Delegated Administrator Access to Business Central Online

Note

Azure Active Directory is now Microsoft Entra ID. Learn more

As a Business Central reselling partner, you must set up your employees to work in Partner Center, and you must assign employees to support your customers. When you request a reseller relationship with a customer, you can choose to include delegated administration privileges for Microsoft Entra ID and Microsoft 365 in the request email that you send to the customer.

Tip

Since February 2022, you can request access to your customer's tenant with granular delegated admin privileges. This way, you set up security groups to specify which users in your own organization must have access to a specific customer as Dynamics 365 administrator or any other role you prefer. For more information, see Introduction to granular delegated admin privileges (GDAP) in the Partner Center content. We recommend that you switch off any existing relationship and request granular delegated admin privileges instead. For more information, see the GDAP FAQ.

When a customer accepts a partner's request for granular delegated administration privileges, the relevant members of the specified security group in the partner's Microsoft Entra tenant get access as indicated in the following list:

For more information, see Least-privileged roles in the GDAP section of the Partner Center content.

The members of the security group have either the Admin agent or Helpdesk agent role in your own Microsoft Entra tenant. For more information, see Assign roles and permissions to users.

For certain tasks, you can access the Business Central administration center, which is a powerful tool for you to manage your customers' tenants. From the administration center, you can manage upgrades and access the tenants as the delegated administrator. For more information, see The Business Central Administration Center.

Tip

Always include the domain or the Microsoft Entra ID of the customer in the URL when you log in as a delegated admin, such as in https://businesscentral.dynamics.com/contoso.com/admin. This way, you always know exactly which customer you are trying to access.

Caution

Note

Azure Active Directory is now Microsoft Entra ID. Learn more

Quite often, partner users are registered as business-to-business (B2B) guest users in their customer's Microsoft Entra ID, such as to collaborate through Teams. However, when a partner user is added as a guest to their customer's Microsoft Entra ID, they can no longer log in as a delegated admin into the customer's Business Central. These guest users do not have a valid Business Central license assigned to them. But if the partner user has granular delegated admin privileges, they can access the customer's Business Central administration center and manage the environments there. Starting in 2022 release wave 2, partner users that are guest users and have granular delegated admin privileges are no longer blocked from accessing Business Central. But we continue to consider it a best practice that customers do not invite partner users to their tenant as guests but ask them to set up granular delegated admin privileges, using the Dynamics 365 administrator role. For more information, see Move to GDAP and remove DAP in the Partner Center FAQ.

Managing delegated permissions as a partner

Note

Azure Active Directory is now Microsoft Entra ID. Learn more

Delegated administrators aren't visible in the customer's Microsoft Entra ID user list and can't be managed by the customer's internal admin. However, when a delegated admin logs into a Business Central environment on behalf of their customer, they're automatically created as a user inside Business Central. This way, the actions performed by a delegated admin are logged in Business Central, such as posting documents, and associated with their user ID.

With granular delegated admin privileges (GDAP), the user is shown in the Users list and can be assigned any permissions. They aren't shown with name and other personal information but with a unique ID and their company name. Both internal and external admins can see these users in the Users list, and they have full transparency into what these users do through the change log, for example. But they can't see the actual name of these users. GDAP users are listed with user names such as USER_1A2B3C4D5E6F, and an email address such as USER_1A2B3C4D5E6F@partnerA.com, which isn't the person's actual email address. Because they aren't part of their customer's Microsoft Entra ID, their authentication email address isn't an email address at all but reflects the company that they work for, such as Partner A. This way, the GDAP user accounts don't reveal personal information. If you need to find out who the person behind such a pseudonym is, you'll have to reach out to the company that this user works or worked for.

At the partner company, we encourage you to keep track of which user names your technicians and consultants have in your customers' Business Central tenants. For example, you have a consultant who is an admin with GDAP in your partner company's five customers' Business Central. Your consultant can see which customers they have GDAP access to in the Granular administration list in the Administer page in Partner Center. But as an organization, you can also maintain a list of names and IDs.

If a customer removes delegated permissions from you, you can still manage their subscription from the Partner Center, such as adding or removing licenses for their subscription, but you'll no longer be able to log into and manage their Business Central environment, Microsoft Entra ID, and other services. You'll also not be able to manage their users (add/remove/assign licenses) from the Customer page in the Partner Center.

Restricted access to Business Central as delegated administrator

When you sign in to your customers' Business Central as the delegated administrator from the Business Central administration center, you have access to all areas of their Business Central. However, because you aren't registered as a regular user, there are certain tasks that you can't do.

The following tasks aren't available to the delegated administrator:

  • Run scheduled tasks in the job queue.

    However, delegated administrators can create job queue entries and set them as ready to run. Then, a licensed user from the customer can start the job queue entry. Delegated administrators can also test that the job queue can run without issues, before asking their customer to start it, by using the Run once (foreground) action on the Job Queue Entry card. This action creates a temporary non-recurrent copy of this job and runs it once in the foreground. You can then call it as many times as you need before you hand it over to your customer so that they can start it as a recurrent job. After the job queue completes, it will be put in the on-hold status and can't be rescheduled.

