This post will show you how to delegate administrative access of an Azure subscription to users in an external Azure Active Directory (AD) Domain. The method I will share can be used in Cloud Solution Provider (CSP) and other subscriptions, and will be of great relevance to Microsoft Partners that want their engineers to be able to manage many customer subscriptions with a single account, easily able to move between customers in the Azure Portal with a single sign-on.
Benefits of Delegation
Every Azure subscription (Microsoft cloud customer) is deployed with an Azure AD directory (you can think of this as an Active Directory forest). You may want to allow users from another Azure AD directory to sign into and use/manage services in an Azure subscription. The benefits of this approach are:
- You don’t need to create/manage those user accounts
- Azure AD still authenticates the users
Here are a few examples:
- Microsoft Partner: A Microsoft Partner is reselling an Azure in CSP subscription to a customer. The partner wants to give their engineers admin rights in the subscription so that they can deploy and manage resources in multiple customer subscriptions. The benefit for the partner is that there is a single-account approach, which simplifies user/password management and lends itself to better security, and an engineer can quickly move between customer subscriptions in a single browser window without needing to re-authenticate.
- Application developer/vendor: It is not unusual for a company to hire a developer to create/manage an application within the customer’s infrastructure. You can grant members of that development company’s Azure AD directory controlled access to a resource group, limiting their access to just the contents of that group.
Before you ask: yes, you can trust Microsoft Accounts (e.g., Hotmail, Live ID), but that’s amateur hour and really not a secure approach, so I’m pretending that option does not exist. Any company can create an Azure AD directory for free, by using Microsoft Partner internal usage rights or even a free Azure trial (the directory persists beyond the trial’s time limit at no cost), and you already have an Azure AD directory if you are using Office 365.
Add a Group
How you navigate around the Azure AD admin experience will change over time, so use these instructions more as a loose guide.
The first step is to sign into the customer’s subscription in the Azure Portal with administrative rights over their directory (global admin or owner rights). Click More Services and start Azure Active Directory, the preview (at the time of writing) experience for managing Azure AD in the Azure Portal. Here we will create a group to contain all of the users that will be delegated rights from the external directory. Remember that classic rule: we should always add users to groups and assign rights to groups.
Go to Users And Groups > All Groups and click the Add button. I am creating a group for members of staff from a company called Joe Elway Inc. that will have owner rights over a subscription, so I’ve used a pretty descriptive name (Joe Elway – Subscription Owners). The membership is set to Assigned, but I haven’t added any members yet because I haven’t imported any users to the customer’s directory yet.
You can take two approaches to adding users. The better option is that each person that will be able to sign into the customer’s subscription will have their own Azure AD account. Non-sharing of passwords improves security. Another benefit is that we will have per-person traceability of actions in the Azure audit logs if each person uses their own single Azure AD user account.
The lazier and easier option is one where a Microsoft partner has a single user account for all of their engineers; this option might be easy to set up, but it is insecure. Shared passwords are usually weak, leak, and are rarely changed — even when staff members leave on bad terms! There is also no traceability of who did what, which will prevent investigations after human error. I’ll be blunt — if I were a customer, I would refuse this option.
In this demo, my Microsoft Partner has deployed an Azure AD (maybe via Office 365), and all of their engineers have their own user accounts, provisioned by Azure AD Connect from their on-premises domain controller (one username and one password for everywhere). I will grant access to my Azure subscription to each of their engineers.
In Azure AD, go to Users And Groups > All Users. Do the following for each user:
- Click Add
- Enter the name of the staff member and their username in the UPN format (their Azure AD/Office 365 email address)
- Optionally, enter their profile information (i.e., name, role)
- Click Groups and add the group that you previously created
- Leave Directory Role as it is
- Click Create
Grant Admin Rights
There are two ways you can grant admin rights. The first is to limit rights to a single resource group: browse to the resource group, open Access Control (IAM), click Add, select a role (Contributor or less), and select the group that you previously created.
The second is to grant rights to the entire subscription. In this scenario, the Microsoft partner will be managing the subscription for the customer, so they will be granted Owner rights.
- Browse to More Services > Subscriptions
- Select the subscription and go into Users
- Click Add
- Select the Owner role
- Select the group that you created earlier and added the external users to
- Click OK
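The whole procedure above (create the group, add each partner engineer, grant the group rights) done with PowerShell instead of portal clicks. This is an added example, not code from the original post: it assumes the AzureAD and Az modules are installed, invites each engineer as a B2B guest of the customer directory rather than typing their UPN into the portal, and uses placeholder names, e-mail addresses and subscription id.

```powershell
# Added example (not from the original post). Run as a global admin of the customer
# directory who also has Owner rights on the customer subscription.
# Group name, UPNs and subscription id below are placeholders.

Connect-AzureAD        # customer's Azure AD directory
Connect-AzAccount      # customer's Azure subscription (ARM)

$subscriptionId = "00000000-0000-0000-0000-000000000000"                        # placeholder
$partnerUsers   = @("engineer1@joeelway.example", "engineer2@joeelway.example")   # placeholder UPNs

# 1. Create the group that will hold the delegated partner engineers (membership: Assigned).
#    Rights are assigned to this group, never to individual users.
$group = New-AzureADGroup -DisplayName "Joe Elway - Subscription Owners" `
                          -MailEnabled $false -SecurityEnabled $true `
                          -MailNickName "JoeElwaySubscriptionOwners"

# 2. Invite each engineer as a B2B guest. The account stays in the partner's directory,
#    the partner's Azure AD still authenticates it, and each person gets their own guest
#    object, so the subscription activity log attributes actions to the individual.
foreach ($upn in $partnerUsers) {
    $invite = New-AzureADMSInvitation -InvitedUserEmailAddress $upn `
                                      -InvitedUserDisplayName $upn `
                                      -InviteRedirectUrl "https://portal.azure.com" `
                                      -SendInvitationMessage $true
    # 3. Add the new guest object to the group.
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $invite.InvitedUser.Id
}

# 4. Grant the group rights. Pick ONE scope: the whole subscription (Owner) for a partner
#    that manages everything, or one resource group (Contributor or less) for a vendor.
Set-AzContext -Subscription $subscriptionId | Out-Null
New-AzRoleAssignment -ObjectId $group.ObjectId -RoleDefinitionName "Owner" `
                     -Scope "/subscriptions/$subscriptionId"
# Narrower alternative for an application developer/vendor:
# New-AzRoleAssignment -ObjectId $group.ObjectId -RoleDefinitionName "Contributor" `
#                      -ResourceGroupName "rg-vendor-app"

# 5. Check: Owner assignments at subscription scope should all be groups (ObjectType "Group"),
#    and the partner group should appear exactly once.
Get-AzRoleAssignment -Scope "/subscriptions/$subscriptionId" |
    Where-Object { $_.RoleDefinitionName -eq "Owner" } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
```

The guests can only sign in after redeeming the invitation e-mail; the group membership and the role assignment are in place before that, so nothing needs to be repeated per user afterwards.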
The result is that the group, and therefore the members of the group from the external Azure AD directory, are granted full admin rights over the subscription.
A Microsoft Partner can repeat this task in every new subscription that they set up for a customer. Each engineer will sign in once to the Azure Portal and be able to select any customer’s subscription without having to re-enter any credentials.
Tip: Make sure that the Azure subscription is provisioned with a name that is unique to the customer, making this navigation process easier to use. It is not easy to rename Azure in CSP subscriptions.