When you login then as a Delegated Admin we don’t have enough rights. (because it’s finding a local user)
We discussed this last week with MS and they heared this before (“Teams adding users as guests”). But unfortunately it does conflict with the design – guest users are considered local users and therefore don’t get the same access as DA. This works as designed. MS relies on the delegated admin relationship when assigning DA rights. They cannot validate if a local guest user is also a DA – AAD does not provide an API for that, and we cannot provide any guest user with full access to BC, as that can be easily abused (free access to BC).
Comments
The ideas is to go for the same principle for Delegated Admin as being implemented in Azure Lighthouse. This means that you can create Delegated Admin User Group into the Client/Customer Tenant direclty from Azure Lighthouse and put Partner Employees into these groups allowing them access to customer resources. This is also more compliant with security measures and rolebased access control. We are aware of the fasct tha O365 is currently not supported by Azure Lighthouse.
In principle its more or less the same as you are doing with the Device User. If in the Device User Permission Group the Guest user is added or the partner Delegated Admin user its all working. And the customer is more in control of its data within the tenant.
So you can then create Role Based Partner Permison Groups allowing specific users only access to for instance a specific D365 BC tenant. And we do not require full Azure tenant access for all employees. We can reduce this for only a few Azure Admin employees.
Category: Tenant Administration
Business Central Team (administrator)