  • Trigger a web hook or any other application action that relies on the job queue functionality, except by using the Run once (foreground) action.

  • Use the Invite External Accountant assisted setup guide

    Instead, you can add the external user in the Azure portal and assign this user the External Accountant license.

  • Access a web service by using a Web Service Access key.

    Usage of Web Service Access key was deprecated in 2022 release wave 1. Find out more here.

Note

Note

Azure Active Directory is now Microsoft Entra ID. Learn more

Customers can choose to configure conditional access that may restrict delegated admin access further. For example, it's a best practice to set up a conditional access policy to require multi-factor authentication for admins, and to set up terms of use policies. Learn more at Microsoft Entra ID Conditional Access documentation.

Managing delegated permissions as an internal administrator

As a Microsoft customer organization, you can have multiple partners registered as your resellers. It isn't unusual for a single organization to use one partner as the delegated admin for their Microsoft 365 subscription and another for Business Central, for example. However, as soon as the delegated administration right is granted in the Microsoft 365 admin center, you can't restrict partner access to a specific service only. The delegated admin access applies to all Microsoft services that your organization subscribes to.

Tip

If the partner has requested access to your tenant using granular delegated admin privileges, then you can see the relevant users in the Users list in Business Central, and you can see them in the Sign in log in your Microsoft 365 admin center. With granular delegated admin privileges, the partner typically does not have global admin access to your tenant but only access to Dynamics 365. You will not be able to see the name of the partner user, but you can see an ID and the name of their company.

Note

Azure Active Directory is now Microsoft Entra ID. Learn more

Delegated administrators aren't visible in the customer's Microsoft Entra ID user list and can't be managed by the customer's internal admin. However, when a delegated admin logs into a Business Central environment on behalf of their customer, they're automatically created as a user inside Business Central. This way, the actions performed by a delegated admin are logged in Business Central, such as posting documents, and associated with their user ID.

With granular delegated admin privileges (GDAP), the user is shown in the Users list and can be assigned any permissions. They aren't shown with name and other personal information but with a unique ID and their company name. Both internal and external admins can see these users in the Users list, and they have full transparency into what these users do through the change log, for example. But they can't see the actual name of these users. GDAP users are listed with user names such as USER_1A2B3C4D5E6F, and an email address such as USER_1A2B3C4D5E6F@partnerA.com, which isn't the person's actual email address. Because they aren't part of their customer's Microsoft Entra ID, their authentication email address isn't an email address at all but reflects the company that they work for, such as Partner A. This way, the GDAP user accounts don't reveal personal information. If you need to find out who the person behind such a pseudonym is, you'll have to reach out to the company that this user works or worked for.

Note

Azure Active Directory is now Microsoft Entra ID. Learn more

Customers can choose to configure conditional access that may restrict delegated admin access further. For example, it's a best practice to set up a conditional access policy to require multi-factor authentication for admins, and to set up terms of use policies. Learn more at Microsoft Entra ID Conditional Access documentation.

If you don't need delegated admin help continuously, you can restrict access for the partner users into your environment. There are two approaches that you can use to restrict delegated admin access to a Business Center environment:

  • Disable a specific delegated admin user within the Business Central environment. For more information, see How to remove a user's access.
  • Revoke delegated administration rights from all partner users at once in the Microsoft 365 admin center, without breaking the reseller relationship with the partner.

In the Microsoft 365 admin center, internal administrators can find information about their partner relationships in the Settings/Partner Relationship menu. On the same page, you can remove delegated permissions from the partner, to restrict their access to Business Central and other services, while still keeping the reseller relationship with them.

If you then want to allow access to your environment again, you can ask the partner to share the "Request a reseller relationship" invitation link with you again.

For more information, see Customers delegate administration privileges to partners in the Partner Center content.

Note

Note

Azure Active Directory is now Microsoft Entra ID. Learn more

Quite often, partner users are registered as business-to-business (B2B) guest users in their customer's Microsoft Entra ID, such as to collaborate through Teams. However, when a partner user is added as a guest to their customer's Microsoft Entra ID, they can no longer log in as a delegated admin into the customer's Business Central. These guest users do not have a valid Business Central license assigned to them. But if the partner user has granular delegated admin privileges, they can access the customer's Business Central administration center and manage the environments there. Starting in 2022 release wave 2, partner users that are guest users and have granular delegated admin privileges are no longer blocked from accessing Business Central. But we continue to consider it a best practice that customers do not invite partner users to their tenant as guests but ask them to set up granular delegated admin privileges, using the Dynamics 365 administrator role. For more information, see Move to GDAP and remove DAP in the Partner Center FAQ.

See also

Administration of Business Central Online
Get Started as a Reseller of Business Central Online
Exporting Databases