Azure Citadel
  • Blogs
  • Azure Arc
    • Overview
    • Azure Arc-enabled Kubernetes
      • Prereqs
      • Background
      • Deploy Cluster
      • Connect to Arc
      • Enable GitOps
      • Deploy Application
      • Enable Azure AD
      • Enforce Policy
      • Enable Monitoring
      • Enable Azure Defender
      • Enable Data Services
      • Enable Application Delivery
    • Azure Arc-enabled Servers
      • Prereqs
      • Scenario
      • Hack Overview
      • Azure Landing Zone
      • Arc Pilot resource group
      • Azure Monitoring Agent
      • Additional policy assignments
      • Access your on prem VMs
      • Create onboarding scripts
      • Onboarding using scripts
      • Inventory
      • Monitoring
      • SSH
      • Windows Admin Center
      • Governance
      • Custom Script Extension
      • Key Vault Extension
      • Managed Identity
    • Useful Links
  • Azure CLI
    • Install
    • Get started
    • JMESPATH queries
    • Integrate with Bash
  • Azure landing zone
    • ALZ Accelerator
      • Prereqs
      • Elevate
      • Bootstrap
      • Demote
      • Components
    • Deploy an Azure landing zone
      • Create an initial ALZ config
      • Add a local override library
      • Test locally
      • Run through the CI/CD workflow
    • Libraries
      • What is a library?
      • Policies, Assignments and Roles
      • Archetypes, Overrides and Architecture
      • Metadata and Policy Default Values
      • Custom libraries
    • Example Library Configs
      • Azure landing zone library
      • Azure landing zone library with overrides
  • Azure Lighthouse
    • Minimal Lighthouse definition
    • Using service principals
    • Privileged Identity Management
  • Azure Policy
    • Azure Policy Basics
      • Policy Basics in the Azure Portal
      • Creating Policy via the CLI
      • Deploy If Not Exists
      • Management Groups and Initiatives
    • Creating Custom Policies
      • Customer scenario
      • Policy Aliases
      • Determine the logic
      • Create the custom policy
      • Define, assign and test
  • Marketplace
    • Introduction
      • Terminology
      • Offer Types
    • Partner Center
    • Offer Type
    • Publish a VM Offer HOL
      • Getting Started
      • Create VM Image
      • Test VM Image
      • VM Offer with SIG
      • VM Offer with SAS
      • Publish Offer
      • Other VM Resources
    • Publish a Solution Template HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Publish a Managed App HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Managed Apps with AKS HOL
    • Other Managed App Resources
    • SaaS Offer HOLs
    • SaaS Offer Video Series
      • Video 1 - SaaS Offer Overview
      • Video 2 - Purchasing a SaaS Offer
      • Video 3 - Purchasing a Private SaaS Plan
      • Video 4 - Publishing a SaaS Offer
      • Video 5 - Publishing a Private SaaS Plan
      • Video 6 - SaaS Offer Technical Overview
      • Video 7 - Azure AD Application Registrations
      • Video 8 - Using the SaaS Offer REST Fulfillment API
      • Video 9 - The SaaS Client Library for .NET
      • Video 10 - Building a Simple SaaS Landing Page in .NET
      • Video 11 - Building a Simple SaaS Publisher Portal in .NET
      • Video 12 - SaaS Webhook Overview
      • Video 13 - Implementing a Simple SaaS Webhook in .NET
      • Video 14 - Securing a Simple SaaS Webhook in .NET
      • Video 15 - SaaS Metered Billing Overview
      • Video 16 - The SaaS Metered Billing API with REST
  • Microsoft Fabric
    • Theory
    • Prereqs
    • Fabric Capacity
    • Set up a Remote State
    • Create a repo from a GitHub template
    • Configure an app reg for development
    • Initial Terraform workflow
    • Expanding your config
    • Configure a workload identity
    • GitHub Actions for Microsoft Fabric
    • GitLab pipeline for Microsoft Fabric
  • Packer & Ansible
    • Packer
    • Ansible
    • Dynamic Inventories
    • Playbooks & Roles
    • Custom Roles
    • Shared Image Gallery
  • Partner Admin Link
    • Understanding PAL
    • Service principals with credentials
    • PAL tagging with a service principal
    • CI/CD pipelines & OpenID Connect
    • Using AzAPI in Terraform
    • User and guest IDs
    • Azure Lighthouse & PAL
    • PAL FAQ
  • REST API
    • REST API theory
    • Using az rest
  • Setup
  • Sovereign landing zone
    • ALZ Accelerator
      • Prereqs
      • Elevate
      • Bootstrap
      • Demote
      • Components
    • Deploy Sovereign landing zone
      • Create an initial SLZ config
      • Add a local override library
      • Test locally
      • Run through the CI/CD workflow
    • Libraries
      • What is a library?
      • Policies, Assignments and Roles
      • Archetypes, Overrides and Architecture
      • Metadata and Policy Default Values
      • Custom libraries
    • Reference Library Configs
      • Sovereign landing zone
      • Sovereign landing zone library with overrides
      • SLZ extended with a country pack
  • Terraform
    • Fundamentals
      • Initialise
      • Format
      • Validate
      • Plan
      • Apply
      • Adding resources
      • Locals and outputs
      • Managing state
      • Importing resources
      • Destroy
    • Get set up for Terraform
      • Cloud Shell
      • macOS
      • Windows with PowerShell
      • Windows with Ubuntu in WSL2
    • Using AzAPI
      • Using the REST API
      • azapi_resource
      • Removing azapi_resource
      • azapi_update_resource
      • Data sources and outputs
      • Removing azapi_update_resource
  • Virtual Machines
    • Azure Bastion with native tools & AAD
    • Managed Identities
  • About
  • Archive
  1. Home
  2. Partner Admin Link
  3. User and guest IDs
User and guest IDs
User and guest IDs
Partner Admin Link
Understanding PAL
Service principals with credentials
PAL tagging with a service principal
CI/CD pipelines & OpenID Connect
Using AzAPI in Terraform
User and guest IDs
Azure Lighthouse & PAL
PAL FAQ
  • In brief
  • Creating the Partner Admin Link
  • Why do you have to switch into each customer tenant for guest IDs?
  • Attestation

