Understanding Partner Earned Credit

Learn more about Partner Earned Credit associated with the new commerce experience in CSP for Azure
MICROSOFT CSP DIRECT BILL AND INDIRECT PROVIDER CONFIDENTIAL Updated November 2019

Contents

1. What is Partner Earned Credit for services managed (PEC)? ........................................................... 2

2. The benefits to Customers and Partners .......................................................................................... 2
3. Considerations for Partners .............................................................................................................. 2
4. How is Partner Earned Credit (PEC) calculated and paid? ................................................................ 3
5. Partner’s Access to manage Azure Subscriptions ............................................................................. 4
6. Security and access control practices ............................................................................................... 6
7. How to validate whether the partner is earning PEC for usage?...................................................... 7
8. Azure Cost Management .................................................................................................................. 9
9. Additional resources ....................................................................................................................... 11
a. Appendix A ...................................................................................................................................... 11
 1. What is Partner Earned Credit for services managed (PEC)?
Partner earned credit for services managed (PEC) is a partner reward mechanism for Azure through
Microsoft’s new commerce experience in the Cloud Solution Provider (CSP) program. It is designed to
support a partner ecosystem focused on delivering value-added managed services as well as provide
customers and partners with unified Azure pricing across all of Microsoft Go-To-Market vehicles. By
focusing on specific partner business activities, PEC will help mitigate price-based competition and
better support a value-added services ecosystem.

With thousands of services in Azure and multiple options to buy, pricing can be challenging for many
customers and partners. In the new commerce experience for Azure, we have aligned to single global
pricing principles applicable to all motions we transact. CSP partners can provide greater transparency
to their customers and build trust by offering Azure at published prices.

The digital transformation of our customers requires an expanded set of activities and value from Azure
partners. Many customers look to partners to provide services above and beyond only
billing/transactions to facilitate their cloud journey and consumption of Azure services. Microsoft
partners play a critical role in all stages of the customer lifecycle by helping the customer navigate the
complex Azure journey and enable efficient consumption.

These kinds of partner services are on-going in nature and include Azure estate monitoring, policy and
governance management, set up and configuration fine-tuning, technical support and a variety of other
services. All of these services require a partner to be intimately familiar with the customer’s Azure
environment and have continuous and appropriate governance and control of the underlying resources
they provide management on. Partners providing this 24 X 7 cloud operations management activity will
become eligible for a “Partner earned credit for services managed” on the customer’s Azure estate
governed and controlled by the partner.

2. The benefits to Customers and Partners

• Customers can outsource their Azure Infrastructure management and billing to trustworthy
and qualified partners and focus on their core business activities
• Customers who need assistance in consuming Azure get to work with partners invested in
managed services on Azure that can drive cost and operational efficiencies
• Partners are rewarded for providing a robust managed services portfolio on Azure for their
customers
• Intimate association and management of the customer’s Azure projects will bring new
opportunities to the partner and help drive consumption growth

3. Considerations for Partners

As customers transition to cloud computing platforms, they are faced with managing not just a new set
of technologies, but also a new way of approaching management and operations of their digital estate.
While the cloud can bring greater business value and agility, it can also bring new concerns, including
lack of proper security and cost control.
Azure Partners have an opportunity to help customers understand how to manage, automate, and
optimize their digital estate hosted on Microsoft Azure. With managed services, Azure partners can help
customers on a continuous basis through day-to-day operations and support services which include:

• Cloud Operations & Management Services: Customers look to Microsoft partners to reduce
costs in Azure while reproducing the isolation, security policies, and audit models they have
today. They also expect partners to have mature practices and processes for identifying
workload suitability and ongoing operational costs of Azure. Automation and orchestration,
patching updates, configuration management, backup and disaster recovery, and identity
management are tasks that customers expect partners to operate and manage.

• Cloud Monitoring & Technical Support: In a cloud consumption world, the tools and
requirements have evolved, but the need of finding the right resource for managing IT
infrastructure hasn’t changed. Most organizations simply do not have the time, resources, or
dedicated staff required to monitor every aspect of IT, and this is where Managed Services
Partners (MSPs) can add the most value. While Azure offers many monitoring capabilities built
within the platform itself, partners who (a) provide additional deeper monitoring and tooling (b)
triage the false positives from the real alerts, and, (c) proactively act upon the alerts before any
measurable loss in performance; play an important role on the ongoing management of their
customers’ Azure estates:
• SYSTEM HEALTH MONITORING: Complete monitoring of VMs, CPU utilization, memory
usage, storage IOPs, and OS performance. This includes monitoring of application
performance and operational health as well as dashboards and reports on system health.
• LOG ANALYTICS AND ALERTING: Every client, device, and user accessing a network
produces data that is logged. Analyzing those logs can offer deep insights into performance,
security, resource consumption, and several other meaningful metrics.
• DATABASE MONITORING: A view into the customer’s database that helps MSPs ensure high
availability of database servers. This process involves keeping logs of size, connection time
and users of databases, analyzing use trends, and leveraging data to proactively remediate
issues
• APP PERFORMANCE MONITORING: End-to-end tracking of all aspects of an application (or
webpage). App monitoring involves watching every part — from shopping carts to
registration pages — of a customer’s app(s) for performance issues to provide the best user
experience possible.

