customer tenant. For more information, see Link a PartnerID to your account that’s used to manage customers.

Confirm that you have admin access

You must have admin access to manage your customer's services and to receive earned credits. For more information about earned credits, see Partner earned credits.

To determine whether you have admin access:

  • Review the daily usage file: Review the unit price and effective unit price in the daily usage file and confirm whether a discount is being applied. If you're receiving the discount, you're the admin.

Create an Azure monitor alert

You can create an activity log Azure Monitor Alert to be notified if your RBAC access is removed from a CSP subscription.

To create an Azure monitor alert:

  1. Create an alert.

    Screenshot of an Azure portal alert.

  2. Select the type of action that you want the alert to take.

    For example, if you specify that you want an email, you'll receive an email notifying you if any role assignment deletion occurs.

    Screenshot in the Azure portal of configuring an alert.

AOBO removal

Customers can manage access to their subscriptions by going to Access Control at the Azure portal. From the Role assignments tab, they can select Remove access.

If a customer removes your access, you can:

Role-based access differs from admin access. Roles delimit precisely what you can and can't do. Admin access is broader.

To see the roles eligible to earn partner earned credit (PEC), see Roles and permissions for the partner earned credit.

Next steps