Omar_C
Level 1 Contributor

GDAP and Visual Studio license management in Azure

Hello,

 

We are going to issue a granular administration request for one of our clients. To serve you we need access to the following products:

 

Visual Studio Marketplace and Manage Visual Studio Subscriptions, in this case we do not know what role we have to request from the client in order to continue managing their VS licenses.

 

Could you tell us what role we should request?

 

Thank you very much for your help.

2 ACCEPTED SOLUTIONS
v-jillarmour
Community Manager

@Omar_C I don't know anything about this, but I would suggest opening a Support ticket and having them help you. Do you agree @JanoschUlmer ?

 

You could also register for one of the weekly CSP Security Updates and Q&A Sessions and ask there possibly? 

 

Also wanted to make sure you saw this post on GDAP in docs yesterday: Extended timelines: Securing the partner ecosystem by transitioning to GDAP

 

I hope this helps?


JanoschUlmer
Microsoft

@Omar_C : In order to be able to provision Visual Studio, the GDAP Azure AD role is actually not really important; you need to have Contributor permission on the Azure subscription, since all of this is happening on Azure.

As a Partner, the AdminAgents in your org get Owner permissions on Azure automatically (for Azure subscriptions you provision).

Specifically for Azure, and thus also Visual Studio, you should then create a nested group under your Admin Agents group, and then assign the GDAP role of "Directory Reader" (or higher) to this group - this enables Azure subscription management and thus adding Visual Studio subscriptions on the Azure subscription.

See here for documentation on this specific scenario: Workloads supported by granular delegated admin privileges (GDAP) - Partner Center | Microsoft Docs

I strongly advise you do not use AdminAgents, but add permissions for HelpDeskAgents on the customer's Azure subscriptions instead and then do the same as described above, but for the HelpDeskAgent group. This approach is described in the same article: https://docs.microsoft.com/en-us/partner-center/gdap-supported-workloads#alternative-azure-gdap-guidance-without-using-admin-agent. The benefit is that AdminAgents have privileges in Partner Center - so if employees should only be able to manage customers, and not change settings within Partner Center, do not make them Admin Agent.

Kind regards, Janosch
Receive consultations via Technical Presales and Deployment Services team
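
An added example, not part of the original thread or of Microsoft's documentation: a Python check over role assignments exported from the customer's Azure subscription that flags an Owner assignment held by the AdminAgents group and confirms the HelpDeskAgents group holds Contributor at subscription scope, as the answer above recommends. The subscription ID, group object IDs and sample records are constructed placeholders, and the field names follow the JSON output of `az role assignment list`.

```python
# Placeholder IDs (constructed); substitute the real subscription and group object IDs.
SUB = "00000000-0000-0000-0000-0000000000aa"
ADMIN_AGENTS = "11111111-1111-1111-1111-111111111111"
HELPDESK_AGENTS = "22222222-2222-2222-2222-222222222222"

# Constructed records using field names from `az role assignment list -o json`.
# "ForeignGroup" is assumed to be how a partner-tenant group is reported.
SAMPLE = [
    {"principalId": ADMIN_AGENTS, "principalType": "ForeignGroup",
     "roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB}"},
    {"principalId": HELPDESK_AGENTS, "principalType": "ForeignGroup",
     "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-dev"},
    {"principalId": "33333333-3333-3333-3333-333333333333", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB}"},
]


def at_subscription(scope, sub_id):
    """True when the assignment covers the whole subscription (or the root scope)."""
    return scope == "/" or scope.rstrip("/").lower() == f"/subscriptions/{sub_id}".lower()


def audit(assignments, sub_id, admin_agents_id, helpdesk_id):
    """Return (finding, principal_id, scope) tuples for the delegation described above."""
    findings, helpdesk_ok = [], False
    for a in assignments:
        role, pid = a["roleDefinitionName"], a["principalId"]
        whole_sub = at_subscription(a["scope"], sub_id)
        # Contributor is what the answer says is needed; Owner also satisfies it.
        if pid == helpdesk_id and whole_sub and role in ("Contributor", "Owner"):
            helpdesk_ok = True
        if pid == admin_agents_id and role == "Owner":
            findings.append(("admin-agents-owner", pid, a["scope"]))
        elif (a["principalType"].startswith("Foreign") and role == "Owner"
              and pid != helpdesk_id):
            findings.append(("unexpected-foreign-owner", pid, a["scope"]))
    if not helpdesk_ok:
        findings.append(("helpdesk-missing-contributor", helpdesk_id,
                         f"/subscriptions/{sub_id}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, SUB, ADMIN_AGENTS, HELPDESK_AGENTS):
        print(finding)
```

In the sample, the HelpDeskAgents assignment is scoped to a single resource group, so it does not count as Contributor on the subscription and is reported as missing.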


4 REPLIES 4
Omar_C
Level 1 Contributor

Thank you @v-jillarmour,

It does what you suggest.

Greetings

Omar_C
Level 1 Contributor

Hello @JanoschUlmer ,

 

Thank you very much for your help, the option that you propose in the first link seems easier to implement, we will start there.

 

Very well explained.

 

Thank you very much again.