Registering your Microsoft Partner Network (MPN) details correctly against your customer’s cloud environments is important for every Microsoft partners. This registration is necessary to ensure that you achieve all of the entitlements and benefits that Microsoft offers. In the case of Azure, this is covered by the Partner Admin Link (PAL) setting in each customer subscription.
PAL also assists Cloud Solution Providers (CSPs) by allowing the partner to earn the Partner Earned Credit (PEC) when their customers are on the new Microsoft Customer Agreement (MCA) and Azure Plan.
What is PAL?
In the beginning, Microsoft created Digital Partner of Record (DPOR), and it was good… well, kind of.
DPOR was the original way to link your MPN ID to a customer’s Azure environment, which gave you as the partner recognition for the revenue that Microsoft were receiving from the customer. The problem was that only one partner could be DPOR at any point in time. This left the big players (Large Account Resellers (LARs), typically) as the registered DPOR entity.
Now with PAL, any partner that provides services to a customer can link their MPN ID to the customer’s subscription(s) and receive benefits from Microsoft for doing so.
How is PAL configured?
PAL can be associated to a customer’s subscription by any user or service principal account that has eligible access to the subscription.
The user account could be a guest account, direct account, or an account delegated access via Azure Lighthouse.
The service principal needs to either be registered via Azure Active Directory, or via Azure Lighthouse.
Easy PAL configuration via Azure Lighthouse
When using Azure Lighthouse for delegated resource management, partners can do a one-time partner ID association that will subsequently connect the ID to every customer onboarded from then on. This is ideally done with a service principal, as a user account link will be removed if the user account is ever decommissioned.
Microsoft have provided instructions for this process here.
Automating PAL
Specific PowerShell cmdlets have been created for PAL, which means that the PAL association can be automated for ease of onboarding large amounts of customers. It also means a regular automation runbook can be scheduled to ensure that all new customers are captured for PAL. This can make a good backup to other avenues of association, such as the Lighthouse link above.
Automating PAL via service principal
This code block shows how to iterate through multiple tenants and subscriptions that the service principal has access to and set PAL for each of them. You will need to input a list of tenant IDs to iterate through as the first variable. This could be parameterized as well.
# Variables $CustomerTenantIds = @("<tenant1>","<tenant2>","<tenant3>") $MpnPartnerId = "<MPN ID>" # Note, it's recommended to keep the following secrets in a secure store such as Key Vault rather than hard-code them into the script $SpClientId = "<AAD App ID for Service Principal" $SpSecret = "<Secret for Service Principal" # Convert to SecureString [securestring]$secSpSecret = ConvertTo-SecureString $SpSecret -AsPlainText -Force # Create credential object [pscredential]$Creds = New-Object System.Management.Automation.PSCredential ($SpClientId, $SpSecret) # Iterate through all tenants foreach ($Tenant in $CustomerTenantIds) { # Login to Azure - Azure Automation try { "Logging in to Azure..." Add-AzAccount ` -ServicePrincipal ` -TenantId $Tenant ` -Credential $Creds "Login complete." } catch { $ErrorMessage = "Error logging into Azure" Write-Output $ErrorMessage throw $_.Exception } #Get all subscriptions $AllSubscriptions = Get-AzSubscription | Select-Object Name, Id Write-Output "Checking $($AllSubscriptions.Length) subscriptions" #Loop through all subscriptions foreach ($Subscription in $AllSubscriptions) { #Switch to the subscription Set-AzContext -SubscriptionId $Subscription.Id | Out-Null $PartnerStatus = Get-AzManagementPartner if ($PartnerStatus.PartnerId = $MpnPartnerId) { Write-Output "Subscription $($Subscription.Name) is already configured with MPN ID" continue } else { Write-Output "Setting MPN ID on subscription $($Subscription.Name)" New-AzManagementPartner -PartnerId $MpnPartnerId } } }
Automating PAL via an interactive user
This code block will iterate through each tenant and subscription that you as a user have access to. Unfortunately, you will need to follow the interactive login process for each customer that has MFA enabled, so you’ll need to watch the script and follow those prompts as necessary. Not recommended for large numbers of customers for which the service principal avenue is more suited.
