Grant granular permissions to security groups
Appropriate roles: Global admin | User management admin | Admin agent
You can assign customer-approved, Azure Active Directory (Azure AD) roles to security groups.
You can then grant those security groups granular delegated admin privileges (GDAP).
Partners should first set up the security group.
Grant permissions to security groups
To grant permission to security groups, use the following steps:
Sign in to Partner Center and select Customers.
Select the customer you want to manage, then select Admin relationships, and then select the specific admin relationship you want to change.
Under Security groups, select Add/remove groups.
On the Security groups panel, select the security groups that you want to grant permissions.
The security group now appears in the Security groups section.
Select the newly added security group, which opens the Select Azure AD roles side panel.
Choose the Azure AD roles you want to assign to the security group for that admin relationship.
The Azure AD roles that you assign enable the users in the security group to administer services.
Select Save from side panel.
You can remove or add more security groups and Azure AD roles.
All the users assigned to the security group can now administer services from their Service management page.
Dynamics 365 delegated admins
- Aren't visible in a customer's Azure AD user list
- Can't be managed by a customer's internal admin
However, when a delegated admin logs into a Dynamics 365 environment on behalf of a customer, they're automatically created as a user inside the Dynamics 365 environment. That means that the actions performed by a delegated admin, such as posting documents, are logged in Dynamics 365 and associated with their ID in the partner's Azure AD.
The internal admin can see which changes are made by delegated admin, and which partner a specific user works for, but they can't see the user's name or other customer content.