Azure Citadel
  • Blogs
  • Azure Arc
    • Overview
    • Azure Arc-enabled Kubernetes
      • Prereqs
      • Background
      • Deploy Cluster
      • Connect to Arc
      • Enable GitOps
      • Deploy Application
      • Enable Azure AD
      • Enforce Policy
      • Enable Monitoring
      • Enable Azure Defender
      • Enable Data Services
      • Enable Application Delivery
    • Azure Arc-enabled Servers
      • Prereqs
      • Scenario
      • Hack Overview
      • Azure Landing Zone
      • Arc Pilot resource group
      • Azure Monitoring Agent
      • Additional policy assignments
      • Access your on prem VMs
      • Create onboarding scripts
      • Onboarding using scripts
      • Inventory
      • Monitoring
      • SSH
      • Windows Admin Center
      • Governance
      • Custom Script Extension
      • Key Vault Extension
      • Managed Identity
    • Useful Links
  • Azure CLI
    • Install
    • Get started
    • JMESPATH queries
    • Integrate with Bash
  • Azure Landing Zones
    • ALZ Accelerator
      • Prereqs
      • Elevate
      • Bootstrap
      • Demote
      • Components
    • Deploy an Azure Landing Zone
      • Create an initial ALZ config
      • Run through the CI/CD workflow
    • Example Library Configs
      • Azure Landing Zone library
      • Azure Landing Zone library with overrides
  • Azure Lighthouse
    • Minimal Lighthouse definition
    • Using service principals
    • Privileged Identity Management
  • Azure Policy
    • Azure Policy Basics
      • Policy Basics in the Azure Portal
      • Creating Policy via the CLI
      • Deploy If Not Exists
      • Management Groups and Initiatives
    • Creating Custom Policies
      • Customer scenario
      • Policy Aliases
      • Determine the logic
      • Create the custom policy
      • Define, assign and test
  • Marketplace
    • Introduction
      • Terminology
      • Offer Types
    • Partner Center
    • Offer Type
    • Publish a VM Offer HOL
      • Getting Started
      • Create VM Image
      • Test VM Image
      • VM Offer with SIG
      • VM Offer with SAS
      • Publish Offer
      • Other VM Resources
    • Publish a Solution Template HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Publish a Managed App HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Managed Apps with AKS HOL
    • Other Managed App Resources
    • SaaS Offer HOLs
    • SaaS Offer Video Series
      • Video 1 - SaaS Offer Overview
      • Video 2 - Purchasing a SaaS Offer
      • Video 3 - Purchasing a Private SaaS Plan
      • Video 4 - Publishing a SaaS Offer
      • Video 5 - Publishing a Private SaaS Plan
      • Video 6 - SaaS Offer Technical Overview
      • Video 7 - Azure AD Application Registrations
      • Video 8 - Using the SaaS Offer REST Fulfillment API
      • Video 9 - The SaaS Client Library for .NET
      • Video 10 - Building a Simple SaaS Landing Page in .NET
      • Video 11 - Building a Simple SaaS Publisher Portal in .NET
      • Video 12 - SaaS Webhook Overview
      • Video 13 - Implementing a Simple SaaS Webhook in .NET
      • Video 14 - Securing a Simple SaaS Webhook in .NET
      • Video 15 - SaaS Metered Billing Overview
      • Video 16 - The SaaS Metered Billing API with REST
  • Microsoft Fabric
    • Theory
    • Prereqs
    • Fabric Capacity
    • Set up a Remote State
    • Create a repo from a GitHub template
    • Configure an app reg for development
    • Initial Terraform workflow
    • Expanding your config
    • Configure a workload identity
    • GitHub Actions for Microsoft Fabric
    • GitLab pipeline for Microsoft Fabric
  • Packer & Ansible
    • Packer
    • Ansible
    • Dynamic Inventories
    • Playbooks & Roles
    • Custom Roles
    • Shared Image Gallery
  • Partner Admin Link
    • Understanding PAL
    • User IDs & PAL
    • Service principals & PAL
    • CI/CD pipelines & PAL
    • Creating a dedicated PAL service principal
    • Azure Lighthouse & PAL
    • PAL FAQ
  • REST API
    • REST API theory
    • Using az rest
  • Setup
  • Sovereign Landing Zones
    • ALZ Accelerator
      • Prereqs
      • Elevate
      • Bootstrap
      • Demote
      • Components
    • Deploy Sovereign Landing Zone
      • Create an initial SLZ config
      • Run through the CI/CD workflow
      • Sovereign Landing Zone
    • Example Library Configs
      • Sovereign Landing Zone
      • Sovereign Landing Zone library with overrides
  • Terraform
    • Fundamentals
      • Initialise
      • Format
      • Validate
      • Plan
      • Apply
      • Adding resources
      • Locals and outputs
      • Managing state
      • Importing resources
      • Destroy
    • Get set up for Terraform
      • Cloud Shell
      • macOS
      • Windows with PowerShell
      • Windows with Ubuntu in WSL2
    • Using AzAPI
      • Using the REST API
      • azapi_resource
      • Removing azapi_resource
      • azapi_update_resource
      • Data sources and outputs
      • Removing azapi_update_resource
  • Virtual Machines
    • Azure Bastion with native tools & AAD
    • Managed Identities
  • About
  • Archive
  1. Home
  2. Partner Admin Link
Partner Admin Link
Partner Admin Link
Partner Admin Link
Understanding PAL
User IDs & PAL
Service principals & PAL
CI/CD pipelines & PAL
Creating a dedicated PAL service principal
Azure Lighthouse & PAL
PAL FAQ
  • Overview