You don’t need the tenant list for this script as the Get-AzTenant cmdlet will return all Azure tenancies that your account has access to.
$MpnPartnerId = "<MPN ID>" #Login to Azure - Azure Automation try { "Logging in to Azure..." Add-AzAccount "Login complete." } catch { $ErrorMessage = "Error logging into Azure" Write-Output $ErrorMessage throw $_.Exception } $AllTenants = Get-AzTenant foreach ($Tenant in $AllTenants) { Add-AzAccount -Tenant $Tenant.Id #Get all subscriptions $AllSubscriptions = Get-AzSubscription -TenantId $Tenant.Id | Select-Object Name, Id Write-Output "Checking $($AllSubscriptions.Length) subscriptions" #Loop through all subscriptions foreach ($Subscription in $AllSubscriptions) { #Switch to the subscription Set-AzContext -SubscriptionId $Subscription.Id -Tenant $Tenant.Id | Out-Null $PartnerStatus = Get-AzManagementPartner -ErrorAction Ignore if (!$PartnerStatus) { Write-Host "No admin link present." Write-Output "Setting MPN ID on subscription $($Subscription.Name)" New-AzManagementPartner -PartnerId $MpnPartnerId } elseif ($PartnerStatus.PartnerId = $MpnPartnerId) { Write-Output "Subscription $($Subscription.Name) is already configured with MPN ID" } } }
This example is one of many automated processes Crayon has available to automate the security, performance, availability and cost of Azure. Through the Parallo, Crayon can now bring these to our partners. If this is of interest, please contact your Crayon Account Manager for more information.
Disclaimer: While all care has been taken to test the accuracy of these scripts – test them before use and use them at your own risk, Crayon accepts no responsibility for the use, misuse, or accuracy of the scripts provided.
Insights
Microsoft has announced price increases for the SPLA licensing program. Find out which products are affected and how Crayon can help you adapt before new prices take effect in January, 2025.
Vendor Announcements
Microsoft has announced price increases for the SPLA licensing program. Find out which products are affected and how Crayon can help you adapt before new prices take effect in January, 2025.
Webinars Series
Walk through the features of VMware Cloud Foundation and why it is a key tool for Crayon’s cloud partners.
Webinars Series
Tune into our latest CSP Updates session for important changes to pricing, promotion and discount offers and a focus on Secure Productivity with MDR ContraForce.
Training
Find out how our in-house Azure expertise helps you to leverage the full potential of the Azure Migrate and Modernise program.
Training
Which Wasabi consumption model is the right fit for various scenarios? We explore the options.
Case Studies
Cytrack Intelligence Systems founder, Nick Milan talks through why the Crayon ISV Innovation Hub program is the right fit for his business objectives.
Guides and eBooks
Dive into the detail of planned cloud adoptions for SMBs across the APAC region and where they need help from their tech service partners.
Podcast
Dr. Joe and his guests discuss how high-performance culture helps partners to position on value, earn trust and build stronger customer relationships.
Sales and Marketing
Pricing models, service definitions and competitive accelerators. Our latest webinar breaks down how to build a successful MSSP business.
Engage
Running builds, support and pre-sales for Microsoft? The CSP Masters Program is for you! get the details for the Sydney enablement workshop in October.
Blogs
From scrappy start-up to part of a global cloud powerhouse, disruption is in our DNA.
Case Studies
Learn how our Cloud Managed Services team helped this ISV modernise its IT operating environment with Microsoft Azure.
Blogs
When it comes to SPLA compliance, it’s far better to be transparent than to be exposed. Find out why and how Crayon can help.
Blogs
SMBs in Asia Pacific are maintaining or increasing their investments in cloud technologies, despite rocky market conditions. Find out why.
Blogs
Insights on the direction of SMB cloud adoptions across the region, and the capabilities they most value in their technology service providers.
