Forum Discussion

Paul Youngberg's avatar
Paul Youngberg
Steel Contributor
Mar 06, 2020

Partners cannot access Security and Compliance Center

Partners haven't been able to access the Security and Compliance center on behalf of their clients for almost 18 months now. Last we heard on this was from Scott Landry back in July of 2019, but it's been silence since then. Is anyone on the Security and Compliance team working with the Microsoft Partner Center team on this?? This is the one item that's keeping us from being able to exclusively work from our Delegated Admin accounts. As it stands now we still have to share a generic global admin account with all our employees just so they can manage certain aspects of our client's Office 365 subscription.

 

https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/34423372-allow-partners-to-access-the-security-and-complian

 

  • Paul Youngberg :  I've been working with Microsoft professionally for more than 30 years, and unfortunately MS partner relationships have only gotten worse over time.  I'd hoped they were planning on fixing the multitude of access issues for partner managed tenants with the recent GDAP updates, but there's been no improvement of any kind.  I've had multiple conversations with higher-ups in partner management about this over the years.  They always agree this is a security nightmare that makes our mutual customers far less secure.  They always promise they'll do something about it.  And they never, ever deliver.  I've appended this to almost every partner center support ticket I've created for the past five years, and every rep I've worked with already knows about the problem and agrees it's a huge security concern.  They apparently have about as much pull with Microsoft Partner Services as the rest of us.

     

    For reference, here's where I was hanging my hopes concerning GDAP.  Maybe I'm missing something:

     

  • Fastidius's avatar
    Fastidius
    Copper Contributor

    so it's 2023.....MSPs are struck by GDAP and NCE licensing effectively making it impossible to use our support chains on customers with Microsoft licensing, Godaddy and other ISPs are making tenants on default this locking out MSPs for 12 months and making it hard to deal with

    Purvie/compliance and security is still on a Global admin level only

    Pretty sure MSPs are not in Microsofts gameplan future

    • julienattard's avatar
      julienattard
      Copper Contributor

      Fastidius Indeed, they have never been, and it's not going to improve anytime soon, as MS has been seen contacting end users behind some MSPs back.

      Right now, I have access to some of my customers' MTO, but the ones I still don't have access to are the ones on which the role is "Full Administration".

      I already setup the GDAP roles on those tenants, so it would be on the new system, but it doesn't seem to switch to it...

      There would be so much to say about MS service that writing a whole book about it would take at least 10 years...

  • dave-gumpo's avatar
    dave-gumpo
    Copper Contributor

    So it's 2022 and it looks like the prediction above about finally getting partner access back by 2025 my be a bit optimistic.

     

    I still have yet to speak to a single other MSP who having success getting MS to understand that major stakeholders (IT Tech's working in MSP's) are rightly getting beyond pissed off by all this now.

     

    There is the same feedback all over the internet, changes made for no reason, dumb changes that in now way line up with stated policy goals..

     

    Obviously they would rather count money than give us the systems we need to do our jobs safely and securely without stress...

     

    #rantover.

  • AdelBrown's avatar
    AdelBrown
    Copper Contributor

    I am replying on behalf of my organization and to reiterate what I've told the MS partner support team + the regular O365 support team.

     

    1.) Partner relationships specifically have Global Admin privileges. Global Admin privileges specifically state access to the Security & Compliance centers. The fact that O365 tenant management within the partner center is missing the Security & Compliance center access is a contradiction of Microsoft's own stated policies.

     

    2.) The Security & Compliance center has several aspects that are accessible from other admin centers; Spam filter/policy, message trace, DKIM, etc. which are accessible through the old & new Exchange admin centers. Audit log search is also somewhat accessible through the Azure admin center. Limiting access to Security & compliance center for security reasons doesn't really make sense considering so much of it is accessible from other areas.

     

    3.) In order to fully manage a tenant, administrators will need access to the Security & Compliance center. If we need a dedicated Global Admin account to fully manage a tenant, this renders administering a tenant through the partner portal completely useless.

     

    4.) Best practices from Microsoft say every admin should have their own account and not a shared one, but says you shouldn't have more than 4 global admins. For us, as an MSP, this is impossible to achieve due to the amount of employees.

     

    This decision seems arbitrary and senseless. IT renders managing a tenant through the partner portal useless because a global admin account will always be needed regardless.

    • GaryHerbstman's avatar
      GaryHerbstman
      Brass Contributor
      I concur. The partner center is useless if we cannot manage our customers. This is a constant fight and time consuming for us to manage.
  • PowerShell should support delegated access to the SCC. There's also some work being done on the UI, see roadmap item #60975.

    • Paul Youngberg's avatar
      Paul Youngberg
      Steel Contributor

      Roadmap #60975 only applies to the Office 365 Admin center. I used this feature today - it's nice, but unrelated to my post about the S&C Center.

      The PowerShell you're referring to connects to Exchange Online and a handful of MSOL commands. Useful, but doesn't apply to my use case here. I need my techs to access UI features that are only available in our clients' S&C Centers. 

      • douglasstg's avatar
        douglasstg
        Copper Contributor

        Paul Youngberg 

         

        Don't worry, they'll give us access to it by 2025, after it's been depreciated and renamed and no longer useful...

         

        I normally don't complain, but what the hell...

Resources