Hero Banner

Key Resources and Guides

Find key resources and guides that you can accelerate implementations

Level 3 Contributor

CSP and Delegated Admin security concerns: MFA is great, but what about the several outstanding Microsoft limitations?

Bringing-forward from https://www.yammer.com/office365partners/?show_login=true#/Threads/show?threadId=145300852449280...  (Why the multiple communities here?  Which is the go-forward platform here, Yammer or microsoftpartnercommunity.com ?)


How to support CSP customers while protecting the security of their tenant? Critical for security-conscious customers, and/or those with high-security requirements. Permissions granted by delegated admin are too far-reaching, do not allow for fine-grained access, and even the ability to audit use is unclear or non-existent.


This is something I had first started looking at just over a year ago. It doesn't look like anything has improved since, but customers are understandably only becoming increasingly concerned with this.


Here is some feedback we just received earlier today from a current customer looking to move to CSP licensing:


> Even with a NDA with <direct CSP provider> I am not at all comfortable making a third party of a third party delegated admins for our environment and granting them the ability to access all our cloud data which is what the terms state we’d be agreeing to. ... I really like the benefits of CSP otherwise so if there’s some other way to make this work we’d probably still do it. I also have reservations about a vendor having these all-encompassing permissions. I understand it can be needed for some admin tasks and troubleshooting but I don’t like how much of a free for all Microsoft makes it.


(I do believe there is some confusion in the above, in that our direct CSP provider / reseller would not have delegated admin - but only access to contact, subscription, and billing details. However, even this would be good to have further detailed in a format that we can share with concerned customers.)


If I were in the customer's place, I would absolutely be asking the exact same questions, and imposing the same requirements - and have so in prior organizations.


I have several other customers I've been working with, who I have not, in good faith, been able to recommend putting into CSP and the required delegated admin for - given the concerns outlined here.


We currently have a few hundred customers enrolled in CSP - and have an opportunity to bring even more into the CSP program, but the concerns outlined here do not help with the effort.


See also: https://docs.microsoft.com/en-us/azure/cloud-solution-provider/customer-management/administration-delegation


A number of specific points and concerns:


1) The list of roles and permissions that can be applied through Partner Center are available at https://docs.microsoft.com/en-us/partner-center/permissions-overview . Of these, only "Admin agent", "Helpdesk Agent", and maybe "Sales agent" apply to the customer tenants. "Admin agent" is basically the equivalent of "Global Administrator" within a customer tenant, and "Helpdesk Agent" is effectively a "Helpdesk Administrator" (Password Administrator). The admin roles from a tenant perspective are documented at https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles . As an O365 admin in my own organization, I can delegate permissions to others through at least 262,144 different combinations of the 18 customized administrator roles currently available in my tenant. (This increases to 38 roles available and nearly 275 billion combinations when using the roles available in Azure AD.) As a partner with delegated admin to a customer, there are only 2: "Everything", or "Helpdesk Agent" (or none). See also: https://www.yammer.com/office365partners/#/Threads/show?threadId=119473804279808 and https://www.yammer.com/office365partners/#/Threads/show?threadId=804328021 .


2) Everything is "all or nothing". We also have well over 100 engineers in our organization (not counting back office staff, etc.). To assign either "Admin agent" or "Helpdesk Agent" to one of our staff, means that they have that same permission across a few hundred customers. There is no way to filter a staff member's access to only one customer, or ideally a group of customers. (While we do have some additional flexibility in granting access through guest accounts in Azure AD, these permissions do not carry over to / are not usable in O365.)


3) We could consider falling-back to the use of extended and manually-reviewed audit logging as a compensating control. However, there are many limitations here - including that all logging appears to be held within each individual customer tenant only - and for us to review delegated admin activity from our partner account as a whole, it appears that we'd need to query each and every one of our customer tenants. Further concerns are raised here at https://www.yammer.com/office365partners/#/Threads/show?threadId=62199238885376 (unanswered).


While I'm on the topic, the "pretty wicked security hole" documented at https://office365.uservoice.com/forums/264636-general/suggestions/33233917-powershell-mfa-for-csp-delegated-admin-privileges also still needs to be addressed, well over a year later now. Can someone from Microsoft please review and respond to this UserVoice entry? Everyone else - please vote...


What are other CSP partners doing in terms of security controls to meet customer needs and expectations as it relates to CSP licensing? (We do have our own internal security program that I am a part of - which includes even stronger MFA controls across our entire organization than we'd otherwise been able to have approved, partially because of the customer security concerns here.)


