How to Delegate Admin Roles to Partners in Microsoft 365

Managing a Microsoft 365 environment can be a complex task, especially for small and medium-sized businesses. Many organizations rely on trusted Microsoft partners to help with setup, maintenance, and support. Fortunately, Microsoft 365 provides a secure and streamlined way to delegate admin roles to your partner, giving them just the access they need to assist—without giving away full control.

In this blog, we’ll explore how to delegate admin roles to partners in Microsoft 365, the different types of delegated permissions available, and key security considerations.

🔑 What Is Delegated Administration?

Delegated administration in Microsoft 365 allows a Microsoft partner to perform administrative tasks on behalf of a customer. This includes managing users, resetting passwords, configuring services, and more—depending on the level of access granted.

This setup is ideal for:

IT service providers managing multiple clients.
Organizations without in-house IT staff.
Companies wanting expert help without full-time hires.

🛠️ Types of Partner Admin Roles

There are two main levels of delegated admin privileges a partner can be assigned:

Delegated Admin Privileges (DAP)
- Full admin access to customer’s Microsoft 365 tenant.
- Partner can perform most admin functions (e.g., manage users, licenses, Exchange, SharePoint).
Granular Delegated Admin Privileges (GDAP)
- Introduced to enhance security and reduce over-permission.
- Allows assigning specific roles and limited timeframes.
- Recommended for more secure and customized delegation.

✅ Prerequisites

Before assigning a partner as an admin, ensure the following:

You have a Microsoft 365 global admin account.
The partner is listed as a Microsoft Partner with a valid Microsoft Partner Network (MPN) ID.
You’ve received a DAP or GDAP relationship request from the partner.

📩 Step-by-Step: Accept a Delegated Admin Request (DAP)

Receive the Invitation
- Your Microsoft partner will send you a delegated admin request link.
Log in to Microsoft 365 Admin Center
- Navigate to: https://admin.microsoft.com
Review the Request
- Click the provided link.
- Sign in with your global admin credentials.
- Review the permissions the partner is requesting.
Accept the Delegation
- Click “Yes” or “Authorize” to approve the request.
Confirm the Partner in Admin Center
- Go to Settings > Partner relationships.
- The partner should now be listed as a delegated admin.

🔐 How to Use Granular Delegated Admin Privileges (GDAP)

GDAP is a more secure and recommended approach. Here’s how to configure it:

Partner Sends GDAP Request
- The partner initiates a GDAP request with specific roles and duration.
Approve the GDAP Request
- Admin receives an email or portal notification.
- Go to Partner relationships under the admin center.
- Review and approve the GDAP relationship.
Monitor Access
- Under Azure Active Directory > Roles and Administrators, you can view what roles were assigned.
- You can revoke or modify the access at any time.

💡 Tip: GDAP reduces the risk of over-permissioning and aligns with the Zero Trust security model.

🧹 How to Remove a Partner’s Admin Rights

Go to Microsoft 365 Admin Center.
Navigate to Settings > Partner relationships.
Click on the partner’s name.
Choose Remove delegated admin privileges.

For GDAP relationships, revoke access through Microsoft Partner Center or Azure Active Directory.

🛡️ Security Considerations

Always prefer GDAP over traditional DAP.
Regularly audit partner access.
Ensure partners follow Microsoft’s secure partner standards.
Use conditional access policies to restrict login behaviors (e.g., IP location, MFA enforcement).