Grant granular permissions to security groups

Appropriate roles: Admin agent

You can assign customer-approved Microsoft Entra roles to security groups, which grants those security groups granular delegated admin privileges (GDAP).

Prerequisites

Partners must first set up the security group.

View admin relationships with zero or no access assignments

A yellow warning icon appears next to an admin relationship if there are no access assignments associated with it.

Screenshot of the Admin Relationships page displaying a yellow warning icon, with a red box callout.

Grant permissions to security groups

Use these steps to grant permission to security groups.

  1. Sign in to Partner Center and select Customers.

  2. Select the customer you want to manage, then select Admin relationships, and then select the specific admin relationship you want.

    Screenshot depicting admin relationship details page.

  3. Under Security groups, select Add security groups.

  4. On the Security groups panel, select the security groups to which you want to grant permissions.

    Screenshot depicting admin relationship details page with side panel displaying Security groups with AdminAgents and HelpdeskAgents selected.

  5. Select Next, which displays the Select Microsoft Entra roles side panel.

  6. Choose the Microsoft Entra roles you want to assign to the security group for that admin relationship.

    The Microsoft Entra roles that you assign enable the users in the security group to administer services.

    Screenshot depicting admin relationship details security group page with selected Microsoft Entra roles.

  7. Select Save from the side panel. The status of the added security groups changes to Pending.

  8. Refresh the page after 30 seconds or so. The status changes to Active.

  9. You can remove or add more security groups and Microsoft Entra roles.

    All the users you assigned to the security group can now administer services from their Service management page.

    Screenshot depicting a customer service management page.
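
The checks described above (relationships with no access assignments, assignments still Pending) can also be run over exported data, together with a least-privilege check that each security group holds only roles the customer approved for that relationship. This is an added example, not Microsoft's code: the record layout is an assumption modelled on Microsoft Graph's delegatedAdminRelationship and delegatedAdminAccessAssignment resources, and all names and IDs are constructed placeholders.

```python
# Constructed sample data; role and group IDs are placeholders, not real GUIDs.
# Field names are an assumption modelled on Microsoft Graph's
# delegatedAdminRelationship and delegatedAdminAccessAssignment resources.
def roles(*ids):
    return {"unifiedRoles": [{"roleDefinitionId": i} for i in ids]}

def assignment(group_id, status, *role_ids_):
    return {"status": status,
            "accessContainer": {"accessContainerId": group_id,
                                "accessContainerType": "securityGroup"},
            "accessDetails": roles(*role_ids_)}

RELATIONSHIPS = [
    {"displayName": "Contoso-Helpdesk", "accessDetails": roles("ROLE-HELPDESK", "ROLE-READER"),
     "accessAssignments": [assignment("GRP-HELPDESK", "active", "ROLE-HELPDESK")]},
    {"displayName": "Fabrikam-Admin", "accessDetails": roles("ROLE-READER"),
     "accessAssignments": [assignment("GRP-OLD", "deleted", "ROLE-READER")]},
    {"displayName": "Tailwind-Ops", "accessDetails": roles("ROLE-HELPDESK"),
     "accessAssignments": [assignment("GRP-ADMINS", "pending",
                                      "ROLE-HELPDESK", "ROLE-USERADMIN")]},
]

def role_ids(access_details):
    return {r["roleDefinitionId"] for r in access_details["unifiedRoles"]}

def audit(relationships):
    """Return (finding, relationship, group, roles) tuples for review."""
    findings = []
    for rel in relationships:
        name, approved = rel["displayName"], role_ids(rel["accessDetails"])
        # Assumption: removed assignments do not count; only pending/active ones do.
        live = [a for a in rel["accessAssignments"] if a["status"] in ("pending", "active")]
        if not live:
            # Relationship with no access assignments (the yellow warning case).
            findings.append(("no-access-assignments", name, None, []))
        for a in live:
            group = a["accessContainer"]["accessContainerId"]
            if a["status"] == "pending":
                findings.append(("still-pending", name, group, []))
            extra = sorted(role_ids(a["accessDetails"]) - approved)
            if extra:  # group holds a role the customer never approved
                findings.append(("role-not-approved", name, group, extra))
    return findings

if __name__ == "__main__":
    for finding in audit(RELATIONSHIPS):
        print(finding)
```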

Understand Dynamics 365 delegated admins

Delegated administrators:

  • Aren't visible in a customer's Microsoft Entra user list
  • Can't be managed by a customer's internal admin

But when a delegated admin signs in to a Dynamics 365 environment on behalf of a customer, they're automatically created as a user inside that environment. As a result, the actions a delegated admin performs, such as posting documents, are registered in Dynamics 365 and associated with their ID in the partner's Microsoft Entra.

The internal admin can see the changes made by a delegated admin. They can also see which partner a specific user works for, but they can't see the user's name or other customer data.