Description
As a Cloud Solution Provider (CSP), we need certain privileges, or Azure RBAC roles, on Azure CSP subscriptions to manage Azure usage, provide support and deploy Azure Reserved Instances.
There are 2 options available:
Provide / Reinstate Admin Privileges (Most Privileged Access)
Least Privileged Access (Sherweb’s Azure Tenant Governance Policy)
This article outlines how to provide or reinstate the required admin privileges to Sherweb teams for a particular tenant (i.e. “Most Privileged Access”). This procedure must be followed to complete Azure CSP-to-CSP transfers.
Requirements
Have credentials on hand for a user with the Global Administrator role in the tenant to update
If PowerShell will be used to execute command lines, have Azure Resource Manager and Active Directory cmdlets installed in Windows PowerShell and PowerShell Core. See this article for details: https://www.powershellgallery.com/packages/Az.Resources/
Know the data location for the tenant (Canada, USA, Europe)
You can get the data location of the tenant using your account management portal Cumulus if needed.
Know the tenant ID
Each tenant (*.onmicrosoft.com) has a unique tenant ID. You can get your tenant ID using the Azure portal.
Know the Azure CSP subscription(s) ID
Each Azure subscription has a unique subscription ID. You can get your subscription IDs using the Azure portal.
Procedure
Choose your preferred method to run command lines.
Use the templates below. Replace each variable in brackets with the appropriate value and delete the brackets. For [AdminAgents_ID], choose one of the following IDs:
If the data location is USA: 065b0bfc-1277-41bc-bbb7-9b221db190c0
If the data location is Canada: c3e7caf0-c590-4086-9467-abbcd2d62e58
If the data location is Europe: 999d911a-e48f-4ed9-8a6b-6b3a07cdf6b0
If the data location is UK: 7cc94c08-5bdf-4615-b501-49167881e880
PowerShell
Run the following command lines using PowerShell.
Update-Module Az.Resources
Connect-AzAccount -TenantID "[Customer_Tenant_ID]"
Set-AzContext -SubscriptionID "[Azure_CSP_Subscription_ID]"
New-AzRoleAssignment -ObjectID "[AdminAgents_ID]" -RoleDefinitionName "Owner" -Scope "/subscriptions/[Azure_CSP_Subscription_ID]" -ObjectType "ForeignGroup"
Then, repeat the last two (2) command lines for each additional Azure CSP subscription to update in the same tenant.
Azure CLI
Run the following command lines using Azure CLI.
az login --tenant [Customer_Tenant_ID]
az account set --subscription [Azure_CSP_Subscription_ID]
az role assignment create --role "Owner" --assignee-object-id [AdminAgents_ID] --scope "/subscriptions/[Azure_CSP_Subscription_ID]" --assignee-principal-type "ForeignGroup"
Then, repeat the last two (2) command lines for each additional Azure CSP subscription to update in the same tenant.
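To confirm the result after running either set of commands, the subscription's role assignments can be checked against the ID list above. The following Python code is an added example, not Sherweb's or Microsoft's own; it assumes the JSON was saved from `az role assignment list --all --output json` for the subscription, and the function name `audit`, the sample subscription ID and the last principal ID are constructed for illustration.

```python
import json
import re

# Admin Agents group object IDs per data location, as listed in this article.
ADMIN_AGENTS = {
    "USA": "065b0bfc-1277-41bc-bbb7-9b221db190c0",
    "Canada": "c3e7caf0-c590-4086-9467-abbcd2d62e58",
    "Europe": "999d911a-e48f-4ed9-8a6b-6b3a07cdf6b0",
    "UK": "7cc94c08-5bdf-4615-b501-49167881e880",
}
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def audit(assignments_json, subscription_id, data_location):
    """Return (granted, findings) for one subscription's Owner assignments."""
    if not GUID.match(subscription_id):
        raise ValueError("subscription ID is not a GUID (leftover brackets?)")
    expected = ADMIN_AGENTS[data_location]
    other_regions = {v: k for k, v in ADMIN_AGENTS.items() if v != expected}
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    granted, findings = False, []
    for a in json.loads(assignments_json):
        if (a.get("roleDefinitionName"), a.get("principalType")) != ("Owner", "ForeignGroup"):
            continue
        pid = a.get("principalId", "").lower()
        scope = a.get("scope", "").lower().rstrip("/")
        if pid == expected and scope == sub_scope:
            granted = True  # the assignment this procedure is meant to create
        elif pid == expected:
            findings.append(f"expected group has Owner at other scope: {scope}")
        elif pid in other_regions:
            findings.append(f"{other_regions[pid]} group assigned, data location is {data_location}")
        else:
            findings.append(f"unlisted foreign group holds Owner: {pid} at {scope}")
    return granted, findings

# Constructed sample input; the subscription ID and the last principal ID are made up.
SUB = "11111111-2222-3333-4444-555555555555"
SAMPLE = json.dumps([
    {"principalId": ADMIN_AGENTS["Canada"], "principalType": "ForeignGroup",
     "roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB}"},
    {"principalId": ADMIN_AGENTS["USA"], "principalType": "ForeignGroup",
     "roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB}"},
    {"principalId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "principalType": "ForeignGroup",
     "roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB}/resourceGroups/rg1"},
])

print(audit(SAMPLE, SUB, "Canada"))
```

Findings other than the expected assignment, such as a group for a different data location or a foreign group left over from a previous provider, are candidates for review rather than automatic removal.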
References
https://learn.microsoft.com/en-us/partner-center/reinstate-csp
https://www.powershellgallery.com/packages/Az.Resources/
