Foreign Principal Role for Azure Support

This document is intended to apply the "Foreign Principal Role", which is required to pass Microsoft's validation tool. This tool is used as an extra security checkpoint to ensure the case was created from the associated Tenant ID and Foreign Principal Role. The Azure CLI script, provided below, will need to be run against all Azure Subs that will be supported under this contract.

There are two steps to complete this process. First will be adding a reseller relationship and secondly running the Foreign Principle Role through Azure CLI.

Step 1: Click the following link to accept this invitation and authorize Shi International Corp. to be your Microsoft Cloud Solution Provider and accept the Microsoft Customer Agreement. https://admin.microsoft.com/Adminportal/Home?invType=ResellerRelationship&partnerId=7584ba9c-dd91-4745-9b7e-b4de9da3be7b&msppId=0#/partners/invitation Note: User with Global Admin permission is required to accept relationship.

Step 2: The Azure CLI will be applied to SHI's "AdminAgent" security group, which possesses the least privileged role required to submit a Microsoft support case. This will need to be ran by the client with both Global Admin and Owner roles over the Azure Sub.

This is SHI's "AdminAgents" AD security group ID: f628f068-9a43-4bcc-9cd9-fcf6c6582d04 that has already been added to the script below.

You may place more than one Azure Sub ID at a time by using a comma to separate them. Here is the Azure CLI to use:

az role assignment create --role “Support Request Contributor” --assignee-object-id f628f068-9a43-4bcc-9cd9-fcf6c6582d04 --scope "/subscriptions/add Subscription ID(s) here” --assignee-principal-type "ForeignGroup"