RBAC (and bonus, JIT/PIM) capabilities for Microsoft 365-focused AAD roles for partners/MSPs
With Azure Lighthouse, we can set up RBAC permissions based on the specific needs and roles our internal MSP employees need to perform their job functions.
As regulatory compliance and security frameworks (including Zero Trust) continue to evolve and MSPs are required to adhere to those same standards, we need a capability to define AAD administrative roles for internal AAD SGs that allow very specific levels of access consistently across multiple customer environments.
Microsoft Partner Center (MPC) only allows for Global Administrator (which is way too much) and then Helpdesk Administrator (which is too low) through Delegated Administration without any flexibility to create custom roles that meet partners' unique needs based on their business processes.
This is a huge gap and I hope this can be figured out within this program!
Securing access to the right roles is important, so we appreciate you taking the time to submit this. Currently we are investigating how to enable delegated administration for other AAD roles (outside of the Global Admin and Helpdesk Admin currently possible) in a future release of the service. After that, we'll make sure to investigate feedback on scenarios that may need custom role permissions.