Obtain permissions to manage a customer’s service or subscription

Appropriate roles: Admin agent | Sales agent

To manage a customer's service or subscription on their behalf, the customer must grant you administrator permissions for that service. To get administrator permissions from a customer, email them a reseller relationship request. After the customer approves your request, you can sign in to the service's admin portal and manage the service on the customer's behalf.

Invite a customer to establish a reseller relationship with you

To invite a customer to establish a reseller relationship with you:

  1. Sign in to the Partner Center dashboard and select the Customers tile.

  2. Select Request a reseller relationship.

  3. To request administrator permissions from this customer, select Include delegated administration privileges for Azure Active Directory and Office 365. To establish the relationship without requesting administrator permissions, clear this option.

  4. On the next page, review the draft email message. You can open the draft message in your default email application, or you can copy the message to your clipboard and paste it into an email.

    Important

    You can edit the text in the email, but be sure to include the link generated in Partner Center because it is personalized to link the customer directly to your account.

  5. Select Done.

  6. Send the email from step 4 above to your customer.

  7. Your customer can select the link they received in the email. Doing so takes them to Microsoft Admin Center where they can accept your request.

    Note

    The person in your customer's organization who accepts the request should be the global admin of the customer's tenant.

  8. After the customer accepts your invitation, they'll appear on your Customers page in Partner Center, and you'll be able to provision and manage the service for the customer from there.

  9. To manage the customer's account, services, users, and licenses, expand the customer's record by selecting the down arrow near their name. Then select the admin portal for the service you want to manage.

Important

Customers can reassign or remove administrator permissions in a service's admin portal. However, you need to inform the customer that removing your administrator permissions means you will no longer be able to open a service request to Microsoft on their behalf. You will not be able to open these types of service requests on the customer's behalf until you renegotiate your agreement with the customer.

To find out which partners have admin privileges to their tenant from within the Office 365 admin portal, a customer can:

  1. Sign in to the Office 365 admin portal as a Global admin.

  2. Select Settings > Partner relationships.

  3. On the Partner relationships page, view the list of the partners with whom they work and those partners that have been granted delegated administration privileges to their tenant.

Customers can manage a partner's delegated admin privileges

Your customer may decide to remove your delegated admin privileges from their tenant but retain the relationship with you for subscription and license renewal purposes. Customers manage rights and permissions to their Office 365 accounts on the Partner relationships page in the Office 365 admin center. On this page, customers can:

  • See which partners they have a relationship with and which partners have delegated admin privileges

  • Remove a partner's delegated administration privileges from the tenant

To remove delegated administration privileges from a partner:

  1. Sign in to the Microsoft 365 admin center.

  2. Select the row of the partner to remove.

  3. Select Remove roles.

  4. When prompted to confirm, select Yes.

Important

Microsoft Azure Active Directory (Azure AD) role assignments to the partner are implicit. If you try to list the members of the Azure AD roles using Azure AD Portal/PowerShell/Graph, the partner will not be returned. To find out whether a partner is assigned to Azure AD roles, you must refer to the Partner relationships page in the Office 365 Admin Portal, which shows whether delegated administration privilege has been granted to the partner.

Delegated admin privileges in Azure AD

There are two security groups in the partner's Azure AD tenant—Admin Agents and Helpdesk Agents—that are used for delegated administration.

When a customer grants delegated administration privilege to a partner:

  • The Admin Agent group is assigned to the Global Administrator role in the customer's Azure AD tenant.

  • The Helpdesk Agent group is assigned to the Helpdesk Administrator role in the customer's Azure AD tenant.

Based on the directory roles assigned, members of both groups can sign in to the customer's Azure AD tenant and Office 365 services using their partner credentials and administer them on behalf of the customer.

If your customer removes delegated admin privileges, the Azure AD role assignments are removed, and you'll no longer be able to manage the customer's Azure AD tenant.

Azure subscriptions and resource management

Each Azure subscription has its own set of resource management roles. Before a CSP partner can manage a customer's Azure subscription, the partner must be assigned to one or more roles under the Azure subscription. Specifically:

  • When a customer accepts a reseller invitation and grants delegated administration privilege to a partner, the partner doesn't automatically get access to existing Azure subscriptions under the customer tenant.

  • When the Cloud Solution Provider (CSP) partner provisions a new Azure subscription for the customer, the Admin Agents group under the CSP partner tenant is automatically assigned the Owner role under the subscription. Based on this role assignment, members of the group can access and manage resources under the subscription.

  • When a customer removes delegated administration privileges from a partner using Office 365 Portal, the partner can still manage the customer's Azure subscription as long as the partner is still assigned to one or more roles under the subscription. To stop the partner from managing the Azure subscription, the customer must remove the role assignment.
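A customer-side check for the last point, as an added example that is not part of the original article or Microsoft's tooling: it scans an export of Azure role assignments for groups homed in another tenant, which is how a partner's Admin Agents group would appear. The input shape (as from `az role assignment list --all --output json`), the `ForeignGroup` principal type, and the function names are assumptions; the sample data is constructed.

```python
import json
import re

# Constructed sample shaped like `az role assignment list --all --output json`.
# Field names and the "ForeignGroup" principal type are assumptions about that
# export; all IDs are placeholders.
SAMPLE_EXPORT = json.dumps([
    {"id": "/subscriptions/1111/providers/Microsoft.Authorization/roleAssignments/a1",
     "principalId": "p-partner", "principalType": "ForeignGroup",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/1111"},
    {"id": "/subscriptions/1111/resourceGroups/rg-app/providers/Microsoft.Authorization/roleAssignments/a2",
     "principalId": "p-partner", "principalType": "ForeignGroup",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/1111/resourceGroups/rg-app"},
    {"id": "/subscriptions/1111/providers/Microsoft.Authorization/roleAssignments/a3",
     "principalId": "u-alice", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/1111"},
    {"id": "/subscriptions/2222/providers/Microsoft.Authorization/roleAssignments/a4",
     "principalId": "g-ops", "principalType": "Group",
     "roleDefinitionName": "Reader", "scope": "/subscriptions/2222"},
])

SUB_RE = re.compile(r"^/subscriptions/([^/]+)(/.*)?$", re.IGNORECASE)

def residual_partner_access(export_json):
    """Return {subscription_id: [findings]} for groups homed in another tenant."""
    findings = {}
    for ra in json.loads(export_json):
        if ra.get("principalType") != "ForeignGroup":
            continue  # users, local groups and service principals are out of scope
        m = SUB_RE.match(ra.get("scope", ""))
        sub_id = m.group(1) if m else "non-subscription-scope"
        findings.setdefault(sub_id, []).append({
            "assignment_id": ra["id"],  # the assignment the customer would remove
            "principal": ra["principalId"],
            "role": ra["roleDefinitionName"],
            # True only when the scope is the subscription itself, not a child
            "whole_subscription": bool(m) and m.group(2) is None,
        })
    return findings

def subscriptions_still_managed(export_json):
    """Subscriptions where a foreign group holds Owner at subscription scope."""
    return sorted(sub for sub, items in residual_partner_access(export_json).items()
                  if any(f["role"] == "Owner" and f["whole_subscription"] for f in items))
```

Any subscription returned by `subscriptions_still_managed` remains manageable by the foreign group until the listed role assignment is removed, regardless of what the Partner relationships page shows.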

Windows Autopilot

From Partner Center, CSP partners can manage Autopilot profiles for their customers without delegated admin privileges under these circumstances:

  • If a customer removes delegated administration privileges but retains a reseller relationship with you, you can continue to manage Autopilot profiles for them.

  • You can manage customer devices that you or another partner have added.

  • You can't manage devices your customer has added through the Microsoft Store for Business, Microsoft Store for Education, or Microsoft Intune Portal.

For more information about Autopilot, see Simplify device setup with Windows Autopilot.

Important

The current Autopilot management experience in Partner Center might continue to change. At the time this article was published, the following changes were being considered:

  • The partner must be granted delegated administration privilege by the customer before the partner can add, update, or remove profiles, or apply a profile to or remove a profile from any device in the customer tenant.

  • The partner must be granted delegated administration privilege by the customer before the partner can remove devices added by other partners or by the customer in the customer tenant. Otherwise, the partner can remove only devices added previously by the same partner.