Problem: Trading Partner as Global Administrator for Tenant in Microsoft 365 Portal

I'm picking up on a topic that was brought to my attention by a blog reader. It's been on my mind for a while, but I can't verify anything myself because I lack the accounts. It concerns the management of tenants in the Microsoft 365 portal. Microsoft is pushing the march to the cloud, and customers are supposed to obtain their licenses from trading partners (only large customers get licenses directly from Microsoft). In this case, however, the trading partner is stored as Global Administrator in the tenant. This is a security risk.


Administration of MS 365 licenses

If you want to have a license for a Microsoft cloud product, you usually have to obtain this via a trading partner. Microsoft describes this license requirement as of 11/29/2022 in the article Manage Microsoft-certified solution provider partner relationships – and I experienced the spiel once when allocating an ESU license for Windows 7. Microsoft describes the different roles in the article and says:

Depending on the request made by the partner, when you accept the invitation, you agree to give them Global and Helpdesk admin roles. When you give these admin roles to a partner, you automatically grant them delegated admin privileges in Azure AD.

The administrator roles are also described in the article About admin roles in the Microsoft 365 admin center (as of 12/16/2022). The trading partner who supplies the license manages my tenant. Microsoft does state that customers can remove admin roles from a partner at any time. Removing the admin roles does not end the partner relationship, they say. The partner can continue to work with the customer in another capacity, such as reseller, Microsoft says.

A reader's note on a problem

It was a short personal message that Daniel S. sent me privately via Facebook: "Hi Mr. Born, I may have an issue here that you can mention in an article sometime if you get a chance."

As an IT service provider, I have often noticed this. But what is often concealed.

There is in the Microsoft 365 portal under partner relationships the trading partner, where usually the IT service provider obtains the licenses. These are "always" stored as Global Administrator in the tenant.

Daniel noted that there are usually about five trading partners in Switzerland. These five trading partners share access to all the MS tenants among themselves. For Germany, Austria or other countries the number of trading partners is unknown; it might be a few more, but it is limited. Daniel points out the following sticking point, which arises for IT service providers and possibly customers:

The main problem now is actually: Most end customers, and even certain IT security experts, are not aware that data access by the trading partner in its role as Global Administrator can take place here.

There is no real solution, or I am not sure if the global admin role can be removed from the trading partner, since the license delivery is then disrupted.

As a hacker, I would only have to compromise the account of a trading partner and would thus have access to x thousands if not millions of end customer data.

Thanks by the way for the many informative articles in your blog.

Daniel S.

The question that immediately comes to mind: How is this viewed by the readership? Daniel is right in my eyes, and no one from the IT service providers or end customers knows who from the trading partner (authorized or unauthorized) has access to the customer accounts and thus to the data. Can the Global Administrator role be removed without consequence? I interpret the above article from Microsoft in this way – but Daniel's statement is that there would then be problems with the license delivery. Daniel writes specifically about this:

You can remove the administrator roles from the trading partner at any time. As long as the licenses are obtained from the respective trading partner, however, this is unwise, because then the billing and licensing is endangered or no longer works.

Question: Do you remove the Global Administrator? Are there other solutions, or are millions of Microsoft Cloud subscriptions managed by trading partners as Global Administrator?
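To see which partner tenants actually sign in to a customer tenant, the sign-in logs can be summarized per partner. The following is an added example, not part of the original post: the records are constructed, the allow list is hypothetical, and it assumes partner delegated-admin sign-ins carry `crossTenantAccessType` set to `serviceProvider`, as in the Microsoft Graph beta `signIn` resource.

```python
import json
from collections import defaultdict

# Constructed sample of exported sign-in records. Property names follow the
# Microsoft Graph beta signIn resource (assumption: your export matches).
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2023-01-10T08:15:00Z", "userPrincipalName": "tech1@partner-a.example",
     "homeTenantId": "11111111-1111-1111-1111-111111111111",
     "appDisplayName": "Microsoft 365 admin center", "crossTenantAccessType": "serviceProvider"},
    {"createdDateTime": "2023-01-12T14:02:00Z", "userPrincipalName": "tech2@partner-a.example",
     "homeTenantId": "11111111-1111-1111-1111-111111111111",
     "appDisplayName": "Azure Portal", "crossTenantAccessType": "serviceProvider"},
    {"createdDateTime": "2023-01-11T23:40:00Z", "userPrincipalName": "ops@unknown.example",
     "homeTenantId": "22222222-2222-2222-2222-222222222222",
     "appDisplayName": "Exchange admin center", "crossTenantAccessType": "serviceProvider"},
    {"createdDateTime": "2023-01-11T09:00:00Z", "userPrincipalName": "alice@customer.example",
     "homeTenantId": "33333333-3333-3333-3333-333333333333",
     "appDisplayName": "Office 365 Exchange Online", "crossTenantAccessType": "none"},
])

# Hypothetical allow list: tenant IDs of partners you knowingly contracted with.
EXPECTED_PARTNER_TENANTS = {"11111111-1111-1111-1111-111111111111"}

def summarize_partner_signins(export_json, expected_tenants):
    """Group service-provider sign-ins by the partner's home tenant."""
    groups = defaultdict(lambda: {"count": 0, "users": set(), "apps": set(), "times": []})
    for rec in json.loads(export_json):
        if rec.get("crossTenantAccessType") != "serviceProvider":
            continue  # ordinary member, guest or B2B sign-in
        g = groups[rec.get("homeTenantId") or "unknown"]
        g["count"] += 1
        g["users"].add(rec.get("userPrincipalName", "?"))
        g["apps"].add(rec.get("appDisplayName", "?"))
        g["times"].append(rec.get("createdDateTime", ""))
    # ISO 8601 UTC strings in one format sort chronologically as text.
    return {
        tenant: {"count": g["count"], "users": sorted(g["users"]), "apps": sorted(g["apps"]),
                 "first_seen": min(g["times"]), "last_seen": max(g["times"]),
                 "expected": tenant in expected_tenants}
        for tenant, g in groups.items()
    }

def unexpected_partner_tenants(summary):
    """Tenant IDs that signed in as a service provider but are not on the allow list."""
    return sorted(t for t, s in summary.items() if not s["expected"])

if __name__ == "__main__":
    report = summarize_partner_signins(SAMPLE_EXPORT, EXPECTED_PARTNER_TENANTS)
    for tenant, s in report.items():
        print(tenant, s)
    print("review:", unexpected_partner_tenants(report))
```

Tenants in the review list are service-provider sign-ins from a partner that is not on the allow list and should be checked against the partner relationships shown in the Microsoft 365 portal.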


Addendum: Microsoft has begun to switch to "granular delegated admin privileges" (GDAP). The blog post here has fulfilled its mission: we have a huge discussion in Facebook admin groups. And I've now learned that Microsoft has delayed the transition to GDAP to March 2023 (see New timelines: Securing the partner ecosystem by transitioning to GDAP):

We're providing partners with more time to make the transition from delegated admin privileges (DAP) to granular delegated admin privileges (GDAP).

Starting January 17, 2023

  1. Microsoft will stop creating DAP relationships when a new customer or reseller relationship is created.
  2. Microsoft will start removing inactive DAP relationships that haven't been used in 90 days.

Starting March 1, 2023

  1. The Bulk Migration Tool to upgrade existing DAP connections that were granted by customers to GDAP will no longer be available.
  2. Microsoft will begin to transition remaining active DAP relationships to GDAP with limited Azure Active Directory (Azure AD) roles to perform least-privilege customer management activities. Partners will be required to perform more steps to continue to have access to Azure subscriptions after the limited roles are granted, as documented.
