
 Azure tenant governance policy  

Permission guidelines for your Azure Subscriptions with Sherweb.

  •  The purpose of this document is to share Sherweb’s Azure tenant governance policy which aligns with Microsoft’s Azure security best practices, including least privilege access and Zero Trust principles.  

  • As the owner of your Azure Subscriptions, it’s important to understand what permissions are set automatically and what options you have when assigning permissions to Sherweb. 

  • For additional information on how this impacts your relationship with Sherweb, please refer to the Azure Service Schedule.  

 

Default permissions for all new Azure Subscriptions 

When a new Azure Subscription is created under the Sherweb tenant, the following will occur:  

  • The Sherweb Admin Agent (or Foreign Principal or Service Principal) will automatically be created on the Azure Subscription. 

  • Owner permissions will automatically be assigned to this role. 

  

For transfers only:  

  • To ensure we can support you through the transfer process, Owner permissions will need to be granted on the Azure Subscription for 10 days (or until the transfer is complete). After the transfer is complete, you can adjust access for Sherweb’s Foreign Principal on the Azure Subscription.  

  • To grant permissions on transferred subscriptions, see the PowerShell commands in the Procedures section. 
      

What least privilege access Azure RBAC roles should be assigned so Sherweb can support you? 

Below are the Azure role-based access control (RBAC) roles that we recommend so you can receive: 

  • Your Sherweb Azure discount (for Partners only). 

  • Support from Sherweb for CSP Indirect Provider-only actions, including: 

    • Requesting quota increases via the Azure Portal.

    • Cancelling existing Azure Reservations.
        

Note on your Sherweb Azure discount and support scope 

If no partner earned credit (PEC) eligible role is assigned to the Sherweb Foreign Principal, you will not receive your Sherweb Azure discount, and Sherweb will have limited or no ability to support you on your Azure Subscription. 

Support action | Azure RBAC role | Purpose | PEC eligible (enables Sherweb Azure discount)

Full access to manage all resources and assign roles in Azure RBAC | Owner | Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. | ✅ Yes 

Submitting Microsoft support tickets | Support Request Contributor | Allows Sherweb to open support tickets with Microsoft on your behalf via the Azure Portal. | ✅ Yes 

Requesting quota increases | Quota Request Operator | Enables quota increase requests via the Azure Portal. | No 

Cancelling Azure Reservations | Reservations Administrator | Required to cancel Reserved Instances. | No 

Learn more about the available built-in Azure RBAC roles that you can assign to your Azure Subscription  

 

Procedures: How to assign least privilege access or Owner permissions with Azure RBAC roles to maintain support and your Azure discount.

Here’s a step-by-step look at what’s required to assign the minimum level of permissions for Sherweb to support your Azure Subscription and for you to retain your Azure discount with Sherweb. 

 

Requirements

  • Have credentials on hand for a user with the Global Administrator role on the tenant to update.

  • We strongly recommend elevating your access before making Azure role changes (see Microsoft's guidance on elevating access for a Global Administrator):

https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal%2Centra-audit-logs

 

  • Know the data location for the tenant (Canada, USA, Europe): You can get the data location of the tenant using your account management portal Cumulus if needed.

 

  • Know the tenant ID: Each tenant (*.onmicrosoft.com) has a unique tenant ID. You can get your tenant ID using the Azure portal.


  • Know the Azure CSP subscription(s) ID: Each Azure subscription has a unique subscription ID. You can get your subscriptions ID using the Azure portal.

Step 1: Log in to your Azure Subscription and open PowerShell 

Step 2: Connect to your Azure account via PowerShell 

  • In the Azure Cloud Shell interface, enter the following command and hit Enter.

    Connect-AzAccount -UseDeviceAuthentication 

     

Step 3: Remove any existing privileged roles assigned to Sherweb on your Azure Subscription 

Step 4: Assign new permissions 

Below are the commands to assign specific permissions to a principal (i.e., the Sherweb Foreign Principal) on each individual Azure subscription.

  

Note: For <ADMIN_AGENTS_ID>, choose one of the following IDs: 

  • If the data location is USA: 065b0bfc-1277-41bc-bbb7-9b221db190c0 

  • If the data location is Canada: c3e7caf0-c590-4086-9467-abbcd2d62e58 

  • If the data location is Europe (main): e0ba3fef-0a31-4139-a9d4-4711b4324da4 

  • If the data location is Europe (secondary): 999d911a-e48f-4ed9-8a6b-6b3a07cdf6b0 

  • If the data location is the UK: 7cc94c08-5bdf-4615-b501-49167881e880 

 

Owner permissions (PEC Eligible) 

New-AzRoleAssignment -ObjectId "<ADMIN_AGENTS_ID>" -RoleDefinitionName "Owner" -Scope "/subscriptions/<SUBSCRIPTION_ID>" -ObjectType "ForeignGroup" 

 

Quota Request Operator 

New-AzRoleAssignment -ObjectId "<ADMIN_AGENTS_ID>" -RoleDefinitionName "Quota Request Operator" -Scope "/subscriptions/<SUBSCRIPTION_ID>" -ObjectType "ForeignGroup" 

 

Support Request Contributor (PEC Eligible) 

New-AzRoleAssignment -ObjectId "<ADMIN_AGENTS_ID>" -RoleDefinitionName "Support Request Contributor" -Scope "/subscriptions/<SUBSCRIPTION_ID>" -ObjectType "ForeignGroup" 

 

Reservations Administrator 

This role is assigned at the tenant-level Microsoft.Capacity scope rather than on an individual subscription. New-AzRoleAssignment identifies the principal with -ObjectId (it has no -PrincipalId parameter):

New-AzRoleAssignment -ObjectId "<ADMIN_AGENTS_ID>" -RoleDefinitionName "Reservations Administrator" -Scope "/providers/Microsoft.Capacity" -ObjectType "ForeignGroup" 

 

If you prefer Azure CLI to PowerShell, run the following commands using Azure CLI.

 

az login --tenant [Customer_Tenant_ID]

az account set --subscription [Azure_CSP_Subscription_ID]

az role assignment create --role "Owner" --assignee-object-id [AdminAgents_ID] --scope "/subscriptions/[Azure_CSP_Subscription_ID]" --assignee-principal-type "ForeignGroup"

 

Repeat the last two command lines for each additional Azure CSP subscription you want to update within the same tenant.
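The following script is an added example, not Sherweb's own tooling, that carries Steps 2 to 4 through end to end for one or more subscriptions in one run: it lists what the Sherweb Foreign Principal currently holds on each subscription, removes the subscription-scoped assignments (Step 3), assigns the chosen least-privilege roles from the table above (Step 4), and then re-reads the assignments so you can verify that no privileged role was left behind. It assumes the Az.Accounts and Az.Resources modules, an elevated session as described in the Requirements, and that the parameter values (tenant ID, subscription IDs, and the <ADMIN_AGENTS_ID> for your data location) are supplied by you; the -DryRun switch and the default role set are this example's own choices.

```powershell
# Added example (not Sherweb's script): audit, reset and re-assign the Sherweb
# Admin Agents foreign principal on CSP subscriptions with least-privilege roles.
# Assumes Az.Accounts / Az.Resources and an elevated (Global Administrator) session.
param(
    [Parameter(Mandatory)] [string]   $TenantId,          # your tenant ID
    [Parameter(Mandatory)] [string[]] $SubscriptionIds,   # Azure CSP subscription ID(s)
    [Parameter(Mandatory)] [string]   $AdminAgentsId,     # <ADMIN_AGENTS_ID> for your data location
    # Default set chosen for this example: Support Request Contributor is PEC eligible
    # (keeps the discount and support scope); Quota Request Operator is optional.
    [string[]] $Roles = @('Support Request Contributor', 'Quota Request Operator'),
    [switch]   $IncludeReservationsAdministrator,         # tenant-level Microsoft.Capacity assignment
    [switch]   $DryRun                                    # report only, change nothing
)

# Step 2: sign in to the tenant (device code flow works from Azure Cloud Shell).
Connect-AzAccount -Tenant $TenantId -UseDeviceAuthentication | Out-Null

foreach ($subId in $SubscriptionIds) {
    $scope = "/subscriptions/$subId"
    Set-AzContext -Subscription $subId | Out-Null

    # Step 3: remove only assignments made directly at this subscription scope
    # (e.g. the Owner role granted at provisioning or for a transfer).
    # Assignments inherited from a parent scope are reported but left alone.
    $existing = Get-AzRoleAssignment -ObjectId $AdminAgentsId -Scope $scope
    foreach ($ra in $existing) {
        if ($ra.Scope -ne $scope) {
            Write-Host "Inherited from $($ra.Scope): '$($ra.RoleDefinitionName)' (not removed here)"
            continue
        }
        Write-Host "Removing '$($ra.RoleDefinitionName)' from $scope"
        if (-not $DryRun) {
            Remove-AzRoleAssignment -ObjectId $AdminAgentsId -RoleDefinitionName $ra.RoleDefinitionName -Scope $scope
        }
    }

    # Step 4: assign the chosen least-privilege roles to the foreign group.
    foreach ($role in $Roles) {
        Write-Host "Assigning '$role' on $scope"
        if (-not $DryRun) {
            New-AzRoleAssignment -ObjectId $AdminAgentsId -RoleDefinitionName $role `
                -Scope $scope -ObjectType 'ForeignGroup' | Out-Null
        }
    }

    # Verify: show the resulting assignments and warn if a privileged role remains.
    $final = Get-AzRoleAssignment -ObjectId $AdminAgentsId -Scope $scope
    $final | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
    $privileged = $final | Where-Object {
        $_.RoleDefinitionName -in @('Owner', 'Contributor', 'User Access Administrator')
    }
    if ($privileged) {
        Write-Warning "Privileged role(s) still assigned for $scope : $($privileged.RoleDefinitionName -join ', ')"
    }
}

# Reservations Administrator lives at the tenant-level Microsoft.Capacity scope,
# so it is assigned once, not per subscription.
if ($IncludeReservationsAdministrator -and -not $DryRun) {
    New-AzRoleAssignment -ObjectId $AdminAgentsId -RoleDefinitionName 'Reservations Administrator' `
        -Scope '/providers/Microsoft.Capacity' -ObjectType 'ForeignGroup' | Out-Null
}
```

Save it as a .ps1 file and run it first with -DryRun to see which assignments would be removed and added; the verification block at the end is the check to keep after any manual change too, since a leftover Owner assignment silently defeats the least-privilege intent of the table above. The script deliberately skips assignments inherited from a management group or root scope, because removing those from inside a subscription loop would change access for every other subscription under that parent.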

 

Additional resources