Why the multiple communities here? Which is the go-forward platform here, Yammer or microsoftpartnercommunity. How to support CSP customers while protecting the security of their tenant? Permissions granted by delegated admin are too far-reaching, do not allow for fine-grained access, and even the ability to audit use is unclear or non-existent.
This is something I had first started looking at just over a year ago. It doesn't look like anything has improved since, but customers are understandably only becoming increasingly concerned with this.
Here is some feedback we just received earlier today from a current customer looking to move to CSP licensing: I also have reservations about a vendor having these all-encompassing permissions.
However, even this would be good to have further detailed in a format that we can share with concerned customers. If I were in the customer's place, I would absolutely be asking the exact same questions, and imposing the same requirements - and have so in prior organizations.
I have several other customers I've been working with, who I have not, in good faith, been able to recommend putting into CSP and the required delegated admin for - given the concerns outlined here.
We currently have a few hundred customers enrolled in CSP - and have an opportunity to bring even more into the CSP program, but the concerns outlined here do not help with the effort.
Of these, only "Admin agent", "Helpdesk Agent", and maybe "Sales agent" apply to the customer tenants. As an O admin in my own organization, I can delegate permissions to others through at leastdifferent combinations of the 18 customized administrator roles currently available in my tenant.
This increases to 38 roles available and nearly billion combinations when using the roles available in Azure AD. As a partner with delegated admin to a customer, there are only 2: "Everything", or "Helpdesk Agent" or none. We also have well over engineers in our organization not counting back office staff, etc. To assign either "Admin agent" or "Helpdesk Agent" to one of our staff, means that they have that same permission across a few hundred customers.
There is no way to filter a staff member's access to only one customer, or ideally a group of customers. However, there are many limitations here - including that all logging appears to be held within each individual customer tenant only - and for us to review delegated admin activity from our partner account as a whole, it appears that we'd need to query each and every one of our customer tenants. Can someone from Microsoft please review and respond to this UserVoice entry?
Everyone else - please vote. What are other CSP partners doing in terms of security controls to meet customer needs and expectations as it relates to CSP licensing? We do have our own internal security program that I am a part of - which includes even stronger MFA controls across our entire organization than we'd otherwise been able to have approved, partially because of the customer security concerns here.
However: 1) Is this still accurate and working, 3 years later? And 2) we'll need to determine what limitations, if any, may then exist that would prohibit us from providing CSP licensing in this model, even if we then are not able to directly assign new licenses to users, or otherwise provide direct support to the customer as per CSP terms at least not without having other customer-provided access given to us.
This is less than 2 months old, still in preview, and what Privileged Identity Management really should have been all along, in my opinion. We recently learned that with the new CSP portal, engineers need "Admin Agent" to open Office related support cases, which seems like way too much access (Helpdesk agent isn't enough).
Also, I very much agree with point 2 about engineers having access to all clients or none. We want granular control of which clients an engineer has access. We have Azure AD team and other teams working on these known aspects in the background and I would advise meanwhile to address such issues during the Office Hours 2 live sessions available!
Finally keep an eye on the Security Guidance Community threads. I share your view around customers not wanting to grant full access to us and we have this issue right now. The problem is that if a customer removes delegate admin or we uncheck the box "Include delegated administration privileges for Azure Active Directory and Office I'm not sure if this is just a fault with Partner Center at the moment but it seems having a transacting only not delegate admin relationship is not possible.

