Get recognized with Partner Admin Link
Partner Admin Link (PAL) enables Microsoft to identify and recognize partners who drive Azure customer success.
Optimized for managed services where your organization is acting on behalf of the customer, PAL allows you to associate your MPN ID with the credentials that you use to deliver services within the customer's Azure tenant. Microsoft can attribute influence and Azure consumed revenue to your organization based on the account's permissions (RBAC role) and scope (subscription, resource group, resource instance).
Learn more below and check out the new webcast recording from February 7th!
- General: Overview Webcast: Get Recognized for Driving Azure Consumption (Sept 2018)
- PAL Specific: Get Recognized for Driving Azure Consumption on-demand link (Feb 2019)
- For management and consulting services with admin access
  - Azure Partner Admin Link Documentation
  - Contact: AzurePartnerAdmin@microsoft.com
- For solutions deployed in customer environments
  - Azure Customer Usage Attribution Documentation
  - Contact: AzureISVPilot@microsoft.com
The reports are partner side under cloud product performance. You have to set the partner association type to Partner Admin Link.
I've not seen any notifications when adding the IDs to a subscription.
Does anybody know what the results are when you combine PAL with PIM (Privileged Identity Management, feature of AD Premium P2/EMS E5 etc.)? PIM is just-in-time access (only Admin permissions when needed to do specific Admin stuff) at request. In that case you have only Admin permissions for a specific (often quite short) amount of time. PAL only counts when having Admin rights on resources. For a lot of customers it is preferred to have the managed service provider use PIM to get access. What impact is there on PAL? If a partner (by using PIM) only has Admin access for a couple of hours per week, do they only get rewarded for those hours? In that case commercial interests are not aligning with security/GDPR etc. interests. Please advise.
At least from the perspective of Partner Earned Credits in the new Azure Commerce Experience, the PAL is measured daily - for a PIM scenario it would be required to measure it every minute. So from this perspective PIM does not fit in this scenario: https://docs.microsoft.com/en-us/partner-center/partner-earned-credit-explanation
And I would be surprised if it works better for incentives, I guess this is only calculated on a daily basis.
Thanks for your prompt answer.
So the Microsoft best practice of using PIM is not aligning very well with the commercial aspects of PAL/PEC (come to think of it, what is the difference between PAL and PEC? I guess by setting PAL, you are able to get PEC?). By using PIM, we'll never get to earning PEC, as we almost never need and thus ask for 24 h access to a customer's environment. I guess it is never wise to put commercial benefits against security best practices. When we are behaving like a good MSP we'll shoot ourselves in the foot by recommending PIM.
@GJ : Yes, setting PAL on a user account from the customer directory or guest account is a way to get PEC: https://docs.microsoft.com/en-us/partner-center/azure-plan-manage
When you use PIM, you will not earn PEC when all of your accounts as a Partner are removed.
When a customer wants to use PIM, you need to keep at least one account to get PEC - you can then use other measures to secure this account. E.g. by setting special conditional access rules for all global admins to restrict AOBO (Foreign Principal) which might be used by all Admin Agents on Partner side. Or removing this foreign principal altogether and using a guest account or user account linked via PAL and restricting access for this account with Conditional Access.
The general idea for CSP is that the CSP partner manages the environment, so the CSP Partner owns the PIM process on behalf of the customer. If the customer insists on doing this himself, you need to use the above-mentioned workarounds to combine both needs.
Hello, I have this problem. Microsoft says: Get access from your customer
Before you link your partner ID, your customer must give you access to their Azure resources by using one of the following options:
Guest user: Your customer can add you as a guest user and assign any role-based access control (RBAC) roles. For more information, see Add guest users from another directory.
Directory account: Your customer can create a user account for you in their own directory and assign any RBAC role.
Service principal: Your customer can add an app or script from your organization in their directory and assign any RBAC role. The identity of the app or script is known as a service principal.
But with only the Contributor role I am able to see Partner Information to insert the partner (PAL) ID.
How can I add PAL if the customer gives me a specific role for the subscription?