User and guest IDs

If you are have a user ID in a customer tenant then follow this page to configure Partner Admin Link. This is the primary use case covered in the Microsoft Learn docs but included here for completeness.

Table of Contents

  • In brief
  • Creating the Partner Admin Link
  • Why do you have to switch into each customer tenant for guest IDs?
  • Attestation

In brief

  1. Authenticate in the customer context:

    • sign on as the user the customer created for you in their tenant, or
    • if invited as a guest into their tenant then a) sign on and b) switch directory to the customer tenant

  2. Link your ID to the PartnerID using the CLI, PowerShell or the Azure Portal screen.

The information here is lifted straight from the main documentation which is found at https://aka.ms/partneradminlink.

Creating the Partner Admin Link

When you have access to the customer’s resources, use the Azure portal, PowerShell, or the Azure CLI to link your Partner ID to your user ID. Link the Partner ID in each customer tenant.

Important: Ensure you have authenticated as the correct user and are in the correct customer directory before proceeding.

  1. Open the Azure Portal.

  2. Click on the Settings icon at the top.

  3. Select the Microsoft partner network link in Useful Links at the bottom left.

    Microsoft partner network link on the Settings page in the Azure

  4. Enter your Partner ID.

    Link to a partner ID

  5. Click on the Link a partner ID button to save.

Use PowerShell to create the link

  1. Install the Az.ManagementPartner PowerShell module.

    Install-Module -Name Az.ManagementPartner -Repository PSGallery -Force

  2. Sign in to the customer’s tenant.

    Connect-AzAccount -TenantId <tenantId>

  3. Create the Partner Admin Link.

    New-AzManagementPartner -PartnerId <partnerId>

  4. Additional commands

    Display the partner ID.