Click here to learn more about how to expand your managed services portfolio with Azure

All of these services require appropriate access for partners into their customer’s Azure environment
and our commerce system will measure this access detail to calculate the applicable Partner Earned
Credit.

4. How is Partner Earned Credit (PEC) calculated and paid?

Partner Earned Credit recognizes and rewards partners that own the 24x7 IT operational control and
management of parts or the entire Azure environment of their customers in CSP. By default, in CSP,
partners are granted the necessary access rights to the customer’s subscription which allows them to
perform 24x7 operational management and control of the resources on the subscription. Additional
ways in which a customer can provision access for a transacting partner is described in section 5. The
monthly invoice amount is net of PEC and the partner will be able to see the details on their monthly
recon file.

Important eligibility and calculation information

• Partner should have an active MPN agreement and valid RBAC role to get earned credit for the
azure assets they manage (Refer to appendix (A) for valid roles).
• In the case of indirect providers and their indirect resellers, the indirect provider will be eligible
for PEC if either the indirect provider, or the indirect reseller or both (indirect provider and
indirect reseller) have 24x7 operational control and management of the customer’s Azure
resources in CSP.
• PEC is associated to billed (chargeable) consumption of a customer’s Azure estate purchased
through CSP and managed by the partner. PEC is made available only to CSP partners billed
directly by Microsoft (indirect provider, direct bill partner).
• Eligible Services: PEC is applicable to Azure services notated on the price list. When you are in
Partner Center click on “Export Azure plan price list”. Please note there are exceptions
including, but not limited to, third-party offers, Azure Reservations and Marketplace items.
• PEC is calculated daily and can be viewed in the daily recon file and monthly invoice recon file. A
partner (indirect provider or reseller in the case of Tier 2) must have access for the entire day
(24x7) to ensure they earn PEC.
• PEC details are shown in the invoice recon file.
• PEC is earned down to the Azure resource level. If the partner has valid access at the
subscription or resource group level, each resource that roles up to the higher entity will earn
PEC.
• Partners can view PEC details for their customers’ Azure consumption leveraging Azure Cost
Management. Learn more about Azure Cost Management.

5. Partner’s Access to manage Azure Subscriptions

Partners can earn PEC by providing value added services which require 24x7 operational control and
management of a customer’s Azure resources. In CSP there are different options available for
provisioning the required access to perform value added services. The various role-based access control
(RBAC) methods are:

• Admin on Behalf Of (AOBO): Partners who have a direct billing relationship with Microsoft and
provision a new subscription for a customer are granted 24x7 operational control and
management by default. With AOBO, any user with the Admin Agent role within the partner
tenant will have RBAC owner access to Azure subscriptions created within the CSP program. The
customer can manage access by navigating to the Access Control section in the Azure Portal.
Within the Role Assignments tab, they can choose to change the partner’s AOBO Access. If this is
desired by the customer, you can explore the following two options with the customer (Azure
Lighthouse and Directory or Guest Users or Service Principals).

• Azure Lighthouse: AOBO doesn’t provide the flexibility to create distinct groups that work with
different customers nor enable different roles for groups or users. Using Azure Lighthouse,
partners can assign different groups to different customers or roles. Because users will have the
 appropriate level of access through Azure delegated resource management, partners can reduce
the number of users who have the Admin Agent role (and thus have full AOBO access). This
helps improve security by limiting unnecessary access to the customers’ resources. It also gives
partners more flexibility to manage multiple customers at scale. For more information, please
refer to Azure Lighthouse and the Cloud Solution Provider program.

• Directory or Guest Users or Service Principals: Customers can delegate granular access to Azure
resources in CSP subscriptions by adding users in the customer directory or adding guest users
and assigning any RBAC roles. More details can be found here

Microsoft recommends partners leverage RBAC roles diligently using the best security practices with
least access principle (users have only the minimum permissions they need to perform their work).

Customers have the option to remove any access given to their partners. Partners should not coerce
customers to assign them appropriate access for the sole purpose of earning PEC from Microsoft -
failure to adhere with this requirement could make the partner ineligible to earn PEC.

