Customers delegate administration privileges to partners

Applies to

  • Partner Center

To manage a customer's service or subscription on their behalf, the customer must grant you administrator permissions for that service. To get administrator permissions from a customer, email them a reseller relationship request. After the customer approves your request, you'll be able to log on to the service's admin portal and manage the service on the customer's behalf.

Invite a customer to establish a reseller relationship with you

  1. Select Customers and then select Request a reseller relationship.

  2. On the next page, review the draft email message. You can open the draft message in your default email application or you can copy the message to your clipboard and paste it into an email.

    Important

    You can edit the text in the email, but be sure to include the link as it is personalized to link the customer directly to your account.

  3. Select Done when you’ve completed this step.

  4. Send the email to your customer.

  5. After the customer accepts your invitation, they'll appear on your Customers page, and you'll be able to provision and manage the service for the customer from there.

  6. To manage the customer’s account, services, users, and licenses, expand the customer’s record by selecting the down arrow near their name and then select the admin portal for the service you want to manage.

Important

Customers can reassign or remove administrator permissions in a service's admin portal. However, unless and until you renegotiate your agreement with the customer, you continue to be responsible for providing customer support and adhering to the terms of the Cloud Reseller Agreement, even after a customer reassigns or removes administrator permissions. In this situation, if the customer requires help, contact Microsoft support to open a service request on behalf of the customer.

Your customers can find out which of their partners have admin privileges to their tenant from within the Office 365 admin portal. To do this:

  1. The customer needs to sign in to the Office 365 admin portal as a Global admin.

  2. Select SettingsPartner relationships.

  3. On the Partner relationships page, the customer will see a list of the partners with whom they work and those that have been granted delegated administration privileges to their tenant.

Customers can manage a partner’s delegated admin privileges

Your customer may decide to remove your delegated admin privileges from their tenant but retain the relationship with you for subscription and license renewal purposes. Customers manage rights and permissions to their Office 365 accounts on the Partner relationships page in the Office 365 admin center. On this page, customers can:

  • See which partners they have a relationship with and which partners have delegated admin privileges

  • Remove a partner’s delegated administration privileges from the tenant

To remove delegated administration privileges from a partner:

  1. Under the Partner relationships page, select the partner of interest.
  2. In the details pane, select Remove delegated admin.
  3. In the confirmation pane, select Remove.

Important

Azure AD role assignments to the partner are implicit. If you try to list the members of the Azure AD roles using Azure AD Portal/PowerShell/Graph, the partner will not be returned. To find out if the partners are assigned to Azure AD roles, you must refer to the Partner relationships page in the Office 365 Admin Portal to find out if delegated administration privilege has been granted to the partner or not.

Delegated admin privileges in Azure AD

There are two security groups, Admin Agents and Helpdesk Agents, in the partner’s Azure AD tenant that are used for delegated administration. When a customer grants delegated administration privilege to a partner:

  • The Admin Agent group is assigned to the Global Administrator role in the customer’s Azure AD tenant.

  • The Helpdesk Agent group is assigned to the Helpdesk Administrator role in the customer’s Azure AD tenant.

Based on the directory roles assigned, members of both groups can sign in to the customer’s Azure AD tenant and O365 services using their partner credentials and administrator on behalf of the customer.

If your customer removes delegated admin privileges, the Azure AD role assignments are removed, and you will no longer be able to manage the customer’s Azure AD tenant.

Azure subscriptions and resource management

Each Azure subscription has its own set of resource management roles. Before a CSP partner can manage a customer’s Azure subscription, the partner must be assigned to one or more roles under the Azure subscription. Specifically:

  • When a customer accepts a reseller invitation and grants delegated administration privilege to a partner, the partner does not automatically get access to existing Azure subscriptions under the customer tenant.

  • When the CSP partner provisions a new Azure subscription for the customer, the Admin Agents group under the CSP partner tenant is automatically assigned Owner role under the subscription. Based on this role assignment, members of group can access and manage resources under the subscription.

  • When a customer removes delegated administration privileges from a partner using Office 365 Portal, the partner can still manage the customer’s Azure subscription as long as the partner is still assigned to one or more roles under the subscription. To stop the partner from managing the Azure subscription, the customer must remove the role assignment.

Windows Autopilot

From Partner Center, CSP partners can manage Autopilot profiles for their customers without delegated admin privileges under these circumstances:

  • If a customer removes delegated administration privileges but retains a reseller relationship with you, you can continue to manage Autopilot profiles for them.

  • You can manage customer devices that you or another partner have added.

  • You can’t manage devices your customer has added through the Microsoft Store for Business, Microsoft Store for Education, or Microsoft Intune Portal.

For more information about Autopilot, see Simplify device setup with Windows Autopilot.

Important

The current Autopilot management experience in Partner Center might continue to change. At the time this article was published, the following changes are being considered:

  • Partner must be granted delegated administration privilege by the customer before the partner can add/update/remove profiles and applying/removing profile from any devices in the customer tenant.

  • Partner must be granted delegated administration privilege by the customer before the partner can remove devices added by other partners or by the customer in the customer tenant. Otherwise, the partner can remove only devices added previously by the same partner.