@krnese
Created December 4, 2019 15:14
Demo script - Lighthouse
# Demo script
# Login to the MSP tenant
Connect-AzAccount
# Select InspireProd (customer subscription for demo)
if ((Get-AzContext).Subscription.Name -ne "InspireProd")
{
    Select-AzSubscription -SubscriptionName "InspireProd"
}
# Query Az Resource Graph
$MSPTenantId = "d6ad82f3-42af-4a15-ac1e-49e6c08f624e"
$subs = Get-AzSubscription
Search-AzGraph -Query "ResourceContainers | where type == 'microsoft.resources/subscriptions' | where tenantId != '$($MSPTenantId)' | project name, subscriptionId, tenantId" -Subscription $subs.SubscriptionId
# Examine the subscription() function
New-AzDeployment -Name demo01 -Location eastus -TemplateUri "https://raw.githubusercontent.com/krnese/AzureDeploy/master/ARM/deployments/offsite/outputs.json" -Verbose
# Deploy policy using subscription() function, conditions and logical operators
New-AzDeployment -Name tagPolicy -Location eastus -TemplateUri "https://raw.githubusercontent.com/Azure/Azure-Lighthouse-samples/master/Azure-Delegated-Resource-Management/templates/policy-add-or-replace-tag/addOrReplaceTag.json"
# New built-in policy for customers to audit delegation of scope(s)
(Get-AzPolicyDefinition -Id "/providers/Microsoft.Authorization/policyDefinitions/76bed37b-484f-430f-a009-fd7592dff818").Properties | ConvertTo-Json
# MSP opt-out from a delegation
Get-AzRoleDefinition -Name "Managed Services Registration assignment Delete Role"
Get-AzRoleAssignment | Select-Object DisplayName, RoleDefinitionName
# List the delegations visible in the current context, then remove every one returned
Get-AzManagedServicesAssignment
Get-AzManagedServicesAssignment | Remove-AzManagedServicesAssignment
Get-AzSubscription -SubscriptionName "InspireProd"
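
As an added example (not part of the original gist), a customer-side review of the authorizations in a Lighthouse registration definition, which is what the delegation audit and opt-out steps above concern. The JSON is constructed sample data following the `Microsoft.ManagedServices/registrationDefinitions` template schema; `Resolve-RoleName`, `Get-DelegationReview` and every ID other than the built-in role GUIDs are hypothetical.

```powershell
# Added example: flag write-capable delegations in a registration definition.
# Constructed sample data; tenant and principal IDs are placeholders.
$definitionJson = @'
{ "properties": {
    "managedByTenantId": "00000000-0000-0000-0000-000000000001",
    "authorizations": [
      { "principalId": "00000000-0000-0000-0000-0000000000a1", "principalIdDisplayName": "MSP Operators",
        "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c" },
      { "principalId": "00000000-0000-0000-0000-0000000000a2", "principalIdDisplayName": "MSP Readers",
        "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7" },
      { "principalId": "00000000-0000-0000-0000-0000000000a3", "principalIdDisplayName": "MSP Automation",
        "roleDefinitionId": "18d7d88d-d35e-4fb4-a5c3-7773c20a72d9",
        "delegatedRoleDefinitionIds": [ "b24988ac-6180-42a0-ab88-20f7382dd24c" ] }
    ] } }
'@

# Built-in role definition IDs (identical in every tenant)
$roleNames = @{
    'b24988ac-6180-42a0-ab88-20f7382dd24c' = 'Contributor'
    'acdd72a7-3385-48ef-bd42-f606fba81ae7' = 'Reader'
    '18d7d88d-d35e-4fb4-a5c3-7773c20a72d9' = 'User Access Administrator'
    '91c1777a-f3dc-4fae-b103-61d183457e46' = 'Managed Services Registration assignment Delete Role'
}
$writeRoles = 'Contributor', 'User Access Administrator'

function Resolve-RoleName([string]$Id) {
    # Unknown IDs are surfaced rather than dropped so they get a manual look
    if ($roleNames.ContainsKey($Id)) { $roleNames[$Id] } else { "Unknown ($Id)" }
}

function Get-DelegationReview {
    param([Parameter(Mandatory)][string]$Json)
    $props = ($Json | ConvertFrom-Json).properties
    foreach ($auth in $props.authorizations) {
        $role = Resolve-RoleName $auth.roleDefinitionId
        # Roles this principal may assign onward (only set for User Access Administrator)
        $canAssign = foreach ($id in $auth.delegatedRoleDefinitionIds) { Resolve-RoleName $id }
        [pscustomobject]@{
            ManagedByTenant = $props.managedByTenantId
            Principal       = $auth.principalIdDisplayName
            Role            = $role
            CanAssign       = @($canAssign) -join ', '
            NeedsReview     = ($role -in $writeRoles) -or ($role -like 'Unknown*')
        }
    }
}

Get-DelegationReview -Json $definitionJson | Format-Table -AutoSize
```

With the sample data, "MSP Operators" and "MSP Automation" are marked `NeedsReview`, and none of the three authorizations carries the Delete Role that the opt-out step in the script relies on.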