Registering your Microsoft Partner Network (MPN) details correctly against your customer’s cloud environments is important for every Microsoft partners. This registration is necessary to ensure that you achieve all of the entitlements and benefits that Microsoft offers. In the case of Azure, this is covered by the Partner Admin Link (PAL) setting in each customer subscription.
PAL also assists Cloud Solution Providers (CSPs) by allowing the partner to earn the Partner Earned Credit (PEC) when their customers are on the new Microsoft Customer Agreement (MCA) and Azure Plan.
In the beginning, Microsoft created Digital Partner of Record (DPOR), and it was good… well, kind of.
DPOR was the original way to link your MPN ID to a customer’s Azure environment, which gave you as the partner recognition for the revenue that Microsoft were receiving from the customer. The problem was that only one partner could be DPOR at any point in time. This left the big players (Large Account Resellers (LARs), typically) as the registered DPOR entity.
Now with PAL, any partner that provides services to a customer can link their MPN ID to the customer’s subscription(s) and receive benefits from Microsoft for doing so.
PAL can be associated to a customer’s subscription by any user or service principal account that has eligible access to the subscription.
The user account could be a guest account, direct account, or an account delegated access via Azure Lighthouse.
The service principal needs to either be registered via Azure Active Directory, or via Azure Lighthouse.
When using Azure Lighthouse for delegated resource management, partners can do a one-time partner ID association that will subsequently connect the ID to every customer onboarded from then on. This is ideally done with a service principal, as a user account link will be removed if the user account is ever decommissioned.
Microsoft have provided instructions for this process here.
Specific PowerShell cmdlets have been created for PAL, which means that the PAL association can be automated for ease of onboarding large amounts of customers. It also means a regular automation runbook can be scheduled to ensure that all new customers are captured for PAL. This can make a good backup to other avenues of association, such as the Lighthouse link above.
This code block shows how to iterate through multiple tenants and subscriptions that the service principal has access to and set PAL for each of them. You will need to input a list of tenant IDs to iterate through as the first variable. This could be parameterized as well.
# Variables $CustomerTenantIds = @("<tenant1>","<tenant2>","<tenant3>") $MpnPartnerId = "<MPN ID>" # Note, it's recommended to keep the following secrets in a secure store such as Key Vault rather than hard-code them into the script $SpClientId = "<AAD App ID for Service Principal" $SpSecret = "<Secret for Service Principal" # Convert to SecureString [securestring]$secSpSecret = ConvertTo-SecureString $SpSecret -AsPlainText -Force # Create credential object [pscredential]$Creds = New-Object System.Management.Automation.PSCredential ($SpClientId, $SpSecret) # Iterate through all tenants foreach ($Tenant in $CustomerTenantIds) { # Login to Azure - Azure Automation try { "Logging in to Azure..." Add-AzAccount ` -ServicePrincipal ` -TenantId $Tenant ` -Credential $Creds "Login complete." } catch { $ErrorMessage = "Error logging into Azure" Write-Output $ErrorMessage throw $_.Exception } #Get all subscriptions $AllSubscriptions = Get-AzSubscription | Select-Object Name, Id Write-Output "Checking $($AllSubscriptions.Length) subscriptions" #Loop through all subscriptions foreach ($Subscription in $AllSubscriptions) { #Switch to the subscription Set-AzContext -SubscriptionId $Subscription.Id | Out-Null $PartnerStatus = Get-AzManagementPartner if ($PartnerStatus.PartnerId = $MpnPartnerId) { Write-Output "Subscription $($Subscription.Name) is already configured with MPN ID" continue } else { Write-Output "Setting MPN ID on subscription $($Subscription.Name)" New-AzManagementPartner -PartnerId $MpnPartnerId } } }
This code block will iterate through each tenant and subscription that you as a user have access to. Unfortunately, you will need to follow the interactive login process for each customer that has MFA enabled, so you’ll need to watch the script and follow those prompts as necessary. Not recommended for large numbers of customers for which the service principal avenue is more suited.
You don’t need the tenant list for this script as the Get-AzTenant cmdlet will return all Azure tenancies that your account has access to.
$MpnPartnerId = "<MPN ID>" #Login to Azure - Azure Automation try { "Logging in to Azure..." Add-AzAccount "Login complete." } catch { $ErrorMessage = "Error logging into Azure" Write-Output $ErrorMessage throw $_.Exception } $AllTenants = Get-AzTenant foreach ($Tenant in $AllTenants) { Add-AzAccount -Tenant $Tenant.Id #Get all subscriptions $AllSubscriptions = Get-AzSubscription -TenantId $Tenant.Id | Select-Object Name, Id Write-Output "Checking $($AllSubscriptions.Length) subscriptions" #Loop through all subscriptions foreach ($Subscription in $AllSubscriptions) { #Switch to the subscription Set-AzContext -SubscriptionId $Subscription.Id -Tenant $Tenant.Id | Out-Null $PartnerStatus = Get-AzManagementPartner -ErrorAction Ignore if (!$PartnerStatus) { Write-Host "No admin link present." Write-Output "Setting MPN ID on subscription $($Subscription.Name)" New-AzManagementPartner -PartnerId $MpnPartnerId } elseif ($PartnerStatus.PartnerId = $MpnPartnerId) { Write-Output "Subscription $($Subscription.Name) is already configured with MPN ID" } } }
This example is one of many automated processes Crayon has available to automate the security, performance, availability and cost of Azure. Through the Parallo, Crayon can now bring these to our partners. If this is of interest, please contact your Crayon Account Manager for more information.
Disclaimer: While all care has been taken to test the accuracy of these scripts – test them before use and use them at your own risk, Crayon accepts no responsibility for the use, misuse, or accuracy of the scripts provided.
Insights
SMBs across the APAC are not just increasing their technology investments—they are making strategic, forward-thinking moves to position themselves for long-term growth.
Podcast
Crayon's Global Lead for Hosting Partners, Andreas Bergman joins Microsoft's Hybrid Cloud Partners podcast to share cloud trends from around the world.
Insights
Small to medium-sized businesses in the APAC region are gearing up tech investments to drive outcomes for customer experience, revenue, business adaptability and innovation. How will SMBs leverage emerging technologies to achieve their strategic objectives?
Insights
What are the most critical business objectives and solution adoption priorities for SMBs in our region? Download the latest Forrester study to find out!
Case Studies
Working with Crayon, AfterDark scaled its ability to build longer-term cybersecurity engagements with customers.
Vendor Announcements
Microsoft changes to its licensing programs means some customers will not be able to renew EAs. Find out how to transition them to CSP in hours, with no disruption or upfront cost, only with Crayon.
Business
Seven smart strategies to fully leverage Solutions Partner Designation benefit portfolios.
Case Studies
Learn how our Cloud Managed Services team helped this ISV modernise its IT operating environment with Microsoft Azure.
Blogs
When it comes to SPLA compliance, it’s far better to be transparent than to be exposed. Find out why and how Crayon can help.
Blogs
SMBs in Asia Pacific are maintaining or increasing their investments in cloud technologies, despite rocky market conditions. Find out why.
Blogs
Crayon cloud security assessments help partners lock down M365 and Azure environments and build profitable cybersecurity practices. Learn how.
Blogs
Insights on the direction of SMB cloud adoptions across the region, and the capabilities they most value in their technology service providers.
