Azure Subscription Permissions

Microsoft’s recommendation is to assign the Contributor role to the provider's service principal (as referenced here). However, based on feedback from service providers and resellers, the default has been changed to the Owner role. This was done to accommodate the support requests that typically come from resellers or customers who require additional access.

Additionally, as the documentation shows, the Owner and Contributor roles are both PEC (Partner Earned Credit) eligible. This is an important consideration: Reader access, for example, does not grant PEC and is therefore not suitable for most service providers. Many of the other roles and permissions listed on that page are resource-specific and will not grant PEC for the whole subscription.

Certainly this is a one-size-fits-all default. However, some customers with stricter security requirements may want to change or remove it. If the customer is not comfortable with the Owner role, the following changes could be considered after provisioning:

  • Change to the Contributor role.

  • Consider using custom permissions via Azure Lighthouse.

  • If the customer does not want the service provider to have access, but agrees to give equivalent access to their reseller, that could also satisfy the PEC requirements.

Note: Permissions changes on the Customer Tenant or Customer Subscription may impact provisioning success for NCE Azure orders. The Connector may fail at some statuses when appropriate access cannot be obtained.

Permissions FAQs

  • What is the Foreign Principal Permission?

    A permission that we and/or the partner can hold over the end customer's tenant/subscription in order to earn PEC and provide support/assistance.

  • What data can we see with this Foreign Principal Permission?

    The data you can see will depend on the permission level.

  • What can we do with the Foreign Principal Permission?

    This depends on the permission level. Its primary purpose is to earn PEC; however, it is also required to provision the subscription and provide support.

  • Is the Foreign Principal Permission mandatory? If so, what happens if this permission is removed?

    This depends on how far the permissions are reduced. If they are removed completely, it could affect the ability to provision Azure subscriptions if the appropriate access cannot be obtained.

  • What can I do if I do not want to use the Foreign Principal Permission?

    • Change to the Contributor role.

    • Consider using custom permissions via Azure Lighthouse.

    • If the customer does not want the Service Provider to have access, but agrees to give equivalent access to their reseller, that could also satisfy the PEC requirements.
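The "change to the Contributor role" option listed above (and in the earlier list of post-provisioning changes) can be carried out with the Azure CLI. The script below is an added example and is not CloudBlue's tooling or part of the original page. It assumes an Azure CLI session with rights to manage role assignments on the customer subscription, the object id of the service provider's foreign principal, and that principal's type as reported by the existing assignment (the `ServicePrincipal` default is an assumption; adjust it to what `az role assignment list` shows). It first reports whether the principal holds Owner or Contributor at subscription scope, which are the PEC-eligible roles the page names, and the swap adds Contributor before removing Owner so that access never drops below a PEC-eligible level while the change is in flight, which matters given the provisioning note above. With `DRY_RUN=1` (the default) the swap only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not CloudBlue's or Microsoft's code). Assumes an authenticated
# Azure CLI and a known foreign-principal object id. DRY_RUN=1 prints the
# role-assignment commands instead of executing them.
DRY_RUN="${DRY_RUN:-1}"

# run_or_echo: print the command in dry-run mode, execute it otherwise.
run_or_echo() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# list_assignments SUB PRINCIPAL: print "roleDefinitionName<TAB>scope" for
# every assignment the principal holds anywhere in the subscription.
list_assignments() {
  sub_id="$1"; principal="$2"
  az role assignment list --all --subscription "$sub_id" --assignee "$principal" \
    --query "[].[roleDefinitionName, scope]" -o tsv
}

# pec_eligible_scope SUB: read "role<TAB>scope" lines on stdin and succeed only
# if at least one is Owner or Contributor at the subscription scope itself.
# Reader and resource-scoped assignments do not count, per the page.
pec_eligible_scope() {
  sub_id="$1"
  awk -F'\t' -v scope="/subscriptions/$sub_id" '
    ($1 == "Owner" || $1 == "Contributor") && $2 == scope { found = 1 }
    END { exit found ? 0 : 1 }'
}

# swap_owner_for_contributor SUB PRINCIPAL [PRINCIPAL_TYPE]: grant Contributor
# first, then remove Owner, so the principal is never left without a
# PEC-eligible role mid-change. Principal type defaults to ServicePrincipal
# (assumption; use the type shown on the existing assignment).
swap_owner_for_contributor() {
  sub_id="$1"; principal="$2"; ptype="${3:-ServicePrincipal}"
  scope="/subscriptions/$sub_id"
  run_or_echo az role assignment create --role Contributor \
    --assignee-object-id "$principal" --assignee-principal-type "$ptype" --scope "$scope"
  run_or_echo az role assignment delete --role Owner --assignee "$principal" --scope "$scope"
}

# Usage (requires SUB and PRINCIPAL in the environment):
#   SUB=<subscription id> PRINCIPAL=<object id> sh azure-perms.sh check
#   SUB=<subscription id> PRINCIPAL=<object id> DRY_RUN=0 sh azure-perms.sh swap
case "${1:-}" in
  check)
    if list_assignments "$SUB" "$PRINCIPAL" | pec_eligible_scope "$SUB"; then
      echo "PEC-eligible (Owner/Contributor) assignment present at subscription scope"
    else
      echo "no PEC-eligible subscription-scope assignment found" >&2
      exit 2
    fi ;;
  swap)
    swap_owner_for_contributor "$SUB" "$PRINCIPAL" ;;
esac
```

Run `check` before and after the swap: it should succeed both times, because Contributor is added before Owner is removed. If it fails afterwards, the principal has been left with only resource-scoped or Reader access, which the page says will not earn PEC and may break provisioning.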