    Get-AzManagementPartner

    Update the partner ID.

    Update-AzManagementPartner -PartnerId <partnerId>

    Delete the Partner Admin Link.

    Remove-AzManagementPartner -PartnerId <partnerId>

Use the Azure CLI to create the link

  1. Install the Azure CLI’s managementpartner extension.

    az extension add --name "managementpartner"

  2. Sign in to the customer’s tenant.

    az login --tenant "<tenantId>"

  3. Create the Partner Admin Link.

    az managementpartner create --partner-id "<partnerId>"
Example output:
{
  "createdTime": "2026-02-16T14:44:35.818407Z",
  "etag": 9,
  "id": "/providers/microsoft.managementpartner/partners/314159",
  "name": "314159",
  "objectId": "84964f8f-22ce-4a1e-ba9d-1e45a53ca1c4",
  "partnerId": "314159",
  "partnerName": "Azure Citadel",
  "state": "Active",
  "tenantId": "ac40fc60-2717-4051-a567-c0cd948f0ac9",
  "type": "Microsoft.ManagementPartner/partners",
  "updatedTime": "2026-02-17T13:48:41.4676825Z",
  "version": 9
}

Additional commands

  • Display the partner ID.

    az managementpartner show

  • Update the partner ID.

    az managementpartner update --partner-id "<partnerId>"

  • Delete the Partner Admin Link.

    az managementpartner delete --partner-id "<partnerId>"

Why do you have to switch into each customer tenant for guest IDs?

Your user ID in your home tenant may have been invited as a guest to multiple customer environments. You are signing in with the same MFA each time, so why do you need to switch into each customer tenant and recreate the Partner Admin Link in each one?

When you accept an invitation, Entra creates a new objectId in the customer’s tenant. (The User Principal Name for a guest ID includes #EXT#, e.g. first.last_partner.com#EXT#@customer.com.)

The Partner Admin Link is between the tenantId.objectId and the partnerId as you can see in the JSON output above for the Azure CLI commands.

Attestation

This command can be used to display information about the tenant, the security principal, and the Partner Admin Link. You first need to authenticate and ensure that you are in the correct customer context. This Bash command will work in the Cloud Shell, even in the PowerShell experience.

curl -sSL https://aka.ms/pal/attestation | bash
Example output:
{
  "tenantId": "ac40fc60-2717-4051-a567-c0cd948f0ac9",
  "tenantDisplayName": "Contoso",
  "tenantDefaultDomain": "contoso.com",
  "type": "user",
  "displayName": "Richard Cheney",
  "userPrincipalName": "richard.cheney@azurecitadel.com",
  "appId": null,
  "objectId": "74afa9e2-d243-414b-bab2-db8dd242827f",
  "partnerAdminLink": "/providers/microsoft.managementpartner/partners/314159",
  "partnerName": "Azure Citadel",
  "partnerId": "314159"
}
Example output:
{
  "tenantId": "ac40fc60-2717-4051-a567-c0cd948f0ac9",
  "tenantDisplayName": null,
  "tenantDefaultDomain": null,
  "type": "servicePrincipal",
  "displayName": "PAL (Partner Admin Link) for Azure Citadel",
  "userPrincipalName": null,
  "appId": "7b7fe81e-da85-4271-a065-b0a00634ae75",
  "objectId": "a52475b0-d310-41ac-a4b1-d1e3161e0127",
  "partnerAdminLink": "/providers/microsoft.managementpartner/partners/314159",
  "partnerName": "Azure Citadel",
  "partnerId": "314159"
}

This is useful if you need to copy and paste the output to prove that a link is in place for that customer context.

Source: https://www.azurecitadel.com/pal/users/
Published: 10 Oct 2025
Printed:
Using AzAPI in Terraform User and guest IDs Azure Lighthouse & PAL