Fix subscription financial management features for AAD B2B users
When a subscription is linked to an AAD directory where the subscription Account Admin is not a "native" user, but instead a user added via AAD B2B from another directory, certain financial management features in the Azure Portal display "access denied" or "unauthorized" messages instead of working properly.
These features include:
- payment methods
- invoices
- adding credits to an OPEN subscription
This is a sample setup where the problem appears:
1. An organization has multiple AAD directories:
a) the main, "office" AAD directory, where all user accounts are created,
b) several AAD directories assigned to specific products and/or development teams (a team has full administrative access to its own AAD, but for security reasons cannot have the same access to the main company AAD). User accounts from the main AAD are added to product/team AADs as Members.
2. Several Azure subscriptions are created to fulfill the needs of various teams and products. Each subscription is then linked to the product- or team-specific AAD for resource access control purposes.
3. When an Account Admin of subscription "SomeProduct production" attempts to perform financial management tasks, such as updating payment methods, in the Azure Portal:
a) when she is in the context of the home directory of her user account (the main company AAD), subscription "SomeProduct production" is not visible in the Subscriptions blade,
b) when she switches to the AAD directory the subscription "SomeProduct production" is linked to ("someproductprod.onmicrosoft.com"), subscription "SomeProduct production" is indeed visible, but attempting to access financial features results in errors.
