Access Customer Azure Subscriptions - Indirect Partners

Gaining Access to Customer Azure Subscriptions (Indirect Partners)

As an indirect Microsoft partner, you don’t automatically receive access to your customer’s Azure subscriptions through Partner Center.
However, you can still gain access  by adding your partner tenant’s Admin Agent group (Or your GDAP security group) to their subscription. This allows you to manage it using your partner login, similar to delegated permissions in Microsoft Admin Center. 


Why This Matters

To use Sync 365’s automated Azure billing feature  as an indirect provider, you must have access to your customers’ Azure subscriptions. Completing the steps below will enable automated billing to run correctly.

Prerequisites - Patner/MSP Tenant

Get the AdminAgents (Or Security group used for GDAP) Object ID from your tenant (The MSP Tenant)

  1. Log into your MSP tenant via https://portal.azure.com using an account with group admin privileges.

  2. Go to Microsoft Entra> Groups.

  3. Search for the group named "AdminAgents".

  4. Copy the Object ID of that group — you’ll need this for the access script.

   This Object ID allows us to grant your tenant access to customer subscriptions for billing automation.


Add access to the customers Azure Subscription

There are 2 easy ways to give your partner tenant access to the customers azure subscription.

Choose one of these methods to complete

Powershell

This powershell script requires Az.Resources, Az.Reservations and Az.Accounts. These will be installed if needed.

  1. Either save the below script or copy it into Powershell.
  2. Run the script
  3. Sign in as the Global Administrator of the customer tenant  you want to add access to.
  4. Enter in the ObjectID for AdminAgents that you got above
  5. Wait for script to complete


# Define required modules
$requiredModules = @("Az.Resources", "Az.Reservations", "Az.Accounts")

foreach ($module in $requiredModules) {
    if (-not (Get-Module -ListAvailable -Name $module)) {
        Write-Host "$module not found. Installing..."
        try {
            Install-Module -Name $module -Scope CurrentUser -Repository PSGallery -Force
            Write-Host "$module installed successfully."
            Import-Module $module -ErrorAction Stop
        } catch {
            Write-Error "Failed to install $module. Error: $_"
        }
    } else {
        Write-Host "$module is already installed."
    }
}

Write-Output "This script assigns 'Owner' role to your AdminAgents group for all customer Azure CSP Subscriptions and Reservations."
Write-Output "Please log in with the tenant's Global Admin."

Connect-AzAccount

# Get AdminAgents group Object ID
$partnerId = Read-Host -Prompt "Enter the objectId of your AdminAgents group"

# Get all enabled subscriptions
$subscriptions = Get-AzSubscription | Where-Object { $_.State -eq "Enabled" }
Write-Output "Found $($subscriptions.Count) enabled subscriptions."

# Assign role on all subscriptions
foreach ($sub in $subscriptions) {
    $scope = "/subscriptions/$($sub.Id)"
    New-AzRoleAssignment -ObjectId $partnerId -ObjectType ForeignGroup -RoleDefinitionName Owner -Scope $scope
    Write-Output "Access granted on subscription: $($sub.Name)"
}

# Get all reservations
$reservations = Get-AzReservation
Write-Output "Found $($reservations.Count) reservations."

# Assign role on all reservations
foreach ($res in $reservations) {
    New-AzRoleAssignment -ObjectId $partnerId -ObjectType ForeignGroup -RoleDefinitionName Owner -Scope $res.Id
    Write-Output "Access granted on reservation: $($res.DisplayName)"
}

Write-Output "`nDelegated permissions successfully added to all available subscriptions and reservations."
Pause


Azure Portal CLI

  1. Log into https://portal.azure.com as the global administrator for the client tenant.
  2. Click on the Azure CLI button 
  3. Accept defaults to create a storage account for its use if required.
  4. Copy the below script and paste it into the azure CLI. NOTE: You must paste as plain text (right click> paste as plain text or ctrl+shift+v
  5. Enter in your AdminAgents ObjectID when prompted.
Write-Output "This script assigns 'Owner' role to your AdminAgents group for all customer Azure CSP Subscriptions and Reservations."

az login
# Ensure logged in
az account show > $null 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Output "You must log in first using 'az login'."
    exit 1
}

# Get AdminAgents group Object ID
$partnerId = Read-Host -Prompt "Enter the objectId of your AdminAgents group"

# Get all subscriptions
# Get current tenant ID (after az login)
$currentTenantId = (az account show --query tenantId -o tsv)

# Filter subscriptions by tenant
$subscriptions = az account list --query "[?state=='Enabled' && tenantId=='$currentTenantId'].{id:id, name:name}" -o json | ConvertFrom-Json

Write-Output "Found $($subscriptions.Count) enabled subscriptions."

# Assign role to each subscription
foreach ($sub in $subscriptions) {
    $scope = "/subscriptions/$($sub.id)"
    az role assignment create `
        --assignee-object-id $partnerId `
        --assignee-principal-type ForeignGroup `
        --role "Owner" `
        --scope $scope | Out-Null
    Write-Output "Access granted on subscription: $($sub.name)"
}

# Get reservations (requires az resource list access and appropriate API permissions)
$reservations = az resource list --resource-type "Microsoft.Capacity/reservationOrders/reservations" -o json | ConvertFrom-Json
Write-Output "Found $($reservations.Count) reservations."

foreach ($res in $reservations) {
    az role assignment create `
        --assignee-object-id $partnerId `
        --assignee-principal-type ForeignGroup `
        --role "Owner" `
        --scope $res.id | Out-Null
    Write-Output "Access granted on reservation: $($res.name)"
}

Write-Output "`nDelegated permissions successfully added to all available subscriptions and reservations."
Pause

    • Related Articles

    • Azure Automated Billing - Initial Setup (Indirect CSP)

      Overview As an Indirect CSP partner, you work through a distributor to access Microsoft services. This guide covers initial setup including vendor markup configuration to start using our Azure Automated Billing. Prerequisites PSA configured in Sync ...

    • Azure Automated Billing - Overview

      What is Azure Automated Billing? Azure Automated Billing is a feature that streamlines the process of billing your customers for their Azure consumption. Instead of manually uploading CSV files, the system automatically retrieves consumption data ...

    • Azure Automated Billing - Initial Setup (Direct CSP)

      Overview As a Direct CSP partner, you have direct access to Microsoft Partner Center and can automatically retrieve Azure consumption data for all your customers. This guide walks you through the initial setup process to start using Azure Automated ...

    • Azure Automated Billing - Managing Reserved Instances

      Overview For Indirect CSP's, Azure Reserved Instances (RIs) require manual configuration of cost and sell prices before they can be billed automatically. What Are Reserved Instances? Reserved Instances: Pre-purchased Azure capacity at discounted rate ...

    • Bill by Subscription ID

      In some occasions you may have a client that has multiple subscriptions for a license, or a monthly and annual term for the license. These may include subscriptions that you to not provide so you may need to bill them by your specific subscription ID ...