Delegated Administrator Access to Business Central Online
As a Business Central reselling partner, you must set up your employees to work in Partner Center, and you must assign employees to support your customers. When you request a reseller relationship with a customer, you can choose to include delegated administration privileges for Azure Active Directory (Azure AD) and Office 365 in the request email that you send to the customer.
You must already have set up users in your own tenant in Partner Center so that the "Assists your customers as" field specifies the role, either Admin agent or Helpdesk agent, that each user needs to log in to your customers' Business Central environments. These roles are used when the customer accepts the relationship, so you can assign the right people to the customer's Azure AD tenant.
When a customer grants the delegated administration privilege to a partner:
- The Admin Agent group is assigned to the Global Administrator role in the customer's Azure AD tenant.
- The Helpdesk Agent group is assigned to the Helpdesk Administrator role in the customer's Azure AD tenant.
Based on the roles assigned, members of both groups can sign in to the customer's Azure AD tenant, Microsoft 365 services, Business Central administration center, and Business Central tenants by using their partner credentials. For more information, see Delegated admin privileges in Azure AD in the Partner Center documentation.
For certain tasks, you can access the Business Central administration center, which is a powerful tool for you to manage your customers' tenants. From the administration center, you can manage upgrades and access the tenants as the delegated administrator. For more information, see The Business Central Administration Center.
Always include the domain or the Azure Active Directory ID of the customer in the URL when you log in as a delegated admin, such as in
https://businesscentral.dynamics.com/contoso.com/admin. This way, you always know exactly which customer you are trying to access.
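One way to enforce this rule over saved bookmarks or runbook links before a delegated admin opens them (an added example, not part of the original documentation). The function name, the result labels, and every sample value other than the contoso.com URL are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

BC_HOST = "businesscentral.dynamics.com"
# A tenant is named either by its Azure AD directory ID (GUID) or by a domain.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def classify_admin_url(url, expected_tenants):
    """Classify a Business Central URL against the customer being serviced.

    expected_tenants: the customer's known identifiers (domain, directory ID).
    Returns "ok", "unpinned", "wrong-tenant" or "wrong-host".
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or (parts.hostname or "") != BC_HOST:
        return "wrong-host"  # not the Business Central host, e.g. a lookalike
    segments = [s for s in parts.path.split("/") if s]
    first = segments[0] if segments else ""
    if not (GUID_RE.match(first) or DOMAIN_RE.match(first)):
        return "unpinned"  # no tenant named in the URL
    if first.lower() not in {t.lower() for t in expected_tenants}:
        return "wrong-tenant"  # pinned, but to a different customer
    return "ok"


if __name__ == "__main__":
    # Constructed sample: identifiers for one customer plus a few bookmarks.
    customer = {"contoso.com", "11111111-2222-3333-4444-555555555555"}
    bookmarks = [
        "https://businesscentral.dynamics.com/contoso.com/admin",
        "https://businesscentral.dynamics.com/11111111-2222-3333-4444-555555555555/admin",
        "https://businesscentral.dynamics.com/admin",
        "https://businesscentral.dynamics.com/fabrikam.com/admin",
        "https://businesscentral.dynamics.com.example.net/contoso.com/admin",
    ]
    for link in bookmarks:
        print(f"{classify_admin_url(link, customer):13} {link}")
```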
In the Microsoft 365 admin center and Microsoft Azure Management portal, both customers and partners can invite external users (guests) into their Active Directory. When a partner user is added as a guest to the customer's Azure AD, they can no longer log in as a delegated admin into the customer's Business Central. In order to log in, the local user (guests or native) must have a valid Business Central license assigned to them.
Restricted access to Business Central as delegated administrator
When you sign in to your customers' Business Central as the delegated administrator from the Business Central administration center, you have access to all areas of their Business Central. However, because you are not registered as a regular user, there are certain tasks that you cannot do.
The following tasks are not available to the delegated administrator:
- Run scheduled tasks in the job queue.
  However, starting with 2021 release wave 1 (version 18), delegated administrators can test that the job queue can run without issues, before asking the customer to start it, by using the Run once (foreground) action on the Job Queue Entry card. This creates a temporary non-recurrent copy of the job and runs it once in the foreground. You can then call it as many times as you need before you hand it over to your customer so that they can start it as a recurrent job. After the job queue completes, it will be put in the on-hold status and can't be rescheduled.
- Use the Edit in Excel action or interact with Business Central data in Excel using the Business Central add-in for Excel.
  You can still use the Open in Excel action to view data in Excel.
- Use the Invite External Accountant assisted setup guide.
  Instead, you can add the external user in the Azure portal and assign this user the External Accountant license.
- Use the Cloud Migration Setup assisted setup guide to migrate data from Business Central on-premises to Business Central online.
  Instead, a licensed user who is assigned the SUPER permission set in Business Central can run the assisted setup guide.
- Access a web service by using a Web Service Access key.
  Usage of the Web Service Access key is being deprecated. Find out more here.
Managing delegated permissions as a partner
Delegated administrators are not visible in the customer's Azure AD user list and cannot be managed by the customer's internal admin. However, when a delegated admin logs into a Business Central environment on behalf of a customer, they are automatically created as a user inside the Business Central environment. This means that the actions performed by a delegated admin, such as posting documents, are logged in Business Central and associated with their user ID.
If a customer removes delegated permissions from you, you can still manage their subscription from the Partner Center, such as adding or removing licenses for their subscription, but you will no longer be able to log into and manage their Business Central environment, Azure AD, and other services. You will also not be able to manage their users (add/remove/assign licenses) from the Customer page in the Partner Center.
Managing delegated permissions as an internal administrator
As a Microsoft customer organization, you can have multiple partners registered as your resellers. It is not unusual for a single organization to use one partner as the delegated admin for their Microsoft 365 subscription and another for Business Central, for example. However, as soon as the delegated administration right is granted in the Microsoft 365 admin center, you cannot restrict partner access to a specific service only. The delegated admin access applies to all Microsoft services that your organization subscribes to.
If you do not need delegated admin help continuously, you can restrict the partner users' access to your environment. There are two approaches that you can use to restrict delegated admin access to a Business Central environment:
- Disable a specific delegated admin user within the Business Central environment. For more information, see How to remove a user's access.
- Revoke delegated administration rights from all partner users at once in the Microsoft 365 admin center, without breaking the reseller relationship with the partner.
In the Microsoft 365 admin center, internal administrators can find information about their partner relationships in the Settings/Partner Relationship menu. On the same page, you can remove delegated permissions from the partner, to restrict their access to Business Central and other services, while still keeping the reseller relationship with them.
If you then want to allow access to your environment again, you can ask the partner to share the "Request a reseller relationship" invitation link with you again.
For more information, see Customers delegate administration privileges to partners.