To manage a customer's service or subscription on their behalf, the customer must grant you administrator permissions for that service.
To get administrator permissions from a customer, email them a reseller relationship request.
After the customer approves your request, you'll be able to log on to the service's admin portal and manage the service on the customer's behalf. Select Customers and then select Request a reseller relationship.
On the next page, review the draft email message. You can open the draft message in your default email application or you can copy the message to your clipboard and paste it into an email. You can edit the text in the email, but be sure to include the link as it is personalized to link the customer directly to your account.
After the customer accepts your invitation, they'll appear on your Customers page, and you'll be able to provision and manage the service for the customer from there. To manage the customer's account, services, users, and licenses, expand the customer's record by selecting the down arrow near their name and then select the admin portal for the service you want to manage.
Customers can reassign or remove administrator permissions in a service's admin portal. However, unless and until you renegotiate your agreement with the customer, you continue to be responsible for providing customer support and adhering to the terms of the Cloud Reseller Agreement, even after a customer reassigns or removes administrator permissions.
AppRiver Technical Guides
In this situation, if the customer requires help, contact Microsoft support to open a service request on behalf of the customer. Your customers can find out which of their partners have admin privileges to their tenant from within the Office admin portal. To do this: On the Partner relationships page, the customer will see a list of the partners with whom they work and those that have been granted delegated administration privileges to their tenant.
Your customer may decide to remove your delegated admin privileges from their tenant but retain the relationship with you for subscription and license renewal purposes. Customers manage rights and permissions to their Office accounts on the Partner relationships page in the Office admin center.
On this page, customers can: See which partners they have a relationship with and which partners have delegated admin privileges. Azure AD role assignments to the partner are implicit. To find out if the partners are assigned to Azure AD roles, you must refer to the Partner relationships page in the Office Admin Portal to find out if delegated administration privilege has been granted to the partner or not.
There are two security groups, Admin Agents and Helpdesk Agents, in the partner's Azure AD tenant that are used for delegated administration. When a customer grants delegated administration privilege to a partner: Based on the directory roles assigned, members of both groups can sign in to the customer's Azure AD tenant and O services using their partner credentials and administer on behalf of the customer. If your customer removes delegated admin privileges, the Azure AD role assignments are removed, and you will no longer be able to manage the customer's Azure AD tenant.
Each Azure subscription has its own set of resource management roles. Before a CSP partner can manage a customer's Azure subscription, the partner must be assigned to one or more roles under the Azure subscription.
When a customer accepts a reseller invitation and grants delegated administration privilege to a partner, the partner does not automatically get access to existing Azure subscriptions under the customer tenant. When the CSP partner provisions a new Azure subscription for the customer, the Admin Agents group under the CSP partner tenant is automatically assigned Owner role under the subscription.

In Office you have the option to add a partner to your Office tenant.
In this article I explain what the partner sees and what they can do. The Microsoft partner can ask for delegated access to your tenant; you cannot invite the partner yourself. Your partner can create an invite email to request delegated administration from their partner portal.
They can also do this with the creation of a purchase offer. The invite looks like the image below. When you click on the link in the email you are sent to the Office portal and asked to sign-in if you are not already.
You must sign-in with an account that has portal admin rights. After that you are asked if you want to accept your partner for delegated administration like the image below. After you accepted this invitation the partner has access to your tenant. When you have accepted the invite your partner has access to your tenant with their own corporate accounts. They can give users the right to administer their clients by assigning this to them. As a tenant admin you can only see who you gave delegated administration and their contact details.
You also have the option to remove your partner. With the above steps you gave your partner access to your tenant and help you solve any problems on your tenant. What can your partner do on your Office Tenant? May 23, 1 Comment. What is this option about? This option gives your partner the ability to assist you with the administration of your tenant.
The invite Your partner can create an invite email to request delegated administration from their partner portal. What can your partner do? Your partner now has almost the same rights as the tenant administrator, but not Delete other partners Buy licenses Add and configure domains Configure users I hope this gave you an overview what it means to give your partner delegated administration.

Enter your password in the Enter password window then click Sign in. If a "Stay signed in? Click Close to close the Remove Delegate Admin window. In the Partner relationships window you'll notice that AppRiver is still listed even though the delegated admin permissions have been removed.
This is expected behavior and the entry simply indicates that AppRiver has been a cloud solution provider for your O tenant in the past. Note: The remaining partner relationship entry can only be removed by the cloud solution provider.
If you would like the AppRiver entry completely removed from your tenant please contact us for assistance. Removing Delegated Admin Permissions for Office O allows tenants to work with multiple CSP providers so it may be necessary to remove Delegated Admin permissions from your tenant at some point.
The steps in this article will walk you through removing Delegated Admin permissions in your O Admin Center. NOTE: a CSP provider won't be able to access your tenant at all once their Delegated Admin permissions are removed so please use caution before proceeding with these steps.
On the O landing page click the Admin button. Last Updated Dec 16,

