Level 1 Contributor

Supporting your delegated Clients through Partner Centre and/or other ways? - Help / Best practice / How to ?

Hello

I hope someone can help, as we're trying to manage supporting our clients (with O365 and Azure) but it's really a struggle and a high-maintenance task to keep it running smoothly.

  • We are a UK MSP with a 15+ Support Desk - managing our clients' O365 Tenants and Azure Tenants
  • 16+ Project and Network Engineers deploying Microsoft Services (EMS/O365/Azure/M365 etc.)
  • We are an indirect reseller - selling via Tech Data (Tech Data get delegated admin through this process to the client environment)
  • We then add delegated administration to the client's tenant so that we can access the tenant through Delegated Admin, i.e. via the Partner Portal
  • We assign all our Help Desk users the "Limited Administration" role over the client portal so they can see and access clients

ISSUES / OPINIONS & QUESTIONS WE HAVE

  1. The first thing is that when we sell through Tech Data, our client sees them as their 1st port of call for support. They even ask us why they see this in their tenant and not us.
  2. The "Limited Administration" we assign from our Tenant to one of our Staff Members on the Help Desk only gives them very basic controls of a client's O365 Tenant
    (i.e. they cannot create a user or delete a user on our clients' tenants; they need to log into the client's tenant as the Global Admin - but this removes traceability of who is doing what. This is a really big problem for us)
    1. We don't want to give Full Administration over the client's tenant to our helpdesk staff as they will then be able to use/see IUR licenses and MPN Benefits etc.

  3. With Azure, it seems the only way to support a client's subscription (that we sell through Tech Data too) is to manually add each Helpdesk User from our helpdesk to the subscription using the IAM Controls in Azure, adding the user as an external guest user with the relevant admin privileges in order to have traceability - as with them using the single Global Admin (or a user account with fewer privileges) we don't know which helpdesk user is doing what in a client environment.

Is there a best practice, or are we doing something wrong that is limiting how we can support the clients we have? We don't want them to go to Tech Data for support; we have a whole team of Engineers trained in O365 etc. to support our clients.

Any info / help / tips etc. is greatly appreciated.

Best,

Adam

1 ACCEPTED SOLUTION

Microsoft

Re: Supporting your delegated Clients through Partner Centre and/or other ways? - Help / Best practice / How to ?

Hi Adam,

For the first item - afaik it is by design that the support contact information the customer sees is that of the selling partner (TechData as indirect provider). Currently there is no other solution than educating the customer to contact you first - or you become a Direct CSP and then your information is displayed. This also reflects that only TechData would be able to raise a case at Microsoft.

Reg. 2 - this is more complicated. Even when you would give those engineers admin agent permission in Partner Center and do not let them work with admin credentials from within the customer tenant, the insight into their actions would be limited. E.g. if an admin agent does user management for a customer in Partner Center, this is logged in Partner Center activities. But if this user accesses the customer's AzureAD management portal directly and does the same user management tasks, you will not see any activity in Partner Center logs - only in customer tenant logs.

However - if a user has the admin agent role, he should not be able to see MPN benefits (your own benefits). This would be the role "MPN Administrator", which is a distinct role from admin agent. See here for reference.

For 3 - the only other option would be to add permissions using the foreign principal. So you do not add individual users as B2B guest accounts, but add all admin agents (or even helpdesk agents) as owner in the customer's permissions. There is a great blog post explaining how the roles are visible.

Basically you would need to review the object ID of the group AdminAgents in your Partner AzureAD tenant, and then add permission in the customer subscription with this PowerShell command:

    New-AzureRMRoleAssignment -ObjectId <FOREIGN PRINCIPAL ID> -Scope "/subscriptions/<EXISTING SUBSCRIPTION ID>" -RoleDefinitionName Owner

Where Foreign Principal ID is the ObjectID of the Admin Agents group.

However, also here activities would only be logged in the customer tenant (Azure activity logs), not in Partner Center.

Generally it should be possible though to get audit logs from customer subscriptions - e.g. use Azure Automation to gather log data (use app registrations in each customer tenant to then query logs via API from an automation account in your account) - but this would need to be built yourself; there is no ready-to-use solution.
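An added worked example (not from the original answer or from Microsoft) that puts the foreign-principal assignment above together with the traceability check the thread is really about: it grants the partner AdminAgents group a role on the customer subscription idempotently, then summarises the customer subscription's Activity Log by caller. It uses the legacy AzureRM module named in the answer, assumes Connect-AzureRmAccount has already been run against the customer subscription, and the two IDs are placeholders you must supply.

```powershell
# Added example, not from the original post. Assumes the AzureRM module and an
# existing Connect-AzureRmAccount session in the CUSTOMER tenant/subscription.
param(
    # Object ID of the AdminAgents group in the PARTNER tenant (the foreign principal).
    [Parameter(Mandatory)] [string] $ForeignPrincipalId,
    # Customer subscription the partner needs to support.
    [Parameter(Mandatory)] [string] $SubscriptionId,
    # The answer uses Owner; a narrower built-in role such as Contributor
    # limits what a compromised helpdesk account could do in the customer tenant.
    [string] $RoleDefinitionName = 'Owner'
)

$scope = "/subscriptions/$SubscriptionId"

# Idempotent assignment: check first so re-running the script is safe.
$existing = Get-AzureRmRoleAssignment -ObjectId $ForeignPrincipalId `
    -Scope $scope -RoleDefinitionName $RoleDefinitionName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzureRmRoleAssignment -ObjectId $ForeignPrincipalId `
        -Scope $scope -RoleDefinitionName $RoleDefinitionName
    Write-Output "Assigned $RoleDefinitionName on $scope to foreign principal $ForeignPrincipalId"
} else {
    Write-Output "Assignment already present on $scope; nothing to do"
}

# Traceability: foreign-principal actions are logged only in the customer's
# Azure Activity Log, so report who (individual UPN) did what in the last 7 days.
$since = (Get-Date).AddDays(-7)
Get-AzureRmLog -StartTime $since -MaxRecord 1000 |
    Where-Object { $_.Caller } |
    Group-Object -Property Caller |
    Sort-Object -Property Count -Descending |
    ForEach-Object {
        # Distinct ARM actions (e.g. Microsoft.Authorization/roleAssignments/write) per caller.
        $actions = $_.Group | ForEach-Object { $_.Authorization.Action } | Sort-Object -Unique
        [pscustomobject]@{
            Caller     = $_.Name
            Operations = $_.Count
            Actions    = ($actions -join ', ')
        }
    } | Format-Table -AutoSize
```

Run it once per customer subscription; the Activity Log summary is the part worth scheduling (e.g. from Azure Automation, as the answer suggests) so that individual admin agents stay attributable without per-user B2B guest accounts.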

3 REPLIES

Level 1 Contributor

Re: Supporting your delegated Clients through Partner Centre and/or other ways? - Help / Best practice / How to ?

Many thanks, @JanoschUlmer - this really helped.

Last question if that is OK, regarding our helpdesk users.

I trialled giving a user in our tenant (who is not a Global Admin of our tenant, but just a simple Helpdesk staff member) full Admin of client tenants we manage through delegation.

He was able to log in and carry out more elevated tasks, which is exactly what we wanted, and cannot access MPN Benefits.

However, he was able to view and log Presales Advisory and Technical Deployment tickets, of which we only get 50 Hours Advisory and 20 major support tickets.

Is there a way to control this through any additional permissions we can assign the user? As we're worried that our helpdesk staff members may abuse this (they may not, I'm just preempting).

Again thanks for your prompt response and support.

Microsoft

Re: Supporting your delegated Clients through Partner Centre and/or other ways? - Help / Best practice / How to ?

Glad if it helped Smiley Happy

Reg. limiting access to support - unfortunately there is no real solution.

Opening PreSales & Advsiory cases was never really controlled with specific permissions - user could have also wrote an email to askpts@microsoft.com directly or access the web form in old PMC - authorization was only done based on the user account/email adress is from a Partner tenant.

 

PreSales & Advisory is using the 50 hours (Incidents are only used for tech. support - and here the AccessID/ContractID is used for authorization) - but PreSales requests hours are not deducted if the customer name is mentioned. Also, if there is an dispute reg. usage of Advisory hours the team is flexible  - so I'm sure we find a solution (I am from the PreSales & Advsory team :-) - and in all the years I'm working here we always found a solution). Also, in our team it is best practice that any Partner contact has to explicitely confirm that hours are deducted, so this should somehow stop employees from misusing this benefit.