Right now, thanks to GDAP, partner could ask customer to have Dynamics 365 Admin role in the tenant, to be able to access the BC and support customers.

But for many customers (mostly corporate customers having centralized tenant administration) this brings a problem. In these environments, the administration is done in-house. In this case there is not possibility to assign permissions to partner to be able to connect BC environment as delegated user to support end-users, but disallow him to manage the environments. Another problem is, that in these cases there are multiple BC partners doing support for different environments (e.g. UK, US, CZ environments in one tenant, each "supported" by local partner in the country) and in this case, there is no standard way how to limit each partner to connect only to selected Environment (could be workadounded by removing default permissions for Delegated admin license and let someone assign the permissions when some Partner's user need access). But still, Partner from CZ could easilly delete environemnt of partner from UK (for example).

Possible solutions:

  1. Split Delegated Admin rights (to access admin portal as delegated admin) from Delegated User rights (access BC environment as delegated user) - it means partner could ask to be admin (D365 Admin role) or user (some new role?)
  2. Add possibility for customer to assign environments to GDAP Partner relation - it means if environment is created by partner A, it will be maintained by partner A, not B,C etc. and other partners will not have access into it. Customer must be able to assign the Partner relation to the environment (in case of change of the partner etc.)

Possibility 2 is better because the Partner will have access to admin tools like Active Session list, App list etc. and can work with these for environments, which are under his relation.

2023 Release Wave 2
Ideas Administrator

Thank you for this suggestion! We are planning to introduce an environment-level setting that lets internal administrators allowlist partner tenant IDs. Delegated users and multitenant apps will only be able to view, access, and administer environments if their home tenant is allowlisted or if no tenants are allowlisted for the environment.

Best regards,
Business Central Team



We would love to have these features implemented.

Always an issue with large enterprise customers.

Would also be great with an admin role which only gives access to Business Central and not also F&O, CE and so on.

Category: Tenant Administration


Of course, to have both solution will be best, because we can cover multiple cases with these...

Category: Tenant Administration