If you’re a Cloud Solution Provider and you supply a CSP azure subscription to that tenant, your AdminAgents will have Owner access to that subscription by default. Lets say the customer also has an existing subscription (maybe a non-profit donation?).<\/p>\n
When you add your accounts as Owner to the existing tenant’s (non-csp) subscription, your users are added as Guest accounts in the customer’s Azure AD. This\u00a0removes<\/strong> the delegated CSP rights on the CSP subscription because the references to foreign accounts break due to the new guest accounts having the same UPN.<\/p>\n So, alternatively, use<\/p>\n on the CSP<\/strong> subscription to get the Foreign Principal ID for your own tenant. Then use<\/p>\n to add the foreign principal ID to the existing customer subscription to get delegated access \ud83d\ude42<\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" If you’re a Cloud Solution Provider and you supply a CSP azure subscription to that tenant, your AdminAgents will have Owner access to that subscription by default. Lets say the customer also has an existing subscription (maybe a non-profit donation?). When you add your accounts as Owner to the existing tenant’s (non-csp) subscription, your users … Continue reading CSP delegation on non CSP azure subscriptions<\/span> Get-AzureRmRoleAssignment -Scope "\/subscriptions\/<CSP SUBSCRIPTION ID><\/pre>\n
New-AzureRMRoleAssignment -ObjectId <FOREIGN PRINCIPAL ID> -Scope "\/subscriptions\/ \n<EXISTING SUBSCRIPTION ID>" -RoleDefinitionName Owner<\/pre>\n