Unleash your Azure CSP subscription for Cloud Management Gateway deployments
The cloud management gateway (CMG) provides a simple way to manage Configuration Manager clients on the internet. By deploying the CMG as a cloud service in Microsoft Azure, you can manage traditional clients that roam on the internet ‘without’ additional (on-premise) infrastructure.
Create & deploy cloud services with an associate Azure subscription.
However, there is a limitation when deploying CMG using Azure CSP subscription.
This capability does not enable support for Azure Cloud Service Providers (CSP). The CMG deployment with Azure Resource Manager continues to use the classic cloud service, which the CSP does not support. For more information, see available Azure services in Azure CSP.
As CSP model is becoming more and more popular as Azure subscription, this scenario is a potential blocker for many customers having a CSP subscription which wants to deploy a CMG. The Microsoft product teams are aware of this situation and I’m sure they will solve this the sooner or later.
Converting your CSP subscription to an eligible Azure subscription is no option here (managed by CSP Partner). Therefore I would like to take you how to deploy a CMG while you’re on a CSP subscription. Yes it’s possible! In this blog I’ll describe what it takes to achieve this.The Subscription Configuration wizard during a CMG set up using a CSP subscription will fail and results in the following error below.
As CSP does not support classic cloud service deployments we need in addition to our current CSP* subscription, another Azure subscription. This can be a pay-as-you-go or in our example* an Visual Studio MSDN (MS-AZR-0029P) subscription.
*This feature isn’t available for CSP (MS-AZR-0145P, MS-AZR-0146P, MS-AZR-159P) and Microsoft Imagine (MS-AZR-0144P) subscriptions.
*In this post we used an MSDN subscription as an example, which is not recommended for enabling production workloads.
In essence we need to create resources in the Visual Studio subscription (grey – right) with an account sourced from the Azure default AD tenant (light blue – left) associated to the CSP subscription.
- Add an administrative account (owner) of Azure Visual Studio subscription (B) as guest user to Azure AD tenant (A);
- Accept the invitation received as administrator of the Visual Studio subscription (B) to access the new Azure AD tenant (A);
- Grant the new guest administrative user account (B) permissions (co-administrator) to the new Azure CSP subscription (A);
Now the administrative user account of Visual Studio subscription (B) have been added to Azure AD tenant (A) we can change the default directory of the Visual Studio subscription (B).
- Change associated directory (InSparkLabsoutlook.onmicrosoft.com) of Visual Studio subscription (B) to new Azure AD tenant (A) insparklabs.onmicrosoft.com.
- Next step is to grant Azure AD admin account (A) permissions (owner & co-administrator) to Azure Visual Studio subscription (B).
- Now we changed the directory of Visual Studio subscription (B) to Azure AD tenant (A) and granted access to Visual Studio subscription (B).
As we are able to create & manage resources in Visual Studio subscription (B) with an administrative account sourced from Azure AD tenant (A) we are ready now to deploy cloud services including a CMG.
- When deploying a CMG and signed in with an administrative user account of Azure AD tenant (A), now we have two Azure subscriptions (CSP & Visual Studio) available.
Recap
In this blog post we described how to extend you current Azure CSP subscription using an additional Azure subscription, associate (change directory) it to your default Azure AD tenant and grant permissions to the new Azure subscription. This allows you to create & manage cloud resources – and thus deploy a CMG – with your Azure CSP subscription as staring point.
Sources
Microsoft, Plan for the cloud management gateway in Configuration Manager
Microsoft, How to associate or add an Azure subscription to Azure Active Directory
Modern Workplace 