Why Azure AD matters for CSP partners & customers

During the past year I’ve worked a lot with Cloud Solution Providers (CSP). A lot of them understand the concepts, but 1 thing seems to confuse people a lot: Azure AD Tenants

What is a tenant? And why is it important for me as a CSP? Well, to understand things, let’s start from the beginning: A customer signs up to an Azure subscription. At that moment, they also get an Azure Active Directory (Azure AD) tenant, named <tenantname>.onmicrosoft.com. If the customer already has Office 365, they will also have an Azure AD tenant. The same goes for other Microsoft bloud services, so be aware of this.

After creating their tenant, the customer will most likely start synchronizing users from their on-premises Active Directory to Azure AD. That way they get a single username, and they can login to Microsoft cloud services with their email address.

Take me for example. I have cloudpuzzles.onmicrosoft.com as my Azure AD tenant. In this tenant, I have added cloudpuzzles.net as my domain, and synced user accounts from my Active Directory. That way I can login to Azure, Office 365 etc. using jesper@cloudpuzzles.net, which is my on-premises login too. I’ve also configured password hash synchronization, so I can use the same password. To get single sign-on, I could also configure ADFS, but that’s another topic.

I have my tenant configured, with users and groups:

Azure AD

Many people think, that an Azure subscription is the top-level of Azure resources. That’s not the case though. If I sign up for a subscription, this is linked to my Azure AD, thus making my Azure AD tenant the top-level. The same goes for Office 365 etc. Let’s have a look:

azuread-subscriptions-admins
I’ve now added Office 365 and Azure susbcriptions – both using my credit card on a Pay-As-You-Go model. The subscriptions are managed by the users I have in my Azure AD tenant. I can control access to those subscriptions on a user or group level, but only from the users & groups within my tenant.

When we use CSP, it’s very similar, but still different. Let’s say I wanted an Azure subscription from a CSP. This CSP needs to add me as a customer in their system. If I do not have any Azure AD tenant yet, it’s straight forward for them to do:

csp-new-customer

Notice the “Primary domain name” field, with .onmicrosoft.com after it. That’s where CSPs create a new tenant. But in this case I already have a tenant, so what if I enter that:

csp-new-customer-existing-tenant

Nope, no cookie. And this is where some CSPs just enter “cloudpuzzles2” or something like that, because they don’t understand the importance of this. If they create a new tenant for my subscription, I as the customer, will not be able to manage this subscription, using my existing tenant. That’s a mess! Instead, the CSP needs to go and get a link, to establish a reseller relationship with you as the tenant. Unfortunately I can’t show this, as my demo CSP environment don’t have that option. Anyways, when you get the link, you sign in as an admin, and accept the relationship with this particular CSP. Now they can create subscriptions for you, and sell you whatever service you need.

What happens after you have approved the reseller relationship, is the CSP get Admin-on-Behalf-of (AOBO) access to the subscriptions they provision in your tenant. This means only they have access, you can’t even access the resources, until given permission to do so. And how would you do that, if the CSP created a new tenant for you? Correct, a management nightmare. What AOBO does not give the CSP, is access to you existing resources. Nor will they have access to resources provisioned from other CSPs.

The way AOBO in an Azure subscription is: In the CSP’s environment, they have a role, Admin Agent. That role, or group of users, is assigned ownership permissions on the subscriptions they provision. From the CSP portal, they can then access the subscription, using their own credential – not credentials from your tenant. This is because of our reseller relationship we just created:

csp-aobo-sub

In the same way, when CSPs sell O365, Intune etc., they’re added to your Azure AD Tenant Admin Role, and can manage the licenses for you. You can of course manage those licenses too, but by default, only the CSP has access. If you were to buy Azure from multiple CSPs – which is a very likely scenario, given the change in the market where a lot of companies just offer a service built on Azure – this is supported too. In this case, each CSP will request a reseller relationship with you, and they will provision their own subscriptions for you too:

csp-aobo-multichannel

TL;DR: Make sure you don’t have multiple Azure AD tenants within your organization (unless you have very good reason to do so, for example regional control etc). And make sure your CSP partner knows what they’re doing – if they don’t send them this link ;-)

4 Responses to Why Azure AD matters for CSP partners & customers

  1.  

    Great article I am setting up a CSP Azure subscription and want to make sure I get it right, what is the suggestion to use in the primary domain name if the client already has an existing O365 setup as well as some existing EA Azure subscriptions>

  2.  

    Good article to gain insights on CSP, want to ask what will be the process to transfer subscription ids which have marketplace items on them from customer EA to CSP. Currently the process is posing as a big challenge for migration subscription with market place items

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.