As per https://blogs.technet.microsoft.com/uspartner_ts2team/2016/04/30/removing-the-csp-as-delegated-admin-in-office-365-customer-tenants/ , it looks like the simplest answer may to just be to have needing customers remove the delegated admin permissions. However: 1) Is this still accurate and working, 3 years later? And 2) we'll need to determine what limitations, if any, may then exist that would prohibit us from providing CSP licensing in this model, even if we then are not able to directly assign new licenses to users, or otherwise provide direct support to the customer as per CSP terms (at least not without having other customer-provided access given to us).


Just looking at this again now, it looks like we *might* be able to put the "Admin agent" and "Helpdesk Agent" roles behind the new "Azure AD entitlement management". This is less than 2 months old, still in preview, and what Privileged Identity Management really should have been all along, in my opinion. It does require Azure AD Premium P2 (or its parent EMS E5 offfering).

Level 5 Contributor

Re: CSP and Delegated Admin security concerns: MFA is great, but what about the several outstanding Microsoft limitations?

I'd like to echo the points made by @ziesemer.  We've brought this up with our Microsoft account manager, but MSFT hasn't changed anything yet.  We recently learned that with the new CSP portal, engineers need "Admin Agent" to open Office 365 related support cases, which seems like way too much access (Helpdesk agent isn't enough).  Also, I very much agree with point 2 about engineers having access to all clients or none.  We want granular control of which clients an engineer has access.

Community Manager

Re: CSP and Delegated Admin security concerns: MFA is great, but what about the several outstanding Microsoft limitations?

Good day @ziesemer & @Jinseng ,


Thank you for raising these concerns with the Community!

We have Azure AD team and other teams working on these known aspects in the background and I would advise meanwhile to address such issues during the Office Hours (2 live sessions available!) by registering here.

This allows you to stay on top of the latest updates.

Also you can consult this resource : https://docs.microsoft.com/en-us/partner-center/partner-security-requirements.

Finally keep an eye on the Security Guidance Community threads.


Wish you a great day!

Visitor 1

Re: CSP and Delegated Admin security concerns: MFA is great, but what about the several outstanding Microsoft limitations?

Hi Mark,


did you get any answers regarding the delegated admin issue. I share your view around customers not wanting to grant full access to us and we have this issue right now. The problem is that if a customer removes delegate admin (or we uncheck the box "Include delegated administration privileges for Azure Active Directory and Office 365." in Partner Center on the 'Request a reseller relationship' page when we set them up) then we cannot provision them any licences or see what they have. This seems to contradict what Woody Walton says in the blog (link in your post). I'm not sure if this is just a fault with Partner Center at the moment but it seems having a transacting only (not delegate admin) relationship is not possible.


Re: CSP and Delegated Admin security concerns: MFA is great, but what about the several outstanding Microsoft limitations?

Provisioning licenses or checking on licenses you have already provisioned for a customer is possible without having delegated admin permissions (also changing license count and suspending licenses is possible). So, if you experience issues with this this seems to be a technical issue where you can contact support (Just checked again in my test setup and I can manage licenses without having delegated admin - as expected).


Opening support tickets on behalf of the customer is not possible without delegated admin - so this might require that delegated admin is re-established once the customer asks for support and it is determined a ticket has to be raised at Microsoft support.

Visitor 1

Re: CSP and Delegated Admin security concerns: MFA is great, but what about the several outstanding Microsoft limitations?

Sorry, but's that not just an acceptable solution or workaround. I'm surprised that the whole CSP ecosystem is not designed with security in mind. What's even worse, is that several of the activities an Admin Agent performs in the customers tenant, doesn't get logged and customer cannot see who/when an admin agent jumps to the tenant. 

There is also 2 twists about this problem:

1. Customers sometimes do remove DAP themself, either by mistake or by intention. Then the customer cannot create support tickets in Azure at all. In M365 it's still technical possible (there's a "New Microsoft service request" button in the bottom of the wizard). If a customer do that, the customer is technically using the ASfP/PremierSupportForPartners agreement for the partner, which is a violation of the CSP itself. 


2. Some customers implement Conditional Access rules, to block all access from non-corporate devices (AzureAD/HybridAD joined devices) - which makes sens . In that case, even if DAP is still in place, an Admin Agent cannot access the customer tenant and thereby cannot create support tickets. 

Customers who requires a zero-trust approach, cannot use the CSP model as it is now as there is no built-in functionality that allows access to the tenant without allowing any device. I'm quite surprised that the architecture design behind the CSP got approval from a security & compliance perspective, as it contradicts Microsoft's own security guidelines and recommendations.