Another day, another hidden global administrator

Alexander Filipin
AlexFilipin
Jul 29, 2021

In Microsoft 365 there is an option that allows Microsoft-certified solution providers (partners) to purchase and manage products and services for your organization or school.

To enable these partners to manage your products and services, you establish a partner relationship through an invitation and redemption process.

These permissions can be extremely far-reaching, up to Global Administrator. The documentation has details about the different relationship types. The relationships are not visible in the Azure AD roles / blades, hence they also bypass access reviews.

If you are responsible for your company's Azure Active Directory, please ensure you have only the partner relationships you want and that they follow least privilege. The documentation for removing these relationships shows you where in the M365 admin center you can find and review them.

Working with several customers, the review of these relationships usually brings big surprises: often the relationships had been established several years ago without the required awareness.
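
Because these relationships never show up as role assignments, a complementary check is to look for partner activity in the tenant's sign-in logs. The following is an added example, not code from the original post: it scans exported sign-in records for entries whose `crossTenantAccessType` is `serviceProvider` and reports partner tenants that are not on an allowlist. Field names follow the Microsoft Graph beta `signIn` resource; the records, tenant IDs and allowlist are constructed.

```python
import json
from collections import defaultdict

# Constructed sample records (not real data); field names follow the
# Microsoft Graph beta signIn resource.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime":"2021-07-01T08:12:00Z","userPrincipalName":"tech1@partner-a.example",
  "homeTenantId":"aaaaaaaa-0000-0000-0000-000000000001","crossTenantAccessType":"serviceProvider"},
 {"createdDateTime":"2021-07-03T22:40:00Z","userPrincipalName":"admin@partner-b.example",
  "homeTenantId":"bbbbbbbb-0000-0000-0000-000000000002","crossTenantAccessType":"serviceProvider"},
 {"createdDateTime":"2021-07-05T02:15:00Z","userPrincipalName":"helpdesk@partner-b.example",
  "homeTenantId":"bbbbbbbb-0000-0000-0000-000000000002","crossTenantAccessType":"serviceProvider"},
 {"createdDateTime":"2021-07-05T09:00:00Z","userPrincipalName":"guest@vendor.example",
  "homeTenantId":"cccccccc-0000-0000-0000-000000000003","crossTenantAccessType":"b2bCollaboration"},
 {"createdDateTime":"2021-07-05T09:30:00Z","userPrincipalName":"alice@contoso.example",
  "homeTenantId":"dddddddd-0000-0000-0000-000000000004","crossTenantAccessType":"none"}
]""")

# Hypothetical allowlist: tenant IDs of partners you knowingly work with.
EXPECTED_PARTNER_TENANTS = {"aaaaaaaa-0000-0000-0000-000000000001"}


def is_partner_signin(record):
    """True if the sign-in was made through a service-provider (partner) relationship."""
    # Assumption: the value may carry several comma-separated flags, so split first.
    flags = {f.strip() for f in str(record.get("crossTenantAccessType", "")).split(",")}
    return "serviceProvider" in flags


def partner_signins(records):
    """Summarise partner sign-ins per home tenant: count, accounts, last seen."""
    summary = defaultdict(lambda: {"count": 0, "users": set(), "last_seen": ""})
    for rec in filter(is_partner_signin, records):
        entry = summary[rec.get("homeTenantId", "unknown")]
        entry["count"] += 1
        entry["users"].add(rec.get("userPrincipalName", "unknown"))
        # ISO 8601 UTC timestamps in one format sort correctly as strings.
        entry["last_seen"] = max(entry["last_seen"], rec.get("createdDateTime", ""))
    return dict(summary)


def unexpected_partners(records, expected_tenants):
    """Partner tenants seen signing in that are not on the allowlist."""
    return {t: s for t, s in partner_signins(records).items() if t not in expected_tenants}


if __name__ == "__main__":
    for tenant, s in unexpected_partners(SAMPLE_SIGNINS, EXPECTED_PARTNER_TENANTS).items():
        print(f"unexpected partner tenant {tenant}: {s['count']} sign-ins, "
              f"last {s['last_seen']}, accounts {sorted(s['users'])}")
```

A partner that has not signed in during the log retention window will not appear here, so the relationship list in the M365 admin center remains the authoritative place to review.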
