Partner Admin Restrictions
We have now enforced all our techs to use the partner admin to restrict and log access but some of the restrictive features are really causing us issues particularly some of the things that are done on a daily basis like converting user mailboxes to shared.
I logged a ticket with MS who provided the following details on what is restricted to techs using the delegated partner admin portal.
The delegated admin will have no access to the following:
1. Cannot convert a User Mailbox to a Shared Mailbox (and vice versa).
2. Will not be able to export eDiscovery results.
3. Cannot delete mail contacts and Mail Users.
4. Cannot export search results of Content Search.
5. Cannot create a guest user.
6. Cannot enable MFA.
7. Several security and compliance features are not visible to partners from the Security and Compliance portal.
8. Cannot download the EMT results.
I believe that all of these features should be available on the portal.
And even without these features, at least provide documentation on all these gaps so we aren't left blind.
It seems that a Delegated Partner Admin also cannot create a Team. He can create a User or any kind of Group, and a Shared Mailbox, but apparently not a Team!
Great news for us Support Partners trying to help out our clients with remote working during the COVID-19 lockdown... I'm having to tell them all that they need to add me as a User to their Tenant (and they don't always have spare licenses), leaving me with about 20-25 different Office accounts and logins, just so that I can set up their Microsoft Teams correctly. Some of my customers have simply said "This is too ridiculous, I'm not buying our supposed I.T. Support partner another license just to use Teams - we'll just use WhatsApp and Zoom." I'm at serious risk of losing customers to this oversight from Microsoft.
MICHAEL GIBSON commented
Worth noting the OneDrive admin centre and others are also not available via CSP. Microsoft thus far cannot quantify why this is, or even if this is a permissions issue. The CSP at this stage is not worth relying on if Microsoft cannot provide valid details on what is granted or restricted.
There are currently 51 roles within AAD, and there are 2 for partners.
Furthermore, with RBAC I should be able to limit which of my employees can access certain clients, which others have commented about wanting also. Microsoft - PLEASE make this more security minded, because it isn't right now.
Also unable to set a specific password on user login as a partner.
Dave Webster commented
Just adding to this.
I did have an interesting conversation with someone at MS today, as the new protection center sent me over the edge, so in my really polite way I gave it to the support tech full bore with regards to this. They told me decisions in relation to UserVoice items are decided based on the number of votes they receive, to which I explained that admins, and especially partners, are only going to be a really small % of the user base, yet we are the guys and girls who have to use this stuff.
So I'm now left wondering if we need to start abusing our power and sending out requests to our customers to start voting on these items so they can get enough votes to actually get some action; otherwise it's just going to be more of the same crud rolled out from the MS teams.
The other preferred option would be if MS had a different portal for partners to use and report items back to, so our voices don't get lost in the crowd.
Seriously, 135 votes currently.
If all 135 voters sent a mailer out asking nicely if all users could just click this link and throw us a few votes to make our job easier, I wonder how long before this was the top item.
Back to the main item, though: one issue with these global admins under the tenants is that, with them being unlicensed, you can't use 2FA, so they are actually less secure than just using your own logins, which are well monitored and have 2FA.
Being an MS Partner is rapidly becoming a joke.
Jeff AvecNom commented
As a CSP, this is a massive pain too. Limited regarding assigning licenses too.
Even assigning mailbox permissions via partner admins cannot be performed. It would be great if there were an announcement or feedback about these partner admin restrictions.
Daniel Hayward commented
As a Director of an MSP/CSP with over 150 tenants, this is a massive pain... The thought of my technicians having to use Global Admin logins, and all those MFA configurations, is a massive waste of time and resources at present. The thought of sharing the global admin password/account really concerns me too, and that's the "easiest" (though least secure) alternative to partner rights.
If need be, enforce ALL partners in Azure AD to use MFA on their accounts with "Admin on Behalf Of" rights... it'd be a lot more secure than it is at the moment!
Give partners the access they need in order to support their customers, especially partners like us, who deal with SMBs that don't have an IT admin - that's what we're here for!