Service Principals & PAL
Here is a short guide to creating Partner Admin Links for existing service principals.
Introduction brief
The user of service principals is mentioned in the official documentation, and with respect to Azure Lighthouse - more on that later - it is a recommendation. One benefit of using a service principal is that you don’t face unintended issues with losing PAL recognition if users are removed from a customer’s tenant. This can occur if an employee leaves the organisation or changes roles.
Take the scenario where a team of people providing the managed service are all originally set up with Partner Admin Link and they all have equivalent access in the customer’s account. As people leave and join the team - and assuming those new joiners don’t create PAL links - then the PAL recognition is fine until the very last person from the original cohort leaves and then the recognition falls off a cliff. That does not happen if you also use a service principal.
This page assumes that there is an existing service principal that has existing Azure RBAC role assignments with PEC eligible roles, and that you have access to use the secret or certificate for authentication.
Service principal with secret or cert
Use PowerShell to create the link for a service principal
-
Install the Az.ManagementPartner PowerShell module.
Install-Module -Name Az.ManagementPartner -Repository PSGallery -Force -
Sign in to the customer’s tenant as the service principal.
Using a secret.
$clientSecret = ConvertTo-SecureString "<clientSecret>" -AsPlainText -Force $credential = New-Object System.Management.Automation.PSCredential("<clientId>", $clientSecret) Connect-AzAccount -ServicePrincipal -TenantId <tenantId> -Credential $credentialOr using a certificate.
Connect-AzAccount -ServicePrincipal -TenantId <tenantId> -CertificateThumbprint <thumbprint> -ApplicationId <clientId> -
Create the Partner Admin Link.
New-AzManagementPartner -PartnerId <partnerId>
The additional AzManagementPartner cmdlets are the same as for managing links for users.
Use the Azure CLI to create the link for a service principal
-
Install the Azure CLI’s managementpartner extension.
az extension add --name "managementpartner" -
Sign in to the customer’s tenant as the service principal.
Using a secret.
az login --service-principal --user "<clientId>" --password "<clientSecret>" --tenant "<tenantId>"Or using a certificate.
az login --service-principal --user "<clientId>" --tenant "<tenantId>" --certificate "<pathToCertificate>" -
Create the Partner Admin Link.
az managementpartner create --partner-id "<partnerId>"
The additional Azure CLI commands are the same as for managing links for users.
Use the REST API to create the link for a system assigned managed identity
The example here is for a system assigned managed identity on an Azure RHEL linux virtual machine, where the token is retrieved via the Instance Metadata Service (IMDS).
⚠️ Note that whilst it is possible to call the REST API directly, the only documentation for the API appears in the azure-rest-api-specs repo. Also, managed identities are not officially supported.
-
Install jq
sudo dnf install jq -yℹ️ You may need to use a different package manager to install jq if on a different linux distribution.
-
Use the Instance Metadata Service to get a token
token=$(curl -sSL -H "Metadata:true" 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' | jq -r .access_token) -
Define the partnerid
partnerId="31415927"⚠️ Set the partnerid variable to your location based Microsoft Partner ID.
-
Create the PAL link
curl --silent \ --header "Authorization: Bearer ${token}" \ --header "Content-Type: application/json" \ --data '{"partnerId": "'${partnerId}'"}' \ --request PUT \ "https://management.azure.com/providers/microsoft.managementpartner/partners/${partnerId}?api-version=2018-02-01"Using the example MPN ID, the JSON payload would be:
{"partnerId": "31415927"}And the uri would be:
"https://management.azure.com/providers/microsoft.managementpartner/partners/31415927?api-version=2018-02-01"
Partner Admin Link should now associate telemetry for all resources under the service principal’s RBAC role assignments, assuming they include a PEC eligible role.
Next
It is increasingly common in locked down environments to only allow CI/CD pipelines to deploy to production environments, and if the workload identities are configured using OpenID Connect as per security recommendations then what are your options? In the next page we’ll look at those CI/CD pipelines and federated credentials with example pipelines to configure the Partner Admin Link.