Discover indirect CSP customers' Azure subscriptions

If your MSP organization purchases Microsoft cloud services through a reseller, you may not have direct access to your customer's Azure subscriptions. In those cases, the customer has access to their subscriptions instead of you, and we refer to their subscriptions as indirect CSP customers’ Azure subscriptions.

In Cloud Commander, you can overcome the limitations that keep you from managing your customer's Azure subscriptions by extending your permissions in these customers' tenants beyond the GDAP relationship. We enable you to gain admin consent over a customer's Azure subscriptions and the ability to view their Azure subscriptions and resources.

The workflow to extend your customer GDAP relationship includes the following:

• You request admin consent to additional permissions from the indirect CSP customer using a consent link generated by Cloud Commander.
• An administrator for the indirect CSP customer uses the consent link to sign into their Microsoft admin account, reviews the consent form with the list of additional permissions required by Cloud Commander, and accepts.
• When consent is accepted, the Azure subscriptions owned by that customer admin account now, and in the future, display automatically in Cloud Commander. See View Azure subscriptions.

This workflow to access indirect CSP customers' Azure subscriptions uses one customer admin account and obtains access to all current, and future, Azure subscriptions owned by that admin account. However, if the customer has other admin accounts that own Azure subscriptions, Cloud Commander cannot gain access to those subscriptions. This workflow is an incremental enhancement as we work towards a complete solution.

Requirements

• You must be assigned the Administrators role scoped to the tenant you want to manage.
• To view the discovered Azure subscriptions, you must be assigned the Azure Management Resource Reader, Writer or Admin role scoped to the tenant.
• The initial GDAP relationship setup for the tenant must be complete in Cloud Commander.

Discover indirect CSP customers' Azure subscriptions

1. In the left navigation, select Settings > Microsoft Cloud Access.
2. Filter or search to find the tenant where you want to get the indirect CSP's Azure subscriptions.
3. Select the checkbox for the tenant and select Request additional permissions.

   The Request Additional Permissions dialog displays an approval template that includes the link to authorize the additional permissions.

4. Send the link or message to an administrator for the customer so they can review and accept the request. When the customer clicks the link, they:
   1. Sign into Microsoft using Admin account credentials for their organization for an admin account that owns Azure subscriptions.
   2. Review the permissions requested and select Accept.

      To follow least privilege practice, we recommend not selecting Consent on behalf of your organization. Doing so may grant unintended elevated privileges to users in your organization.

      The following example shows additional permissions for Microsoft Teams and Azure resources.

      

When the customer accepts the additional permissions, the Azure subscriptions owned by that customer account now, and in the future, display automatically in Cloud Commander. See View Azure subscriptions.

Related articles

• View Azure subscriptions
• What is a CSP?

Updated: Sep 30, 2024