Synopsis
M365 partners request limited delegated admin permissions on clients' tenants in order to support them properly, for example to help with user management, mail flow configuration and similar tasks.
Because security is always a priority, many tenants use Conditional Access policies to restrict sign-ins by location, application, device compliance and so on. This article is not about the partner's delegated permission itself; it covers the case where the permission has already been granted but cannot be used because a Conditional Access policy blocks the partner's sign-in. It is possible to add an exception to Conditional Access policies so that the partner can access the tenant information needed for support.
How to
Partners can be excluded from existing policies that would otherwise block them, whatever condition the policy evaluates (a location condition, for example). Microsoft added an option to exclude “service providers” specifically. Example: in the policy's Users assignment, choose Exclude, tick “Guest or external users” and select the “Service provider users” type (scoped to all external tenants unless you want to limit it to specific partner tenants).
* There can be multiple policies that block partners from accessing the tenant configuration. The exclusion must be added to every one of them.
Note that multifactor authentication is already enforced on all partner accounts, so a policy whose only effect is to require MFA is not a problem and does not need the exclusion. The exception is a Conditional Access policy that enforces MFA through a third-party provider such as Duo (“DUOMFA”): the partner's MFA does not satisfy that third-party control, so excluding support partners is necessary in that case.
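The following script is an added example, not part of the original article, showing how the same “service provider users” exclusion can be applied to every matching policy at once with the Microsoft Graph PowerShell SDK instead of editing each policy by hand in the portal. The `$PolicyNamePattern` and `-DryRun` parameters are this example's own; the Graph cmdlets, scopes and the `excludeGuestsOrExternalUsers` / `serviceProvider` property names are Microsoft's. Policies whose guest/external user settings already need manual attention (an existing include of guests, or an exclusion scoped to an enumerated list of tenants) are reported and skipped rather than guessed at.

```powershell
# Added example (not from the original article): add the "service provider users"
# exclusion to every enabled Conditional Access policy whose display name matches
# a pattern. $PolicyNamePattern and -DryRun are this example's own assumptions.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns
param(
    # Which policies to touch. Default: every enabled policy. Narrow this to leave
    # MFA-only policies alone, since partner accounts already have MFA enforced.
    [string]$PolicyNamePattern = '.*',
    # Show what would change without calling Update-MgIdentityConditionalAccessPolicy.
    [switch]$DryRun
)

# Returns an array even when the SDK property is $null, so the PATCH body never
# contains a stray null element.
function ToList($value) { if ($null -eq $value) { @() } else { @($value) } }

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

$policies = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' -and $_.DisplayName -match $PolicyNamePattern }

foreach ($p in $policies) {
    $users   = $p.Conditions.Users
    $exclude = $users.ExcludeGuestsOrExternalUsers

    # Cases this script does not try to merge automatically: review these in the portal.
    if ($users.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes) {
        Write-Host "[manual] '$($p.DisplayName)' targets guest/external users in its Include list"
        continue
    }
    if ($exclude.ExternalTenants.MembershipKind -eq 'enumerated') {
        Write-Host "[manual] '$($p.DisplayName)' already has a tenant-scoped exclusion"
        continue
    }

    # guestOrExternalUserTypes is a comma-separated flags string, e.g.
    # "b2bCollaborationGuest,serviceProvider"; keep whatever is already there.
    $types = @()
    if ($exclude.GuestOrExternalUserTypes) {
        $types = $exclude.GuestOrExternalUserTypes -split ',' | ForEach-Object { $_.Trim() }
    }
    if ($types -contains 'serviceProvider') {
        Write-Host "[skip] '$($p.DisplayName)' already excludes service providers"
        continue
    }
    $types += 'serviceProvider'

    # A PATCH that sends only part of conditions.users can drop the lists you do not
    # mention, so carry every existing include/exclude list over unchanged.
    $body = @{
        conditions = @{
            users = @{
                includeUsers  = ToList $users.IncludeUsers
                excludeUsers  = ToList $users.ExcludeUsers
                includeGroups = ToList $users.IncludeGroups
                excludeGroups = ToList $users.ExcludeGroups
                includeRoles  = ToList $users.IncludeRoles
                excludeRoles  = ToList $users.ExcludeRoles
                excludeGuestsOrExternalUsers = @{
                    guestOrExternalUserTypes = ($types -join ',')
                    # Exclude service providers coming from any external tenant.
                    externalTenants = @{
                        '@odata.type'  = '#microsoft.graph.conditionalAccessAllExternalTenants'
                        membershipKind = 'all'
                    }
                }
            }
        }
    }

    if ($DryRun) {
        Write-Host "[dry-run] would set exclusion types '$($types -join ',')' on '$($p.DisplayName)'"
        continue
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id -BodyParameter $body
    Write-Host "[updated] '$($p.DisplayName)'"
}
```

Run it first with `-DryRun` to see which policies would change, and use `-PolicyNamePattern` to limit it to the policies that actually block the partner (for example the location or device-based ones) rather than every enabled policy.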
For additional information on Conditional Access policies, see this Microsoft article.
Applicable to
- Microsoft 365 admins who created a Conditional Access policy that prevents the support partner from accessing the tenant configuration details, which is needed for proper assisted support using partner delegated access permissions. The exception is not necessary if no Conditional Access policy exists in the tenant, or if no condition in the policies blocks the partner's users.
- Anyone who gets the following error when using the “Manage M365” feature in the Cumulus portal:
Error: AADSTS53003
AADSTS53003 is Microsoft Entra's “Access has been blocked by Conditional Access policies” error. It means our system's sign-in is being blocked by a Conditional Access policy in the tenant, and the service provider exclusion is required before that feature can be used.
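To find out which policy is producing the AADSTS53003 block, the tenant's sign-in logs record every Conditional Access policy evaluated for the failed sign-in and its result. The script below is an added example, not part of the original article: it queries the sign-in logs through the Microsoft Graph PowerShell SDK for sign-ins that failed with error code 53003 and lists the policies that reported a failure. The `$Hours` parameter is this example's own; the cmdlet, scopes and property names are Microsoft's.

```powershell
# Added example (not from the original article): list recent sign-ins that failed
# with AADSTS53003 and the Conditional Access policy that blocked each one.
# $Hours is this example's own parameter.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Reports
param([int]$Hours = 24)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# Sign-in log filters take UTC timestamps; status/errorCode carries the numeric
# part of the AADSTS code.
$since  = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "createdDateTime ge $since and status/errorCode eq 53003"

Get-MgAuditLogSignIn -Filter $filter -All | ForEach-Object {
    # Only policies with result 'failure' actually caused the block; others were
    # evaluated but either succeeded or did not apply.
    $blocking = $_.AppliedConditionalAccessPolicies | Where-Object { $_.Result -eq 'failure' }
    [pscustomobject]@{
        When       = $_.CreatedDateTime
        User       = $_.UserPrincipalName
        # 'serviceProvider' here means a partner signing in through delegated
        # admin access; those rows are the ones this article is about.
        AccessType = $_.CrossTenantAccessType
        App        = $_.AppDisplayName
        BlockedBy  = ($blocking.DisplayName -join '; ')
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```

Rows whose AccessType is `serviceProvider` are the partner's sign-ins; the BlockedBy column names the policies that need the service provider exclusion. If BlockedBy is empty for a 53003 row, the block came from a policy that is no longer present or from a policy evaluated in a way the log does not attribute, and the full policy list should be reviewed manually.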