Grant granular permissions to security groups

Appropriate roles: Admin agent

You can assign customer-approved, Microsoft Entra roles to security groups.

You can then grant those security groups granular delegated admin privileges (GDAP).

Prerequisites

Partners should first set up the security group.

Depict zero or no access assignments

A yellow warning icon is displayed next to an admin relationship if there are no access assignments associated with it.

Screenshot of the Admin Relationships page displaying a yellow warning icon, with a red box callout.

Grant permissions to security groups

To grant permission to security groups, use the following steps:

  1. Sign in to Partner Center and select Customers.

  2. Select the customer you want to manage, then select Admin relationships, and then select the specific admin relationship you want.

    Screenshot depicting admin relationship details page.

  3. Under Security groups, select Add security groups.

  4. On the Security groups panel, select the security groups that you want to grant permissions.

    Screenshot depicting admin relationship details page with side panel displaying Security groups with AdminAgents and HelpdeskAgents selected.

  5. Select Next, which displays the Select Microsoft Entra roles side panel.

  6. Choose the Microsoft Entra roles you want to assign to the security group for that admin relationship.

    The Microsoft Entra roles that you assign enable the users in the security group to administer services.

    Screenshot depicting admin relationship details security group page with selected Microsoft Entra roles.

  7. Select Save from side panel.

  8. Status would display "Pending" against the added Security groups. Refresh the page after 30 seconds or so.

  9. Status would display "Active".

    You can remove or add more security groups and Microsoft Entra roles.

    All the users assigned to the security group can now administer services from their Service management page.

    Screenshot depicting a customer service management page.

Dynamics 365 delegated admins

Delegated administrators:

  • Aren't visible in a customer's Microsoft Entra user list
  • Can't be managed by a customer's internal admin

However, when a delegated admin logs into a Dynamics 365 environment on behalf of a customer, they're automatically created as a user inside the Dynamics 365 environment. That means that the actions performed by a delegated admin, such as posting documents, are logged in Dynamics 365 and associated with their ID in the partner's Microsoft Entra.

The internal admin can see which changes are made by delegated admin, and which partner a specific user works for, but they can't see the user's name or other customer content.