Liongard

When working with Partner Center integrations, Microsoft requires certain security group assignments for users interacting with the Partner Center APIs. One key group is the AdminAgents security group. This article outlines its purpose and when it is required.

___________________________________________________________

The AdminAgents security group is a built-in Microsoft Partner Center security group. It grants the necessary permissions for users to interact with the Partner Center APIs on behalf of customer tenants.

"The partner user must also be a member of the AdminAgents security group, which is required for calling the Partner Center APIs." — <a href="https://learn.microsoft.com/en-us/partner-center/developer/gdap-and-secure-application-model" rel="nofollow noopener noreferrer" target="_blank">Microsoft Documentation: GDAP and Secure Application Model</a>

Membership in the AdminAgents group enables the authenticated user to perform API calls related to customer and service management activities through Partner Center.

Partner Center API Access: Any user authenticating into the Partner Center APIs must be a member of the AdminAgents security group.

Inspector Integrations and Automated Systems: Systems or services that authenticate using a user account to query Partner Center APIs (such as monitoring or automation platforms) must ensure the account belongs to AdminAgents.

Secure Application Model Usage: Even when using the Secure Application Model, the partner user making API calls must still be a member of AdminAgents.

- Partner Center API Access: Any user authenticating into the Partner Center APIs must be a member of the AdminAgents security group.
- Inspector Integrations and Automated Systems: Systems or services that authenticate using a user account to query Partner Center APIs (such as monitoring or automation platforms) must ensure the account belongs to AdminAgents.
- Secure Application Model Usage: Even when using the Secure Application Model, the partner user making API calls must still be a member of AdminAgents.

Admin Relationship Security Groups: Partners may still configure custom security groups for Admin Relationships in Partner Center when managing customer tenants. However, the specific user account used for API authentication must belong to AdminAgents, regardless of the Admin Relationship group settings.

Scope of Permission: AdminAgents membership provides the minimum required role access for Partner Center API interactions. It does not necessarily grant full administrative access outside the Partner Center context unless additional roles are assigned.

- Admin Relationship Security Groups: Partners may still configure custom security groups for Admin Relationships in Partner Center when managing customer tenants. However, the specific user account used for API authentication must belong to AdminAgents, regardless of the Admin Relationship group settings.
- Scope of Permission: AdminAgents membership provides the minimum required role access for Partner Center API interactions. It does not necessarily grant full administrative access outside the Partner Center context unless additional roles are assigned.

For more details from Microsoft, please refer to the official documentation: 👉 <a href="https://learn.microsoft.com/en-us/partner-center/developer/gdap-and-secure-application-model" rel="nofollow noopener noreferrer" target="_blank">GDAP and Secure Application Model - Microsoft Docs</a>

M365 | Understanding the AdminAgents Security Group Requirement

Overview

What is the AdminAgents Security Group?

When is AdminAgents Required?

Important Clarifications

Reference