Azure Citadel

Partner Admin Link

Microsoft-managed partners can configure Partner Admin Link for recognition of their influence in customer accounts.

Overview

Partner Admin Link is an important mechanism for Microsoft to recognise the influence and impact that partners bring to their customers on Azure.

At a surface level it is a simple mechanism. If a) you have access to a customer environment, b) you create a Partner Admin Link for your identity, and c) that identity has eligible RBAC role assignments, then the usage telemetry - which is always being collected for billing purposes - is also associated with your Partner ID. Here we cover the theory in more detail, and cover multiple scenarios that I have seen in my time working with - and for - Azure partners.

Understanding PAL

Learn about Partner Admin Link, why it's important, how it works, and your options.

Service principals with credentials

Do you need to create a Partner Admin Link for a service principal? Does it have eligible RBAC role assignments? Can you authenticate using its secret or certificate? If so, follow this guide.

PAL tagging with a service principal

There are a number of scenarios where you may not have eligible permanent access, and your recognition is being understated. We'll look at creating a new service principal purely for recognition purposes.

CI/CD pipelines & OpenID Connect

Pipelines or workflows commonly use service principals. Authenticating these securely using OpenID Connect is recommended to avoid the use of secrets or certificates. Here we show how to use a dedicated workflow to create the Partner Admin Link.

Using AzAPI in Terraform

Here is an example Terraform config to create the Partner Admin Link using azapi_resource_action, useful in CI/CD and subscription vending machine situations.

User and guest IDs

If you have a user ID in a customer tenant then follow this page to configure Partner Admin Link. This is the primary use case covered in the Microsoft Learn docs but is included here for completeness.

Azure Lighthouse & PAL

Combining Partner Admin Link with Azure Lighthouse reduces some of the administrative overhead. How does it differ compared to more traditional PAL configurations?

PAL FAQ

The Understanding PAL page helps to answer most of your questions on Partner Admin Link. Here you'll find a link to the main Microsoft FAQ for PAL, plus an option to ask more questions here.

The pages above give you advice on multiple scenarios for how partners are given access to customer environments and how you can configure Partner Admin Link to get the right recognition.

  • Need to quickly see how to configure Partner Admin Link as a user with PowerShell commands? Jump to the user page and select the PowerShell tab.
  • Need to do the same for a service principal? There is a service principal page for that too.
  • What if it is a service principal with no client secret, used in a pipeline? We have example GitHub workflows for that on the CI/CD page, and plan to extend that for Azure DevOps and GitLab.
  • Need to understand how to approach it if you are using Azure Lighthouse? That is here too, plus we have a separate area dedicated to covering example service offer definitions that will help you configure Partner Admin Link at scale.

You may also have questions on how it works as a mechanism. The Understanding PAL page should give you that grounding on how it all hangs together, and we will treat the Frequently Asked Questions as a live document based on any questions we get asked and that you post on our discussions page.
