Monday, December 26, 2016

Managing your Azure Subscriptions created through CSP portal

Let me start off with a disclaimer: Microsoft may change the behavior described here, which would render this post obsolete. In that case, I'll try to come back and make the necessary amendments.

If you have worked with managing your Azure resources through PowerShell, you will notice that Azure Subscriptions created through the Cloud Solution Partner (CSP) portal behave slightly differently. This post from August 2016 goes into detail on how to migrate from "traditional" Azure Subscriptions to "CSP" Subscriptions.

In my post, I want to just quickly show you some key points.

Azure Portal navigation

One thing you will quickly notice is that if you access the CSP portal and open the Azure Portal from there, all of the classic resource types in Azure are completely hidden. You can only create and operate on Azure Resource Manager (ARM) types of resources. So basically, this prevents you from using Azure Service Management API and any interface that assumes ASM, or "Classic Azure" as it is also named.

Another thing you'll notice is that if you try to navigate the Azure Portal directly (portal.azure.com), you do not necessarily see the Azure Subscriptions from your tenants in the list of Directories. I say "necessarily" because if your user has been explicitly granted the "owner" role on the tenant, that is a different story. One of the core features of the CSP program is that the partner already is "owner" through the Foreign Principal role, more specifically all users who have the AdminRights permissions within the CSP portal. You can read more about that here.

So in order to navigate to the customer's Azure resources, you need to explicitly go to the tenant through the URL. That will open the tenant's context and off you go. The URL will typically be something like this: https://portal.azure.com/TENANTNAME.onmicrosoft.com (or the customer's own domain, if it is fully set up).

Azure PowerShell management

What about PowerShell? Is that any different? YES!

If you run Login-AzureRmAccount without setting a context, you'll end up only seeing Azure Subscriptions you have access to explicitly. And even then, Azure Subscriptions created through CSP will behave differently.

The solution is rather easy, even if you could argue it's a bit cumbersome.
You need to explicitly set the context.

Here are some options available:

  • You either explicitly log in to the tenant and subscription:
    Login-AzureRmAccount -TenantId TENANT-GUID -SubscriptionId SUBSCRIPTION-GUID
  • Or log in "normally" and then run select with tenant and subscription:
    Select-AzureRmSubscription -TenantId TENANT-GUID -SubscriptionId SUBSCRIPTION-GUID
  • Or you could log in and set the context using the following command:
    Get-AzureRmSubscription -TenantId TENANT-GUID -SubscriptionId SUBSCRIPTION-GUID | Set-AzureRmContext

If you do not set the context explicitly, you will not be able to operate over the Azure resources.
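For a partner admin who can reach many customer tenants, it is worth confirming that the active context really is the intended tenant and subscription before running anything. The sketch below is an added example, not code from the original post: Use-CspSubscription is a hypothetical helper name, the GUIDs are placeholders, and the context property names are an assumption that differs between AzureRM releases, so both variants are tried.

```powershell
# Added example. Use-CspSubscription is a hypothetical helper, not an AzureRM cmdlet.
function Use-CspSubscription {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $TenantId,
        [Parameter(Mandatory = $true)] [string] $SubscriptionId
    )

    # Older AzureRM releases throw when no session exists; newer ones return
    # an empty context. Treat both as "not logged in".
    $ctx = $null
    try { $ctx = Get-AzureRmContext -ErrorAction Stop } catch { }

    if (-not $ctx -or -not $ctx.Account) {
        # Option 1 from the list above: log in straight to tenant and subscription.
        Login-AzureRmAccount -TenantId $TenantId -SubscriptionId $SubscriptionId `
            -ErrorAction Stop | Out-Null
    }
    else {
        # Option 3 from the list above: reuse the session and switch context.
        Get-AzureRmSubscription -TenantId $TenantId -SubscriptionId $SubscriptionId `
            -ErrorAction Stop | Set-AzureRmContext -ErrorAction Stop | Out-Null
    }

    # Read the context back and compare it with what was requested.
    # Assumption: the properties are TenantId/SubscriptionId in older AzureRM
    # releases and Id in newer ones, so take whichever is populated.
    $ctx = Get-AzureRmContext -ErrorAction Stop
    $activeTenant = @($ctx.Tenant.TenantId, $ctx.Tenant.Id) |
        Where-Object { $_ } | Select-Object -First 1
    $activeSub = @($ctx.Subscription.SubscriptionId, $ctx.Subscription.Id) |
        Where-Object { $_ } | Select-Object -First 1

    # Fail closed: stop the script rather than operate in the wrong tenant.
    if ("$activeTenant" -ne $TenantId -or "$activeSub" -ne $SubscriptionId) {
        throw "Active context is tenant '$activeTenant', subscription '$activeSub'; expected '$TenantId' / '$SubscriptionId'."
    }
    return $ctx
}

# Placeholders, replace with the customer's real values before running.
Use-CspSubscription -TenantId 'TENANT-GUID' -SubscriptionId 'SUBSCRIPTION-GUID'
```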

Now, some readers may have noticed that Azure Subscriptions created through CSP are inaccessible in the old Classic Azure Portal, which in turn keeps such a Subscription from being available on Lifecycle Services (LCS). LCS does support ARM by now, so I believe the solution should be just around the corner. We're just missing one minor piece for all of this to work together properly.

Have a nice Christmas holiday, everyone!