Hey everyone! I'm looking for some insights regarding Microsoft partners and their involvement with Azure reservations. My customer is interested in obtaining reservations to reduce their VM costs, but the partner they've chosen created separate subscriptions for this purpose. They told us that they need to have Owner-level access to set up these reservations for us. This feels a bit sketchy to me since the customer is concerned about potential security risks of giving them such ownership, which would give them control over all resources created under those subscriptions. How should we handle this situation? Is there a way to restrict their access and disable inheritance?
3 Answers
This all seems quite puzzling! If you're indeed under CSP, remember that the partner’s role is to manage billing and they are responsible for granting appropriate permissions. If they’re not giving you the ability to self-serve, they might just end up adding the reservations for you. Make sure about your CSP status, because if you are, it could affect how they manage the reservations.
It sounds like you're dealing with CSP subscriptions. I suggest you have a chat with your partner about which RBAC roles are needed for Partner Earned Credit (PEC). Just so you know, being an Owner isn't necessary to purchase reservations. There's actually a specific Reservation Purchaser role that can do that, and it doesn't require Owner access. Also, remember that only certain roles qualify for PEC, so it’s good to ask about that!
And the lowest RBAC level for PEC is actually Support Request Contributor. This role is safe to use since it only lets the CSP raise support tickets, which is a pretty minimal requirement.
The Reservation Purchaser role is what you need for making those reservations happen.

Just a heads up, reservations don’t earn PEC, even if the partner makes the purchase.
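An added example, not from any poster in this thread: a Python check over role assignments exported with `az role assignment list --all -o json` that flags partner principals holding anything beyond the two roles named in the answers above. The sample data, the partner object ID and the rule that `ForeignGroup` principals count as the partner are assumptions.

```python
import json

# Roles the answers above name as sufficient for the partner.
ALLOWED_PARTNER_ROLES = {"Reservation Purchaser", "Support Request Contributor"}

# Constructed sample, shaped like `az role assignment list --all -o json`.
SAMPLE = json.loads("""[
 {"principalId": "00000000-0000-0000-0000-0000000000a1", "principalType": "User",
  "roleDefinitionName": "Owner",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"principalId": "00000000-0000-0000-0000-0000000000a1", "principalType": "User",
  "roleDefinitionName": "Reservation Purchaser",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"principalId": "00000000-0000-0000-0000-0000000000c1", "principalType": "User",
  "roleDefinitionName": "Owner",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"principalId": "00000000-0000-0000-0000-0000000000b2", "principalType": "ForeignGroup",
  "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app"}
]""")

# Hypothetical object ID of the partner's account in the customer tenant.
PARTNER_IDS = {"00000000-0000-0000-0000-0000000000a1"}

def scope_level(scope):
    """Classify how wide an assignment reaches; child scopes inherit it."""
    parts = [p.lower() for p in scope.strip("/").split("/") if p]
    if not parts:
        return "root"
    if parts[:2] == ["providers", "microsoft.management"]:
        return "management group"
    if parts[0] == "subscriptions" and len(parts) == 2:
        return "subscription"
    if parts[0] == "subscriptions" and len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource group"
    return "resource"

def audit(assignments, partner_ids):
    """Return partner assignments that exceed the allowed roles."""
    findings = []
    for a in assignments:
        partner = a.get("principalId") in partner_ids or a.get("principalType") == "ForeignGroup"
        if partner and a.get("roleDefinitionName") not in ALLOWED_PARTNER_ROLES:
            findings.append((a["principalId"], a["roleDefinitionName"], scope_level(a["scope"])))
    return findings

if __name__ == "__main__":
    for principal, role, level in audit(SAMPLE, PARTNER_IDS):
        print(f"REVIEW: {principal} holds {role} at {level} scope")
```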