When I try to get access to influenced revenue reporting for linked partner ID through Partner Center Dashboard or MyInsights Dashboard, the message 'Revenue and Performance reporting requires permission from your Primary contact.' appears. Together with our Primary Contact I looked into permissions etc., but it turns out I have all possible permissions (Global Admin, Admin agent etc.). What specific permission or configuration is required to get access?
James - I am still slightly confused over whether:
- The customer needs to add you using an Azure AD role - and if so does it have to be a specific role?, or
- The customer can simply add your MPN ID to the subscription themselves and that will work?
It is not 100% clear, as always!
And specifically the guidance on roles at the end of the article: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3QuW2 - in short: Owner & Contributor
Partner Admin Link works on an account level, not a subscription/tenant level. Partner ID on subscription level is "Partner of Record/DPOR" and will not work for PEC.
Just looking for some clarification on PAL...
A few different scenarios:
If we have a team of 5 that are doing work for a single client and all gain access to a client's environment as contributors to different Azure Subscriptions (let's just say 5 here for example), the reporting or recognition would be for 5 different sets of resources, correct?
Opposite of that, same situation, if only 1 of those people assigns PAL, that means we are missing out on 4 other sets/resources of PAL recognition. Correct?
We have the same 5 team members, and they all have the same access to a client's subscriptions, and only 1 person has PAL. Are we covered for the entire environment and getting PAL recognition for everything that all 5 team members are working on? Or are we missing out on any PAL recognition in this scenario?
The going-in strategy is obviously everyone put PAL on, all day long. 🙂
I just want to make sure how this shows up to our reporting and what happens in specific situations we are seeing with our teams and clients above.
Correct on all 3 counts.
On point 3 you can't get the credit 5 times because 5 users have access to the environment. Just set up one user account with the access to all the Azure resource groups needed by your organisation and leave that just to do PALs is the way I'm working to keep things simple, and in case one of the team leaves you don't have to set up again.
When you say "leave that just to do PAL" - are you creating some sort of PAL dummy user just for this purpose?
Thanks for the confirmation on the above scenarios.
Yes, that has the same rights. The problem with a user account is that if the user leaves and the account gets deleted you'll lose the association, and also it's easier to track as we know what the account is for.
When I try to set the PAL via Portal or Command Line, I get the error "PartnerIdInvalid - The Partner ID is not valid", although my MPN ID is correct. What could be possible reasons for this?
Thank you and best regards,
Maybe you're not using a location specific partner ID? Try looking them up here:
**The AzurePartnerAdmin@microsoft.com doesn't work - mails are getting bounced.**
We are helping one of our customers in migrating their workloads to Azure.
However, there are many Resource Groups in their Subscription. And, we have worked only on a few Resource Groups. Is it possible to associate us at RG level? If not, by any chance, is Microsoft planning to add this feature in the near future? Please let us know.
If you use PAL to associate your MPN ID with the credentials that you use in the customer's environment, the recognition and Azure revenue attribution is according to the scope of your permissions. For example, if your user account has access to a subset of RGs within the subscription, you will be recognized for the revenue generated by resources within those groups. In fact, PAL association is granular to the individual resource level.
So the short answer is yes 🙂
P.S. We decommissioned that DL in order to scale through this community and the formal support channels.
If I am an owner for the subscription, do I get the Azure revenue attribution for all the resource groups and subsets in the subscription, even for new deployments as well?
I have a customer for whom I have deployed resources. Suppose he gives access to my user account across the Subscription. Will I get the PAL usage for the entire subscription or only for the resources which I have deployed with my user account?
I have deployed a VM and my colleague deployed Network Infra. Can we add PAL using the same credentials or does it need to be done on an individual level?
@Bharath from experience if you have a user account that has access across the subscription then you get the PAL usage for the entire subscription, as it works on what the account has access to and you've said that in this case it's the subscription. Anything that is subsequently deployed you also get the credit for.
The idea is that you should only have access to the resources (i.e. resource groups) that you are responsible for and require the PAL recognition for. If you are only responsible for specific resource groups then the customer has incorrectly given you additional access going against best practice, but to your advantage.
If you both have access to the VM and network then you only need to add on the one account or both if not to get the credit for both.