Hero Banner

Key Resources and Guides

Find key resources and guides that you can accelerate implementations

Take the survey
Reply
YannicV
‎04-26-2022 01:55 PM
Visitor 1
‎04-26-2022 01:55 PM

Granular administration

Since the beginning of the year the Granular Administration function is available in the customer section of the partner center. We are switching our customers to this Granular Administration away from the "old" delegated admin (which makes us a +- a global admin at our customers, which a lot of customers are not happy with).

 

The concept behind this Granular Administration is clear to us and matches with what we and our customers want, but unfortunately the practical link between the "Azure AD" roles that you need to select and the things that we are doing in Azure Portal (NOT the Azure AD portal) is very unclear to us. 

 

We want to be able to be the owner of a subscription (which we buy with our direct reseller TechData in our customers Azure AD and is billed on us through TechData) and deploy/manage/develop resources in that subscription, without having access to anything else in their Azure AD. The users in the customers Azure AD must be able to access our resources with their credentials.

 

With the "old" delegated this is possible, but with the new Granular Adminstration we are not able to find the correct Azure AD roles to reach this goal. We don't want to keep doing this "trail and error" on a customers AD because this gives not a good impression to our customer.

 

Is there anybody here who used the new Granauler Administration function in the partner center and has solved this problem?

 

 

 

Labels:
Preview file
86 KB
0 Kudos
1 REPLY 1
JanoschUlmer
Microsoft
‎04-27-2022 03:03 AM
Microsoft
‎04-27-2022 03:03 AM

@YannicV : Neither the old DAP system nor GDAP will affect Azure Subscription permissions, this happens on a different layer (DAP/GDAP: AzureAD roles; Azure Subscription doe use Azure RBAC for permission management), there is no AzureAD role you can request to get access to an Azure Subscription.

 

Whenever a Partner provisions an Azure Subscription, the system will set the Azure RBAC permission as Owner by default (AdminAgents in the Partner tenant will be owner of the subscription - visible by the "Foreign Principal" permission in IAM for the Azure Subscription, this concept is also being referred to as "AOBO" - Admin on behalf of) - this happens regardless if DAP, GDAP or none of those two are present.  In your scenario, your Indirect provider will have this permission automatically.

 

Some providers are able to also add the Indirect Resellers AdminAgents to Azure subscription permissions automatically (e.g. if the Provider knows the ObjectID of the Resellers AdminAgent Groups), if they are not any other owner of the subscription can create a Foreign Principal on the customers subscription  for the Admin Agents in your Indirect Reseller CSP tenant

 

While GDAP does not change anything fundamentally on that, GDAP offers one new approach.

Before, when Partners wanted to manage Azure services, but not have AzureAD permissions the only open was to remove DAP, the Azure subscription of the customer then could only be accessed by entering the direct url (portal.azure.com/customertenant.onmicrosoft.com), not via Partner Center anymore.

With GDAP, you can now do the following on top (the option mentioned for DAP also still works): 

 - create a group under the "AdminAgents" group in the Partner tenant;

 - In the GDAP Admin relationship request, request "Directory Reader", and map Directory Reader to this nested group under AdminAgents group.

 - If there is a Foreign Principal set for your Admin Agents, member of this nested group can access the Azure Management Portal with limited directory permissions, while acting as Owner with regards to Azure service management.

 

Btw - Personally, I would rather look into using Azure Lighthouse for management.

 

If you have additional questions, feel free to raise a ticket in my team (see signature):

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)
Follow Us
    Share