Provide or reinstate admin privileges on Azure CSP subscriptions




Description

As a Cloud Solution Provider (CSP), we need admin privileges on Azure CSP subscriptions to manage Azure usage, provide support and deploy Azure Reserved Instances. Please follow this article to provide or reinstate the required admin privileges to Sherweb teams for a particular tenant. This procedure needs to be followed to complete Azure CSP-to-CSP transfers.

Requirements

  • Have on hand the credentials of a user with the Global Administrator role in the tenant to update

  • If you will run the commands in PowerShell, have the Azure Resource Manager and Active Directory cmdlets installed in Windows PowerShell and PowerShell Core. See this page for details: https://www.powershellgallery.com/packages/Az.Resources/

  • Know the data location for the tenant (Canada, USA, Europe)

    If needed, you can get the data location of the tenant from Cumulus, your account management portal.



  • Know the tenant ID


Each tenant (*.onmicrosoft.com) has a unique tenant ID. You can get your tenant ID using the Azure portal.


  • Know the Azure CSP subscription ID(s)

    Each Azure subscription has a unique subscription ID. You can get your subscription IDs using the Azure portal.


Procedure 

Choose your preferred method to run the command lines.

Use the templates below. Replace each variable in brackets with the appropriate value and delete the brackets. For [AdminAgents_ID], choose one of the following IDs:

  • If the data location is USA: 065b0bfc-1277-41bc-bbb7-9b221db190c0
  • If the data location is Canada: c3e7caf0-c590-4086-9467-abbcd2d62e58
  • If the data location is Europe: 999d911a-e48f-4ed9-8a6b-6b3a07cdf6b0

PowerShell

Run the following command lines using PowerShell.

  • Update-Module Az.Resources
  • Connect-AzAccount -TenantID "[Customer_Tenant_ID]"
  • Set-AzContext -SubscriptionID "[Azure_CSP_Subscription_ID]"
  • New-AzRoleAssignment -ObjectID "[AdminAgents_ID]" -RoleDefinitionName "Owner" -Scope "/subscriptions/[Azure_CSP_Subscription_ID]" -ObjectType "ForeignGroup"

    Then repeat the last two (2) command lines for each additional Azure CSP subscription to update in the same tenant.


Azure CLI

Run the following command lines using Azure CLI.


  • az login --tenant [Customer_Tenant_ID]
  • az account set --subscription [Azure_CSP_Subscription_ID]
  • az role assignment create --role "Owner" --assignee-object-id [AdminAgents_ID] --scope "/subscriptions/[Azure_CSP_Subscription_ID]" --assignee-principal-type "ForeignGroup"

    Then repeat the last two (2) command lines for each additional Azure CSP subscription to update in the same tenant.
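The Azure CLI steps above can be wrapped so that several subscriptions are handled in one run, leftover template placeholders are rejected before anything is changed, and each Owner assignment is read back after it is created. This is an added example, not Sherweb's or Microsoft's own script; the function names are hypothetical, and it assumes the Azure CLI is installed and that you sign in as a Global Administrator of the tenant.

```shell
#!/bin/sh
# Added example: function names are hypothetical, IDs come from this article.

# Map the tenant's data location to the AdminAgents group ID listed above.
admin_agents_id() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    usa)    echo "065b0bfc-1277-41bc-bbb7-9b221db190c0" ;;
    canada) echo "c3e7caf0-c590-4086-9467-abbcd2d62e58" ;;
    europe) echo "999d911a-e48f-4ed9-8a6b-6b3a07cdf6b0" ;;
    *)      echo "unknown data location: $1" >&2; return 1 ;;
  esac
}

# Reject anything that is not a GUID, e.g. a placeholder still in brackets.
is_guid() {
  printf '%s' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Count Owner assignments held by the group at this exact scope.
owner_assignment_count() {  # args: group_id scope
  az role assignment list --scope "$2" --role "Owner" \
    --query "length([?principalId=='$1'])" -o tsv
}

# Usage: grant_owner <tenant_id> <data_location> <subscription_id>...
grant_owner() {
  tenant="$1"; location="$2"; shift 2
  group="$(admin_agents_id "$location")" || return 1
  is_guid "$tenant" || { echo "invalid tenant ID: $tenant" >&2; return 1; }
  for sub in "$@"; do
    is_guid "$sub" || { echo "invalid subscription ID: $sub" >&2; return 1; }
  done
  az login --tenant "$tenant" >/dev/null || return 1
  for sub in "$@"; do
    scope="/subscriptions/$sub"
    az account set --subscription "$sub" || return 1
    # Skip creation when the assignment already exists (safe to re-run).
    if [ "$(owner_assignment_count "$group" "$scope")" = "0" ]; then
      az role assignment create --role "Owner" --assignee-object-id "$group" \
        --scope "$scope" --assignee-principal-type "ForeignGroup" \
        >/dev/null || return 1
    fi
    # Read the assignment back so the grant is confirmed, not assumed.
    [ "$(owner_assignment_count "$group" "$scope")" -ge 1 ] ||
      { echo "Owner not assigned on $sub" >&2; return 1; }
    echo "Owner assigned to $group on $scope"
  done
}
```

Load the functions into your shell session, then call grant_owner with the tenant ID, the data location (USA, Canada or Europe) and one or more subscription IDs.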

References

https://learn.microsoft.com/en-us/partner-center/reinstate-csp

https://www.powershellgallery.com/packages/Az.Resources/