This article focuses on how a CSP Direct partner can delegate administration across its customers. First we give an overview of the AAD tenants that play a part in this story. There are two common setups:
[ThoVuy]
* I believe this article is only aimed at CSP Direct. Right? Might need to use Herman's ppt to clarify what that is and which ones aren't in the scope of this article.
- The CSP Direct partner has a separate AAD tenant for corporate and for CSP.
- The CSP Direct partner has a shared AAD tenant for corporate and for CSP.
In those diagrams, various Azure Active Directory (AAD) tenants are in play:
- Corporate AAD: used by the CSP partner for its own employees (for example, for O365)
- CSP Direct AAD: used by the CSP partner to manage its customers in Partner Center
- CSP Direct Shared Services AAD *: used by the CSP partner for Azure partner shared services
- Customer AAD: used by the customer to access O365 and/or Azure subscriptions
The only difference between the two setups is that some CSP partners have a single AAD for both corporate use and CSP customer management. The remainder of the article applies to both setups.
* The Shared Services AAD tenant and the Azure subscriptions linked to it are out of scope for this article. The aim of this article is to clearly describe the options a CSP Direct partner has to delegate access for its staff to customers' O365 and Azure subscriptions.
The concept of delegation of administration is to allow a certain group of people, e.g. a team at the CSP partner, to manage customers' Azure and O365 services. For smaller organisations it might be fine if a staff employee is either an admin or not, especially if there is only a limited number of customers to manage. Larger CSPs might be looking for a granular way to assign permissions. Here are some examples:
- A dedicated group for managing O365 services
- A dedicated group to manage the Azure services for a big customer
- Non-admin permissions for staff who are on standby and only need to do a first evaluation of potential issues
Before we discuss approaches, here is a brief overview of what's possible out of the box. Delegation of administration can be done for tasks in the Partner Center portal (e.g. creating new customers) or against customer O365 or Azure subscriptions (e.g. creating a new mailbox or a resource in Azure).
There are various roles available in Partner Center. These roles exist in the CSP Direct AAD tenant and can be assigned to users (see Partners: Offer delegated administration). The two most relevant roles for this article are the Helpdesk Agent and Admin Agent roles.
- Helpdesk Agent:
  - Limited administration
  - Has the same privileges as the Password Admin role for the companies you support.
  - The user won't be able to manage customer subscriptions, but will have Office 365 Limited Administration delegated admin rights (equal to the Password Admin role).
- Admin Agent:
  - Full administration
  - Has the same privileges as the Global Admin role for the companies you support.
  - The user will be able to manage customer subscriptions, will have Office 365 Full Administration delegated admin rights (equal to the Global Admin role), and will have Owner rights on customer Azure subscriptions (super user).
The following articles provide a good introduction to the built-in capabilities of Partner Center:
There is no granular control for different customers when using the Helpdesk or Admin Agent roles. This means that the privileges that come with these roles apply to all customers managed by this CSP partner. In other words, an employee granted the role can help every customer that's managed by this CSP partner.
To manage Office 365 for a customer, partner engineers have several options:
- Go to the customer's page on Partner Center and click Service Management -> Office 365. The Office 365 admin portal for this tenant will open.
- Use the Office 365 Partner Admin portal.
- Use the URL https://portal.office.com/Partner/BeginClientSession.aspx?CTID=**TENANTGUID**&CSDEST=o365admincenter to open the Office 365 admin portal for that tenant directly.
- Use Office 365 PowerShell with Delegated Access Permissions, using the tenant GUID as the TenantID.
Similarly for Azure, a user assigned the Admin Agent role has Owner rights on all Azure subscriptions of all customers. This is embedded in the Azure CSP model. Every Azure subscription in CSP has only one owner by default: a group called "Foreign Principal for 'CSPPartnerName' in role 'TenantAdmins' (CSPCustomer Directory)". This group is not visible in the customer's Azure AD, so you won't see it if you list all existing groups in the customer's directory, but you can see it if you open the Azure subscription's access control blade.
To manage the Azure subscription of a customer, there are various approaches:
- Go to the customer's page on Partner Center and click Service Management -> Microsoft Azure Management Portal. The Azure portal will open.
- Use the URL https://portal.azure.com/**TENANTNAME**.onmicrosoft.com to open the Azure portal in the context of this tenant.
- Use PowerShell for Azure Resource Manager, as shown below. Fill in the tenant name and Azure subscription ID:
```powershell
# Sign in to the customer tenant first, then select the customer's subscription
$TenantID = "<TenantName>.onmicrosoft.com"
$SubscriptionID = "<Azure Subscription ID>"
Login-AzureRmAccount -TenantId $TenantID
Select-AzureRmSubscription -SubscriptionId $SubscriptionID -TenantId $TenantID
```
If you want to provide access to a customer employee, regular Azure RBAC principles apply.
As explained in the introduction, the Admin Agent role doesn't offer any granularity. It grants the user full access to all CSP customers of that partner. The table below outlines the Admin Agent role solution and some alternatives that offer better granularity.
Approach | Advantages | Challenges | Conclusion
---|---|---|---
Add staff to Partner Center Helpdesk and Admin Agent roles | Good customer admin UI switching experience for both O365 and Azure; single staff identity; built-in, no automation needed | No granularity between customers; no granularity on Azure (subscriptions/roles) | Works fine, but granularity is lacking
Invite staff users in customer AAD using B2B invite | Single staff identity; switching between Azure customer subscriptions possible; allows per customer, per user, per subscription role assignment | Doesn't work for O365: no customer tenant switching possible in the O365 admin portal; requires some kind of automation | Not feasible for O365
Create new staff users in customer AAD | Works with both Azure and O365; allows per customer, per user, per subscription role assignment | Staff has multiple identities; customer tenant switching is possible but tedious (different logon sessions); if MFA is required, multiple licenses for the same staff employee have to be foreseen; requires some kind of automation | A lot of overhead/challenges
Invite staff users in customer AAD using B2B invite for Azure, leverage Admin Agent roles for O365 ("hybrid solution") | Single staff identity; allows per customer, per user, per subscription role assignment (Azure only); good customer admin UI switching experience for both O365 and Azure; partner can configure MFA on a single identity | Different approaches for O365 and Azure; requires some kind of automation; O365 services still can't be delegated in a granular (per customer) way | Preferred solution if Helpdesk/Admin Agent roles are too restricted
When choosing the hybrid approach it's important to understand the following:
- Staff employees who are assigned the Admin Agent role in order to manage O365 can also manage all Azure subscriptions belonging to CSP customers.
- People who are assigned the Admin Agent role should not be invited as B2B guests in customers' tenants. There might be undocumented side effects.
- Reserved Instances can only be created by people assigned the Admin Agent role. Even a subscription owner can't create a Reserved Instance.
- Ending the relationship between the partner and the customer is done in the Partner Center portal. This is explained here. Keep in mind that this revokes all Admin Agent related permissions, but users who were B2B invited and assigned one or more roles will still have those permissions!
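The hybrid approach in practice, as an added example (not code from the original article): B2B-invite one staff member into one customer tenant and grant a single RBAC role on one subscription, after first checking that the person is not an Admin Agent. It assumes the AzureAD and AzureRM PowerShell modules, that the Partner Center Admin Agent role is surfaced in the CSP tenant as a security group named AdminAgents, and that every identifier in angle brackets is a placeholder.

```powershell
# Added example: per customer, per user, per subscription delegation via B2B invite.
# All values in angle brackets are placeholders to be filled in by the partner.
$PartnerTenantId  = "<partner-csp-tenant>.onmicrosoft.com"
$CustomerTenantId = "<customer-tenant>.onmicrosoft.com"
$SubscriptionId   = "<customer-azure-subscription-id>"
$StaffUpn         = "<staff.member>@<partner-domain>"
$Role             = "Contributor"   # least privilege: pick the narrowest role that fits

# 1. Guard: Admin Agents already hold Owner on every CSP subscription and should not
#    additionally be invited as guests (assumed group name: AdminAgents).
Connect-AzureAD -TenantId $PartnerTenantId | Out-Null
$adminAgents = Get-AzureADGroup -Filter "displayName eq 'AdminAgents'"
if (-not $adminAgents) { throw "AdminAgents group not found in $PartnerTenantId" }
$isAdminAgent = Get-AzureADGroupMember -ObjectId $adminAgents.ObjectId -All $true |
    Where-Object { $_.UserPrincipalName -eq $StaffUpn }
if ($isAdminAgent) { throw "$StaffUpn is an Admin Agent; do not invite as a B2B guest." }

# 2. Invite the staff member as a guest into the customer directory.
Connect-AzureAD -TenantId $CustomerTenantId | Out-Null
$invite = New-AzureADMSInvitation -InvitedUserEmailAddress $StaffUpn `
    -InviteRedirectUrl "https://portal.azure.com/$CustomerTenantId" `
    -SendInvitationMessage $true
$guestId = $invite.InvitedUser.Id

# 3. Assign the role on exactly one subscription, in the customer tenant context.
Login-AzureRmAccount -TenantId $CustomerTenantId | Out-Null
Select-AzureRmSubscription -SubscriptionId $SubscriptionId -TenantId $CustomerTenantId | Out-Null
$scope = "/subscriptions/$SubscriptionId"
# A freshly created guest object can take a few seconds to replicate; retry briefly
# instead of failing on the first PrincipalNotFound error.
for ($attempt = 1; $attempt -le 6; $attempt++) {
    try {
        New-AzureRmRoleAssignment -ObjectId $guestId -RoleDefinitionName $Role -Scope $scope
        Write-Output "Granted $Role on $scope to $StaffUpn (guest object $guestId)"
        break
    } catch {
        if ($attempt -eq 6) { throw }
        Start-Sleep -Seconds 10
    }
}
```

Run the assignment step per subscription the staff member should see; nothing here touches O365, which in this model is still handled through the Admin Agent role.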
Azure AD comes with Privileged Identity Management (PIM). This allows you to assign admin permissions for O365 or Azure in an on-demand, just-in-time manner. PIM requires valid Azure AD Premium P2 licenses for the users of this feature. Given that in the B2B invite model you invite your staff members into each customer tenant, you'd need to apply PIM in each customer tenant. From the CSP partner's point of view this isn't a recommended approach.
A CSP partner could decide to build something leveraging the REST APIs of both Partner Center and Azure AD. This solution could consist of creating a service principal in each customer AAD tenant at customer onboarding time. This principal would be delegated the right to invite people into the directory.
Next to that, an application could be built that allows a staff member to enumerate the customers that member is entitled to work with. Once that list is retrieved, a customer could be selected and the staff member invited "just in time" into the customer AAD tenant. A cleanup process could run at a regular interval to remove the invited users again.
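The cleanup process described above, as an added example (not code from the original article), which also addresses the earlier caveat that ending the partner relationship does not revoke B2B-assigned roles: it finds, in one customer subscription, every role assignment held by a guest from the partner's domain, removes those assignments, and then removes guest objects that hold nothing else. It assumes the AzureAD and AzureRM modules, the standard guest UPN shape `user_partnerdomain#EXT#@customertenant`, and placeholder values in angle brackets.

```powershell
# Added example: periodic cleanup of partner guests in a customer subscription.
# All values in angle brackets are placeholders to be filled in by the partner.
$CustomerTenantId = "<customer-tenant>.onmicrosoft.com"
$SubscriptionId   = "<customer-azure-subscription-id>"
$PartnerDomain    = "<partner-domain>"   # domain part of the staff UPNs, e.g. partner.com
$DryRun           = $true                # set to $false to actually remove

Login-AzureRmAccount -TenantId $CustomerTenantId | Out-Null
Select-AzureRmSubscription -SubscriptionId $SubscriptionId -TenantId $CustomerTenantId | Out-Null
Connect-AzureAD -TenantId $CustomerTenantId | Out-Null
$scope = "/subscriptions/$SubscriptionId"

# Guest UPNs look like user_partnerdomain#EXT#@customertenant (assumed standard B2B shape).
# Only ObjectType 'User' is considered, so the CSP "Foreign Principal" group that owns the
# subscription, and any customer-side groups, are never touched.
$stale = Get-AzureRmRoleAssignment -Scope $scope |
    Where-Object { $_.ObjectType -eq "User" -and $_.SignInName -like "*_$PartnerDomain#EXT#@*" }

foreach ($ra in $stale) {
    Write-Output "Removing '$($ra.RoleDefinitionName)' from $($ra.SignInName) at $($ra.Scope)"
    if (-not $DryRun) {
        Remove-AzureRmRoleAssignment -ObjectId $ra.ObjectId `
            -RoleDefinitionName $ra.RoleDefinitionName -Scope $ra.Scope
    }
}

# Remove a guest object only once it holds no further assignments in this subscription
# (e.g. resource-group scoped ones that were not in the subscription-scope listing).
$guestIds = $stale | Select-Object -ExpandProperty ObjectId -Unique
foreach ($id in $guestIds) {
    $remaining = Get-AzureRmRoleAssignment -ObjectId $id -ErrorAction SilentlyContinue
    if ($remaining) {
        Write-Output "Guest $id still has $($remaining.Count) assignment(s); keeping the object"
    } elseif (-not $DryRun) {
        Remove-AzureADUser -ObjectId $id
        Write-Output "Removed guest object $id"
    }
}
```

Run it with `$DryRun = $true` first and keep the output as an audit trail; schedule it per customer subscription so that B2B access really is "just in time" and not permanent.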
- To verify:
  - RI doesn't work with B2B invite: confirmed
  - Support blade?
Additional reading: