Azure Citadel
  • Blogs
  • ARM
  • Azure Arc
    • Overview
    • Azure Arc-enabled Servers
      • Prereqs
      • Scenario
      • Hack Overview
      • Azure Landing Zone
      • Arc Pilot resource group
      • Azure Monitoring Agent
      • Additional policy assignments
      • Access your on prem VMs
      • Create onboarding scripts
      • Onboarding using scripts
      • Inventory
      • Monitoring
      • SSH
      • Windows Admin Center
      • Governance
      • Custom Script Extension
      • Key Vault Extension
      • Managed Identity
    • Azure Arc-enabled Kubernetes
      • Prereqs
      • Background
      • Deploy Cluster
      • Connect to Arc
      • Enable GitOps
      • Deploy Application
      • Enable Azure AD
      • Enforce Policy
      • Enable Monitoring
      • Enable Azure Defender
      • Enable Data Services
      • Enable Application Delivery
    • Useful Links
  • Azure CLI
    • Install
    • Get started
    • JMESPATH queries
    • Integrate with Bash
  • Azure Landing Zones
    • Prereqs
    • Day 1
      • Azure Baristas
      • Day 1 Challenge
    • Day 2
      • Example
      • Day 2 Challenge
    • Day 3
      • Day 3 Challenge
    • Useful Links
  • Azure Lighthouse
    • Minimal Lighthouse definition
    • Using service principals
    • Privileged Identity Management
  • Azure Policy
    • Azure Policy Basics
      • Policy Basics in the Azure Portal
      • Creating Policy via the CLI
      • Deploy If Not Exists
      • Management Groups and Initiatives
    • Creating Custom Policies
      • Customer scenario
      • Policy Aliases
      • Determine the logic
      • Create the custom policy
      • Define, assign and test
  • Azure Stack HCI
    • Overview
    • Useful Links
    • Updates from Microsoft Ignite 2022
  • Marketplace
    • Introduction
      • Terminology
      • Offer Types
    • Partner Center
    • Offer Type
    • Publish a VM Offer HOL
      • Getting Started
      • Create VM Image
      • Test VM Image
      • VM Offer with SIG
      • VM Offer with SAS
      • Publish Offer
    • Other VM Resources
    • Publish a Solution Template HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Publish a Managed App HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Managed Apps with AKS HOL
    • Other Managed App Resources
    • SaaS Offer HOLs
    • SaaS Offer Video Series
      • Video 1 - SaaS Offer Overview
      • Video 2 - Purchasing a SaaS Offer
      • Video 3 - Purchasing a Private SaaS Plan
      • Video 4 - Publishing a SaaS Offer
      • Video 5 - Publishing a Private SaaS Plan
      • Video 6 - SaaS Offer Technical Overview
      • Video 7 - Azure AD Application Registrations
      • Video 8 - Using the SaaS Offer REST Fulfillment API
      • Video 9 - The SaaS Client Library for .NET
      • Video 10 - Building a Simple SaaS Landing Page in .NET
      • Video 11 - Building a Simple SaaS Publisher Portal in .NET
      • Video 12 - SaaS Webhook Overview
      • Video 13 - Implementing a Simple SaaS Webhook in .NET
      • Video 14 - Securing a Simple SaaS Webhook in .NET
      • Video 15 - SaaS Metered Billing Overview
      • Video 16 - The SaaS Metered Billing API with REST
  • Microsoft Fabric
    • Theory
    • Prereqs
    • Fabric Capacity
    • Set up a Remote State
    • Create a repo from a GitHub template
    • Configure an app reg for development
    • Initial Terraform workflow
    • Expanding your config
    • Configure a workload identity
    • GitHub Actions for Microsoft Fabric
    • GitLab pipeline for Microsoft Fabric
  • Packer & Ansible
    • Packer
    • Ansible
    • Dynamic Inventories
    • Playbooks & Roles
    • Custom Roles
    • Shared Image Gallery
  • Partner Admin Link
    • Understanding PAL
    • User IDs & PAL
    • Service Principals & PAL
    • CI/CD Pipelines & PAL
    • Azure Lighthouse & PAL
    • PAL FAQ
  • REST API
    • REST API theory
    • Using az rest
  • Setup
  • Terraform
    • Fundamentals
      • Initialise
      • Format
      • Validate
      • Plan
      • Apply
      • Adding resources
      • Locals and outputs
      • Managing state
      • Importing resources
      • Destroy
    • Working Environments for Terraform
      • Cloud Shell
      • macOS
      • Windows with PowerShell
      • Windows with Ubuntu in WSL2
    • Using AzAPI
      • Using the REST API
      • azapi_resource
      • Removing azapi_resource
      • azapi_update_resource
      • Data sources and outputs
      • Removing azapi_update_resource
  • Virtual Machines
    • Azure Bastion with native tools & AAD
    • Managed Identities
  • About
  • Archive
  1. Home
  2. Partner Admin Link
  3. User IDs & PAL

Table of Contents

  • In brief
  • Creating the Partner Admin Link
  • Why do you have to switch into each customer tenant?

User IDs & PAL

If you are have a user ID in a customer tenant to provide a managed service on their Azure services then follow this page to configure Partner Admin Link.

Table of Contents

  • In brief
  • Creating the Partner Admin Link
  • Why do you have to switch into each customer tenant?

In brief

  1. Authenticate in the customer context:

    • sign on as the user the customer created for you in their tenant, or
    • if invited as a guest into their tenant then a) sign on and b} switch directory to the customer tenant

  2. Link your ID to the PartnerID using the CLI, PowerShell or the Azure Portal screen.

The information here is lifted straight from the main documentation which is found at https://aka.ms/partneradminlink.

Creating the Partner Admin Link

When you have access to the customer’s resources, use the Azure portal, PowerShell, or the Azure CLI to link your Partner ID to your user ID. Link the Partner ID in each customer tenant.

First, ensure you have authenticated as the correct user and you are in the correct customer directory.

  1. Open the Azure Portal.

  2. Click on the Settings icon at the top.

  3. Select the Microsoft partner network link in Useful Links at the bottom left.

    Microsoft partner network link on the Settings page in the Azure Portal

  4. Enter your Partner ID.

    Link to a partner ID

  5. Click on the Link a partner ID button to save.

Use PowerShell to create the link

  1. Install the Az.ManagementPartner PowerShell module.

    Install-Module -Name Az.ManagementPartner -Repository PSGallery -Force

  2. Sign in to the customer’s tenant.

    Connect-AzAccount -TenantId <tenantId>

  3. Create the Partner Admin Link.

    New-AzManagementPartner -PartnerId <partnerId>

  4. Additional commands

    Display the partner ID.

    Get-AzManagementPartner

    Update the partner ID.

    Update-AzManagementPartner -PartnerId <partnerId>

    Delete the Partner Admin Link.

    Remove-AzManagementPartner -PartnerId <partnerId>

Use the Azure CLI to create the link

  1. Install the Azure CLI’s managementpartner extension.

    az extension add --name "managementpartner"

  2. Sign in to the customer’s tenant.

    az login --tenant "<tenantId>"

  3. Create the Partner Admin Link.

    az managementpartner create --partner-id "<partnerId>"

  4. Additional commands

    Display the partner ID.

    az managementpartner show

    Update the partner ID.

    az managementpartner update --partner-id "<partnerId>"

    Delete the Partner Admin Link.

    az managementpartner delete --partner-id "<partnerId>"

Why do you have to switch into each customer tenant?

Your user ID in your home tenant may have been invited as a guest to multiple customer environments. You are signing in with the same MFA each time, so why do you need to switch into each customer tenant and recreate the Partner Admin Link in each one?

When you accept an invitation, Entra creates a new objectId in the customer’s tenant. (The User Principal Name for a guest ID includes #EXT#, e.g. first.last_partner.com#EXT#@customer.com.)

The Partner Admin Link is between the tenantId.objectId and the partnerId as you can see in the JSON output above for the Azure CLI commands.

Source: https://www.azurecitadel.com/pal/users/
Published: 10 Oct 2025
Printed:
Understanding PAL User IDs & PAL Service Principals & PAL