Those who have worked at a Cloud Solution Provider (CSP) organization with access to the MSP Expert tool for migrating subscriptions from EA to CSP will know that one of the post migration steps is to grant the Foreign Principal representing the CSP as either an Owner or Reader on the migrated subscriptions. This step can be easily missed because you can see the subscriptions in the Partner portal with the billing details but will quickly notice that you cannot open tickets for the migrated subscriptions because they are not present when you’re logged into the client’s Azure portal as the CSP due to the lack of permissions.
Attempting to apply the permissions from within https://portal.azure.com will reveal that you cannot simply click into the IAM blade to assign the Owner or Reader role because the Foreign Principal will not be searchable. The only way to perform this operation is to use PowerShell and the present Microsoft documentation doesn’t appear to have instructions for this specific operation (this is the closest one I could find: https://docs.microsoft.com/en-us/partner-center/revoke-reinstate-csp?tabs=workspaces-view) so I would like to share the cmdlets and a script for it.
PowerShell Cmdlets
The following assumes that you have an existing subscription with the Foreign Principal assigned with a role to it as we’ll need to retrieve the ObjectID of the Foreign Principal from a subscription then use it to assign to another subscription. If there isn’t a subscription with the Foreign Principal already assigned with a role, you can temporarily provision a new subscription from the Partner Central portal in the Azure Plan.
1. Install and import the Az module if it is not present:
Install-Module -Name Az
Import-Module -Name Az
2. Connect to the Azure tenant:
Connect-AzAccount
3. Obtain the subscription ID of a subscription that already has the Foreign Principal ID assigned a role:
Get-AzSubscription
4. Create a variable to store the subscription ID that has the Foreign Principal ID assigned a role:
$subscriptionID = "/subscriptions/<replaceWithSubID>"
5. Retrieve the Foreign Principal object along with its attributes and values:
Get-AzRoleAssignment -Scope $subscriptionID | Where-Object {$_.DisplayName -match "Foreign Principal*"}
6. Create a variable to store the Foreign Principal’s ObjectID value:
$foreignPrincipalObjectID = Get-AzRoleAssignment -Scope $subscriptionID | Where-Object {$_.DisplayName -match "Foreign Principal*"} | Select -expand ObjectID
7. Retrieve the subscription ID of the subscription that you want to grant the Foreign Principal permissions:
Get-AzSubscription
8. Update the variable to store the subscription ID that you want to assign the Foreign Principal:
$subscriptionID = "/subscriptions/<replaceWithSubID>"
9. Grant the Foreign Principal either Reader or Owner permissions to the subscription:
New-AzRoleAssignment -ObjectId $foreignPrincipalObjectID -Scope $subscriptionID -RoleDefinitionName Reader -ObjectType "ForeignGroup"
**Note that I’ve had mixed results with the -ObjectType parameter. Some tenants appear to require it and some do not. If an error is thrown indicating the ObjectType is unknown, remove the -ObjectType "ForeignGroup"
**Note If you are granting Reader role to the Foreign Principal, you will also need to grant the "Support Request Contributor" role in order to open support tickets from the Azure portal.
New-AzRoleAssignment -ObjectId $foreignPrincipalObjectID -Scope $subscriptionID -RoleDefinitionName "Support Request Contributor" -ObjectType "ForeignGroup"
PowerShell Script
I’ve created a PowerShell script that will perform the following:
- Use the Connect-AzAccount to connect to Azure
- Retrieve the list of subscriptions and prompt the user to select one that already has the Foreign Principal assigned with a role
- Retrieve the list of Foreign Principals assigned to the subscription and prompt the user to select the one that will be used to assign a role for another subscription
- Retrieve the list of subscriptions again and prompt the user to select one that we are to assign the Foreign Principal assigned with a role
- Prompt the user to choose whether to assign the Foreign Principal the Owner or Reader role
- If Reader role is selected, prompt user if they want to also add the Support Request Contributor as well (tickets cannot be opened if the CSP Foreign Principal has Reader role but not Support Request Contributor role)
- Prompt the user to confirm the assignment with Y or N
- Output the result
This AssignSubscriptionRoleToForeignIdentity.ps1 script can be found on my GitHub account: https://github.com/terenceluk/Azure-CSP/tree/main/Role-Assigment
--------------------------------------------------------------------------------------------------------------------------
The following is a screenshot of a subscription that has the Tech Data Corporation Foreign Principal assigned the Owner role:
The following is a screenshot after using the script to assign the same Tech Data Corporation Foreign Principal the Reader role:
I hope this will help anyone who might be looking for a demonstration on how this.
3 comments:
Thank you sir
Thank you!
This was very helpful.
Thank you! In my case the DisplayName was blank and I was able to find the ID in portal by clicking the Foreign Principle. Once I got the ID, I was able to add using the PowerShell commands.
Post a Comment