Obtain granular admin permissions to manage a customer's service

Appropriate roles: Admin agent

Partners can request granular delegated admin privileges (GDAP) for more granular and time-bound access to their customers’ workloads. More granular control better addresses customers' security concerns.

Prerequisites

The following steps must be taken before you can obtain granular admin permissions.

  • Sign in to the Partner Center as an Admin agent and then into a partner Production account.

  • Create a new customer.

    Note

    Purchasing an Azure Active Directory Premium P2 license is no longer required.

Request a granular admin relationship with a customer

  1. From the Partner Center menu, select Customers. Then on the Customers page, select a customer.

  2. On the left navigation bar for that customer, select Admin relationships, and then select Request admin relationship.

    Screenshot depicting customer’s admin relationships page in Partner Center.

  3. On the Create an admin relationship request, enter a name in Admin relationship name and a duration in Duration in days.

    • Admin relationship name must be unique and is visible to the customers in the Microsoft 365 Admin Center.
    • Duration in days is the duration after which the granular admin relationship automatically expires.
  4. Select Select Azure AD roles, which opens a side panel with a list of granular Azure Active Directory (Azure AD) roles.

    Screenshot depicting admin relationship request form.

  5. Select the Azure AD roles to include in the relationship, and then select Save.

    • See GDAP least-privileged roles by task for the recommended least-privileged roles for each capability.

    • All the Azure AD roles that you select will appear in the Requested Azure AD roles section.

    • You can repeat steps 1 to six as needed to add or delete roles.

  6. To confirm, select Finalize request.

    The permission request email message to be sent to your customer appears in the Request box. You can edit the text of the request email message, but don't change the link under Click to review and accept because the URL is personalized to link the customer directly to your account.

    Screenshot showing the admin relationship request.

  7. Select Done.

  8. Send the email to your customer.

When the customer accepts your request, they'll appear in the Granular administration list on your Administer page. Both you and the customer will get a confirmation email notification after approval.

Screenshot depicting granular administration page.

Next steps