Since a few months companies who are a CSP Direct and an Azure Expert MSP have the ability to transfer the billing ownership of an Azure subscription from an Enterprise Agreement to a CSP. A feature that has been long-awaited but it's finally here.
I am fortunate enough to work for a company which fits those requirements. But, unfortunately not many companies are both a CSP Direct and an Azure Expert MSP which means it's hard to find people to share experiences with. Thought I'd give it a try and share my experiences as even tho the process is pretty straight forward, it does take some planning and preparation to successfully transfer the billing ownership.
The process is pretty well documented (here). Whether the transfer is going to be a success depends completely on how well you read the documentation and do exactly as it tells you.
It's all about the preparation. A billing transfer is one of those things where you need to do everything exactly right. If you're like me and your first attempt consists of just trying the transfer and hope for the best, bookmark this page and come back when the transfer fails :)
First things first, this is a customer engagement. Your customer needs to participate in the process. The customer will eventually review your transfer request and perform the actual transfer.
To get started make sure you have met the following prerequisites:
- Have signed the Microsoft Partner Agreement as a CSP
- Are able to provision Azure Plans and have provisioned one for at least one customer
- Have Global Admin (or Admin Agent) access on the CSP Tenant
- Establish a reseller relationship with the customer tenant
- Set up an Azure Plan for that customer (this will provision a subscription in the customer tenant)
If you have all that sorted, it is time for some information gathering. and this is probably the most important step and having the right information will help you successfully run through the transfer process. The billing request needs to be sent to whoever is the account owner of the Enterprise Agreement. However, this user also needs to exist within the same directory as the subscription(s) to be transferred. If the transfer fails, this is probably where it went wrong. If you've never worked with Enterprise Agreement before, read up on roles for Enterprise Agreements. Before you transfer make sure you have the following figured out and prepared:
- You or the customer has access to the EA Portal and is or can create an account owner
- The subscription(s) to be transferred are under the same directory as the customer user performing the transfer (if they're not, either change the directory of the subscription or create a user)
Note that if your customer needs multiple subscriptions from multiple tenants to be transferred you need to repeat the process (including the reseller request) for each tenant.
Once you've got that all figured out and meet the prerequisites you can perform the transfer as documented here. If everything checks out, this will be a matter of minutes and the transfer will complete almost instantly.
Note that the transfer request can be only used once. If the customer only transfer one of the subscriptions (let's say to test if it works), you will need to send a new transfer request.
Once the transfer completes, the billing stops on the EA side and starts on the CSP side. It can take up to a few hours for consumption to show up in the Azure Portal and Partner Center.
If the customer purchased Azure Reservations, these won't be transferred along with the billing ownership transfer. You will need to create a support request with Microsoft to have the reservations migrated.
Market place items
As it goes with all subscription transfers, market place items are still a challenge. The transfer process will validate the contents of the subscription but be aware that all market place items deployed in the source environment within the EA, need to be available in the Azure Marketplace through CSP as well.
Role based access Control and Partner Earned Credits
All the roles currently configured on the subscription will remain as is. Note that if this is a new customer, by default you won't have "Admin on Behalf Of " access. Meaning, the Foreign Principal for your CSP tenant won't be provisioned with the "Owner" role on the customer Subscription. This has two consequences:
- You won't be able to access the customer environment by leveraging the Admin Agent role through Partner Center.
- If you have no access on the customer subscription and have not deployed Azure Lighthouse through the Azure Marketplace, you're not receiving Partner Earned Credits
There are multiple ways you can resolve this (or leave it as is). You either need help from the customer or in the case of a managed services contract and where the customer wants you to do everything (this happens more often that you'd expect), you can configure the access yourself.
If the customer wants to remain in control, the best play would be to onboard them onto your managing services using a market place offering with Azure Lighthouse.
If you're opting to configure this by yourself, you need to make sure the customer delegates you admin privileges when accepting the reseller request. This will provide you with Global Admin access on the customer tenant. To achieve this make sure the "DAP" setting is set to "true" in the reseller request URL.
Once you have the access you require, you can create a temporary user, login and elevate access by obtaining the User Access Administrator role. This will provide you with the ability to manage Role Based Access Control on all subscription under that directory.
Once you have that access you can configure the foreign principal by performing the steps as described here: https://heyazureguy.com/add-foreign-principal-group-to-azure-subscription/
This will simply guide you through the steps required to configure the foreign principal with "Owner" permissions on the subscription. Once you complete these steps you will be able to access the customer subscriptions as you normally would through Partner Center.
Please clean up after performing these steps. Remove the temporary user you created. This is not a configuration you want to run in production or accidentally provide the wrong people with this level of access.
This completes the transfer process. If everything checks out from the start, you can probably run through the documentation without any issues. However, if a transfer fails and you need to figure out why, having done the right preparation will help you identify the issue which probably means you or the customer don't have the right permissions or the directories don't match.
If you have any experiences performing these transfers and have feedback on the above content. Let me know and I'll update the post. There are not many companies that are able to perform these transfers and gathering experiences and sharing them will be much appreciated :)