Microsoft 365 partners request limited delegated access permissions to clients' tenants in order to support them properly, for example to help with user management or mail flow configuration.
With security always a priority, many tenants use conditional access policies to restrict sign-ins by location, application, device compliance, and so on. This article is not about the partner delegated permission itself; it covers the case where the permission has already been granted but is unusable because a conditional access policy blocks the partner's sign-ins. In that case an exception can be added to the conditional access policies so that partners can reach the tenant information needed for support.
Partners can be excluded from existing policies that would otherwise block them, for whatever reason the configured conditions produce (a location condition, for example, since the partner's users sign in from outside the tenant's trusted locations). Microsoft added an exclusion option in the policy's user assignment specifically for "service providers," i.e. the partner's users coming in through delegated access. Example:
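As an added example (not code from the original article), the same exclusion applied to an existing policy through the Microsoft Graph PowerShell SDK rather than the portal. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in admin can consent to Policy.ReadWrite.ConditionalAccess, and that the policy id is replaced with the id of the policy that is blocking the partner (the value below is a placeholder). The existing user assignment lists are read first and re-sent with the update, on the assumption that patching conditions.users replaces the whole users object; the policy is then read back to confirm the exclusion.

```powershell
# Added example: exclude service provider (partner) users from an existing
# conditional access policy with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed, the admin holds
# Policy.ReadWrite.ConditionalAccess, and $policyId is replaced with a real id.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Placeholder: replace with the id of the policy that blocks the partner's users.
$policyId = "00000000-0000-0000-0000-000000000000"

# Turn a possibly-null SDK property into a clean array for the request body.
function AsList($value) { @($value | Where-Object { $_ }) }

# Read the current assignment so nothing already configured is lost.
$policy = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId
$users  = $policy.Conditions.Users

# Treat the PATCH of conditions.users as replacing the whole object: re-send the
# existing include/exclude lists and add the service provider exclusion.
# If the policy also uses includeGuestsOrExternalUsers, re-send that as well.
$body = @{
    conditions = @{
        users = @{
            includeUsers  = AsList $users.IncludeUsers
            excludeUsers  = AsList $users.ExcludeUsers
            includeGroups = AsList $users.IncludeGroups
            excludeGroups = AsList $users.ExcludeGroups
            includeRoles  = AsList $users.IncludeRoles
            excludeRoles  = AsList $users.ExcludeRoles
            excludeGuestsOrExternalUsers = @{
                # "serviceProvider" is the Graph value for partner users signing in
                # through delegated (GDAP) access; all partner tenants are covered.
                guestOrExternalUserTypes = "serviceProvider"
                externalTenants = @{
                    "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    membershipKind = "all"
                }
            }
        }
    }
}

Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId -BodyParameter $body

# Verify: read the policy back and confirm the exclusion is in place.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId
$check.Conditions.Users.ExcludeGuestsOrExternalUsers.GuestOrExternalUserTypes
```

Run this against each policy whose conditions (location, device compliance, and so on) the partner's users cannot satisfy; a policy that only requires multifactor authentication does not need it. Review the policy in the Entra admin center afterwards, since the exclusion widens who is not covered by that policy.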
*Note that multifactor authentication is already enforced on all partner accounts, so a policy that only requires MFA would not block them and no exception is needed for that condition.
For additional information on conditional access policies, see this Microsoft article.
- Intended for Microsoft 365 admins whose conditional access policy prevents the support partner's users from accessing the tenant configuration details, which is needed for proper assisted support through partner delegated access permissions. The exception is not necessary if no conditional access policy exists in the tenant or if no condition in an existing policy blocks the partner's users.