Gaining Access to Customer Azure Subscriptions (Indirect Partners)

Modified on Thu, 10 Apr at 12:42 AM

As an indirect Microsoft partner, you don’t automatically receive access to your customer’s Azure subscriptions through Partner Center. However, you can still gain access by adding your partner tenant’s Admin Agent group to their subscription. This allows you to manage it using your partner login, similar to delegated permissions in Microsoft Admin Center. 


Why This Matters

To use Sync 365’s automated Azure billing feature as an indirect provider, you must have access to your customers’ Azure subscriptions. Completing the steps below will enable automated billing to run correctly.


Prerequisites - Partner/MSP Tenant

Get the AdminAgents Object ID from your tenant (the MSP tenant)

  1. Log into your MSP tenant via https://portal.azure.com using an account with group admin privileges.

  2. Go to Microsoft Entra > Groups.

  3. Search for the group named "AdminAgents".

  4. Copy the Object ID of that group — you’ll need this for the access script.

    Note: This Object ID allows us to grant your tenant access to customer subscriptions for billing automation.



Add access to the customer's Azure Subscription

There are 2 easy ways to give your partner tenant access to the customer's Azure subscription.


Choose one of these methods.


PowerShell


This PowerShell script requires Az.Resources, Az.Reservations and Az.Accounts. These will be installed if needed.

  1. Either save the script below or copy it into PowerShell.
  2. Run the script.
  3. Sign in as the Global Administrator of the customer tenant you want to add access to.
  4. Enter the Object ID for AdminAgents that you got above.
  5. Wait for the script to complete.


    # Define required modules
    $requiredModules = @("Az.Resources", "Az.Reservations", "Az.Accounts")

    foreach ($module in $requiredModules) {
        if (-not (Get-Module -ListAvailable -Name $module)) {
            Write-Host "$module not found. Installing..."
            try {
                Install-Module -Name $module -Scope CurrentUser -Repository PSGallery -Force
                Write-Host "$module installed successfully."
                Import-Module $module -ErrorAction Stop
            } catch {
                Write-Error "Failed to install $module. Error: $_"
            }
        } else {
            Write-Host "$module is already installed."
        }
    }

    Write-Output "This script assigns 'Owner' role to your AdminAgents group for all customer Azure CSP Subscriptions and Reservations."
    Write-Output "Please log in with the tenant's Global Admin."

    Connect-AzAccount

    # Get AdminAgents group Object ID
    $partnerId = Read-Host -Prompt "Enter the objectId of your AdminAgents group"

    # Get all enabled subscriptions
    $subscriptions = Get-AzSubscription | Where-Object { $_.State -eq "Enabled" }
    Write-Output "Found $($subscriptions.Count) enabled subscriptions."

    # Assign role on all subscriptions
    foreach ($sub in $subscriptions) {
        $scope = "/subscriptions/$($sub.Id)"
        New-AzRoleAssignment -ObjectId $partnerId -ObjectType ForeignGroup -RoleDefinitionName Owner -Scope $scope
        Write-Output "Access granted on subscription: $($sub.Name)"
    }

    # Get all reservations
    $reservations = Get-AzReservation
    Write-Output "Found $($reservations.Count) reservations."

    # Assign role on all reservations
    foreach ($res in $reservations) {
        New-AzRoleAssignment -ObjectId $partnerId -ObjectType ForeignGroup -RoleDefinitionName Owner -Scope $res.Id
        Write-Output "Access granted on reservation: $($res.DisplayName)"
    }

    Write-Output "`nDelegated permissions successfully added to all available subscriptions and reservations."
    Pause



Azure Portal CLI

  1. Log into https://portal.azure.com as the global administrator for the client tenant.
  2. Click on the Azure CLI button.
  3. Accept defaults to create a storage account for its use if required.
  4. Copy the script below and paste it into the Azure CLI. NOTE: You must paste as plain text (right click > paste as plain text, or ctrl+shift+v).
  5. Enter your AdminAgents Object ID when prompted.


    Write-Output "This script assigns 'Owner' role to your AdminAgents group for all customer Azure CSP Subscriptions and Reservations."
    
    az login
    # Ensure logged in
    az account show > $null 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Output "You must log in first using 'az login'."
        exit 1
    }
    
    # Get AdminAgents group Object ID
    $partnerId = Read-Host -Prompt "Enter the objectId of your AdminAgents group"
    
    # Get all subscriptions
    # Get current tenant ID (after az login)
    $currentTenantId = (az account show --query tenantId -o tsv)
    
    # Filter subscriptions by tenant
    $subscriptions = az account list --query "[?state=='Enabled' && tenantId=='$currentTenantId'].{id:id, name:name}" -o json | ConvertFrom-Json
    
    Write-Output "Found $($subscriptions.Count) enabled subscriptions."
    
    # Assign role to each subscription
    foreach ($sub in $subscriptions) {
        $scope = "/subscriptions/$($sub.id)"
        az role assignment create `
            --assignee-object-id $partnerId `
            --assignee-principal-type ForeignGroup `
            --role "Owner" `
            --scope $scope | Out-Null
        Write-Output "Access granted on subscription: $($sub.name)"
    }
    
    # Get reservations (requires az resource list access and appropriate API permissions)
    $reservations = az resource list --resource-type "Microsoft.Capacity/reservationOrders/reservations" -o json | ConvertFrom-Json
    Write-Output "Found $($reservations.Count) reservations."
    
    foreach ($res in $reservations) {
        az role assignment create `
            --assignee-object-id $partnerId `
            --assignee-principal-type ForeignGroup `
            --role "Owner" `
            --scope $res.id | Out-Null
        Write-Output "Access granted on reservation: $($res.name)"
    }
    
    Write-Output "`nDelegated permissions successfully added to all available subscriptions and reservations."
    Pause
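
Verifying the grant

To confirm what either script above granted, the following added example (not part of the original article or Sync 365's own scripts) classifies Owner role assignments so the expected AdminAgents group can be told apart from any other foreign group holding Owner. The function name Get-OwnerGrantReport and the sample GUIDs are assumptions made for illustration; the sample objects are constructed to match the shape of Get-AzRoleAssignment output.

```powershell
# Added example: classify Owner assignments returned by Get-AzRoleAssignment.
# Get-OwnerGrantReport and every GUID below are hypothetical / constructed.
function Get-OwnerGrantReport {
    param(
        [Parameter(Mandatory)] [object[]] $Assignments,
        [Parameter(Mandatory)] [string]   $ExpectedObjectId
    )
    # Refuse anything that is not a GUID so a mistyped ID cannot match silently.
    $expected = [guid]::Empty
    if (-not [guid]::TryParse($ExpectedObjectId, [ref]$expected)) {
        throw "ExpectedObjectId '$ExpectedObjectId' is not a valid GUID."
    }
    foreach ($a in $Assignments) {
        if ($a.RoleDefinitionName -ne 'Owner') { continue }
        if ([guid]$a.ObjectId -eq $expected) {
            $status = 'ExpectedPartnerGroup'
        } elseif ($a.ObjectType -eq 'ForeignGroup') {
            $status = 'UnexpectedForeignGroup'   # another tenant's group holds Owner
        } else {
            $status = 'LocalPrincipal'
        }
        [pscustomobject]@{
            Scope      = $a.Scope
            ObjectId   = $a.ObjectId
            ObjectType = $a.ObjectType
            Status     = $status
        }
    }
}

# Constructed sample shaped like Get-AzRoleAssignment output (not real data).
$sub = '/subscriptions/00000000-0000-0000-0000-0000000000aa'
$sample = @(
    [pscustomobject]@{ Scope = $sub; RoleDefinitionName = 'Owner';  ObjectType = 'ForeignGroup'; ObjectId = '11111111-1111-1111-1111-111111111111' }
    [pscustomobject]@{ Scope = $sub; RoleDefinitionName = 'Owner';  ObjectType = 'ForeignGroup'; ObjectId = '22222222-2222-2222-2222-222222222222' }
    [pscustomobject]@{ Scope = $sub; RoleDefinitionName = 'Owner';  ObjectType = 'User';         ObjectId = '33333333-3333-3333-3333-333333333333' }
    [pscustomobject]@{ Scope = $sub; RoleDefinitionName = 'Reader'; ObjectType = 'Group';        ObjectId = '44444444-4444-4444-4444-444444444444' }
)
Get-OwnerGrantReport -Assignments $sample -ExpectedObjectId '11111111-1111-1111-1111-111111111111' |
    Format-Table -AutoSize

# Live use, after Connect-AzAccount as the customer tenant's admin:
# $live = Get-AzSubscription -TenantId (Get-AzContext).Tenant.Id |
#     Where-Object { $_.State -eq 'Enabled' } | ForEach-Object {
#         $scope = "/subscriptions/$($_.Id)"
#         Get-AzRoleAssignment -Scope $scope | Where-Object { $_.Scope -eq $scope }
#     }
# Get-OwnerGrantReport -Assignments $live -ExpectedObjectId '<AdminAgents object ID>'
```

A row marked UnexpectedForeignGroup is an Owner grant to a group from a tenant other than the one you intended. Remove-AzRoleAssignment with the same -ObjectId, -RoleDefinitionName and -Scope values revokes it.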







