How to reinstate management of Azure-customers in Partner Portal
When managing a lot of customers with Azure Subscriptions, one possible solution of centralized management is via the Microsoft Partner Portal. Here you can manage all your CSP-customers from one place. This works really well with Microsoft 365 tenants where you just need to make sure you are registered as partner with admin rights. This, however, is not always so straight forward with Azure Subscriptions. At some point you may take over a customer or some variant of where your organization is not the original creator of the subscription. This is where the fun begins…
The Problem:
Partner Portal relies on a couple of groups in your Azure AD where one is called “AdminAgents” to delegate admin rights to people you choose. The problem here is… it creates a role assignment in Azure only once without any real way of maintaining this relation later. Besides of PowerShell of course. After some Googling I found this article from Microsoft: https://docs.microsoft.com/en-us/partner-center/revoke-reinstate-csp with some hints and tips. Tried it. It failed. Stating that “The PrincipalId ‘FFFFFfffffffFFFFFFFffff’ has type ‘ForeignGroup’ , which is different from specified PrinciaplType ‘Group’”. Hmmm! Besides that funny typo at the end this error states there is something wrong either with my group or the format I´m pasting in – or something.
The Solution:
I had this theory that I needed to declare something. So I looked up the cmdlet New-AzRoleAssignment in Microsoft Docs and scrolled down to a parameter called “-ObjectType”. I thought I could try that… It wouldn´t hurt so much, would it?!
The cmdlet ran without any issue! And after logging into Partner Portal I could confirm that it actually did the trick. We can now finally get all our customers managed via the same interface.
This is what I actually did:
- Opened PowerShell, connected to our tenant with Connect-AzAccount and ran cmdlet Get-AzADGroup -DisplayName AdminAgents
- Took note of the “id”
- Logget off our tenant and into the customer´s
- Ran the following command (Just imagine some SIDs instead of the placeholders): New-AzRoleAssignment -ObjectID “” -RoleDefinitionName “Owner” -ObjectType “ForeignGroup” -Scope “/subscriptions/”
And voilá! There´s really not more to it. I´m glad we could figure this out and I hope this is somewhat helpful for you as well! Please let me know if this worked out for you, or if I missed anything 🙂