Monitoring administrative relationships and self-service DAP removal
Appropriate roles: Admin agent | Helpdesk agent
Delegated administration privileges (DAP) provide the capability to manage a customer's service or subscription on their behalf. The customer must grant the partner administrative permissions for that service.
To get delegated administrator permissions from a customer, the partner emails them a reseller relationship request (see Request a reseller relationship with a customer). After the customer approves the request, the partner's Admin agent or Helpdesk agent can sign in to the service's admin portal and manage the service on the customer's behalf. For example, using Helpdesk agent privileges, the partner can deliver support for the customer, and using Admin agent privileges, the partner can perform work on behalf of the customer.
Partners' admin agents can audit DAP with their customers. The DAP monitoring tool captures how partner agents access customer tenants through DAP, across all of the partner's customer tenants. Partners can then review and remove DAP connections that aren't in use. This self-service removal capability gives partners a way to mitigate the risk.
Direct-bill partners, indirect providers, and indirect resellers are affected by this change.
DAP enables a partner to access a customer tenant in the following ways:
- The Admin Agent group is assigned to the Global Administrator role in the customer's Azure AD tenant.
- The Helpdesk Agent group is assigned to the Helpdesk administrator role in the customer's Azure AD tenant.
DAP monitoring data is captured from December 7, 2021. Monitoring administrative relationships only shows cross-tenant sign-in activities (acting on behalf of, AOBO) into the customer tenant from December 7 onward. Sign-in actions before December 7 are not shown on the administrative relationships dashboard.
DAP guidance for customer security
To improve security, Microsoft recommends that you remove delegated administrative privileges that are no longer in use or that have been inactive for more than 60 days.
Impacts of removing DAP
Disabling DAP access for a customer turns off both the Admin agent feature and Helpdesk agent privileges.
- Disabling DAP access won't stop partner earned credit (PEC) from accruing because accrual is based on role-based access control (RBAC) roles on the subscription. Once DAP is disabled, partners can no longer manage their customer tenant from Partner Center.
- Disabling DAP access will stop partners from creating service requests on behalf of their customers. If partners need to create service requests, they'll need to request DAP access again from their customer.
For more information on the consequences of removing DAP, see the DAP frequently asked questions.
Integration sandbox tenants can disable DAP but they cannot request a reseller relationship with the test customer to re-enable DAP.
DAP monitoring and self-service removal
A sign-in activity is any partner agent accessing a customer tenant via cross-tenant sign-in to any workload. Both of the following are considered active DAP: a partner accessing the Partner Center portal and acting on behalf of (AOBO) the customer in the customer tenant, or a partner accessing the API and exchanging tokens to access the customer tenant.
An active relationship is measured by any cross-tenant sign-in activity to any workload by any partner agent accessing the specific customer tenant in the last 60 days.
A customer relationship is classified as inactive when there are no cross-tenant sign-in activities to any workload by any partner agent accessing that customer tenant in over 60 days. Partners see a recommendation on the dashboard to remove DAP if a customer relationship is inactive for more than 60 days.
In the Security Center on the Partner Center portal, you can monitor cross-tenant sign-in activities for administrative privileges, and remove DAP if it is inactive. The Security Center also provides other functions that are key to ensuring a more secure partner-customer ecosystem, including the following:
- Partner Admin Agents can access Security Center for administrative relationships.
- Partners can sign in to the Security Center for administrative relationships to view sign-in activities.
- Partners can see sign-in activities across all their customers.
- Partners can see sign-in activities by the last 30-60 days, 60-90 days, and 90+ days across all of their customers who have active DAP relationships.
- If any customer DAP relationship is inactive for more than 90 days, the number of inactive days is represented as 90+.
- Partners can select multiple customers at a time to disable DAP.
- Customers can be notified by email when a partner disables DAP.
- Customers see the DAP relationship updated on the Microsoft Admin Center.
- When DAP is disabled, it may take a few minutes to see the change in Partner Center.
| Category | Description |
|---|---|
| Inactive for more than 90 days | Displays the number of customers whose DAP relationship has been inactive for more than 90 days. Partners are recommended to remove DAP if inactive for more than 90 days. |
| Inactive for 60-90 days | Displays the number of customers whose DAP relationship has been inactive for 60-90 days. Partners are recommended to remove DAP if inactive for more than 60 days. |
| Inactive for 30-60 days | Displays the number of customers whose DAP relationship has been inactive for 30-60 days. |
| Established in last seven days | Displays the number of customers whose DAP relationship was established in the last seven days. |
DAP management attributes
| Attribute | Description |
|---|---|
| No. of partner agents signed in | Number of unique partner agents who signed in to the customer tenant in the last day. |
| No. of times partner agents signed in | Number of times partner agents signed in to the customer tenant in the last day. |
| Days Enabled | Number of days since the DAP relationship was established between the partner and the customer. If it is over 60 days, it is displayed as 60+; otherwise, you'll see an absolute number. |
| Days Inactive | Number of days that the DAP relationship between the partner and the customer has been inactive. If that is more than 60 days, the value displayed is 60+; otherwise, an exact number is shown. Because data is only available for cross-tenant activity since December 7, 2021, this attribute might be blank if there's no activity. |
| Recommendation | A recommendation to disable DAP is made if the partner agent hasn't signed in to any of the customers' workloads in the last 60 days. |
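The inactivity rules above, applied offline to a list of relationships, as an added example that is not Partner Center code or a Partner Center export format. The record fields (customer, established, last_sign_in), the sample customers, the band boundaries, and the choice to treat a blank Days Inactive as inactive since the later of establishment and December 7, 2021 are assumptions.

```python
from datetime import date

MONITORING_START = date(2021, 12, 7)  # page: no sign-in data before this date
REMOVE_AFTER_DAYS = 60                # page: remove DAP inactive for more than 60 days

def inactivity(rel, today):
    """Return (days, exact). exact=False means no sign-in was recorded, so
    days is only a lower bound counted from the start of the observable window."""
    last = rel["last_sign_in"]
    if last is not None and last >= MONITORING_START:
        return (today - last).days, True
    # Assumption: a blank "Days Inactive" counts as inactive since the later of
    # relationship establishment and monitoring start; it is never read as active.
    return (today - max(rel["established"], MONITORING_START)).days, False

def bucket(days):
    """Dashboard bands from the page; the boundary handling is an assumption."""
    if days > 90:
        return "90+"
    if days > 60:
        return "60-90"
    return "30-60" if days >= 30 else "under 30"

def audit(relationships, today):
    """Classify every relationship; longest-inactive (removal candidates) first."""
    rows = []
    for rel in relationships:
        days, exact = inactivity(rel, today)
        rows.append({
            "customer": rel["customer"],
            "days": days,
            "display": "90+" if days > 90 else str(days),  # dashboard caps at 90+
            "exact": exact,
            "bucket": bucket(days),
            "new": (today - rel["established"]).days <= 7,
            "remove": days > REMOVE_AFTER_DAYS,
        })
    return sorted(rows, key=lambda r: r["days"], reverse=True)

# Constructed sample data; field names and customers are hypothetical.
TODAY = date(2022, 6, 1)
SAMPLE = [
    {"customer": "customer-a", "established": date(2020, 3, 1), "last_sign_in": date(2022, 5, 20)},
    {"customer": "customer-b", "established": date(2021, 1, 15), "last_sign_in": date(2022, 3, 15)},
    {"customer": "customer-c", "established": date(2019, 6, 1), "last_sign_in": None},
    {"customer": "customer-d", "established": date(2022, 5, 28), "last_sign_in": None},
]

if __name__ == "__main__":
    for row in audit(SAMPLE, TODAY):
        print(row)
```

Rows with exact set to False have no recorded sign-in, so their day count is a lower bound and the relationship is a candidate for review rather than evidence of recent use.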