Delegated administration privileges (DAP) FAQ

Appropriate roles: Admin agent | Helpdesk agent

Delegated administration privileges (DAP) let a partner manage a customer's service or subscription on the customer's behalf. The customer must grant the partner administrative permissions for that service. To obtain delegated administrator permissions, the partner emails the customer a reseller relationship request (see Request a reseller relationship with a customer). After the customer approves the request, the partner's admin agents and helpdesk agents can sign in to the service's admin portal and manage the service for the customer. Helpdesk Agent privileges let the partner deliver support to the customer; Admin Agent privileges let the partner administer the service on the customer's behalf.

Partners' admin agents can audit the DAP relationships they hold with their customers. The DAP monitoring tool captures how partner agents access customer tenants through DAP, across all of the partner's customer tenants. Partners can then review and remove DAP connections that aren't in use. Because every standing DAP connection is reachable from the partner's admin agent accounts, this self-serve removal limits the blast radius if one of those accounts is compromised.

What is DAP monitoring (Administrative Relationship dashboard)?

In Partner Center, partners now have access to a reporting tool that identifies and displays all active delegated administrative privilege connections and helps organizations discover inactive DAP connections. The reporting captures how partner agents are accessing customer tenants through those privileges and allows partners to remove connections that aren't in use. To improve security, Microsoft recommends that partners remove DAP connections that are no longer in use.

To learn more, see Monitoring administrative relationships and self-service DAP removal.

Who can see DAP activity reporting (Administrative Relationships dashboard)?

Partners can see the DAP activity report (Administrative Relationships dashboard) in Partner Center under Account Settings → Defender for Cloud → Administrative Relationships.

DAP activity reporting is available in Partner Center to partners in the Cloud Solution Provider program: direct-bill partners, indirect providers, and indirect resellers. Within Partner Center, only the Admin Agent role has access to the DAP activity report.

How frequently is the data refreshed?

DAP monitoring data has been captured since December 7, 2021. The administrative relationships dashboard shows only cross-tenant admin-on-behalf-of (AOBO) sign-ins into customer tenants from that date onward. Sign-ins before December 7, 2021 aren't shown.

Cross-tenant (AOBO) sign-in data for customer tenants is refreshed daily.

How many days of sign-in activities can partners see in DAP reporting?

Partners see data from December 7, 2021 across all their customers. For each customer tenant, Days Inactive shows the number of days since the last recorded partner sign-in after December 7; if no partner sign-in has been recorded since that date, the field is blank. A value beyond 60 days is displayed as "60+", meaning no partner agent has signed in to that customer tenant for more than 60 days.

Partners can also review the Sign-in logs in Azure Active Directory, which are retained for up to 30 days with an Azure Active Directory Premium Plan 2 subscription.

The following attributes show counts for the previous day only:

  • “Number of agents sign-in”
  • “Number of times the Partner agent signed in”

Microsoft is offering CSPs a free two-year subscription to Azure Active Directory Premium Plan 2 to help them manage and report on access privileges. Registered partners can sign in to Partner Center to take advantage of this offer. Azure AD Premium Plan 2 provides extended sign-in log retention and premium features such as Azure AD Privileged Identity Management (PIM) and risk-based Conditional Access, which strengthen access controls over partner accounts.

What should partners do with DAP relationships that are no longer used or inactive for more than 60 days?

To improve security, Microsoft recommends that partners remove delegated administrative privileges that are no longer in use or that have been inactive for 60 days or more. See the guidance on using the DAP report and self-service removal.
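The two answers above describe how Days Inactive is derived (monitoring starts December 7, 2021; a blank value means no recorded sign-in; anything beyond 60 days is shown as "60+") and the 60-day removal recommendation. The following script is an added illustration, not code from Partner Center, that reproduces those semantics over a constructed list of customer tenants and decides which DAP relationships to flag for removal. The tenant names, dates, and the field layout are assumptions made for the example; the real dashboard export is not described on this page.

```python
"""Triage DAP relationships by partner sign-in inactivity.

Added example (not Partner Center's own code). Reproduces the FAQ's
"Days Inactive" rules over a constructed sample and applies the
60-day removal recommendation. Field names and sample data are assumed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

MONITORING_START = date(2021, 12, 7)  # first day AOBO sign-ins are captured (from the FAQ)
INACTIVITY_THRESHOLD = 60             # FAQ: remove DAP inactive for 60 days or more
DISPLAY_CAP = 60                      # FAQ: values beyond 60 days are shown as "60+"


@dataclass(frozen=True)
class DapRelationship:
    """One partner-customer DAP connection (constructed shape, not the export format)."""
    customer_tenant_id: str
    customer_name: str
    last_partner_sign_in: Optional[str]  # ISO date of last AOBO sign-in, or None if none recorded


def days_inactive(rel: DapRelationship, today: str) -> Optional[int]:
    """Days since the last captured partner sign-in; None means the dashboard shows blank."""
    if rel.last_partner_sign_in is None:
        return None
    last = date.fromisoformat(rel.last_partner_sign_in)
    if last < MONITORING_START:
        # Sign-ins before monitoring began were never captured, so they count as no activity.
        return None
    return (date.fromisoformat(today) - last).days


def display_days_inactive(days: Optional[int]) -> str:
    """Render the value the way the dashboard does: blank, a number, or "60+"."""
    if days is None:
        return ""
    return "60+" if days > DISPLAY_CAP else str(days)


def removal_recommended(rel: DapRelationship, today: str) -> bool:
    """Apply the 60-day rule. A blank value is treated as inactive since monitoring
    began, so it only qualifies once the monitoring window itself spans 60 days."""
    days = days_inactive(rel, today)
    if days is None:
        days = (date.fromisoformat(today) - MONITORING_START).days
    return days >= INACTIVITY_THRESHOLD


def triage(relationships: List[DapRelationship], today: str) -> List[Tuple[str, str, str]]:
    """Return (tenant id, dashboard value, action) for every relationship."""
    return [
        (
            rel.customer_tenant_id,
            display_days_inactive(days_inactive(rel, today)),
            "remove" if removal_recommended(rel, today) else "keep",
        )
        for rel in relationships
    ]


# Constructed sample data covering each case the FAQ describes.
SAMPLE_RELATIONSHIPS = [
    DapRelationship("contoso-tenant", "Contoso", "2022-02-20"),    # recent sign-in
    DapRelationship("fabrikam-tenant", "Fabrikam", "2021-12-31"),  # exactly 60 days on 2022-03-01
    DapRelationship("northwind-tenant", "Northwind", "2021-12-10"),  # shown as "60+"
    DapRelationship("adatum-tenant", "Adatum", None),               # no sign-in recorded (blank)
    DapRelationship("tailspin-tenant", "Tailspin", "2021-11-01"),  # sign-in predates monitoring
]

if __name__ == "__main__":
    for tenant, shown, action in triage(SAMPLE_RELATIONSHIPS, "2022-03-01"):
        print(f"{tenant:<18} days inactive={shown or '(blank)':<8} {action}")
```

A blank Days Inactive is the case most worth checking by hand: it appears both for a tenant the partner has never signed in to since monitoring began and for one whose last sign-in predates December 7, 2021, and the script treats both as inactive for the whole monitoring window rather than skipping them.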

What capabilities will a partner lose if DAP is removed?

The impacts, and how to mitigate them, are:

  • Disabling DAP access for a customer removes the partner's administrator privileges on the customer tenant. To regain them, the partner must request a new DAP relationship from the customer.

  • Disabling DAP access for a customer turns off the ability to create support tickets for customers. Partners must reinstate DAP permissions to create support tickets on behalf of customers.

  • Disabling DAP impacts the following scenarios for Microsoft 365 Subscriptions. Partners will need to reinstate the DAP permissions on the customer tenant to unlock these scenarios:

    • Upgrade subscription: DAP is a prerequisite for a subscription upgrade.

    • Get subscription provisioning status requires DAP.

  • Disabling DAP impacts these scenarios for Azure subscriptions. Partners will need to reinstate DAP permissions on the customer tenant to unlock these scenarios.

    • Partners will lose the ability to manage Azure subscriptions through Partner Center but can manage the Azure subscription from Microsoft Azure.

    • The partner admin won't be able to see owners, or reinstate other owners, for Azure subscriptions provisioned after DAP removal.

      However, customer Global Admins can reinstate owner access on all the Azure subscriptions and assign roles to other agents in the customer tenants.

  • Disabling DAP changes the response returned by the Get Customer By ID API call. When the partner doesn't have DAP on the customer tenant, the response omits the following attributes; otherwise it returns all attributes shown in the response sample:

    • CompanyProfileAddress

    • CompanyProfileEmail

    • CustomDomains

    Client code that reads these attributes should treat them as optional rather than assume they're present.

  • Partners will continue to earn partner earned credit (PEC) when DAP is removed on existing new commerce Azure subscriptions.

  • Partners stop earning PEC when the partner's Azure RBAC role assignment is removed from existing new commerce Azure subscriptions.

After removing DAP, can partners purchase new Modern Azure plans?

Yes, partners can still transact modern Azure plans. DAP isn't required to transact.

If the customer already has an Azure plan that the partner has purchased before removing DAP, can the partner purchase and add new Azure subscriptions to the Azure plan?

Yes, partners can add Azure subscriptions for customers from the Azure portal without DAP and provision resources for the customer.

Will partners continue to earn PEC on the new Azure subscriptions that were added after the DAP was removed?

Yes, partners will continue to earn PEC on the new Azure subscriptions after DAP is removed.

When DAP is removed how will the partner reinstate the owner rights on a customer's legacy Azure subscriptions?

Partners need to request a new DAP relationship to reinstate the owner rights. Alternatively, the customer's Global Admin can reinstate owner access on the Azure subscriptions and assign roles to other agents in the customer tenant. To learn more, see Reinstate admin privileges for Azure CSP.

When DAP is removed how will the partner reinstate the owner rights on new commerce Azure plan and subscriptions?

Partners need to request a new DAP relationship to reinstate the owner rights. Alternatively, the customer's Global Admin can reinstate owner access on all the Azure subscriptions and assign roles to other agents in the customer tenant. To learn more, see Reinstate admin privileges for Azure CSP.

When DAP is removed, how can partners reinstate ownership access on Azure subscriptions?

Information about reinstating admin privileges for customer’s Azure CSP subscriptions is at Reinstate admin privileges for a customer's Azure CSP subscriptions.

Does the DAP monitoring UX include all the customers of an indirect provider along with customers through indirect resellers?

Yes. Indirect providers see their own customers and their indirect resellers' customers.

Are a partner’s competencies affected when DAP is removed?

Some competencies have requirements where delegated administrative privileges are an accepted partner-customer association type. Removing DAP may affect a partner's ability to meet some competency requirements.

Will disabling DAP or transitioning to GDAP impact competencies I've attained?

Your competency may be impacted with the disabling of DAP. On Partner Center, you can see what other partner association types are eligible for customer monthly active usage (MAU) for the performance threshold calculation. You can also see your currently active competencies.

Is PEC impacted when DAP/GDAP is removed?

  • If the partner has DAP only for the customer and DAP is removed, PEC isn't lost.
  • If the partner has DAP, moves to GDAP for Office and Azure at the same time, and DAP is removed, PEC isn't lost.
  • If the partner has DAP, moves to GDAP for Office but keeps Azure as-is (doesn't move Azure to GDAP), and DAP is removed, PEC isn't lost, but Azure subscription access is lost.
  • If the partner's Azure RBAC role assignment is removed, PEC is lost. Removing GDAP doesn't remove RBAC role assignments.

Can indirect providers filter customers by indirect resellers in the DAP reporting?

This kind of filtering isn't currently available in DAP reporting. We're evaluating adding this capability in a future release.

When will the API for DAP monitoring and self-serve removal be available?

The API is expected to be available during Q1 of 2022.