Azure tenant governance policy
Permission guidelines for your Azure Subscriptions with Sherweb
The purpose of this document is to share Sherweb’s Azure tenant governance policy which aligns with Microsoft’s Azure security best practices, including least privilege access and Zero Trust principles.
As the owner of your Azure Subscriptions, it’s important to understand what permissions are set automatically and what options you have when assigning permissions to Sherweb.
For additional information on how this impacts your relationship with Sherweb, please refer to the Azure Service Schedule.
Default permissions for all Azure Subscriptions
Whether you create a new Azure Subscription under the Sherweb tenant or transfer in an existing Azure Subscription from outside of Sherweb, the following will occur:
The Sherweb Admin Agent (or Foreign Principal or Service Principal) will automatically be created on the Azure Subscription
Owner permissions will automatically be assigned to this role
For transfers only:
To ensure we can support you through the transfer process, Owner permissions will need to be maintained on the Azure Subscription for 10 days (or until the transfer is complete). After the transfer is complete, you can adjust access for Sherweb’s Foreign Principal on the Azure Subscription.
What least privilege access Azure RBAC roles should be assigned so Sherweb can support you?
Below are the Azure role-based access control (RBAC) roles that we recommend so you can receive:
Your Sherweb Azure discount (for Partners only)
Support from Sherweb for CSP Indirect Provider-only actions, including:
Requesting quota increases via the Azure Portal
Cancelling existing Azure Reservations
Note on your Sherweb Azure discount and support scope
If no partner earned credit (PEC)-eligible role is assigned to the Sherweb Foreign Principal, you will not receive your Sherweb Azure discount. Sherweb will also have limited to no ability to support you on your Azure Subscription.
How to assign least privilege access Azure RBAC roles to maintain support and your Azure discount
Here’s a step-by-step look at what’s required to assign the minimum level of permissions for Sherweb to support your Azure Subscription and for you to retain your Azure discount with Sherweb.
Step 1: Log in to your Azure Subscription and open PowerShell
Go to the Azure Portal
Follow the instructions under Start Cloud Shell
Step 2: Connect to your Azure account via PowerShell
In the Azure Cloud Shell interface, enter the following command and press Enter:
Connect-AzAccount -UseDeviceAuthentication
Step 3: Remove any existing privileged roles assigned to Sherweb on your Azure Subscription
Follow instructions here to remove Azure role assignments
Step 4: Assign new permissions
Below are the scripts to assign specific permissions to a user (i.e., Foreign Principal) on your Azure Subscription.
Note: For <ADMIN_AGENTS_OBJECT_ID>, choose one of the following IDs:
If the data location is USA: 065b0bfc-1277-41bc-bbb7-9b221db190c0
If the data location is Canada: c3e7caf0-c590-4086-9467-abbcd2d62e58
If the data location is Europe (main): e0ba3fef-0a31-4139-a9d4-4711b4324da4
If the data location is Europe (secondary): 999d911a-e48f-4ed9-8a6b-6b3a07cdf6b0
If the data location is in UK: 7cc94c08-5bdf-4615-b501-49167881e880
Quota Request Operator
New-AzRoleAssignment -ObjectId "<ADMIN_AGENTS_OBJECT_ID>" -RoleDefinitionName "Quota Request Operator" -Scope "/subscriptions/<Azure_CSP_Subscription_ID>" -ObjectType "ForeignGroup"
Support Request Contributor
New-AzRoleAssignment -ObjectId "<ADMIN_AGENTS_OBJECT_ID>" -RoleDefinitionName "Support Request Contributor" -Scope "/subscriptions/<Azure_CSP_Subscription_ID>" -ObjectType "ForeignGroup"
Reservations Administrator
New-AzRoleAssignment -Scope "/providers/Microsoft.Capacity" -PrincipalId "<ADMIN_AGENTS_OBJECT_ID>" -RoleDefinitionName "Reservations Administrator"
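The following script ties Steps 2 to 4 together, and also performs the check implied by the note on the Sherweb discount: after assigning the roles it verifies that the foreign principal actually holds at least one of them. It is an added example, not Sherweb's own script. It assumes the Az.Accounts and Az.Resources modules are loaded (as they are in Azure Cloud Shell), that the caller holds Owner or User Access Administrator on the subscription, and that the Admin Agents object IDs are the ones listed above. Adding -ObjectType "ForeignGroup" to the Reservations Administrator assignment is an assumption (the snippet above omits it); the -RemoveOwner switch is opt-in so that Owner is not dropped during the 10-day transfer window.

```powershell
# Added example (not Sherweb's script): assign the least-privilege roles to the
# Sherweb Admin Agents foreign principal on one subscription, then verify them.
# Assumes Az.Accounts / Az.Resources (Azure Cloud Shell). Save as Assign-SherwebRoles.ps1.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [ValidateSet('USA', 'Canada', 'EuropeMain', 'EuropeSecondary', 'UK')]
    [string] $DataLocation,
    [switch] $RemoveOwner   # only after the transfer is complete (10-day window)
)

# Admin Agents object IDs per data location, as listed on this page
$adminAgentsIds = @{
    USA             = '065b0bfc-1277-41bc-bbb7-9b221db190c0'
    Canada          = 'c3e7caf0-c590-4086-9467-abbcd2d62e58'
    EuropeMain      = 'e0ba3fef-0a31-4139-a9d4-4711b4324da4'
    EuropeSecondary = '999d911a-e48f-4ed9-8a6b-6b3a07cdf6b0'
    UK              = '7cc94c08-5bdf-4615-b501-49167881e880'
}
$objectId = $adminAgentsIds[$DataLocation]
$subScope = "/subscriptions/$SubscriptionId"

# Step 2: sign in and select the subscription
Connect-AzAccount -UseDeviceAuthentication | Out-Null
Set-AzContext -Subscription $SubscriptionId | Out-Null

# Step 3: show what the foreign principal currently holds; drop Owner only on request
$existing = Get-AzRoleAssignment -ObjectId $objectId -Scope $subScope
Write-Host "Current assignments for $objectId on $subScope :"
$existing | Format-Table RoleDefinitionName, Scope | Out-String | Write-Host

if ($RemoveOwner) {
    $existing | Where-Object { $_.RoleDefinitionName -eq 'Owner' } | ForEach-Object {
        Remove-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName 'Owner' -Scope $_.Scope
        Write-Host "Removed Owner at $($_.Scope)"
    }
}

# Step 4: the three recommended roles and the scope each one needs.
# Assumption: -ObjectType ForeignGroup is also passed for the tenant-level
# Reservations Administrator assignment, since the principal lives in Sherweb's tenant.
$wanted = @(
    @{ Role = 'Quota Request Operator';      Scope = $subScope },
    @{ Role = 'Support Request Contributor'; Scope = $subScope },
    @{ Role = 'Reservations Administrator';  Scope = '/providers/Microsoft.Capacity' }
)

foreach ($w in $wanted) {
    # Idempotent: re-running the script does not create duplicate assignments
    $already = Get-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $w.Role -Scope $w.Scope
    if ($already) {
        Write-Host "Already assigned: $($w.Role) at $($w.Scope)"
        continue
    }
    New-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $w.Role `
        -Scope $w.Scope -ObjectType 'ForeignGroup' | Out-Null
    Write-Host "Assigned: $($w.Role) at $($w.Scope)"
}

# Verification: the page warns that the discount is lost and support is limited if the
# foreign principal ends up with none of the recommended roles, so fail loudly in that case.
$held = foreach ($w in $wanted) {
    Get-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $w.Role -Scope $w.Scope
}
if (-not $held) {
    throw "The Sherweb foreign principal holds none of the recommended roles; discount and support would be affected."
}
Write-Host "Verified assignments:"
$held | Format-Table RoleDefinitionName, Scope | Out-String | Write-Host
```

Run it from Cloud Shell as `./Assign-SherwebRoles.ps1 -SubscriptionId <Azure_CSP_Subscription_ID> -DataLocation Canada` (add `-RemoveOwner` once the transfer window has passed). The script lists the foreign principal's current assignments before changing anything, so you can confirm which role carries the Owner assignment before removing it.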
Additional resources
Azure built-in roles: Details on the various built-in roles one can assign to a user on an Azure Subscription.
Roles and permissions required to receive partner earned credit: Additional information on which built-in Azure roles are eligible for partner earned credit (PEC).
Best practices for Azure RBAC: A set of best practices around assigning Azure roles to users on an Azure Subscription.
