Access the administration center
The Business Central administration center provides a portal for administrators to perform administrative tasks for a Business Central tenant. In the administration center, administrators can view and work with production and sandbox environments for the tenant, set up upgrade notifications, and view telemetry for events on the tenant.
Users with the following Microsoft Entra roles are authorized to access the Business Central administration center:
Global Administrator
Dynamics 365 Administrator
Helpdesk Administrator (Delegated users only)
Internal administrators are users who are assigned the Global admin role or the Dynamics 365 Admin role in the Microsoft 365 admin center. These users are typically system administrators, IT professionals, or super users at the customer's company.
The admin agent and helpdesk agent roles are assigned through the Microsoft Partner Center for the partner that is associated with the tenant. These roles can access the Business Central tenant as delegated administrators.
The customers' users with the Dynamics 365 admin role assigned to
them by their administrator in the Microsoft 365 admin center
(https://admin.microsoft.com) or in the Microsoft Entra ID center
(https://aad.portal.azure.com) can access the Business Central
admin center and its features, both using the portal UI and the
Business Central admin center API.
As a partner, you can access the center from the Partner Dashboard in the Microsoft Partner Center:
Sign in to the Partner Dashboard.
Select the Customers link in the navigation pane.
Select the customer tenant that you want to perform administrative tasks for.
Select Service Management.
Under the Administer Services heading, select Dynamics 365 Business Central.
You can also get to the administration center by going directly to the URL of a tenant's instance. This task is completed with the following URL, if you replace [TENANT_ID] with the tenant ID of the tenant.
https://businesscentral.dynamics.com/[TENANT_ID]/admin
To get the tenant ID of your tenant, go to Help & Support, as shown in the following figure.
At the bottom of the window, you can see your tenant ID, as shown in the following image.
Support for granular delegated admin privileges (GDAP)
Granular delegated admin privileges (GDAP) is a security feature of Microsoft Partner Center that provides partners with least-privileged, granular, and time-bound access to their customers' workloads in production and sandbox environments. This least-privileged access must be explicitly granted to partners by their customers.
In particular, Business Central customers are no longer required to grant Global Admin privileges to partners in their Microsoft Entra ID. The partner can request access for least-privileged roles, such as Dynamics 365 Administrator or HelpDesk Agent. The level of access that the partners get to their customers' Business Central environments using GDAP is identical to the level of access they used to be getting previously. However, by using one of these two roles, partners get less access to other customers' workloads and within their Microsoft Entra ID.
If you're a Business Central reselling partner, you must set up your employees to work in Partner Center, and you must assign employees to support your customers. When you request a reseller relationship with a customer, you can choose to include delegated administration privileges for Microsoft Entra ID and Microsoft 365 in the request email that you send to the customer.
You can request access to your customer's tenant with granular delegated admin privileges. This way, you set up security groups to specify which users in your own organization must have access to a specific customer as Dynamics 365 administrator or any other role you prefer.
When a customer accepts a partner's request for granular delegated administration privileges, the relevant members of the specified security group in the partner's Microsoft Entra ID tenant get access as indicated in the following list:
The Dynamics 365 Administrator role gives access to manage Dynamics 365 for the customer, including support requests.
The Service Support Administrator role gives access to manage support requests on the customer's behalf.
The Helpdesk Administrator role gives access to the customer's Microsoft Entra ID tenant.
The members of the security group have either the Admin agent or Helpdesk agent role in your own Microsoft Entra ID tenant.
For certain tasks, you can access the Business Central administration center, which is a powerful tool for you to manage your customers' tenants. From the administration center, you can manage upgrades and access the tenants as the delegated administrator.
Always include the domain or the Microsoft Entra ID of the
customer in the URL when you sign in as a delegated admin, such as
in https://businesscentral.dynamics.com/contoso.com/admin. This
way, you always know exactly which customer you're trying to access.
Often, partner users are registered as business-to-business (B2B) guest users in their customer's Microsoft Entra ID, such as to collaborate through Teams. However, when a partner user is added as a guest to their customer's Microsoft Entra ID, they can no longer sign in as a delegated admin into a customer's Business Central. These guest users don't have a valid Business Central license assigned to them. But if the partner user has granular delegated admin privileges, they can access the customer's Business Central administration center and manage the environments there. Partner users that are guest users and have granular delegated admin privileges are no longer blocked from accessing Business Central. It's still considered a best practice that customers don't invite partner users to their tenant as guests but ask them to set up granular delegated admin privileges, using the Dynamics 365 administrator role.
Managing delegated permissions as a partner
Delegated administrators aren't visible in the customer's Microsoft Entra ID user list and can't be managed by the customer's internal admin. However, when a delegated admin logs into a Business Central environment on behalf of their customer, they're automatically created as a user inside Business Central. This way, the actions performed by a delegated admin are logged in Business Central, such as posting documents, and associated with their User ID.
