A security concern that often comes up for Business Central customers is whether they really need to give their Business Central partner delegated admin rights to their Azure Active Directory (AD). In the past, partners were granted Global admin rights, and many customers were concerned about the risks this posed. In this blog, we take a look at the new Granular Delegated Admin Privileges (GDAP) introduced in the Business Central April 2022 Wave 1 Release, and how this should help to alleviate any security concerns.

Why does your Business Central partner need delegated admin rights to your Azure AD?

Giving your BC partner delegated admin rights allows them to:

  • Access your environment without you having to pay a licence fee for their access.
  • Access your BC admin centre which they can use to maintain your environment (for example, handle any system updates and implementations).
  • Create and maintain your sandbox environments.
  • Look at your application telemetry.

In the past, these delegated admin rights needed to be Global Admin Rights and therefore the partner had the rights to administer all areas of your tenant, not just Business Central. In November 2021, Microsoft announced that the April 2022 Wave 1 update would include the introduction of granular delegated admin privileges (GDAP).

What are Granular Delegated Admin Rights?

Granular delegated admin privileges (GDAP) is a security feature of the Microsoft Partner Centre that provides partners with least-privileged, granular, and time-bound access to their customers’ workloads in production and sandbox environments.

These rights, which you must explicitly grant to your partners, give them the same level of access to your Business Central instance and the Business Central Admin Centre as they had before. However, by using GDAP, partners get significantly less access to the other workloads within your Azure Active Directory.

Partners can now get these granular admin permissions by requesting access for two particular roles: Dynamics 365 Administrator and HelpDesk Agent. These roles will give them the access they need for your production instance and sandbox.

How can TVision help you?

TVision is one of the largest and most experienced providers of Business Central and NAV in the UK. If you want to know more about Microsoft Business Central and how it can help improve your business processes, please feel free to contact us to arrange a demo. If you are already using Business Central but would like better support and advice than you are currently receiving, please contact us for an informal, no-strings-attached chat on what TVision could do for you.