A notice to our customers: Microsoft are experiencing disruption related to several of their M365 services that could impact your system. We are carefully monitoring the situation. You can be kept updated via Microsoft's service page.
×

Cloud Solution Provider Access via Foreign Principal

24 July 2023 By Frans Lytzen

Title image

This post is part of a mini-series that explains how Microsoft Customers, Azure AD Tenants, Azure Subscriptions and Cloud Solution Providers all work together.

It is aimed at anyone who wishes to purchase Azure resources from a Cloud Solution Provider (CSP) such as NewOrbit, as well as Microsoft Partners who wish to understand the relationship between CSPs and Customers better.

This is an immensely confusing topic that often stumps people who have spent years working with Azure - even as Partners.

I focus on explaining the concepts rather than being 100% technically correct. This means some of the detail is glossed over or simplified.
This series focuses on Partners providing Azure to Customers, but the Microsoft 365 side is inherently linked to this so there will be some straying into that area as well.

A Cloud Solution Provider needs some way to access their Customers’ Azure Subscriptions to help you set things up and to provide support. There are several different ways to do this. The oldest and also the default way is “Foreign Principal” access.

When a Cloud Solution Provider creates an Azure Subscription for a Customer, a special “Foreign Principal” will be given Owner permissions to the new subscription. This Foreign Principal represents a group of users from the Cloud Solution Provider who are allowed to access the subscription.

Confusingly, the Foreign Principal does not exist in the Customer’s Tenant. Instead, it is actually a special security group in the Cloud Solution Provider’s Tenant called “AdminAgents”. Yes, users from a different Tenant to the one the subscription belongs to can be given access to the subscription.

Diagram showing the two different Tenants, users and the AdminAgents security group

Users from the Cloud Solution Provider who are in this special “Admin Agent” security group can access the Customer’s Azure subscription as an Owner.

This is extremely useful for helping the Customer get things set up quickly without needing a lot of technical knowledge. It also allows the Cloud Solution Provider to help the Customer with support tickets and to earn “Partner Earned Credits”.

Don’t use Foreign Principals as the primary access method

Foreign Principal access is useful, but it suffers from one significant weakness: There is only a single AdminAgents security group in the Partner’s Tenant. This means that any Partner user who is a member of this group has access to the Azure subscriptions for all Customers of the Cloud Solution Provider.

As such, the Foreign Principal access should be limited to a small number of highly trusted employees, who can use their access to set up things like Lighthouse and potentially invite guest users (if the appropriate GDAP permissions have also been granted).

For day to day operations, the Partner should use other methods of access, such as Lighthouse or Guest Accounts that can be controlled much more granularly.

What Azure permissions does the Foreign Principal have?

By default, the Foreign Principal has Owner permissions to any Azure Subscription managed by the Partner. This means that they can do almost anything they want to the Azure Subscription.

It is possible to change the permissions for the Foreign Principal, if required. This does make it more difficult for the Partner to do certain things, including the ability to raise support tickets on your behalf. There is also the issue of Partner Earned Credits, which is outside the scope of this post but can be affected.

In short, please give the Partner at the very least “Support Request Contributor”. That role does not have access to any resources in the Customer subscription, but allows the Partner to raise support tickets on the Customer’s behalf and to earn Partner Earned Credits.

What Tenant permissions does the Foreign Principal have?

By default, the Foreign Principal has no access to the Azure AD Tenant.

This means the Partner user has no ability to assign permissions to anything in the Azure Subscription, nor to create or manage Service Principals (except in the indirect form of Managed Identity).

GDAP allows fine-grained access to the Azure Tenant to be granted to the Foreign Principal, but that is the subject of another post.

How to give a Partner user this access

There are two ways for the Cloud Solution Provider to give one of their users Foreign Principal access:

  1. Make the user a member of the AdminAgents Security group.
    or
  2. In Partner Centre, if you go via your personal Profile, you can eventually get to User Management. Find a user in the list and click on them, then select “Assists your Customers” and “Admin Agent”.

The two methods ultimately do the same thing, the Partner Centre option is just a convenience.

As a Partner, you may want to consider using Azure Privileged Identity Management to control access to the AdminAgents group to further reduce who can use this access easily.

How to use the Foreign Principal access

As a Partner user, there are two ways to access the Azure Subscription:

  1. From Partner Centre, go to Customers -> Customer Name -> Subscriptions -> Azure -> “View all resources on Azure portal”.
    Screenshot of the Partner Portal showing how to access Customers Azure resources
  2. In the Azure Portal, go to Lighthouse -> Manage your Customers -> Customers (CSP) -> Select a Customer -> Azure Subscriptions -> Manage resources.
    Screenshot of the Azure Portal showing how to access Customers Azure resources

Note that if the Partner user also has a Guest Account in the Customer’s Tenant, they will not be able to use the Foreign Principal access. This is because the Guest Account will take precedence over the Foreign Principal. If the Partner user tries, they will just be logged in with their Guest Account.

Transferring Subscriptions

As previously mentioned, when a Cloud Solution Provider creates a new Azure subscription for a Customer, the Foreign Principal is automatically created in the subscription.

However, when you transfer an existing Azure Subscription to a new Cloud Solution Provider, the Foreign Principal is not automatically created.

There are two important things to do in this situation:

  1. The Customer has to create the Foreign Principal in the subscription. The easiest way is for the Cloud Solution Provider to create a little PowerShell script and ask the Customer to run this in the Cloud Shell. The script might look like this:
Set-AzContext -SubscriptionId <Customer subscriptions>
New-AzRoleAssignment -ObjectId [AdminAgent group id from Partner's Tenant] -RoleDefinitionName "Owner" -Scope "/subscriptions/<Customer subscription>" -ObjectType "ForeignGroup"
  1. If the subscription was transferred from another Cloud Solution Partner, their Foreign Principal is not automatically deleted and the previous Partner will continue to have access until the Customer manually deletes the old Foreign Principal from the subscription.

Conclusion

Foreign Principal access is easy and convenient for the Cloud Solution Provider and allows them to help and support their Customers as well as raise support tickets on the Customer’s behalf.

However, the Foreign Principal access method is not granular and should not be used for day to day operations.

As a Customer, do talk to your Cloud Solution Provider about how they control access to your Azure subscriptions.

If you would like to discuss this with someone, NewOrbit is always happy to chat. Contact us.

Microsoft Partner Logo Digital and App Innovation

Microsoft Partner Logo Digital and App Innovation