You can now request a cloud solution provider CSP relationship with Office customers who have already purchased their subscriptions directly from Microsoft. Check out Help for partners. As a reseller you can reach potential customers regardless of how the customers were first created.
Cloud solution provider CSP partners and customers can now interact in the following ways: Partners can establish a CSP relationship with customers that already have existing tenants or subscriptions and can then sell them CSP subscriptions. A CSP customer can also purchase subscriptions directly from Microsoft and is no longer limited to buying subscriptions through their CSP reseller. With this, partners can establish a CSP relationship with a customer that already has an existing tenant and existing subscriptions and can then sell CSP subscriptions to that customer.
Those subscriptions remain active and unchanged, and any Partner-of-record POR associated with those subscriptions remains in place. Additionally, customers can continue to purchase subscriptions via these other channels alongside their CSP subscriptions, for example, directly from Microsoft. For instructions on how to request this relationship, see Partners: Request a reseller relationship. What CSP role do I need to have to send the reseller invitation mail? Can CSP partners view subscriptions the customers purchased directly from Microsoft?
Yes, the CSP partner can view all the subscriptions, but any subscriptions that were purchased directly from Microsoft are read-only. Can customers view subscriptions that were purchased by a CSP reseller for them? Why request a cloud solution provider relationship with an existing Office customer?
Office 365 Admin Delegation
Note: This article applies to Office operated by 21Vianet in China. It is for organizations who want to allow a 21Vianet Partner to administer their Office subscription for them. An authorized partner of Microsoft who serves as your subscription advisor provides the sales, support, and technical expertise you need to help you set up and maintain your subscription.
You can add a subscription advisor partner as a partner of record when you purchase Office or at another time.
If you're not currently working with a partner, you can also find one on the Microsoft Pinpoint website. The partner you choose depends on the Office services you use and the country or region where you'll use those services. If you are adding a partner, or changing the partner for your subscription, first you need to get the partner's Microsoft Partner ID by asking the partner for it.
As an admin for Office you can create or edit users, reset user passwords, manage user licenses, manage domains, and assign admin permissions to other users in your organization, among other things.
However, if you want someone else to do these administrative tasks, you can delegate this role to an authorized partner of 21Vianet by creating a partner relationship. If you're not using the new Microsoft admin center, you can turn it on by selecting the Try the new admin center toggle located at the top of the Home page.
To add a new partner, expand Need help with your order? Follow the steps on the providers page to either search for, or to get matched with a partner. If you already have a partner, in the second step of the checkout wizard, in the right pane, under Partner information, select Add. Type the Microsoft Partner ID for the partner you're adding. You can get the partner's Microsoft Partner ID by asking the partner for it.
On the subscription page, select the Partner tab, and then type the Partner Network ID for the partner you're adding. You can get the partner's Microsoft Partner ID by asking the partner for it. This process is initiated by your authorized partner. The partner sends you an email to ask you if you want to give them permission to act as a partner of record. Under Partner Relationships select Yes to authorize the partner to be your delegated admin, and then select Next.
Customers delegate administration privileges to partners
If the offer for partner relationship came with a trial subscription or a purchase offer, create your trial or subscription account. Your partners are listed on this page. On the Partner information page, clear the partner ID box, and then select Submit.
If you are removing a reseller relationship the Delete option is grayed out, and you will have to ask your reseller partner to follow these instructions: Remove a reseller relationship with partner. Find your Office partner or reseller.
Add a partner at the time of purchase Note If you're not using the new Microsoft admin center, you can turn it on by selecting the Try the new admin center toggle located at the top of the Home page. Select the product you want to purchase, and then select Buy.
Complete the rest of the wizard to finish buying your subscriptions. Note If you're not using the new Microsoft admin center, you can turn it on by selecting the Try the new admin center toggle located at the top of the Home page.
If you have more than one subscription, select the subscription you want to edit.
The partner ID displays on the Subscriptions page. To accept this offer Read the partner's terms in the email. To authorize the agreement, select the link, which goes to an authorization page in Office

You need to access to your CSP O Portal and from there you can set delegated admin for your customer. Is that possible through the CSP O portal or another way? From that portal you can create a delegated admin to your customer tenant exactly like activating a new user for your customer.
It can also be done from the Partner Center. It will not count against the customer's user licenses. The customer will start seeing the user in the Users list in Dynamics Business Central after the first log in, and they can disable this account if they want to. I hope this helps. If my response has answered your question, please verify by clicking Yes next to "Did this answer your question?
Stefano Demiliani responded on 13 Jul PM. How to set delegated admin to a client tenant Unanswered. Stefano Demiliani responded on 16 Jul AM.

Microsoft CSP - Enabling the Partner Admin Center