Grant Azure Access to Your CSP Using PowerShell

As organizations partner with Cloud Solution Providers (CSPs) to manage their Azure environments, it’s essential to establish secure and controlled access. While Azure Lighthouse offers a scalable delegation model, many customers prefer a direct PowerShell-based approach for simplicity and flexibility.

This guide walks you through how to use Azure PowerShell to grant your CSP access to your Azure subscription or resource groups using Role-Based Access Control (RBAC).

Why Use PowerShell for CSP Access?

Assigning RBAC roles with PowerShell:

  • Gives you direct control over user and service principal access.
  • Suits small environments or temporary access needs.
  • Avoids the complexity of deploying ARM templates or managing Lighthouse delegation.

Tip: If you want scalable CSP management, explore Azure Lighthouse.

Prerequisites

Before proceeding, ensure:

  1. You’ve accepted the CSP’s reseller relationship.
  2. You have the Object ID of the CSP’s user or service principal.
  3. The latest Azure PowerShell module is installed:

     Install-Module -Name Az -AllowClobber -Scope CurrentUser

✅ Step-by-Step Guide to Grant CSP Access

Step 1: Connect to Azure

Connect-AzAccount

Log in with an account that has Owner or User Access Administrator rights on the target subscription.

Step 2: Set Variables

$subscriptionId = "<your-subscription-id>"
$principalId = "<CSP-user-or-service-principal-object-id>"
$roleName = "Contributor"  # Options: Reader, Owner, etc.

Step 3: Assign Role at Subscription Level

New-AzRoleAssignment `
  -ObjectId $principalId `
  -RoleDefinitionName $roleName `
  -Scope "/subscriptions/$subscriptionId"

Optional: Assign Role at Resource Group Level

$resourceGroupName = "ProductionRG"

New-AzRoleAssignment `
  -ObjectId $principalId `
  -RoleDefinitionName $roleName `
  -Scope "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName"

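Remove CSP access (the scope must match the scope used when the role was assigned; for a resource group assignment, pass the resource group scope instead):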

Remove-AzRoleAssignment `
  -ObjectId $principalId `
  -RoleDefinitionName $roleName `
  -Scope "/subscriptions/$subscriptionId"

Best Practices

  • Use least privilege: Assign only the roles necessary for the CSP.
  • Avoid using Owner role unless absolutely required.
  • Document all access grants for compliance and auditing.
  • Review access periodically using Azure AD and Activity Logs.
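
The periodic review recommended above can be scripted. The following is an added example, not part of the original guide: it lists every role assignment held by the CSP principal in the subscription and flags the ones that conflict with the least-privilege advice. The placeholders are the ones from Step 2; the list of high-risk roles, the finding labels and the CSV file name are assumptions chosen for illustration.

```powershell
# Added example: review what the CSP principal can do in one subscription.
$subscriptionId = "<your-subscription-id>"
$principalId    = "<CSP-user-or-service-principal-object-id>"

# Roles treated as high risk in this review (assumption; adjust to your policy).
$highRiskRoles = @("Owner", "User Access Administrator")

# Work against the subscription being reviewed.
Set-AzContext -Subscription $subscriptionId | Out-Null

$subScope = "/subscriptions/$subscriptionId"

# Role assignments for this principal that are visible in the current subscription.
$assignments = Get-AzRoleAssignment -ObjectId $principalId

$report = foreach ($a in $assignments) {
    $finding = if ($a.RoleDefinitionName -in $highRiskRoles) {
        "High-risk role"
    } elseif ($a.Scope -notlike "$subScope*") {
        # Assigned at a management group or root scope and inherited downward.
        "Assigned above the subscription"
    } elseif ($a.Scope -eq $subScope -and $a.RoleDefinitionName -ne "Reader") {
        "Non-Reader role at subscription scope"
    } else {
        "OK"
    }

    [pscustomobject]@{
        Role             = $a.RoleDefinitionName
        Scope            = $a.Scope
        Finding          = $finding
        RoleAssignmentId = $a.RoleAssignmentId
    }
}

# Show the result and keep a dated copy as the documented access record.
$report | Sort-Object Finding, Scope | Format-Table -AutoSize -Wrap
$report | Export-Csv -Path ".\csp-access-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Any row not marked "OK" is a candidate for narrowing to a resource group scope or a lower-privileged role, or for removal with Remove-AzRoleAssignment using the scope shown in the row.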

Using PowerShell to grant CSP access is a fast, flexible method for managing Azure subscriptions and resource groups. While it lacks the scalability and advanced audit features of Azure Lighthouse, it’s perfect for straightforward scenarios and temporary access needs.

Pro Tip: Automate access provisioning with a reusable PowerShell script to save time across multiple subscriptions.
