Get delegated administration privileges from a customer

Appropriate roles: Admin agent | Sales agent

To manage a customer's service or subscription on their behalf, the customer must grant you GDAP (Granular Delegated Admin Privileges) for that service. To get administrator permissions from a customer, invite the customer to establish an admin relationship (GDAP) with you. After the customer approves your request, grant granular permissions to security groups. Then sign in to the service's admin portal and manage the service on their behalf.

Provision and manage the service for the customer

After the customer accepts your request, they'll appear on your Customers page in Partner Center. You can provision and manage the service for the customer from there.

To manage the customer's account, services, users, and licenses, use the following steps:

  1. Sign in to Partner Center and select Customers.
  2. Select Administer, then expand the customer's record by selecting the down arrow near their name.
  3. Select the admin portal for the service that you want to manage.

Important

Customers can reassign or remove administrator permissions in a service's admin portal. You should be aware (and inform your customers) that when a customer removes your administrator permissions, you can't open a service request at Microsoft on their behalf until you reestablish your relationship.

Azure subscriptions and resource management

Each Azure subscription has its own set of resource management roles. Before a Cloud Solution Provider (CSP) partner can manage a customer's Azure subscription, that partner must be assigned one or more roles under the Azure subscription. Specifically:

  1. When the CSP partner provisions a new Azure subscription for the customer, the Admin Agents group under the CSP partner tenant is automatically assigned the Owner role under the subscription. Based on this role assignment, members of the group can access and manage resources under the subscription.
  2. When a customer removes delegated administration privileges from a partner using the Office 365 Portal, the partner can still manage the customer's Azure subscription, as long as the partner is still assigned to one or more roles under the subscription. To stop the partner from managing the Azure subscription, the customer must remove the role assignment.
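
Because removing delegated administration privileges leaves Azure role assignments in place, a customer may want to review which assignments on a subscription belong to principals from another tenant. The following Python script is an added example, not part of the original article: it assumes role assignments exported as JSON in the shape produced by `az role assignment list --all -o json`, and assumes partner groups appear there with `principalType` set to `ForeignGroup`. The sample data, IDs, and function names are constructed for illustration.

```python
import json
import sys

# Constructed sample shaped like `az role assignment list --all -o json`.
# Subscription ID, principal IDs and assignment IDs are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RA = "/providers/Microsoft.Authorization/roleAssignments/"
SAMPLE = [
    {"id": SUB + RA + "a1", "principalType": "ForeignGroup",
     "principalId": "p-1", "roleDefinitionName": "Owner", "scope": SUB},
    {"id": SUB + "/resourceGroups/rg-app" + RA + "a2", "principalType": "User",
     "principalId": "p-2", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-app"},
    {"id": SUB + "/resourceGroups/rg-data" + RA + "a3",
     "principalType": "ForeignGroup", "principalId": "p-3",
     "roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/rg-data"},
    {"id": SUB + RA + "a4", "principalType": "ServicePrincipal",
     "principalId": "p-4", "roleDefinitionName": "Owner", "scope": SUB},
]

# Roles that allow changing resources or granting access to others.
HIGH_PRIVILEGE = {"Owner", "Contributor", "User Access Administrator"}

def scope_level(scope):
    """Classify an Azure scope string by how much of the hierarchy it covers."""
    parts = [p for p in scope.strip("/").split("/") if p]
    lowered = [p.lower() for p in parts]
    if lowered[:1] != ["subscriptions"]:
        return "management group or root"
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and lowered[2] == "resourcegroups":
        return "resource group"
    return "resource"

def foreign_assignments(assignments):
    """Return assignments held by groups from another tenant, riskiest first."""
    findings = []
    for a in assignments:
        if a.get("principalType") != "ForeignGroup":
            continue
        role = a.get("roleDefinitionName", "")
        findings.append({"assignment_id": a.get("id"), "role": role,
                         "scope": a.get("scope", ""),
                         "level": scope_level(a.get("scope", "")),
                         "high_privilege": role in HIGH_PRIVILEGE})
    findings.sort(key=lambda f: (not f["high_privilege"], f["scope"]))
    return findings

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in foreign_assignments(data):
        print(f["role"], f["level"], f["high_privilege"], f["assignment_id"])
```

Each reported assignment ID identifies a role assignment the customer can review and, if the partner should no longer manage the subscription, remove.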

Customers can find which partners have delegated admin privileges

To find out which partners have admin privileges to their tenant from within the Office 365 admin portal, customers can use the following steps:

  1. Sign in to the Office 365 admin portal as a Global admin.
  2. Select Settings > Partner relationships.
  3. On the Partner relationships page, view the list of the partners with whom they work and those partners that have been granted delegated administration privileges to their tenant.

Customers can manage a partner's delegated admin privileges

Customers can manage rights and permissions to their Office 365 accounts on the Partner relationships page in the Microsoft Office 365 admin center. On this page, customers can:

  1. See which partners they have a relationship with and which partners have delegated admin privileges
  2. Remove a partner's delegated administration privileges from the tenant

Your customer might decide to remove your delegated admin privileges from their tenant but retain the relationship with you for subscription and license renewal purposes.

To remove delegated administration privileges from a partner, customers can use the following steps:

  1. Sign in to the Microsoft 365 admin center.
  2. Select the row of the partner to remove.
  3. Select Remove roles.
  4. When prompted to confirm, select Yes.

Important

Customers can't find the partners who are assigned a Microsoft Entra role using Microsoft Entra admin center/PowerShell/Graph. Instead, they should use the Partner relationships page in the Office 365 Admin Portal to find out whether a delegated administration privilege has been assigned to a partner.

Delegated admin privileges in Microsoft Entra ID

There are two security groups in the partner's Microsoft Entra tenant that are used for delegated administration: Admin Agents and Helpdesk Agents.

When a customer grants a delegated administration privilege to a partner:

  1. The Admin Agent group is assigned to the Global administrator role in the customer's Microsoft Entra tenant.
  2. The Helpdesk Agent group is assigned to the Helpdesk administrator role in the customer's Microsoft Entra tenant.

Based on the directory roles assigned, members of both groups can sign in to the customer's Microsoft Entra tenant and Office 365 services using their partner credentials and administer on behalf of the customer.

If your customer removes delegated admin privileges, the Microsoft Entra role assignments are removed, and you won't be able to manage the customer's Microsoft Entra tenant.

Windows Autopilot

From Partner Center, CSP partners can manage Autopilot profiles for their customers without delegated admin privileges under these circumstances:

  • If a customer removes delegated administration privileges but retains a reseller relationship with you, you can continue to manage Autopilot profiles for them.
  • You can manage customer devices that you or another partner have added.
  • You can't manage devices your customer has added through the Microsoft Store for Business, Microsoft Store for Education, or Microsoft Intune Portal.

For more information about Autopilot, see Simplify device setup with Windows Autopilot.

Important

The current Autopilot management experience in Partner Center might continue to change. At the time this article was published, the following changes are being considered: