When a Microsoft partner (CSP) sends you an invitation into your M365 tenant you might also give them Global Administrator and Helpdesk admin permissions even though the partner just provides you with licenses.
This is a problem as a partner could access your M365 tenant and can make changes like adding accounts, changing permissions, read and forward emails and much much more, without having to conform to the tenant’s conditional access policies, e.g. to use MFA. Furthermore, the partner accessing your tenant is not logged by the tenant.
It is therefore recommended to create dedicated accounts with specific roles (e.g. Global Administrator) within the tenant and then protect these accounts with conditional access policies (e.g. to require MFA).
Microsoft recognized this major problem last year during the NOBELIUM attack (https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/).
Check your partner relationships
In M365 Admin Center (https://admin.microsoft.com) > Show all > Settings > Partner relationships
In the above screenshot you see that both partners („Reseller“) have Global Administrator and Heldesk admin access to the tenant. In general, a partner does not need this kind of elevated access and it is recommended to:
- Create a dedicated user in the tenant with the specific role following least privilege and need to know principles and
- Verify that the user is protected by conditional access policies, e.g. to enforce MFA.
To remove these roles from the partner:
With the steps taken above you’ll restrict the partner from having admin access to your tenant. The partner will still be able to access your tenant through the Microsoft Partner Center to, for example, add licenses to the tenant.
To completely remove the CSP from your tenant:
- Contact the partner and have them remove you from their Partner Center or
- Open a ticket with Microsoft to have them remove the partner from the tenant.
For more informationen on how to remove partner admin roles see https://docs.microsoft.com/en-us/microsoft-365/commerce/manage-partners?view=o365-worldwide#remove-partner-admin-roles