Microsoft has several methods to identify and track the solutions and services from their Microsoft Partners.
One such method is the Partner Admin Link (PAL), which enables Microsoft to identify and recognize those partners who are helping customers achieve business objectives and realize value in the cloud.
This association helps Microsoft understand the ecosystem of IT service providers and to refine the tools and programs needed to best support its customers.
What data does PAL collect?
The PAL association provides no new customer data to Microsoft. It simply informs Microsoft where a Microsoft Partner is actively involved in a customer’s Azure environment. The PAL sends this information based on both permissions (Azure role) and scope (Subscription, Resource Group, Resource).
How to set the PAL?
Microsoft offers several ways to set the PAL. The approach we have found works best is to create a Service Principal with the Contributor role in the Resource Group where Atlas is deployed, and to set the PAL with ClearPeople's MPN ID (596855) on that Service Principal.
This method has several advantages: Service Principals incur no cost, they are easy to administer, and every login credential can be removed from the Service Principal once the PAL link has been set. With no credentials, nobody can sign in as that identity, so its Contributor assignment cannot be exercised. The role assignment itself remains, because PAL depends on it, and the Azure administrator can remove it at any time if ClearPeople's involvement in the environment ends.
We automate this process with a PowerShell script which creates a Service Principal named 'Atlas ClearPeople Partner Admin Link' with the 'Contributor' role in the Resource Group where Atlas is deployed:
ClearPeople PowerShell Script for setting PAL
The script* requires only three parameters: the Azure Resource Group where Atlas' resources are deployed, the Id of the Subscription that contains it, and the Id of the Tenant in which that subscription sits.
Usage is as in the example below:
PS C:\> cd ./deployment/scripts # or any other path to the script
PS C:\deployment\scripts> ./Link-CPPALToCustomer.ps1 `
-TenantId "abcd1234-1234-1234-1234-1234abcd1234" `
-SubscriptionId "abcd1234-1234-1234-1234-1234abcd1234" `
-ResourceGroupName "rg-atlas-contoso-production1"
The script is idempotent: you can run it repeatedly and the resulting configuration will always be the same. It creates our Service Principal if none is found, assigns the 'Contributor' role to the Service Principal in the Resource Group if it does not have it yet, and so on, but leaves every setting untouched if it is already satisfied.
This script will be part of the Atlas deployment package, so the PAL will be set up as part of the deployment process; however, there may be occasions where it needs to be run as a standalone script.
*Please reach out to your Atlas representative or CSA to receive the script or further instructions.
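Because the ClearPeople script itself is only available from your Atlas representative, the following is an added example, written for this article and not ClearPeople's script, that performs the same steps in the same order: sign in as the customer administrator, create or reuse the Service Principal, assign 'Contributor' on the Resource Group only if missing, sign in as the Service Principal with a short-lived secret, link (or correct) the partner ID, and finally strip every credential from the Service Principal. It assumes the Az modules (Az.Accounts, Az.Resources 5.x or later, which is the Microsoft Graph based version, and Az.ManagementPartner) and an account that can create app registrations and assign roles on the target Resource Group. The parameter names match the usage example above; the partner ID default is the MPN ID from this article, while the sign-in retry timings and the `-SpDisplayName` parameter are assumptions of this example.

```powershell
<#
  Added example, not the ClearPeople script: idempotent PAL setup on a
  service principal. Assumes Az.Accounts, Az.Resources >= 5.x (Graph based)
  and Az.ManagementPartner are installed and that the caller can create app
  registrations and assign roles on the Resource Group.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [string] $PartnerId = '596855',                               # ClearPeople MPN ID, from the article
    [string] $SpDisplayName = 'Atlas ClearPeople Partner Admin Link' # name is an assumption of this example
)
$ErrorActionPreference = 'Stop'

# 1. Sign in as the customer's administrator and pin tenant + subscription.
$null = Connect-AzAccount -Tenant $TenantId -Subscription $SubscriptionId
$adminContext = Set-AzContext -Subscription $SubscriptionId -Tenant $TenantId

# 2. Service principal: reuse it if it already exists, otherwise create it.
$sp = Get-AzADServicePrincipal -DisplayName $SpDisplayName | Select-Object -First 1
if (-not $sp) {
    $sp = New-AzADServicePrincipal -DisplayName $SpDisplayName
    Write-Host "Created service principal $($sp.Id)"
} else {
    Write-Host "Service principal $($sp.Id) already exists"
}

# 3. Contributor on the Resource Group only. Get-AzRoleAssignment also returns
#    assignments inherited from parent scopes, so filter on the exact scope.
$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName"
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' -Scope $scope |
    Where-Object { $_.Scope -eq $scope }
if (-not $existing) {
    $null = New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' -Scope $scope
    Write-Host "Assigned Contributor on $scope"
} else {
    Write-Host "Contributor already assigned on $scope"
}

# 4. Temporary secret (1 hour) so we can sign in *as* the service principal:
#    the management partner cmdlets act on the signed-in identity.
$cred = New-AzADSpCredential -ObjectId $sp.Id -EndDate (Get-Date).AddHours(1)
$secret = ConvertTo-SecureString $cred.SecretText -AsPlainText -Force
$spCredential = [pscredential]::new($sp.AppId, $secret)

try {
    # A freshly created secret can take a little while to replicate; retry.
    $signedIn = $false
    for ($attempt = 1; $attempt -le 6 -and -not $signedIn; $attempt++) {
        try {
            $null = Connect-AzAccount -ServicePrincipal -Credential $spCredential -Tenant $TenantId
            $signedIn = $true
        } catch {
            Start-Sleep -Seconds 10
        }
    }
    if (-not $signedIn) { throw "Could not sign in as '$SpDisplayName' with its new credential." }

    # 5. Link the partner ID, or correct it if a different one is linked.
    #    Get-AzManagementPartner throws when nothing is linked yet.
    $current = $null
    try { $current = Get-AzManagementPartner } catch { }
    if (-not $current) {
        $null = New-AzManagementPartner -PartnerId $PartnerId
        Write-Host "Linked partner ID $PartnerId"
    } elseif ($current.PartnerId -ne $PartnerId) {
        $null = Update-AzManagementPartner -PartnerId $PartnerId
        Write-Host "Updated partner ID from $($current.PartnerId) to $PartnerId"
    } else {
        Write-Host "Partner ID $PartnerId already linked"
    }
}
finally {
    # 6. Back to the administrator context, then remove *every* credential on
    #    the service principal (runs even if step 4 or 5 failed). The role
    #    assignment stays, which PAL needs; nobody can sign in as it any more.
    $null = Set-AzContext -Context $adminContext
    Get-AzADSpCredential -ObjectId $sp.Id | ForEach-Object {
        Remove-AzADSpCredential -ObjectId $sp.Id -KeyId $_.KeyId
    }
    Write-Host "Removed all credentials from service principal $($sp.Id)"
}
```

Two points worth checking when adapting this: the `finally` block deliberately removes all password and certificate credentials, not just the one it created, so do not share this Service Principal with anything that needs to authenticate; and if the partner ID is already linked, re-running the script changes nothing except that a throw-away secret is created and removed, which is the idempotent behaviour described above.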
What to do afterwards
You don't need to do anything afterwards. Once the script has run, it prints a message telling you whether it succeeded. You can view the Entra ID application from the App registrations blade in the Azure portal, and its 'Contributor' assignment on the Access control (IAM) blade of the Resource Group.
Learn more:
- Microsoft Learn - Link a partner ID to your account that's used to manage customers