Important
Microsoft Entra Tenant Governance is currently in PREVIEW. This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
This article describes how to sign in to a governed tenant as a delegated administrator and manage delegated administration roles.
Cross-tenant delegated administration enables administrators in a governing tenant to sign in to and manage governed tenants using their governing tenant credentials. This capability doesn't require a local or B2B account in each governed tenant. It uses granular delegated admin privileges (GDAP) technology to provide centralized, least-privileged, cross-tenant access.
Prerequisites
An active governance relationship between the governing tenant and the governed tenant, with delegated administration configured in the governance policy template. For more information, see GDAP supported workloads.
The administrator must belong to a security group in the governing tenant that the governance relationship specifies.
Sign in to a governed tenant as a delegated administrator
After the governance relationship is active and GDAP role assignments are in place, members of the configured security group can sign in to the governed tenant.
Confirm that your account is a member of a security group in the governing tenant that is assigned roles in the governance policy template.
Open a supported admin portal URL and append the domain or tenant ID of the governed tenant. For a list of supported portals and workloads, see GDAP supported workloads. For example:
https://entra.microsoft.com/{governed-tenant-domain-or-id}
Sign in with your governing tenant credentials.
After successful sign-in, perform administrative tasks in the governed tenant based on the roles assigned to your security group.
Important
Your user information appears different from a regular user:
- Your display name appears as user_{your user object ID in the governing tenant without dashes}.
- Sign-in logs and audit logs in the governed tenant show your display name as {Governing tenant name} Technician.
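Reviewers in the governed tenant can use the two display name formats described above to recognize delegated administrators and recover the object ID to look up in the governing tenant. The following Python sketch is an added example, not part of the original article and not Microsoft code; the function names, the tenant name "Contoso Governance" and all sample values are constructed.

```python
import re
import uuid

# Display name formats come from the article; everything else here is constructed.
USER_NAME_RE = re.compile(r"^user_([0-9a-fA-F]{32})$")
TECHNICIAN_SUFFIX = " Technician"


def classify_display_name(display_name, governing_tenant_names):
    """Classify a display name observed in a governed tenant.

    Returns a (kind, detail) tuple:
      ("delegated_admin_user", object ID in the governing tenant, dashed form)
      ("delegated_admin_log_label", governing tenant name)
      ("other", None)
    """
    match = USER_NAME_RE.match(display_name)
    if match:
        # The name carries the object ID without dashes; uuid.UUID restores
        # the 8-4-4-4-12 form used when searching the governing tenant.
        return "delegated_admin_user", str(uuid.UUID(hex=match.group(1)))
    if display_name.endswith(TECHNICIAN_SUFFIX):
        tenant = display_name[: -len(TECHNICIAN_SUFFIX)]
        # Accept the label only for tenants with a known governance
        # relationship, so a local account such as "Lab Technician" is not
        # mistaken for a delegated administrator.
        if tenant in governing_tenant_names:
            return "delegated_admin_log_label", tenant
    return "other", None


def triage(display_names, governing_tenant_names):
    """Map each observed display name to its classification."""
    return {n: classify_display_name(n, governing_tenant_names) for n in display_names}


# Constructed sample values, not taken from a real tenant.
KNOWN_GOVERNING_TENANTS = {"Contoso Governance"}
SAMPLE_NAMES = [
    "user_0a1b2c3d4e5f60718293a4b5c6d7e8f9",
    "Contoso Governance Technician",
    "Lab Technician",
    "user_not-an-object-id",
    "Alex Wilber",
]

if __name__ == "__main__":
    for name, result in triage(SAMPLE_NAMES, KNOWN_GOVERNING_TENANTS).items():
        print(f"{name!r}: {result}")
```
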
Update delegated administration roles
To add or change the roles available to delegated administrators, update the governance policy template and send a new governance request.
In the governing tenant, update the governance policy template to add or modify the Microsoft Entra built-in roles and security group assignments.
Note
Updating the template increments its version number by one.
Send a new governance request to the governed tenant using the updated policy template.
An administrator in the governed tenant reviews and accepts the request to apply the updated roles.