This post is part of a mini-series that explains how Microsoft Customers, Azure AD Tenants, Azure Subscriptions and Cloud Solution Providers all work together.
It is aimed at anyone who wishes to purchase Azure resources from a Cloud Solution Provider (CSP) such as NewOrbit, as well as Microsoft Partners who wish to understand the relationship between CSPs and Customers better.
This is an immensely confusing topic that often stumps people who have spent years working with Azure - even as Partners.
I focus on explaining the concepts rather than being 100% technically correct. This means some of the detail is glossed over or simplified.
This series focuses on Partners providing Azure to Customers, but the Microsoft 365 side is inherently linked to this so there will be some straying into that area as well.
In this series, we have looked at all the different relationships and access methods that exist between Microsoft Customers and Partners.
Microsoft are committed to the “Multi-Partner” model where a Customer can work with several different Partners to provide different - or even the same - Microsoft products.
Historically, this was quite difficult as a lot of the Microsoft approach was built on an assumption that a single Partner had to “own” the whole Customer.
It’s been a long journey, but now it is not only possible but actually quite pleasant to work in a Multi-Partner setup.
Importantly, this also allows Partners to work together and form networks where we can introduce each other and work together to provide the best possible service to our Customers.
Don’t create new Microsoft Customers
One key thing to point out, especially to Azure resellers, is this: Don't create a new Microsoft Customer/Tenant just so you can provide Azure services to them. This is a common mistake, partly for historical reasons: it used to be necessary, but it no longer is. Instead, set up a reseller relationship with their existing Tenant and create new subscriptions in that Tenant.
You have a reasonable degree of control over what the Customer can see and do in the subscription, including controlling whether they can see costs and whether they can purchase Savings Plans or Reserved Instances. This may be useful in certain Managed Services scenarios where you are charging a total price to the Customer.
You cannot, however, completely block the Customer from accessing the subscription: as long as they have the appropriate permissions in the Tenant (a Global Administrator can elevate their access to Azure resources at the root scope), they can give themselves whatever role they want in the subscription. This does not override the billing permissions mentioned above. In practice, we find this to actually be of benefit as we can easily give select Customer users access to a subset of functionality, such as the ability to view billing reports or query logs etc.
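Because the Customer can always grant themselves roles in a CSP subscription, a Partner will want to know who actually holds the privileged roles at any given time. The following is an added example, not code from the original post or from NewOrbit: an Azure PowerShell audit of Owner and User Access Administrator assignments on one subscription. The subscription ID and the allow-list of expected principals are placeholders you supply; the Az.Accounts and Az.Resources modules and a prior `Connect-AzAccount` against the Customer's Tenant are assumed.

```powershell
# Added example (not from the original post): list privileged role assignments
# on a CSP subscription and flag any principal not on the Partner's allow-list.
# $SubscriptionId and $ExpectedPrincipals are assumptions supplied by the caller.
param(
    [Parameter(Mandatory)] [string]   $SubscriptionId,
    # Display names the Partner expects to hold Owner/UAA (e.g. its own Foreign
    # Principal or Lighthouse identities). Anything else is flagged for review.
    [string[]] $ExpectedPrincipals = @()
)

# Requires Az.Accounts and Az.Resources; run Connect-AzAccount -Tenant <customer tenant> first.
Set-AzContext -Subscription $SubscriptionId | Out-Null
$scope = "/subscriptions/$SubscriptionId"

# These two roles let a principal grant themselves (or anyone) any further role.
$privilegedRoles = @('Owner', 'User Access Administrator')

# Assignments inherited from a management group or the root scope "/" are included.
# A Global Administrator who has elevated access appears here as
# User Access Administrator at scope "/".
$assignments = Get-AzRoleAssignment -Scope $scope |
    Where-Object { $_.RoleDefinitionName -in $privilegedRoles }

$report = foreach ($a in $assignments) {
    [pscustomobject]@{
        Status     = if ($a.DisplayName -in $ExpectedPrincipals) { 'expected' } else { 'REVIEW' }
        Role       = $a.RoleDefinitionName
        Principal  = $a.DisplayName
        Type       = $a.ObjectType   # User, Group, ServicePrincipal, ...
        SignInName = $a.SignInName
        Scope      = $a.Scope        # "/" means a tenant-level elevation, not a subscription grant
    }
}

# Show the review items first so they are not lost in a long list.
$report | Sort-Object Status, Role, Principal | Format-Table -AutoSize
```

Run it against each CSP subscription you bill for (for example `.\Audit-PrivilegedRoles.ps1 -SubscriptionId <id> -ExpectedPrincipals 'Contoso Admin Agents'`). A `REVIEW` row with `Type` of `User` and a Customer sign-in name is the Customer exercising exactly the right described above; that is not a fault, but it is something the Partner should know about, particularly in a fixed-price Managed Services arrangement.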
Two Azure Cloud Solution Providers working with the same Customer
When two different Cloud Solution Providers both provide Azure to the same Customer, they can coexist perfectly well. In the default configuration, neither Partner can see anything the other one is doing. The only time there is likely to be a problem with this is if one of the Partners has Global Admin rights to the Tenant itself. As we have seen, they really shouldn't have this and, if they do, this should be reviewed and probably removed.
Each Partner can use their own Foreign Principals, Lighthouse and Guest Accounts to access their subscription. Each Partner may also use GDAP, typically to be able to see directory users. This is all independent of the other Partner.
A Microsoft 365 MSP working with an Azure CSP
An MSP will often have complete control of the Customer’s Tenant and will need to be involved in setting up the relationship with the Azure Cloud Solution Provider. For example, approving a reseller relationship or a GDAP request is often done by the MSP.
The MSP maintains complete control: The reseller relationship itself only allows the CSP to create Azure Subscriptions under the Tenant and gives no access to the Tenant itself. The MSP stays in control as they will be the ones approving any GDAP requests. Of course, should the CSP request the deprecated DAP (essentially Global Admin), the MSP is well advised to reject this with extreme prejudice.
It is both easy and safe for multiple Partners to provide Microsoft products and services to the same Customer, all at the same time. Microsoft has built up a suite of tools and mechanisms as described in this series to make this possible.
It is, however, very complicated and unfortunately every Partner has to spend significant time and effort to understand all of these relationships, access mechanisms and structures to be able to effectively work with their Customers and other Partners. In truth, we often come across Microsoft support staff who don’t fully understand how all this hangs together - usually because they only focus on one of the areas. As Partners, we have to not only understand all the mechanisms but also how they interact with each other (which can often be in weird and unexpected ways).
It is a shame that this is not more unified from Microsoft's side - but they at least deserve kudos for moving in the right direction, even if it is all somewhat bitty.