Services & Support
Expert Support
Foreign Principal Role for Azure Support
2 min
this document is intended to apply the "foreign principal role", which is required to pass microsoft's validation tool this tool is used as an extra security checkpoint to ensure the case was created from the associated tenant id and foreign principal role the azure cli script, provided below, will need to be run against all azure subs that will be supported under this contract there are two steps to complete this process the first step is adding a reseller relationship and the second is running the foreign principle role through azure cli click the following link to accept this invitation and authorize shi international corp to be your microsoft cloud solution provider and accept the microsoft customer agreement https //admin microsoft com/adminportal/home?invtype=resellerrelationship\&partnerid=7584ba9c dd91 4745 9b7e b4de9da3be7b\&msppid=0#/partners/invitation note user with global admin permission is required to accept the relationship the azure cli will be applied to shi's "adminagent" security group, which possesses the least privileged role required to submit a microsoft support case this will need to be run by the client with both global admin and owner roles over the azure sub this is shi's "adminagents" ad security group id f628f068 9a43 4bcc 9cd9 fcf6c6582d04 that has already been added to the script below you may place more than one azure sub id at a time by using a comma to separate them here is the azure cli to use az role assignment create role "support request contributor" assignee object id f628f068 9a43 4bcc 9cd9 fcf6c6582d04 scope "/subscriptions/ add subscription id(s) here add subscription id(s) here " assignee principal type "foreigngroup" access to all subscriptions use this azure cli script in the scenario customer wants to give us access to all subscriptions across all management groups \#!/bin/bash \# get all accessible subscriptions subscriptions=$(az account list query "\[] id" o tsv) \# loop through each subscription for subscription in $subscriptions; do echo "processing subscription $subscription" \# set the current subscription context az account set subscription "$subscription" \# assign role for tenantadmins az role assignment create \\ \ assignee "f628f068 9a43 4bcc 9cd9 fcf6c6582d04" \\ \ role "support request contributor" \\ \ scope "/subscriptions/$subscription" done