Office 365 Partner Global Admin Account with Assigned Client Administration = FULL

One of the frustrating experiences I have had recently due to using ADFS2, DirSync or SSO is the Public Certificate used for ADFS2 and SSO expires 20 days early (more about this in an additional post). However this shouldn’t be an issue since my Partner Account / The Partner of Record should be able to reset Passwords and mange my Client Office 365 environment. However, as you can see from the screenshot below. There isn’t anywhere to manage your clients, like there was in BPOS. Though if you login to http://Partner.Microsoft.com you can find many users and clients that you have being managed.

Partner Overview

image

The Partner overview allows you to view additional marketing material or Build Your Business, Send Invitations,  and Confirm Purchase Orders. While I still have less than 500 Client Users with only a handful of clients including my own company.

Though as you can see from the next screen shot I am logged in as the Global Admin of my Partner Account and been granted Assign Administrative Access to Companies I support

Global Admin Settings

image

There doesn’t appear to be any way to manage your clients. This wouldn’t have been an issue if I hadn’t deprecated my Companies Global Admin Account by associating the email address with the ASDFS Service Account which is a domain user without certain privileges in my domain. Also, there isn’t any documentation that the companies Global Admin Account would be deprecated. The reason I did so was so that any issue with DirSync would be emailed to this account and it would be monitored. Interestingly, all DirSync failures go to your alternate email address in my case this is an unmanaged domain like yahoo.com.

There will be a more complete post where I walk through the steps of restoring SSO when your certificate expires 20 days prior to its Expiration.. The moral of the story is to use a Password LockBox Like the Lenovo Client Security Solution and create more than one Global Admin Account prior to implementing SS and don’t add the Global Admin Account to any of your Domain Users especially a service account.

 

-Ivan

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>