Traditionally, both distributors (Microsoft Indirect Providers/CSP Tier 1s) and MSPs (Indirect Resellers) have established Delegated Admin Privileges (DAP) with all downstream customers. This allows distributors to license customer tenants and provide support. It allows you, as the MSP, to provide support and perform day-to-day management tasks via Partner Center.
The major security concern is that Delegated Admin Privileges (DAP) give you the keys to the kingdom (aka Global Admin access) to all downstream customers. That means if you are compromised (or your distributor is compromised), all of your customers might be compromised as well. This exposure is exploited in what are known as supply chain attacks. We’ve been experiencing more significant supply chain attacks over the past few years (most notably, Nobelium).
To combat these attacks, Microsoft is introducing some new features to help you monitor these relationships. In 2022, the community as a whole will begin to shift from DAP relationships to GDAP relationships (as I outlined in a previous blog post), which allow for a model of least privilege. The first phase of this transition is providing more granular reporting on the DAP relationships you have today, in an effort to prepare to transition customers to GDAP. In this article, I will simply be covering where these reports are located within Partner Center and what kind of reporting is provided.
Partner Center Navigation
In Partner Center, you can simply go to:
- Settings (gear icon in the top right corner) > Account Settings
- In the left-hand nav, find Security Center > Administrative Relationships
Reporting Highlights
- Single View for all DAP relationships
- Stats to see how many Partner Center agents are signing in per customer in the past 24 hours
- Stats to see how many times Partner Center agents leveraged DAP to sign into customer tenants within the past 24 hours
- Days enabled (really only helpful for newer relationships)
- Days inactive => can help you identify stale relationships
- Terminating DAP relationships => here you can select one or many customers and remove your existing relationship. (You really should only be doing this for customers you do not manage anymore.)
Final Thoughts
Check out this reporting in your Partner Center today and remove DAP relationships from customers no longer under management. Stay tuned for new announcements around GDAP as we begin to transition later in 2022.