For our Microsoft partners, it’s important to ensure that your Microsoft Partner Network (MPN) details are registered correctly against your customer’s cloud environments. This registration is necessary to ensure that you achieve all of the entitlements and benefits that Microsoft offers. In the case of Azure, this is covered by the Partner Admin Link (PAL) setting in each customer subscription.
PAL also assists Cloud Solution Providers (CSPs) by allowing the partner to earn the Partner Earned Credit (PEC) when their customers are on the new Microsoft Customer Agreement (MCA) and Azure Plan.
What is PAL?
In the beginning, Microsoft created Digital Partner of Record (DPOR), and it was good… well, kind of.
DPOR was the original way to link your MPN ID to a customer’s Azure environment, which gave you as the partner recognition for the revenue that Microsoft were receiving from the customer. The problem was that only one partner could be DPOR at any point in time. This left the big players (Large Account Resellers (LARs), typically) as the registered DPOR entity.
Now with PAL, any partner that provides services to a customer can link their MPN ID to the customer’s subscription(s) and receive benefits from Microsoft for doing so.
How is PAL configured?
PAL can be associated with a customer’s subscription by any user or service principal account that has eligible access to the subscription.
The user account could be a guest account, a direct account, or an account delegated access via Azure Lighthouse.
The service principal needs to be registered either in Azure Active Directory or via Azure Lighthouse.
Easy PAL configuration via Azure Lighthouse
When using Azure Lighthouse for delegated resource management, partners can do a one-time partner ID association that will subsequently connect the ID to every customer onboarded from then on. This is ideally done with a service principal, as a user account link will be removed if the user account is ever decommissioned.
Microsoft have provided instructions for this process here.
Automating PAL
Specific PowerShell cmdlets have been created for PAL, which means that the PAL association can be automated for ease of onboarding large numbers of customers. It also means a regular automation runbook can be scheduled to ensure that all new customers are captured for PAL. This makes a good backup to other avenues of association, such as the Lighthouse link above.
Automating PAL via service principal
This code block shows how to iterate through multiple tenants and subscriptions that the service principal has access to and set PAL for each of them. You will need to input a list of tenant IDs to iterate through as the first variable. This could be parameterized as well.
```powershell
# Variables
$CustomerTenantIds = @("<tenant1>","<tenant2>","<tenant3>")
$MpnPartnerId = "<MPN ID>"
# Note, it's recommended to keep the following secrets in a secure store such as Key Vault rather than hard-code them into the script
$SpClientId = "<AAD App ID for Service Principal>"
$SpSecret = "<Secret for Service Principal>"

# Convert to SecureString
[securestring]$secSpSecret = ConvertTo-SecureString $SpSecret -AsPlainText -Force
# Create credential object (PSCredential requires the SecureString, not the plain-text secret)
[pscredential]$Creds = New-Object System.Management.Automation.PSCredential ($SpClientId, $secSpSecret)

# Iterate through all tenants
foreach ($Tenant in $CustomerTenantIds) {
    # Login to Azure - Azure Automation
    try {
        "Logging in to Azure..."
        Add-AzAccount `
            -ServicePrincipal `
            -TenantId $Tenant `
            -Credential $Creds
        "Login complete."
    }
    catch {
        $ErrorMessage = "Error logging into Azure"
        Write-Output $ErrorMessage
        throw $_.Exception
    }

    # Get all subscriptions
    $AllSubscriptions = Get-AzSubscription | Select-Object Name, Id
    Write-Output "Checking $($AllSubscriptions.Count) subscriptions"

    # Loop through all subscriptions
    foreach ($Subscription in $AllSubscriptions) {
        # Switch to the subscription
        Set-AzContext -SubscriptionId $Subscription.Id | Out-Null
        # Get-AzManagementPartner throws when no link exists yet, so ignore that error and treat null as "not set"
        $PartnerStatus = Get-AzManagementPartner -ErrorAction Ignore
        # Use -eq for comparison; '=' would assign the MPN ID and always evaluate as true
        if ($PartnerStatus.PartnerId -eq $MpnPartnerId) {
            Write-Output "Subscription $($Subscription.Name) is already configured with MPN ID"
            continue
        }
        else {
            Write-Output "Setting MPN ID on subscription $($Subscription.Name)"
            New-AzManagementPartner -PartnerId $MpnPartnerId
        }
    }
}
```
Automating PAL via an interactive user
This code block will iterate through each tenant and subscription that you as a user have access to. Unfortunately, you will need to follow the interactive login process for each customer that has MFA enabled, so you’ll need to watch the script and follow those prompts as necessary. This approach is not recommended for large numbers of customers; the service principal approach is better suited there.
You don’t need the tenant list for this script as the Get-AzTenant cmdlet will return all Azure tenancies that your account has access to.
```powershell
$MpnPartnerId = "<MPN ID>"

# Login to Azure - interactive
try {
    "Logging in to Azure..."
    Add-AzAccount
    "Login complete."
}
catch {
    $ErrorMessage = "Error logging into Azure"
    Write-Output $ErrorMessage
    throw $_.Exception
}

# Get-AzTenant returns every tenant the signed-in account can access
$AllTenants = Get-AzTenant
foreach ($Tenant in $AllTenants) {
    # Re-authenticate against the tenant (MFA prompts appear here where enforced)
    Add-AzAccount -Tenant $Tenant.Id

    # Get all subscriptions
    $AllSubscriptions = Get-AzSubscription -TenantId $Tenant.Id | Select-Object Name, Id
    Write-Output "Checking $($AllSubscriptions.Count) subscriptions"

    # Loop through all subscriptions
    foreach ($Subscription in $AllSubscriptions) {
        # Switch to the subscription
        Set-AzContext -SubscriptionId $Subscription.Id -Tenant $Tenant.Id | Out-Null
        $PartnerStatus = Get-AzManagementPartner -ErrorAction Ignore
        if (!$PartnerStatus) {
            Write-Host "No admin link present."
            Write-Output "Setting MPN ID on subscription $($Subscription.Name)"
            New-AzManagementPartner -PartnerId $MpnPartnerId
        }
        # Use -eq for comparison; '=' would assign the MPN ID and always evaluate as true
        elseif ($PartnerStatus.PartnerId -eq $MpnPartnerId) {
            Write-Output "Subscription $($Subscription.Name) is already configured with MPN ID"
        }
        else {
            # A different partner ID is linked for this account; report it rather than silently skipping
            Write-Output "Subscription $($Subscription.Name) is linked to a different partner ID: $($PartnerStatus.PartnerId)"
        }
    }
}
```
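As a companion to the two scripts above, the following added example (not from the original post) is a read-only audit runbook for the scheduled backup check: it reports each subscription as linked, missing, or linked to a different partner ID, and takes the service principal credential from an Azure Automation credential asset instead of the script body. The asset name `PalServicePrincipal` and the `param` block are assumptions; the Az.Accounts and Az.ManagementPartner modules are required.

```powershell
# Added example: audit PAL state across customer tenants without changing anything.
# Assumes an Azure Automation credential asset named 'PalServicePrincipal' (hypothetical
# name) holds the service principal's app ID and secret.
param(
    [Parameter(Mandatory)] [string[]] $CustomerTenantIds,
    [Parameter(Mandatory)] [string]   $MpnPartnerId
)

# Pull the credential from the Automation account rather than hard-coding the secret
$Creds  = Get-AutomationPSCredential -Name 'PalServicePrincipal'
$Report = @()

foreach ($Tenant in $CustomerTenantIds) {
    try {
        Connect-AzAccount -ServicePrincipal -TenantId $Tenant -Credential $Creds | Out-Null
    }
    catch {
        # Record the failure and keep going; one broken tenant should not stop the audit
        $Report += [pscustomobject]@{ Tenant = $Tenant; Subscription = $null
                                      State  = "LoginFailed: $($_.Exception.Message)" }
        continue
    }

    foreach ($Subscription in Get-AzSubscription -TenantId $Tenant) {
        Set-AzContext -SubscriptionId $Subscription.Id -Tenant $Tenant | Out-Null

        # Get-AzManagementPartner errors when no link exists; treat that as 'Missing'
        $Partner = Get-AzManagementPartner -ErrorAction SilentlyContinue
        $State = if (-not $Partner)                           { 'Missing' }
                 elseif ($Partner.PartnerId -eq $MpnPartnerId) { 'Linked' }
                 else                                          { "OtherPartner:$($Partner.PartnerId)" }

        $Report += [pscustomobject]@{ Tenant = $Tenant; Subscription = $Subscription.Name; State = $State }
    }
}

# Summary by state, then the rows a scheduled remediation run would need to act on
$Report | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$Report | Where-Object { $_.State -ne 'Linked' } | Format-Table -AutoSize
```

Rows reported as `OtherPartner` are worth a closer look, since a link set by another account or partner will not be corrected by the `New-AzManagementPartner` scripts above.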
This example is one of many automated processes rhipe has available to automate the security, performance, availability and cost of Azure. Through the Parallo acquisition, rhipe can now bring these to our partners. If this is of interest, please contact your rhipe Account Manager for more information.
Disclaimer: While all care has been taken to test the accuracy of these scripts, test them before use and use them at your own risk; rhipe accepts no responsibility for the use, misuse, or accuracy of the scripts provided.