Dynamics 365 – Partner Hygiene

I was looking for a customer in Partner Center the other day. I had to scroll through like ten pages to find them, past a whole bunch of other customers, many of which we no longer had a relationship with. But I still had full access to their tenant. I thought, that is not a good thing for either of us.

Things Change

There could be any number of reasons that a customer and partner are no longer actively engaged with each other. Maybe they had a falling out, maybe the customer moved to another partner for a better deal, maybe the customer simply does not require any assistance from the partner anymore, or maybe, as in our case, the partner no longer supports the products that the customer bought. The relationship should probably be removed in any of these cases. But usually it is not.

Risk on Both Sides

If a customer still has a partner listed in their Partner Relationships area, even if it was just for a little help one time, that partner has full access to their systems. This is obviously a risk for a customer, particularly if there was a falling out. But there is also risk for the partner. Imagine that something happens at the customer. Maybe some employee deletes a bunch of records on his way out the door after being fired. Maybe the client cannot tell that this was done by the employee… who knows how many scenarios there are that could happen. In any event, a check of who has, or could have, full access shows a partner who has not been involved in 4 years. Suddenly, the partner is named in the lawsuit. If you do not have an active relationship, there is no benefit to either party in having the partner listed in the Partner Relationships.

How to remove a Partner Relationship

For a customer, the process of removing a partner relationship is pretty straightforward, depending on what that relationship is. Start by logging into your Office 365 Admin center (you will need to be an Account Admin to do this). In the left column, scroll down to Settings, then Partner Relationships, and click it.

This will open the list of all Partner Relationships you have, which may surprise you. Are there partners listed that you are no longer actively engaged with? Click the box next to their name and select “Delete Partner” from the window that pops open.

To be extra safe, go to your list of Active Users. Often Partners will create an Admin User Account, which they are able to do if they have a Partner Relationship. You may also want to delete that user(s).

You can always add the partner back later if you re-engage with them.

One caveat: this works when the partner is listed as an “Advisor”, but what if they are listed as the CSP Reseller? This gets trickier, but you can still prevent them from accessing your systems by removing their “Delegated Admin” privileges. To remove them completely would require a support ticket with Microsoft and may require moving licenses you purchased from them. Note that if you did not purchase any licenses, you still can’t remove them without Support, but the Partner can remove themselves if you ask.

How to Remove yourself as a Partner Relationship

From the partner side, it is a little trickier to remove yourself from a customer. Microsoft Partner support told me that only a Customer Admin can remove a partner and suggested that I contact my customers. Some of these customers were no longer even Microsoft customers, having cancelled their service years ago. From Partner Center, clicking on Office 365 to access their tenant may even throw an error. Even if you can get in, as a Delegated Admin you can’t remove yourself. So here is the workaround: starting from Partner Center, go to the customer on your list and click “Users and Licenses”:

Then click to Add User

I created a dummy User, and gave it Global Admin Rights (Yes customers, any partner in your Partner Relationships list can do this)

This will create new Admin credentials:

Login to https://login.microsoftonline.com with these new credentials, and Boom, you are into the tenant with Global Admin privileges:

From there, the steps to remove yourself are the same as for the customer above. Once removed, the Customer will no longer show up in your customer list.

Hey, Wait a Minute!

Can’t the partner still get in with the dummy credentials they created at any time? Yes they can, so you should alert your customer to remove this dummy user. Once this user is removed, the Partner no longer has any access. Ideally, you would create an email and ask the customer to do all of this, instead of the Partner. This example was really meant for inactive tenants, where there is no one at the customer end to do it. I utilized this procedure to remove a bunch of dead Customer Accounts from our Partner Center Customer list.
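For the customer side, a way to spot leftover partner-created admins like the dummy user above, as an added example that is not part of the original post: it scans exported directory audit records for admin role grants made by someone outside the tenant's own domains. It assumes the records follow the Microsoft Graph directoryAudit layout and that a partner's grant is logged under the partner user's own UPN; the domains, accounts and sample records are constructed.

```python
# Added example: flag admin role grants initiated from outside the tenant's domains.
# Assumption: records follow the Microsoft Graph directoryAudit layout.
WATCHED_ROLES = {"Global Administrator", "Company Administrator"}

def _rec(when, activity, actor, target, role=None):
    """Build one constructed sample record in the directoryAudit shape."""
    props = [{"displayName": "Role.DisplayName", "newValue": f'"{role}"'}] if role else []
    return {
        "activityDateTime": when,
        "activityDisplayName": activity,
        "initiatedBy": {"user": {"userPrincipalName": actor}},
        "targetResources": [{"type": "User", "userPrincipalName": target,
                             "modifiedProperties": props}],
    }

# Constructed sample log: a partner creates a user and makes it Global Admin,
# an internal admin promotes a colleague, a partner grants a lesser role.
SAMPLE_LOG = [
    _rec("2024-03-01T10:02:11Z", "Add user", "tech@partner.example", "dummy@customer.example"),
    _rec("2024-03-01T10:02:40Z", "Add member to role", "tech@partner.example",
         "dummy@customer.example", "Global Administrator"),
    _rec("2024-03-02T09:15:00Z", "Add member to role", "admin@customer.example",
         "alice@customer.example", "Global Administrator"),
    _rec("2024-03-03T14:30:00Z", "Add member to role", "tech@partner.example",
         "bob@customer.example", "Helpdesk Administrator"),
]

def externally_granted_admins(records, tenant_domains):
    """Return (time, initiator, target) for watched roles granted by outsiders."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") != "Add member to role":
            continue
        user = (rec.get("initiatedBy") or {}).get("user") or {}
        # Grants with no user initiator (apps) are reported rather than skipped.
        actor = user.get("userPrincipalName") or "(non-user initiator)"
        if actor.rsplit("@", 1)[-1].lower() in tenant_domains:
            continue  # granted by one of the tenant's own accounts
        for target in rec.get("targetResources") or []:
            roles = {(p.get("newValue") or "").strip('"')
                     for p in target.get("modifiedProperties") or []
                     if p.get("displayName") == "Role.DisplayName"}
            if target.get("userPrincipalName") and roles & WATCHED_ROLES:
                findings.append((rec["activityDateTime"], actor, target["userPrincipalName"]))
    return findings

if __name__ == "__main__":
    for when, actor, target in externally_granted_admins(SAMPLE_LOG, {"customer.example"}):
        print(f"{when}  {actor} granted a watched admin role to {target}")
```

Any account it reports is a candidate for the Active Users review described earlier; pass the tenant's verified domains in lower case.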

 
