![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 54%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDT%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Entra | Other
Additional Microsoft Entra services and features related to identity, access, and network security
A CSP partner cannot legitimately prevent a customer from having Global Administrator access to their own tenant or from changing partners. The tenant owner always retains the right to control admin privileges and partner relationships.
From the Microsoft guidance:
- Delegated admin privileges (DAP/GDAP) are optional and revocable
- When a CSP relationship is established, the partner can receive delegated admin privileges (DAP) or granular delegated admin privileges (GDAP) to manage the tenant.
- These privileges are granted by the customer and can be reviewed and removed. Microsoft explicitly recommends customers regularly review partner admin access because it includes powerful roles like Global Administrator.
- DAP/GDAP does not transfer ownership of the tenant to the partner; it only grants admin access that the customer can revoke.
- Customer control and security considerations
- Documentation emphasizes that giving a partner Global Administrator permissions presents a security risk and should be limited.
- This implies the customer is expected to be able to control who has Global Administrator, including partners, and to remove or limit those rights when needed.
- If locked out or blocked from admin access
- If the partner has effectively locked the customer out (for example, by being the only Global Administrator or refusing to promote a customer user to Global Administrator), this is treated as a tenant lockout scenario.
- In such cases, the tenant owner or an existing Global Administrator must work directly with Microsoft Support (Data Protection / Tenant Recovery) to restore appropriate admin access.
- For tenant lockout and admin recovery scenarios (for example, no usable Global Administrator, or partner blocking access), Microsoft directs the tenant owner/GA to contact Microsoft 365 for business support by phone so Microsoft can verify ownership and help restore access.
- Practical next steps
- If any customer user still has Global Administrator or sufficient admin rights, that user can:
- Review and remove partner delegated admin privileges (DAP/GDAP) if appropriate.
- Ensure at least one internal user is a Global Administrator.
- If no internal Global Administrator exists or the CSP is refusing to cooperate, the tenant owner should:
- Contact Microsoft 365 for business support by phone and clearly state that:
- This is a tenant lockout / admin access issue.
- The CSP is the only Global Administrator and is refusing to grant customer Global Admin access or blocking changes.
- Work with Microsoft’s Data Protection / Tenant Recovery team to re-establish customer-controlled Global Administrator access.
- Contact Microsoft 365 for business support by phone and clearly state that:
- If any customer user still has Global Administrator or sufficient admin rights, that user can:
Once customer-controlled Global Administrator access is restored and partner DAP/GDAP is adjusted or removed, the customer can proceed with changing CSPs through normal commercial and subscription-migration processes.
References: