Least Privilege Access to M365 Products for Resellers
This is an account of my voyage through the murky waters of M365 Partner Relationships, and why nobody seems to have any clue how to allow a Reseller to add Products (as opposed to Licenses) to your M365 portal while maintaining the principle of least privilege.
The problem: a number of Products have just been purchased from a Reseller, and people are eager to get their shiny new software installed. In order to add these Products to your portal so you can retrieve the keys, the Reseller sends a Reseller Relationship link. On opening this, you are unsurprised to find the Reseller has requested Global Administrator rights!
After removing your glasses and squeezing the bridge of your nose while contemplating how long and hard you would need to maintain pressure before you pass out, you compose yourself and continue…
Your security-conscious mind – and just straight-up common sense – begins an internal monologue: “Nope, that sounds completely unnecessary for simply adding a license key. Surely the Reseller, who claim to take security as a priority, wouldn’t request Global Administrator rights out of laziness? Surely M365’s product portal can’t be a step back from the Microsoft Licensing Service Center, which sure as hell didn’t need Domain Admin rights to add Product keys? And surely Microsoft has some documentation on this outlining the most secure way of adding Products that doesn’t involve granting the Global Administrator role to everybody and their granny…?”
You already know the answer to all these questions, but how and ever…
The second alarm bell (or was it third, fourth?) was this request coming in as a DAP request. A DAP request, as I understand it, is a basic form of partner relationship that defaults to granting Global Administrator role to the Partner for an unlimited duration. If that sounds scary, it is, and by all accounts it looks like Microsoft is phasing out DAP requests for that reason. The new G in town is a GDAP request, which requires the Partner to request specific roles for granular access to your environment for a limited period of time:
Sounds great. You are met with a fairly obvious warning on the M365 admin portal as soon as you click a DAP link:
If you attempt to accept the DAP request you get even more warnings:
Microsoft are making it abundantly clear that granting this request is not advised and comes with some severe security risks. So at this point, it was time to take a step back and heed Microsoft’s advice; I went back to the Reseller, informing them of the above warnings, seeking the recommended GDAP link and requesting only the permissions required to add Product licenses, for a reasonable timeframe. Hoping the Reseller would have done this many times previously, I presumed they would know exactly which role to request, but sent them the GDAP documentation below anyway, which outlines the roles:
The Reseller’s response was disappointing but somewhat predictable; after sending the exact same DAP request a second time, claiming Microsoft had “simplified it”, they doubled down, saying that “This is just the way Microsoft does it”, “I know it’s crazy but that’s Microsoft for you”, “There’s no other way to do this, they mandate Global Admin”.
Not happy with that, I decided to log a ticket with Microsoft to get a definitive answer. Pretty naïve in hindsight! Their response, after “reviewing with senior peers” and “multiple discussions”, was to direct any GDAP queries I had to the partner, as the subscription for the products was with them. A few mails explaining how ridiculous and unhelpful that was fell on deaf ears, and I was back to square one.
So, with men in more expensive shirts than mine breathing down my neck to get product keys, the Global Administrator request was accepted, provided that the keys were added within 24 hours, after which the Global Administrator role was to be removed. We agreed that this would be the process for all future Products to be added, as cumbersome as it was.
Fast forward a few weeks, and I see some additional Products have been added to our M365 portal from the same Reseller, but with no Global Administrator role requested or granted. So what gives?
It turns out that once a Partner has been added to your portal’s Partner Relationships, the Global Administrator role can be immediately removed, and that partner will still be able to add Products to your portal in the future.
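Whichever way the Partner gets in, the control that actually protects you is the one agreed above: the Global Administrator role comes off again within the window, and stays off. As an added example (not from the original post, and not anything the Reseller or Microsoft supplied), the PowerShell below uses the Microsoft Graph PowerShell SDK to list everything that currently holds Global Administrator in your tenant and flags guests, non-user objects and accounts from domains other than your own, so the “was it really removed?” check can be scripted and scheduled rather than done by eye in the portal. The `$OwnDomains` values are placeholders to edit for your tenant. Note the caveat in the comments: a Partner’s DAP/GDAP access is granted to the Partner’s own groups and does not appear as a member of this role in your directory, so the Partner relationships page still has to be checked separately; this script catches the direct assignments, including any guest account the Reseller may have been given along the way.

```powershell
# Added example: audit direct Global Administrator assignments in the customer tenant.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumption: the signed-in account can consent to Directory.Read.All and RoleManagement.Read.Directory.
# Caveat: DAP/GDAP access is held by the Partner's groups in the Partner tenant and is NOT a member of
# this role here; verify its removal on the Partner relationships page. This covers direct assignments.

Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes "Directory.Read.All", "RoleManagement.Read.Directory"

# Well-known template ID of the built-in Global Administrator role; identical in every tenant.
$GlobalAdminTemplateId = "62e90394-69f5-4237-9190-012177145e10"

# Domains you consider your own. Placeholder values: edit for your tenant.
$OwnDomains = @("contoso.com", "contoso.onmicrosoft.com")

function Get-GlobalAdminReport {
    # directoryRoles only lists activated roles; Global Administrator is always activated.
    $role = Get-MgDirectoryRole -All | Where-Object { $_.RoleTemplateId -eq $GlobalAdminTemplateId }
    if (-not $role) { throw "Global Administrator role not found in this tenant." }

    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        $p    = $_.AdditionalProperties                      # raw Graph properties of the member
        $type = $p['@odata.type'] -replace '^#microsoft\.graph\.', ''   # user / group / servicePrincipal
        $upn  = $p['userPrincipalName']

        # Guests carry their home domain in the UPN: user_partner.com#EXT#@yourtenant.onmicrosoft.com
        $isGuest  = ($p['userType'] -eq 'Guest') -or ($upn -like '*#EXT#*')
        $domain   = if ($upn) { ($upn -split '@')[-1] } else { $null }
        $external = $isGuest -or ($type -ne 'user') -or ($domain -and ($OwnDomains -notcontains $domain))

        [pscustomobject]@{
            Id          = $_.Id
            Type        = $type
            DisplayName = $p['displayName']
            Upn         = $upn
            Flag        = if ($external) { 'REVIEW' } else { 'ok' }
        }
    }
}

$report = Get-GlobalAdminReport
$report | Format-Table -AutoSize

$suspect = @($report | Where-Object Flag -eq 'REVIEW')
if ($suspect.Count -gt 0) {
    Write-Warning ("{0} Global Administrator principal(s) are guests, non-user objects or from another domain; review them." -f $suspect.Count)
} else {
    Write-Host "No guest, external or non-user Global Administrators found."
}
```

Groups and service principals are flagged as REVIEW deliberately: a role-assignable group holding Global Administrator is exactly where a Partner’s access could hide, so anything that is not a named user from your own domains gets a second look.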
After all the back and forth, between the combined experience of the Reseller who’ve presumably added Products countless times with other customers, and Microsoft who built the damn platform, neither of them could tell me that I can simply accept the request and then immediately remove the role. The only reference I can find of this in Microsoft documentation is below. Blink and you miss it:
So after all this, I’m still at a loss as to what the preferred and most secure method for this process is. Could the Reseller have sent a GDAP instead of a DAP for adding a Product license only? They were insistent they couldn’t. Is there a role that allows only access to the Products page to add products? Microsoft couldn’t tell me, and we so far haven’t had the time to do any testing with the Reseller.
With the above “solution”, I doubt we ever will. Waters are still murky, but we at least have some route through.