Azure-docs: Why does deployment to customer tenant have to be done with a member of the customer tenant? How about AOBO?

Created on 15 Apr 2020 · 4Comments · Source: MicrosoftDocs/azure-docs

https://docs.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer#deploy-the-azure-resource-manager-templates

So far when testing this out, we've been using AOBO from our CSP Partner tenant to a customer tenant, and it seems to work.

Why does documentation say that it has to be done by a member of the customer tenant?
What limitations do I have with a AOBO admin in this regard, it will be owner on the subscription, isn't that enough?
A B2B user with Global Admin (Azure AD) and Owner (Subscription) will not work either? Why?

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

ID: 85dc331a-0f34-f9a2-43d9-8ab7e0e635c6
Version Independent ID: 96c07c81-f84c-f47b-659c-b3d055aefb03
Content: Onboard a customer to Azure delegated resource management - Azure Lighthouse
Content Source: articles/lighthouse/how-to/onboard-customer.md
Service: lighthouse
GitHub Login: @JnHs
Microsoft Alias: jenhayes

Pri2 assigned-to-author lighthoussvc product-question triaged

Source

o-l-a-v

All 4 comments

@o-l-a-v, thank you for reaching out. We are looking into this and would get back to you soon on this thread.

souravmishra-msft on 15 Apr 2020

@o-l-a-v As per document, user of the customer tenant can deploy ARM template. As per my understanding user can be AOBO or any user who has Owner role.

@JnHs Can you please provide your insights on the same?

SwathiDhanwada-MSFT on 20 Apr 2020

Hi @o-l-a-v - sorry for the delayed response. Yes, any user with AOBO access can onboard a subscription. This is mentioned on our CSP topic https://docs.microsoft.com/en-us/azure/lighthouse/concepts/cloud-solution-provider#azure-delegated-resource-management but I'll clarify this in the onboarding topic as well.