The delegated admin privileges available to partner organizations such as MSPs and CSPs are a fantastic way to allow admin access without going to the trouble of maintaining a list of admin accounts for each customer. Beyond just rotating accounts as people move through the business, ensuring the correct security is in place and meeting licensing requirements for things like PIM becomes a headache across a large customer base.
Using delegated admin via the Microsoft 365 Partner Center allows service desk personnel to gain access via an already secured account (with MFA etc.) without using a customer-specific account. In the past this was great for small tasks, but anything that needed scripting required a real admin account in the destination tenancy.
With the general release of the Exchange Online PowerShell (v2) module early this year, a great feature that I find everyone is now using is the ability to connect to an Exchange Online organization using Delegated Access Permissions (i.e. a partner account).
Exchange Online PowerShell V2
For those who don’t have the module installed and are still using the old Exchange Module, download it now with the below command:
Install-Module ExchangeOnlineManagement
Once installed, the Connect-ExchangeOnline cmdlet will allow you to connect to any organization with an appropriate account using modern authentication.
Some of the REST-based cmdlets available in this module can really improve the speed and stability of your PowerShell scripts, and I have previously uploaded some examples on this blog.
Connecting to a Customer Tenancy
For a delegated partner organization, a small change to the connection command will allow a delegated connection to customer tenancies:
Connect-ExchangeOnline -DelegatedOrganization contoso.onmicrosoft.com
Simply specify the organization you wish to connect to and as long as you have delegated permissions, you’re in!
This functionality simplifies the support model for a lot of partners, who will often have scripted processes for things like permissions and licensing. Not needing to provision every potential service desk analyst with an admin account, along with the additional security, is a nice touch.
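As an added example (not code from the original post), the sketch below runs one scripted, read-only task across several customer tenancies over the delegated connection, records which organization each session actually landed in, and always disconnects before moving on so nothing runs against the wrong customer. The partner UPN, the second tenant name, the output path and the forwarding check itself are assumptions chosen for illustration.

```powershell
# Added example: the UPN, tenant list and output path are constructed placeholders.
$PartnerUpn      = 'analyst@partner.example'       # assumption: your MFA-protected partner account
$CustomerTenants = @(
    'contoso.onmicrosoft.com',                     # tenant used in the post
    'fabrikam.onmicrosoft.com'                     # constructed sample
)

$report = foreach ($tenant in $CustomerTenants) {
    try {
        # Delegated connection; -ErrorAction Stop makes a missing delegation land in catch.
        Connect-ExchangeOnline -UserPrincipalName $PartnerUpn `
            -DelegatedOrganization $tenant -ShowBanner:$false -ErrorAction Stop

        # Record the organization the session is really attached to, for later review.
        $connectedOrg = (Get-OrganizationConfig).Name

        # Stand-in read-only task: list mailboxes that forward mail to an SMTP address.
        $forwarding = Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress |
            Where-Object { $_.ForwardingSmtpAddress }

        foreach ($mbx in $forwarding) {
            [pscustomobject]@{
                Tenant       = $tenant
                ConnectedOrg = $connectedOrg
                Mailbox      = $mbx.UserPrincipalName
                ForwardsTo   = $mbx.ForwardingSmtpAddress
                Status       = 'OK'
            }
        }
    }
    catch {
        # Keep failed tenants in the report so a missing delegation is visible, not silent.
        [pscustomobject]@{
            Tenant       = $tenant
            ConnectedOrg = $null
            Mailbox      = $null
            ForwardsTo   = $null
            Status       = "Failed: $($_.Exception.Message)"
        }
    }
    finally {
        # Always drop the session before the next customer.
        Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
    }
}

$report | Export-Csv -Path .\delegated-forwarding-report.csv -NoTypeInformation
```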
Delegated Admin is also available in several other Office 365 related PowerShell Modules in different ways. In the future I might pull them all together into one post.