Removing the CSP as Delegated Admin in Office 365 Customer Tenants
With Partners gravitating to the Cloud Solution Provider program (CSP) as a sales model over the last year we have seen tremendous growth not only in sales, but also in questions related to the CSP program and its nuances. I would like to answer a question we have had repeatedly of late regarding Indirect CSP (2 Tier through a distributor or similar entity) and HIPAA compliance.
The question centers on the compliance concerns around HIPAA and having a secondary entity apart from the reseller/partner with delegated administration rights to the customer Office 365 tenant. To many this seems to be a deal breaker. The assumption is having an unknown entity with administrative access would be in violation of HIPAA. Although this is not necessarily the case as our Indirect CSPs have strict policies and procedures in place, it would be very difficult to not only document or prove, but also to assure customers that was the case.
Of course any observing customer (whether bound by HIPAA or not) might have similar concerns in today’s world. Many customers and partners ask if the administrative access granted to the Indirect CSP can be disabled or removed. The answer is yes.
The “delegated administration” granted to CSPs is enabled by default as they are required by contract with Microsoft to provide support for the end customer and have help desks staffed 24/7 generally speaking. ..so there are advantages to keeping the delegated administration in tact.
How to remove Delegated Administration of a CSP
Removing delegated administration of a CSP is done from within the Office 365 Admin Center of the customer tenant. Logon to your customer’s tenant through your Partner Center dashboard (if you have delegated admin rights to your customer’s tenant) or by using Global Admin credentials and logging in at http://portal.microsoftonline.com
1.) Expand the Users node on the left hand side of the Office 365 Admin Center
2.) Click the Partner Relationships sub menu item
You will likely notice two line items on this page. One for you the partner and one for the CSP.
3.) Check the box next to the CSP you wish to remove from delegated administration. Then click the trash Can icon just above the list of companies. The pop text below appears when hovering over the trash can icon and confirms this action will remove Delegated Admin permissions for CSPs.
If there is any question on who you are removing please notice the relationship column calls out whether the entity is a CSP and/or delegated administrator.
4.) A confirmation dialogue appears where one confirms the deletion of the partner administrator.
Once the Yes button has been clicked the CSP no longer has delegated administration privileges to the customer’s Office 365 tenant. Note that a CSP or partner cannot remove one’s self from the delegated admin partner relationship. Another party with global admin credentials must do this.
If at a later time the customer and/or you decide you need the assistance of the CSP, reach out to them and have them send a request for delegated administration which can be accepted by the customer. This will reestablish the relationship immediately.
A few points to understand in order to provide absolute clarity around CSP transactions and how they differ. Even though the delegated admin permissions have been revoked, a CSP can still see subscription and license related information. This is so the CSP can add/renew/remove licenses and subscriptions should the customer require it in the future. Also, the CSP can suspend a subscription, just like Microsoft can suspend a subscription for non payment. FYI, suspended subscriptions are held a year before deletion, so no risk of a CSP deleting a subscription unilaterally and irrevocably.
I hope this clarifies for you any questions or concerns around the topic of CSP and delegated administration permissions.
PTS, US SMB Technical Services (TS2)