Use CSP’s AOBO to manage Azure subscriptions from other channels

Microsoft’s Cloud Solution Provider (CSP) program is a great option for service providers that deliver managed services on Azure. It enables the partner to send the customer a single bill that covers both cloud service costs and managed service costs. There are scenarios where the customer has already purchased Azure through another licensing channel (for example an Enterprise Agreement or a pay-as-you-go subscription) and wants the service provider to take over management of that environment. CSP partners can reuse the identity model CSP already provides, Admin-on-behalf-of (AOBO), to manage Azure subscriptions provisioned through other licensing channels. This is done by establishing a reseller relationship with the customer’s existing tenant and then granting the appropriate agents group in the partner’s AAD tenant a role on the customer’s subscription.

  1. Log in to Partner Center using your admin CSP credentials and generate a link to establish a reseller relationship from Dashboard > CSP > Customers > Request reseller relationship.
  2. Send the link to the customer to have them accept the invitation and authorize the CSP relationship.
  3. Once authorized, the customer can see the partner in Admin Center under Partner Relationships.
  4. As a partner, you will now find the customer in your Customer List in Partner Center under Dashboard > CSP > Customers.
  5. Open the Azure Active Directory Admin Center, browse Groups and select the group that should have access to the customer’s subscription (note: you must select either the AdminAgents or the HelpdeskAgents group; these are the CSP agent groups that AOBO works with). Copy the Object ID of the group.
  6. Using PowerShell, an existing administrator of the customer’s subscription (Owner or User Access Administrator, since creating a role assignment requires that permission) grants the partner’s group access to the subscription with the New-AzureRmRoleAssignment cmdlet. The assignment can use any role definition in the customer’s subscription (e.g. Reader, Contributor, Owner) and can be scoped as narrowly as appropriate (subscription, resource group or individual resource); grant the least privilege the engagement actually needs.
    New-AzureRmRoleAssignment -ObjectId 50c74629-d946-40cb-9123-819ae3ddd105 -RoleDefinitionName Reader -Scope /subscriptions/bbd470a5-a7be-41c4-a1f2-fd9c776a977d

  7. The partner can now use the link to the Azure portal from Partner Center to manage the customer’s subscription.

  8. The partner can also manage the subscription using PowerShell by using the TenantId parameter.
    Login-AzureRmAccount -TenantId 7d82b0b6-a196-46ec-9f36-5afe127177a2
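The eight steps above as one AzureRM script, added here as an example and not part of the original post. It separates what the partner runs in the partner tenant (looking up the AdminAgents Object ID), what the customer’s administrator runs in the customer subscription (the scoped, idempotent role assignment and a verification), and what the partner runs afterwards (signing in against the customer tenant). All GUIDs, the tenant domain, the role name and the resource group name are placeholders; the optional resource-group scope and the duplicate-assignment check are this example’s additions.

```powershell
# --- Partner side: find the Object ID of the agents group in the partner tenant ---
Login-AzureRmAccount -TenantId 'partner.onmicrosoft.com'                 # placeholder partner tenant
$agentGroup = Get-AzureRmADGroup -SearchString 'AdminAgents' |
    Where-Object { $_.DisplayName -eq 'AdminAgents' }                    # -SearchString is a prefix search; match exactly
if (-not $agentGroup) { throw 'AdminAgents group not found in the partner tenant' }
$groupObjectId = $agentGroup.Id
"Give this Object ID to the customer administrator: $groupObjectId"

# --- Customer side: an Owner / User Access Administrator of the customer subscription runs this ---
$customerSubscriptionId = 'bbd470a5-a7be-41c4-a1f2-fd9c776a977d'        # placeholder
$roleName               = 'Contributor'                                  # any built-in or custom role in the subscription
$resourceGroupName      = 'rg-managed-workload'                          # placeholder; set to $null for subscription scope

Login-AzureRmAccount -SubscriptionId $customerSubscriptionId
$scope = "/subscriptions/$customerSubscriptionId"
if ($resourceGroupName) { $scope += "/resourceGroups/$resourceGroupName" }  # narrowest scope the engagement allows

# Idempotent: re-running the script must not stack duplicate assignments.
$existing = Get-AzureRmRoleAssignment -ObjectId $groupObjectId -Scope $scope |
    Where-Object { $_.RoleDefinitionName -eq $roleName -and $_.Scope -eq $scope }
if (-not $existing) {
    New-AzureRmRoleAssignment -ObjectId $groupObjectId -RoleDefinitionName $roleName -Scope $scope
} else {
    "Assignment already present: $($existing.RoleAssignmentId)"
}

# Verify: the partner group holds exactly the intended role at exactly the intended scope, nothing broader.
Get-AzureRmRoleAssignment -ObjectId $groupObjectId |
    Select-Object ObjectId, ObjectType, RoleDefinitionName, Scope

# --- Partner side (step 8): sign in against the customer tenant and select the subscription ---
$customerTenantId = '7d82b0b6-a196-46ec-9f36-5afe127177a2'              # placeholder
Login-AzureRmAccount -TenantId $customerTenantId
Set-AzureRmContext -SubscriptionId $customerSubscriptionId
Get-AzureRmResourceGroup | Select-Object ResourceGroupName, Location   # with resource-group scope, only that group is visible
```

The verification step is the check a reviewer of the engagement wants: the output should list a single row for the group at the chosen scope. A row at `/subscriptions/<id>` when only a resource group was intended means the assignment was made too broadly and should be removed with Remove-AzureRmRoleAssignment before the partner starts work.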

Enforcing MFA for partner AAD tenant in CSP

The Cloud Solution Provider program from Microsoft is a great way for partners to bundle their managed services with Microsoft first-party cloud services like Azure. CSP partners use Partner Center to manage their customers, logging in with identities from the partner’s own Azure AD tenant. Management of the customers’ cloud services then happens through CSP’s Admin-on-behalf-of model. Because these identities have access to multiple customers, they are prime targets for bad actors, so partners frequently want to enable multi-factor authentication to help secure them. Azure AD supports this natively; however, some additional configuration is necessary to ensure MFA is actually enforced when those identities manage customers’ Azure environments. Follow these steps to enable MFA on a partner AAD tenant and enforce it when managing a customer’s Azure subscription.

Configure an AAD user for MFA

  1. To configure MFA on the partner’s AAD tenant, go to https://aad.portal.azure.com. Click on Azure Active Directory from the menu and then select Users. From the Menu bar, select Multi-factor Authentication.
  2. This will open a new window to MFA settings for users. You can enable a specific user by finding them from the list and selecting enable, or using the bulk update link at the top.
  3. Review the deployment guide, and select the enable multi-factor auth button when prompted.
  4. The next time the user logs in, they will be prompted to configure MFA.
  5. The user can choose to receive a phone call, SMS text message or use the Mobile Application for multi-factor auth.
  6. Now when the user logs in to Partner Center they will be prompted for multi-factor authentication and receive a notification per their preferred MFA settings.
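The per-user MFA enablement from the steps above, scripted for the identities that matter most in this scenario: every user in the partner tenant’s AdminAgents and HelpdeskAgents groups, since those are the accounts that carry AOBO rights into customer tenants. This is an added example using the MSOnline module, not code from the original post. The group names come from the text; the Enabled-versus-Enforced switch, the skip-if-already-set logic and the closing audit are this example’s.

```powershell
# Usage: .\Enable-AgentMfa.ps1            -> sets state 'Enabled' (user registers at next sign-in)
#        .\Enable-AgentMfa.ps1 -Enforce   -> sets state 'Enforced' (no registration grace period)
param([switch]$Enforce)

Connect-MsolService                                   # interactive sign-in to the PARTNER tenant

$state = if ($Enforce) { 'Enforced' } else { 'Enabled' }
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = '*'                       # apply to every application, not a single relying party
$requirement.State        = $state

# Collect user members of both CSP agent groups.
$agentGroups = 'AdminAgents', 'HelpdeskAgents'
$targets = foreach ($name in $agentGroups) {
    $group = Get-MsolGroup -SearchString $name | Where-Object { $_.DisplayName -eq $name }
    if (-not $group) { Write-Warning "Group $name not found in this tenant"; continue }
    Get-MsolGroupMember -GroupObjectId $group.ObjectId -All |
        Where-Object { $_.GroupMemberType -eq 'User' }
}

# A user in both groups is handled once.
foreach ($member in ($targets | Sort-Object ObjectId -Unique)) {
    $user    = Get-MsolUser -ObjectId $member.ObjectId
    $current = ($user.StrongAuthenticationRequirements | Select-Object -First 1).State
    if ($current -eq 'Enforced' -or $current -eq $state) {
        "{0}: already {1}, skipping" -f $user.UserPrincipalName, $current
        continue
    }
    Set-MsolUser -UserPrincipalName $user.UserPrincipalName -StrongAuthenticationRequirements @($requirement)
    "{0}: MFA state set to {1}" -f $user.UserPrincipalName, $state
}

# Audit: any agent-group user still without a requirement is an AOBO account reachable with a single factor.
$targetIds = $targets | Select-Object -ExpandProperty ObjectId
Get-MsolUser -All |
    Where-Object { $_.ObjectId -in $targetIds -and -not $_.StrongAuthenticationRequirements } |
    Select-Object UserPrincipalName, DisplayName
```

Run it with Enabled first so agents can register their phone or Authenticator app, then re-run with -Enforce once registration is complete; the audit query at the end should return nothing before you rely on the partner tenant being covered.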

Enforce MFA on a customer’s tenant

Even though we have configured MFA for the partner’s AAD user, we still need to ensure it is enforced when that user manages the customer’s Azure subscription. This gets tricky with CSP and Admin-on-behalf-of: because the user is managing a customer’s Azure environment, it is the customer tenant’s policies, not the partner tenant’s, that decide whether MFA is required for the sign-in. This means we need to create a conditional access policy in the customer’s Azure AD tenant for MFA to be applied to the partner’s users. To set this up, the customer needs at least one Azure AD Premium (P1) license provisioned in their tenant, since conditional access is a Premium feature.

  1. To configure the customer’s tenant, log in to the Azure portal for the customer: https://portal.azure.com/tenant.onmicrosoft.com. Click on Azure Active Directory from the menu and then Conditional access.
  2. Next, we’ll create a policy that enforces MFA for all users when managing Azure. Select New Policy.
  3. Configure the policy to apply to All users, select the Microsoft Azure Management cloud application and Require multi-factor authentication under Grant access. Switch the policy On under Enable Policy, then click Create.

Now, MFA will be enforced any time a user attempts to manage Azure – including a partner’s AAD users. Note that the partner’s users can use the shortcut URL (https://portal.azure.com/tenant.onmicrosoft.com) only if they have already authenticated using MFA. If they have not authenticated using MFA and attempt to access the portal or PowerShell on behalf of the customer, the sign-in will fail.
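The conditional access policy from steps 1 to 3 above, created through the Microsoft Graph API instead of the portal so that a partner can apply the same policy consistently in each customer tenant that has Azure AD Premium. This is an added example, not code from the original post. It assumes $AccessToken already holds a Graph access token for an administrator of the customer tenant with the Policy.ReadWrite.ConditionalAccess permission, obtained however the partner normally acquires tokens; the application ID below is the one Azure AD uses for the Microsoft Azure Management cloud app (the Windows Azure Service Management API) and is the example’s choice, as are the policy name and the update-if-exists behaviour.

```powershell
param([Parameter(Mandatory)][string]$AccessToken)    # Graph token for the CUSTOMER tenant (assumed)

$azureManagementAppId = '797f4846-ba00-4fd7-ba43-dac1f8f63013'   # "Microsoft Azure Management" in the CA app picker
$headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }
$uri     = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'

# Same three settings as the portal steps: All users, the Azure Management app, Require MFA, policy On.
$policy = @{
    displayName   = 'Require MFA for Microsoft Azure Management'
    state         = 'enabled'           # 'enabledForReportingButNotEnforced' to pilot in report-only mode first
    conditions    = @{
        users        = @{ includeUsers = @('All') }
        applications = @{ includeApplications = @($azureManagementAppId) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
$body = $policy | ConvertTo-Json -Depth 5

# Idempotent: update an existing policy of the same name instead of creating a duplicate.
$existing = (Invoke-RestMethod -Method Get -Uri $uri -Headers $headers).value |
    Where-Object { $_.displayName -eq $policy.displayName }
if ($existing) {
    Invoke-RestMethod -Method Patch -Uri "$uri/$($existing.id)" -Headers $headers -Body $body | Out-Null
    "Updated policy $($existing.id)"
} else {
    $created = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $body
    "Created policy $($created.id)"
}

# Check: read the policy back and confirm it targets All users, the Azure Management app, and requires MFA.
$check = (Invoke-RestMethod -Method Get -Uri $uri -Headers $headers).value |
    Where-Object { $_.displayName -eq $policy.displayName }
$enforced = ($check.state -eq 'enabled') -and
            ($check.conditions.users.includeUsers -contains 'All') -and
            ($check.conditions.applications.includeApplications -contains $azureManagementAppId) -and
            ($check.grantControls.builtInControls -contains 'mfa')
"Policy enforced as intended: $enforced"
```

Because the policy applies to All users, it also covers the customer’s own administrators; create it in report-only mode first and review the sign-in logs before switching the state to enabled, so that nobody the customer depends on is locked out of the Azure portal or PowerShell.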