Hero Banner

Key Resources and Guides

Find key resources and guides that you can accelerate implementations

Take the survey
Reply
Omar_C
Level 1 Contributor
‎09-13-2022 05:14 AM
Level 1 Contributor
‎09-13-2022 05:14 AM

GDAP and Visual Studio license management in Azure

Hello,

 

We are going to issue a granular administration request for one of our clients. To serve you we need access to the following products:

 

Visual Studio Marketplace and Manage Visual Studio Subscriptions, in this case we do not know what role we have to request from the client in order to continue managing their VS licenses.

 

Could you tell us what ROL we should request?

 

Thank you very much for your help.

Labels:
0 Kudos
2 ACCEPTED SOLUTIONS
v-jillarmour
Community Manager
‎09-13-2022 04:15 PM
Community Manager
‎09-13-2022 04:15 PM

@Omar_C I don't know anything about this, but I would suggest opening a Support ticket and having them help you. Do you agree @JanoschUlmer ?

 

You could also register for one of the weekly CSP Security Updates and Q&A Sessions and ask there possibly? 

 

Also wanted to make sure you saw this post on GDAP in docs yesterday: Extended timelines: Securing the partner ecosystem by transitioning to GDAP

 

I hope this helps?

View solution in original post

JanoschUlmer
Microsoft
‎09-14-2022 03:50 AM
Microsoft
In response to Omar_C
‎09-14-2022 03:50 AM

@Omar_C : In order to be able to provision Visual Studio, the GDAP Azure AD role is actually not really important, you need to have Contributor permission on the Azure subscription since all is happening on Azure.

 

As Partner the AdminAgents in your org get Owner permissions on Azure automatically (for Azure subscriptions you provision).

 

Specifically for Azure & thus also Visual Studio you should then create a nested group under your Admin Agents group, and then assign a the GDAP role of "Directory Reader" (or higher") to this group - this enables Azure subscription management and thus adding Visual Studio subscriptions on the Azure Subscription. 

See here for documentation on this specific scenario:  Workloads supported by granular delegated admin privileges (GDAP) - Partner Center | Microsoft Docs

 

I strongly advise you do not use AdminAgents, but add permissions for HelpDeskAgents on the customers Azure subscriptions instead and then do the same as described above, but for the HelpDeskAgent group. This approach is described in the same article: https://docs.microsoft.com/en-us/partner-center/gdap-supported-workloads#alternative-azure-gdap-guidance-without-using-admin-agent The benefit is that AdminAgents have privileges in Partner Center - so if employees should only be able to manage customers, and not change settings within Partner Center, do not make them Admin Agent.

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)

View solution in original post

4 REPLIES 4
v-jillarmour
Community Manager
‎09-13-2022 04:15 PM
Community Manager
‎09-13-2022 04:15 PM

@Omar_C I don't know anything about this, but I would suggest opening a Support ticket and having them help you. Do you agree @JanoschUlmer ?

 

You could also register for one of the weekly CSP Security Updates and Q&A Sessions and ask there possibly? 

 

Also wanted to make sure you saw this post on GDAP in docs yesterday: Extended timelines: Securing the partner ecosystem by transitioning to GDAP

 

I hope this helps?

Omar_C
Level 1 Contributor
‎09-14-2022 01:01 AM
Level 1 Contributor
In response to v-jillarmour
‎09-14-2022 01:01 AM

Thank you @v-jillarmour,

It does what you suggest.

Greetings

0 Kudos
JanoschUlmer
Microsoft
‎09-14-2022 03:50 AM
Microsoft
In response to Omar_C
‎09-14-2022 03:50 AM

@Omar_C : In order to be able to provision Visual Studio, the GDAP Azure AD role is actually not really important, you need to have Contributor permission on the Azure subscription since all is happening on Azure.

 

As Partner the AdminAgents in your org get Owner permissions on Azure automatically (for Azure subscriptions you provision).

 

Specifically for Azure & thus also Visual Studio you should then create a nested group under your Admin Agents group, and then assign a the GDAP role of "Directory Reader" (or higher") to this group - this enables Azure subscription management and thus adding Visual Studio subscriptions on the Azure Subscription. 

See here for documentation on this specific scenario:  Workloads supported by granular delegated admin privileges (GDAP) - Partner Center | Microsoft Docs

 

I strongly advise you do not use AdminAgents, but add permissions for HelpDeskAgents on the customers Azure subscriptions instead and then do the same as described above, but for the HelpDeskAgent group. This approach is described in the same article: https://docs.microsoft.com/en-us/partner-center/gdap-supported-workloads#alternative-azure-gdap-guidance-without-using-admin-agent The benefit is that AdminAgents have privileges in Partner Center - so if employees should only be able to manage customers, and not change settings within Partner Center, do not make them Admin Agent.

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)
Omar_C
Level 1 Contributor
‎09-15-2022 10:57 AM
Level 1 Contributor
In response to JanoschUlmer
‎09-15-2022 10:57 AM

Hello @JanoschUlmer ,

 

Thank you very much for your help, the option that you propose in the first link seems easier to implement, we will start there.

 

Very well explained.

 

Thank you very much again.

 

Follow Us
    Share