Partner Admin Link

Microsoft-managed partners can configure Partner Admin Link for recognition of their influence in customer accounts.

Overview

Partner Admin Link is an important mechanism for Microsoft to recognise the influence and impact that partners to bring to their customers on Azure.

At one level it is fairly simple. If you have access to a customer environment as part of your managed service delivery then creating a Partner Admin Link associates the usage telemetry - which is always being collected for billing purposes - with the Partner ID. It is based on the RBAC role assignments for that access so that the partner gains recognition for the specific resources. Configuration for a user is quick and simple and doesn’t require any involvement from the customer.

However, there are several scenarios for how partners access customer environments and this set of guidance aims to help you get to those configurations quickly.

  • Need to quickly see how to configure Partner Admin Link as a user with PowerShell commands? Jump to the user page and select the PowerShell tab.
  • Need to do the same for a service principal? There is a service principal page for that too.
  • What if it is a service principal with no client secret, used in a pipeline? We have example GitHub workflows for that on the CI/CD page, and plan to extend that for Azure DevOps and GitLab.
  • Need to understand how to approach it if you are using Azure Lighthouse? That is here too, plus we have a separate area dedicated to covering example service offer definitions that will help you configure Partner Admin Link at scale.

You may also have questions on how it works as a mechanism. The Understanding PAL page should give you that grounding on how it all hangs together, and we will treat the Frequently Asked Questions as a live document based on any questions we get asked and that you post on our discussions page.

Understanding PAL

Learn about Partner Admin Link, why it's important, how it works, and your options.

User IDs & PAL

If you are have a user ID in a customer tenant to provide a managed service on their Azure services then follow this page to configure Partner Admin Link.

Service principals & PAL

Here is a short guide to creating Partner Admin Links for existing service principals.

CI/CD pipelines & PAL

Workload identities securely using OpenID Connect are becoming the prevailing standard. As they don't have client secrets then using a dedicated workflow is another approach to create a Partner Admin Link.

Creating a dedicated PAL service principal

In the final service principal scenario, we'll look at creating a service principal purely for recognition purposes.

Azure Lighthouse & PAL

Combining Partner Admin Link with Azure Lighthouse reduces some of the administrative overhead. How does it differ compared to more traditional PAL configurations?

PAL FAQ

The Understanding PAL page helps to answer most of your questions on Partner Admin Link. Here you'll find a link to the main Microsoft FAQ for PAL, plus an option to ask more questions here.

Previous Partner Admin Link Understanding PAL