How to Link Partner ID (MPN ID) for various RBAC Options

To reward partners for services they provide to customers, the existing model, utilizing margin for the
sale ofAzure in CSP is evolving to partner earned credit for services managed (PEC). To receive PEC, you
need to link the partner ID with the credentials used for managing the customer’s Azure resources. The
following tables show methods to associate the partner ID with various RBAC access options:

Category Scenario MPN ID Association

AOBO CSP Direct Bill partner or Indirect Provider creates Automatic

the subscription for the customer, CSP Direct or
(No Partner work required)
Indirect Provider is default owner of the
subscription using AOBO

CSP Direct Bill partner or Indirect Provider gives

access of the subscription to Indirect Reseller using
AOBO

Azure Lighthouse Partner creates a new Managed Services offer in Automatic

Marketplace, this offer is accepted on the CSP
(No Partner work required)
subscription and partner gets access to the CSP
subscription

Partner deploys ARM template in Azure Partner needs to associate

subscription MPN ID to the user or service
principal in the partner tenant.
More Information – Link
Partner ID
 Directory or Partner creates a new user or service principal in Partner needs to associate
Guest User the customer directory and give access of the CSP MPN ID to the user or service
subscription to the user principal in the customer
tenant. More Information –
Partner creates a new user or service principal in
Link Partner ID
the customer directory, adds the user to group and
gives access of the CSP Subscription to the group

6. Security and access control practices

Partner Security Requirements

Greater privacy safeguards and security are among our top priorities. We know that the best defense is
prevention and that we are only as strong as our weakest link. That is why we need everyone within the
customer – Partner – Microsoft ecosystem to act and ensure they have appropriate security protections
in place. To help safeguard partners and customers, we’re introducing a set of mandatory security
requirements for Advisors, Control Panel Vendors, and partners participating in the Cloud Solution
Provider program.

Partners who do not implement the mandatory security requirements will not be able to transact in the
CSP program or manage customer tenants leveraging delegate admin rights once these requirements
are activated. We are in the process of establishing the date for the activation of security safeguards for
the requirements and will notify partners with detailed information.

What actions do partners need to take?

Given the highly privileged nature of being a partner, we need to ensure that each user has an Multi
Factor Authentication (MFA) challenge for every single authentication. This can be accomplished
through one of the following ways:

• Implementing Azure AD Premium and ensuring that MFA is enforced for each user
• Implementing the baseline protection policies
• Implementing a third-party solution and ensuring MFA is enforced for each user

Starting August 1, 2019, all partners are required to enforce multi-factor authentication in their partner
tenant. Detailed information on these security requirements can be found at
https://docs.microsoft.com/partner-center/partner-security-requirements.

Partners can gain 24x7 operational control and management of a customer’s Azure resources in CSP by
leveraging different options provided through the role-based access control feature (RBAC). Microsoft
recommends partners to leverage RBAC diligently, following best practices enabled through Azure
Active Directory Privileged Identity Management resources.
 7. How to validate whether the partner is earning PEC for usage?
There are several ways a partner can confirm they are earning PEC on their customer’s managed Azure
resources:

• Review the daily usage file here. The unit price and effective unit price within the daily usage
file will be different if PEC has been applied. (Note there are other pricing factors that could
cause the unit price and effective price to be different other than when PEC is earned)
• View PEC details for the customer’s Azure consumption on Azure Cost management experience.
Learn more

You can create an Azure Monitor activity log alerts to receive the notification when your RBAC access is
removed from the CSP subscription.

1) Create Alert
2) Configure the action that you will like to take on the alert (Example – Email, Webhook etc. )

If you have specified the action as an email, you will receive an email notification if any role assignment
deletion occurs
 8. Azure Cost Management
View the charges for resources that have PEC applied in Azure Cost Management (ACM)

In ACM, Cost Analysis enables you as a partner to view the costs that have received the benefit of PEC.

1. In the Azure Portal, log in to the partner tenant and click on Cost Management + Billing
2. Click on Cost Management
3. Click on Cost Analysis
The Cost Analysis view will display the costs for the partner billing account for all of the services
purchased and consumed at the prices that the partner pays Microsoft .
4. Select PartnerEarnedCreditApplied in the drop down on a pivot chart to slice and dice costs that
have PEC applied. When PartnerEarnedCreditApplied property is True, the associated cost has
the benefit of the partner earned admin access.
When the PartnerEarnedCreditApplied property is False, the associated cost has not met the
required eligibility for the credit or the service purchased is not eligible for partner earned credit
Note:. Typically, usage for services takes 8-24 hours to appear in Cost Management and the PEC
credits will appear within 48 hours from time of access in Azure Cost Management.
5. You can also group by and filter by the PartnerEarnedCreditApplied property using the Group
by and Add Filter features to slice, dice and drill into costs that have PEC and the costs that have
no PEC applied.
 9. Additional resources
a. Appendix A
View the full list of roles and permissions required to earn partner earned credit here.

© 2021 Microsoft Corporation. All rights reserved. Microsoft provides this material solely for informational purposes. Details
are subject to change and may vary by geography. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS
TO THE INFORMATION IN THIS DOCUMENT.