The Westcoast Cloud Team
February 28, 2023

Delegated admin privileges are going granular – here’s why it’s so important

As Microsoft rightly points out, IT service providers like us make good targets for cybercriminals – hacking even one partner could give them access to thousands of devices.

This is why it’s crucial that partners have the right level of access to customer workloads. But in the case of delegated admin privileges (DAP), partners are often given too much access.

Delegated admin… what now?

Delegated admin privileges (DAP) are a Microsoft Partner Center security feature that lets partners manage customers’ services or subscriptions, but only after the customer accepts an access request from the partner.

These privileges can be very handy for delivering better and faster customer support, or for carrying out processes that would make you want to bang your head against a wall without remote access.

The snag is that there aren’t enough restrictions in place for partners, which doesn’t bode well for customers with regulatory needs that require least-privileged partner access. And in some cases, customers may feel insecure – the opposite of what we want.

It’s time to go granular

Well, good news: delegated admin privileges are being made granular. No, that’s not some slang from parodies of 80s culture, like tubular or gnarly. Granular delegated admin privileges (GDAP) have the same function as DAP, but give partners the lowest level of access to customers’ workloads. This means that both nervous customers and customers with heavy security regulations are kept happy.

If you’re concerned that this might become the same DAP issue above in reverse, don’t be. You and your customers can agree on different degrees of access privileges and time-based restrictions, so you won’t be locked out trying to get into the right workloads.

For example, with Just In Time access, you can make sure any access given is strictly for a limited time – whether that’s a short one-off file share or a longer, more collaborative project. Whatever time period you choose, you’ll know that come the end of it, the partner’s access rights will be removed.

That said, you should be aware that partners won’t have access to all customer tenants. Instead, partners managing Azure become part of the Admin agent group, which provides access to any relevant customers’ Azure subscriptions. These same partners will also have their Global Admin role swapped out for permission to read customer directories.

How do I go from DAP to GDAP?

While requesting permission to access your customers’ workloads isn’t quite as simple as saying please, it’s still a straightforward process:

  • When signed into Partner Center, go to Customers, then Administer, followed by Admin relationships, and select Request admin relationship.
  • On the Create an admin relationship request form, enter a unique Admin relationship name and duration in days, up to two years. After this duration, the GDAP automatically expires, and you’ll have to make another request if you want to renew.
  • On the same page, click on Select Azure AD roles and choose the roles you want to include in the relationship. Don’t forget to hit save, and then Finalize request.
  • You’ll be taken to an email template requesting access privileges. You can edit it however you like, but don’t tweak the personalised link. When you’re happy with the email, select Done and send it to your customer.

Make sure that customers remove DAP roles before they approve a GDAP request. If they don’t, DAP could override GDAP.
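The points above (least-privileged roles, a fixed duration, automatic expiry) are easy to check for on the partner side once you have the relationship records in hand. The following is an added example and not code from Westcoast Cloud or Microsoft: a small Python audit run over constructed sample records shaped like the objects the Microsoft Graph delegatedAdminRelationships endpoint returns. The field names, the `PnD` duration format and the Azure AD role template IDs are assumptions, not taken from this post.

```python
import re
from datetime import datetime, timedelta, timezone

# Azure AD built-in role template IDs (assumed well-known values, not from the post).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
HELPDESK_ADMIN = "729827e3-9c14-49f7-bb1b-9608f156bbb8"
DIRECTORY_READERS = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"

# Constructed sample records, shaped like the objects Microsoft Graph returns from
# tenantRelationships/delegatedAdminRelationships (field names are an assumption).
SAMPLE_RELATIONSHIPS = [
    {"displayName": "Contoso-support", "status": "active", "duration": "P730D",
     "endDateTime": "2025-01-15T00:00:00Z",
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": HELPDESK_ADMIN}]}},
    {"displayName": "Fabrikam-all-access", "status": "active", "duration": "P730D",
     "endDateTime": "2024-03-20T00:00:00Z",
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": GLOBAL_ADMIN}]}},
    {"displayName": "Tailspin-readonly", "status": "active", "duration": "P180D",
     "endDateTime": "2024-08-01T00:00:00Z",
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": DIRECTORY_READERS}]}},
]

def _parse_utc(value):
    """Parse a Graph-style UTC timestamp such as 2024-03-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def audit(relationships, now_iso, expiry_warning_days=30, max_days=365):
    """Return {displayName: [findings]} for active relationships that break a
    least-privilege policy: Global Administrator granted, duration above max_days,
    or expiry within expiry_warning_days of now_iso."""
    now = _parse_utc(now_iso)
    findings = {}
    for rel in relationships:
        if rel.get("status") != "active":
            continue  # pending, expired or terminated relationships grant nothing
        issues = []
        roles = {r["roleDefinitionId"] for r in rel["accessDetails"]["unifiedRoles"]}
        if GLOBAL_ADMIN in roles:
            issues.append("grants Global Administrator; request a narrower role")
        match = re.fullmatch(r"P(\d+)D", rel["duration"])  # ISO 8601 day count, e.g. P730D
        if not match:
            raise ValueError(f"unexpected duration format: {rel['duration']}")
        if int(match.group(1)) > max_days:
            issues.append(f"duration {match.group(1)}d exceeds policy of {max_days}d")
        end = _parse_utc(rel["endDateTime"])
        if end - now <= timedelta(days=expiry_warning_days):
            issues.append(f"expires {end.date()}; re-request before then or let it lapse")
        if issues:
            findings[rel["displayName"]] = issues
    return findings
```

Calling `audit(SAMPLE_RELATIONSHIPS, "2024-03-01T00:00:00Z")` flags the Global Administrator relationship on all three counts and the two-year helpdesk relationship on duration only, while the short read-only one passes.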

Oh, and one more thing: you might be wondering what happens to Partner Earned Credit (PEC) when DAP relationships are removed. The short answer is nothing; PEC is only lost if the role-based access control (RBAC) assignment is removed from our foreign principal.

We hope this post has helped to clear up any confusion. Take a look at our previous security blog for more ideas on how you can protect yourself – and your team – from cyberattacks and other threats.

If you still feel like you can’t tell DAP from GDAP, check out Microsoft’s GDAP FAQ page.