

Obtain granular admin permissions to manage a customer's service

Appropriate roles: Admin agent

Partners can request granular delegated admin privileges (GDAP) for more granular and time-bound access to their customers' workloads. More granular control addresses customers' security concerns.

Prerequisites

You must complete the following steps before you can obtain granular admin permissions.

  • Sign in to the Partner Center as an Admin agent and then into a partner Production account.

  • Create a new customer.

    Note

    Purchasing a Microsoft Entra ID P2 license is no longer required.

Request a granular admin relationship with a customer

  1. Sign in to Partner Center and select Customers.

  2. Select a customer, then select Admin relationships > Request for new relationship. For an existing customer with no Reseller relationship, in the left navigation, select Administer, and then Request admin relationship.

    Screenshot that shows a customer's admin relationships page in Partner Center.

  3. On the Create an admin relationship request page, enter a name in Admin relationship name and a duration period in Duration in days.

    • Admin relationship name must be unique and is visible to the customers in the Microsoft 365 Admin Center.
    • Duration in days is the duration after which the granular admin relationship automatically expires.
  4. Choose Select Microsoft Entra roles, which opens a side panel with a list of granular Microsoft Entra roles.

    Screenshot that shows the admin relationship request form.

  5. Select the Microsoft Entra roles to include in the relationship, and then choose Save.

    • See GDAP least-privileged roles by task for the recommended least-privileged roles for each capability.
    • All the Microsoft Entra roles that you select appear in the Requested Microsoft Entra roles section.
    • You can repeat steps four and five as needed to add or delete roles.
  6. Set Auto Extend to Yes so that the admin relationship doesn't expire and extends by six months.

  7. To confirm, select Finalize request.

    The permission request email message to be sent to your customer appears in the Request box. You can edit the text of the request email message, but don't change the link under Click to review and accept because the URL is personalized to link the customer directly to your account.

    Screenshot that shows the admin relationship request.

  8. Select Done.

  9. Send the email to your customer.

When the customer accepts your request, it appears in the Granular administration list on your Administer page. You and the customer receive a confirmation email notification after approval.

Screenshot that shows the granular administration page.

Note

Partners must explicitly grant granular permissions to security groups in the admin relationship to manage the customer.

Note

You can't update an admin relationship to add Microsoft Entra roles after its creation. Create a new admin relationship if needed.
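
Because roles can't be added after creation, it helps to review the role set, name, and duration before you finalize the request. The following pre-flight check is an added example, not Partner Center or Microsoft code. Assumptions: the payload is shaped like the Microsoft Graph `delegatedAdminRelationship` resource, the 730-day upper bound, and the policy of flagging Global Administrator are choices made for this sketch; the function name and sample values are hypothetical.

```python
import re

GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"       # Global Administrator
HELPDESK_ADMIN = "729827e3-9c14-49f7-bb1b-9608f156bbb8"     # Helpdesk Administrator
DIRECTORY_READERS = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"  # Directory Readers
MAX_DAYS = 730         # assumption: upper bound for "Duration in days"
AUTO_EXTEND = "P180D"  # the six-month extension as an ISO 8601 duration
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def build_gdap_request(name, days, role_ids, auto_extend, existing_names=()):
    """Return (payload, problems); payload is None when any problem is found."""
    problems = []
    roles = sorted({r.lower() for r in role_ids})  # de-duplicate selected roles
    if not name.strip():
        problems.append("admin relationship name is empty")
    if name.strip().lower() in {n.strip().lower() for n in existing_names}:
        problems.append("admin relationship name is not unique")
    if not 1 <= days <= MAX_DAYS:
        problems.append(f"duration must be 1..{MAX_DAYS} days")
    if not roles:
        problems.append("no roles selected; roles cannot be added after creation")
    problems += [f"not a role ID: {r}" for r in roles if not GUID.match(r)]
    if GLOBAL_ADMIN in roles:
        # Policy of this example: push the requester toward least-privileged roles.
        problems.append("Global Administrator requested; use a least-privileged role")
        if auto_extend:
            problems.append("auto extend combined with Global Administrator")
    if problems:
        return None, problems
    payload = {
        "displayName": name.strip(),
        "duration": f"P{days}D",
        "accessDetails": {"unifiedRoles": [{"roleDefinitionId": r} for r in roles]},
        "autoExtendDuration": AUTO_EXTEND if auto_extend else "PT0S",
    }
    return payload, []


if __name__ == "__main__":
    # Constructed sample input: a time-bound helpdesk relationship.
    body, issues = build_gdap_request(
        "Contoso helpdesk 2025", 180, [HELPDESK_ADMIN, DIRECTORY_READERS],
        auto_extend=True, existing_names=["Contoso billing"])
    print(body if not issues else issues)
```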