Review Microsoft-certified cloud solution provider partner administrative privileges

If you have a Microsoft-certified cloud solution provider (reseller partner), we recommend you conduct a quarterly review of the delegated administrative privileges (DAP) assigned to them. Make sure your organization wants this partner to have access to your organization's data and make purchases on your behalf.

Important

Giving DAP, which include Global admin permissions, to any partner might present a security risk. Having too many Global admins is also a security risk. Learn more about recent activity targeting delegated privileges.

After you accept a DAP agreement from a reseller partner, they can assign the Global admin role for your organization to their employees. The Global admin role gives the partner's employees access to your employees' personal data and other sensitive information. It also gives them permission to take tenant-wide actions, such as the following actions:

  • Changing user passwords
  • Adding users with email accounts
  • Adding and managing web domains associated with your organization

When DAP is enabled, you have no control over the number of Global admins your partner can add. You can only grant or deny the partner DAP (Global admin) access to your account.

Review and remove roles from partners

  1. In the Microsoft 365 admin center, go to the Settings > Partner relationships page. Partners with DAP have Global Administrator listed in the Roles column.
  2. To remove the Global admin role from a partner, find the name of the partner that you want to remove.
  3. Select the row that has Reseller as the Relationship Type.
  4. On the partner details page, select Remove roles, then select Yes.

Note

  • If you remove DAP (Global admin role) from a partner, we recommend that you contact them to discuss future service delivery. For example, you can create a user account with lower privileges and share that account information with your partner. Learn more about adding users and assigning admin roles.
  • Even with the Global admin role removed, the partner can still make purchases on your behalf. We recommend that you contact the partner to ask them to remove that ability in the Partner Center.

Manage partner relationships (article)
About admin roles (article)
Delegated admin privileges in Azure AD (article)