Obtain granular admin permissions to manage a customer's service
Appropriate roles: Admin agent
Partners can request granular delegated admin privileges (GDAP) for more granular and time-bound access to their customers' workloads. More granular control addresses customers' security concerns.
The following steps must be taken before you can obtain granular admin permissions.
Sign in to the Partner Center as an Admin agent and then into a partner Production account.
Create a new customer.
Purchasing a Microsoft Entra ID P2 license is no longer required.
Request a granular admin relationship with a customer
Sign in to Partner Center and select Customers.
Select a customer, then select Admin relationships, and then Request for new relationship.
On the Create an admin relationship request, enter a name in Admin relationship name and a duration in Duration in days.
- Admin relationship name must be unique and is visible to the customers in the Microsoft 365 Admin Center.
- Duration in days is the duration after which the granular admin relationship automatically expires.
Select Select Microsoft Entra roles, which opens a side panel with a list of granular Microsoft Entra roles.
Select the Microsoft Entra roles to include in the relationship, and then select Save.
- See GDAP least-privileged roles by task for the recommended least-privileged roles for each capability.
- All the Microsoft Entra roles that you select will appear in the Requested Microsoft Entra roles section.
- You can repeat steps four and five as needed to add or delete roles.
Auto extend is set to No by default. Select the radio button Yes to set the admin relationship to not expire and extend by 6 months.
To confirm, select Finalize request.
The permission request email message to be sent to your customer appears in the Request box. You can edit the text of the request email message, but don't change the link under Click to review and accept because the URL is personalized to link the customer directly to your account.
Send the email to your customer.
When the customer accepts your request, it appears in the Granular administration list on your Administer page. Both you and the customer will get a confirmation email notification after approval.
Partners must explicitly grant granular permissions to security groups in the admin relationship to manage customer.