Best Ways to Manage Global Admin for Partner Tenants in 365?

Asked By TechyDude99 On

Hey everyone! I'm managing some tenants through the partner portal in 365 and I've got a couple of questions about global admin roles. As a partner, I can't use my partner account as global admin, so I'm often creating accounts for tasks that require admin access. Once I'm done, I delete those accounts. For the tenants I frequently work with, I've set up my own GA accounts, but there are many others that lack any admin role at all. I'm wondering what the best practices are here. Is it unwise to have tenants without any GA or admin roles? If there were an issue with the partner relationship, we'd be left without a way to manage the tenant, right? How do you all handle this situation?

2 Answers

Answered By AdminGuru42 On

One approach I've seen is using GDAP (Granular Delegated Admin Privileges). You enable global admin access through GDAP only when needed, turn it off after the task, and make sure to reset the password every time you use it. Additionally, having a 'Break Glass' account can be really useful if GDAP access lapses. Some companies assign one global admin per admin or share a single global admin account safely via a password manager with 2FA.

HelpfulNerd27 -

Thanks! I will look into GDAP. I've never had to use it before. Does that mean the customer has to approve admin access each time I request it?

Answered By CloudExpert101 On

You're definitely right to be cautious about global admin management. It's a complex area, especially with Microsoft shifting focus to GDAP. We used to create temporary GA accounts for tasks, but it's hard to scale and creates risks if the partner relationship ends. Instead, we've moved to using tools that provide role-based access control (RBAC) across our tenants. Platforms like Jamcracker are great for managing user roles centrally and automating permissions based on tasks. This way, we only grant full GA access when it's absolutely necessary. Also, not having any admin access is a big no-no — at least one backup admin account should be in place on the customer's side, or they might face issues if partner access disappears. Microsoft support can help restore access, but that can be a slow and painful process.

EagerLearner85 -

Thank you so much! This helps a lot.
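
An added example, not code from any poster in this thread: a small audit that flags customer tenants which would have no way in if partner access disappeared, the situation the question and both answers warn about. The export shape, tenant names, UPNs and the break-glass naming prefixes are assumptions constructed for illustration.

```python
"""Flag customer tenants that would be unmanageable if partner access ended."""

# Constructed sample: per-tenant members of the Global Administrator role, as
# exported ahead of time. Tenant names, UPNs and the export shape are made up.
GA_EXPORT = {
    "contoso.example": [
        {"userPrincipalName": "breakglass1@contoso.example", "accountEnabled": True},
        {"userPrincipalName": "it.lead@contoso.example", "accountEnabled": True},
    ],
    "fabrikam.example": [
        {"userPrincipalName": "temp-task-0412@fabrikam.example", "accountEnabled": False},
    ],
    "tailspin.example": [
        {"userPrincipalName": "partner.tech@tailspin.example", "accountEnabled": True},
    ],
    "wingtip.example": [],
}

# Assumption: emergency accounts follow a naming convention you control.
BREAK_GLASS_PREFIXES = ("breakglass", "emergency")


def classify(members):
    """Return 'no_admin', 'no_break_glass' or 'ok' for one tenant."""
    enabled = [m for m in members if m.get("accountEnabled")]
    if not enabled:
        return "no_admin"  # disabled leftover temp accounts do not count
    names = [m["userPrincipalName"].split("@")[0].lower() for m in enabled]
    if not any(n.startswith(BREAK_GLASS_PREFIXES) for n in names):
        return "no_break_glass"
    return "ok"


def audit(export):
    """Map each tenant to its status, worst findings first."""
    order = {"no_admin": 0, "no_break_glass": 1, "ok": 2}
    results = {tenant: classify(members) for tenant, members in export.items()}
    return dict(sorted(results.items(), key=lambda kv: (order[kv[1]], kv[0])))


if __name__ == "__main__":
    for tenant, status in audit(GA_EXPORT).items():
        print(f"{status:15} {tenant}")
```
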
