A question that often comes up from Business Central customers are if they really need to give their Business Central partner delegated admin rights to their Azure AD? These kind of question comes more often from Business Central customers with their own IT department than from customers that might have less or none dedicated IT resources in house.
My recommendation to you as a Business Central customer is definitely yes – you should give your Business Central partner delegated admin rights in your Azure Active directory.
You make it way harder for your partner to act as a professional and proactive Business Central partner if you refuse to give them these rights into your system. Refusing them these right will require that you make sure that you have in house resources that can handle the necessary task within your Business Central environment that you cut off your partner from doing.
So what is the delegated admin rights used for by your Business Central partner?
- Access to Business Central without you having to pay license fee for your partners use
Delegated admin rights gives your partner access to your Business Central environment with out you have to pay any license fee for their access. This means that those of your partners employees that have the right security group assigned to the in your partners setup can access your Business Central without you having to pay extra for it.
If you instead chose to define your partners employees as guest users in your Azure AD this means that you will also have to assign a license to them. It also means that every time a new employee from your partner needs to access your system a new guest user have to be created and a new license has to be purchased. A process that will cost you both time and money.
- Access to the Business Central admin center
Every Business Central tenant got its own admin center. This is used for maintenance and administrative tasks connected to your Business Central environment. This can be restore from backup, restart of your environment, monitor database locks, handle updates etc.
- Create an maintain sandbox environments
For every production environment you have in Business Central you can deploy up to 3 sandbox environments. The sandbox environments can be used for testing, training and for looking at preview versions of coming updates to Business Central. The delegated admin rights gives your partner access to help you setup and maintain these sandbox environments for you.
- Looking at application telemetry
Application telemetry is important for analyzing irregularities and handle errors that might occur in your Business Central environment. Without delegated admin access to your Business Central environment it is very hard for your partner to assist you if a challenging situation should occur in connection to your implementation.
If you feel that it is insecure or too risky to grant your Microsoft Dynamics 365 Business Central partner delegated admin access to your Azure active directory, i recommend you to have a dialog with your partner about how to govern the access instead of denying them the access. I the long run this will be better both for you and your Business Central partner.