With granular delegated admin privileges (GDAP), the user is shown in the
Users list and can be assigned any permissions. They aren't shown with
name and other personal information but with a unique ID and their company
name. Both internal and external admins can see these users in the Users
list, and they have full transparency into what these users do through
the change log, for example. But they can't see the actual name of these
users. GDAP users are listed with user names such as USER_1A2B3C4D5E6F,
and an email address such as USER_1A2B3C4D5E6F@partnerA.com, which isn't
the person's actual email address. Because they aren't part of their
customer's Microsoft Entra ID, their authentication email address isn't an email
address at all but reflects the company that they work for, such as
Partner A. This way, the GDAP user accounts don't reveal personal
information. If you need to find out who the person behind such a
pseudonym is, you have to reach out to the company that this user
works or worked for.
At the partner company, it's encouraged that you keep track of which user names your technicians and consultants have in your customers' Business Central tenants. For example, you have a consultant who is an admin with GDAP in your partner company's five customers' Business Central. Your consultant can see which customers they have GDAP access to in the Granular administration list in the Administer page in Partner Center. But as an organization, you can also maintain a list of names and IDs.
If a customer removes delegated permissions from you, you can still manage their subscription from the Partner Center, such as adding or removing licenses for their subscription. But you can no longer log into and manage their Business Central environment, Microsoft Entra ID, and other services. You also can't manage their users (add/remove/assign licenses) from the Customer page in the Partner Center.
When you sign in to a customer's Business Central as the delegated administrator from the Business Central administration center, you have access to all areas of their Business Central. However, because you aren't registered as a regular user, there are certain tasks that you can't do.
The following tasks aren't available to the delegated administrator:
Trigger a web hook or any other application action that relies on the job queue functionality, except by using the Run once (foreground) action.
Use the Invite External Accountant assisted setup guide. Instead, you can add the external user in the Azure portal and assign this user the External Accountant license.
Delegated admin’s job queue entries are run by user
Microsoft partners often use the delegated admin role to set up and manage certain aspects of Business Central on behalf of their customers. However, the role is restricted in some ways. In earlier release waves, one of these restrictions was the ability to create job queue entries and set them as ready to run for customers. The job queue is an important tool for setting up and configuring companies in Business Central. Now with recent updates, delegated admins can create job queue entries and request approval from a licensed user to run them.
For Business Central online, people who aren't employed by the customer, typically Microsoft partners, can use the delegated admin role to set up and configure business processes for the customers. However, the delegated admin role isn't a licensed user in Business Central, and often is only assigned temporarily, so there are some limitations to what they can do. For example, delegated admins can't set up tasks that might be run after the delegated admin relationship is revoked, such as job queue entries.
Job queue entries are a useful tool for running setup and configuration processes in Business Central. Delegated admins must be able to create and run them in their customer's tenant. This release wave adds support for the delegated admin to create job queue entries and set them as ready to run. Then, a licensed user from the customer can start the job queue entry to complete the process that the delegated admin created.
You can now use the Job Queue Entry Approval Workflow template to create a workflow that a delegated admin can use to ask for approval to run job queue entries through the credentials of a licensed user.
Selecting Job Queue Entry Approval Workflow on the Workflow Templates page creates a new workflow.
After a workflow is enabled, and delegated admin is set on the Approval User Setup page, and the delegated admin can create a job queue entry. However, they can't start it until a licensed user approves it. The job queue entry is in the On Hold state until a licensed user approves it. When that happens, the job queue entry runs using the licensed user's credentials.
Manage delegated permissions as an internal administrator
As a Microsoft customer organization, you can have multiple partners registered as your resellers. It isn't unusual for a single organization to use one partner as the delegated admin for their Microsoft 365 subscription and another for Business Central, for example. However, as soon as the delegated administration right is granted in the Microsoft 365 admin center, you can't restrict partner access to a specific service only. The delegated admin access applies to all Microsoft services that your organization subscribes to.
If the partner requests access to your tenant using granular delegated admin privileges, you can see the relevant users in the Users list in Business Central, and you can see them in the Sign- in log in your Microsoft 365 admin center. With granular delegated admin privileges, the partner typically doesn't have global admin access to your tenant. They can only access Dynamics 365. You can't see the name of the partner user, but you can see an ID and the name of their company.
Delegated administrators aren't visible in the customer's Microsoft Entra ID user list and can't be managed by the customer's internal admin. However, when a delegated admin logs into a Business Central environment on behalf of their customer, they're automatically created as a user inside Business Central. This way, the actions performed by a delegated admin are logged in Business Central, such as posting documents, and associated with their user ID.
Customers can choose to configure conditional access that might restrict delegated admin access further. For example, it's a best practice to set up a conditional access policy to require multifactor authentication for admins, and to set up terms of use policies.
If you don't need delegated admin help continuously, you can restrict access for the partner users in your environment. There are two approaches that you can use to restrict delegated admin access to a Business Center environment:
Disable a specific delegated admin user within the Business Central environment. For more information, see How to remove a user's access.
Revoke delegated administration rights from all partner users at once in the Microsoft 365 admin center, without breaking the reseller relationship with the partner.