Microsoft Entra ID · Remaining Built-in Roles
Partner Tier1 Support
Legacy Microsoft partner support role marked "Do not use". Per MC1409305, new assignments are being phased out as part of deprecated-role lifecycle management (rollout Aug 3–24, 2026). Replacements: User Administrator (primary), or GDAP / Customer Delegated Admin Relationship Administrator for partners.
Scope: Legacy partner support permissions — DO NOT USE for new scenarios
Permissions
- Reset passwords for non-administrators
- Invalidate refresh tokens for non-administrators
- Create and manage support tickets in Azure and Microsoft 365 admin centers
- Read service health information and messages
Common use cases
- NONE — Microsoft documents this role as "Do not use — not intended for general use"
- Internal scenarios: use User Administrator (primary), or Helpdesk / Groups / License / Domain Name Administrator (MC1409305 guidance)
- Partner-delegated access: migrate to GDAP via Customer Delegated Admin Relationship Administrator
Best practices
- Do NOT assign new users to this role
- Audit existing membership and migrate to GDAP-based access
- Coordinate migration with partner organizations
- Document removal plan if any legacy assignments exist
Security considerations
- Marked PRIVILEGED in Microsoft Entra — high-risk if misused
- Can reset passwords for non-administrators — useful for account takeover
- Legacy DAP relationships using this role bypass modern GDAP controls
- Conditional Access may not apply uniformly to partner accounts using this role
- Migrate to GDAP for time-bound, scoped, audited partner access
Common questions
When should I assign the Partner Tier1 Support role?
Assign Partner Tier1 Support when you need to: NONE — Microsoft documents this role as "Do not use — not intended for general use"; Internal scenarios: use User Administrator (primary), or Helpdesk / Groups / License / Domain Name Administrator (MC1409305 guidance); and Partner-delegated access: migrate to GDAP via Customer Delegated Admin Relationship Administrator. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Partner Tier1 Support role do?
The Partner Tier1 Support role grants permissions including: Reset passwords for non-administrators; Invalidate refresh tokens for non-administrators; Create and manage support tickets in Azure and Microsoft 365 admin centers; and Read service health information and messages. See the Permissions section above for the full list.
What are the security risks of the Partner Tier1 Support role?
Key considerations when assigning Partner Tier1 Support: Marked PRIVILEGED in Microsoft Entra — high-risk if misused; Can reset passwords for non-administrators — useful for account takeover; Legacy DAP relationships using this role bypass modern GDAP controls; and Conditional Access may not apply uniformly to partner accounts using this role. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.