Microsoft Entra ID · Remaining Built-in Roles
Partner Tier1 Support
Legacy Microsoft partner support role. Microsoft documents this role with "Do not use — not intended for general use." Superseded by Granular Delegated Admin Privileges (GDAP) and the Customer Delegated Admin Relationship Administrator role.
Scope: Legacy partner support permissions — DO NOT USE for new scenarios
Permissions
- Reset passwords for non-administrators
- Invalidate refresh tokens for non-administrators
- Create and manage support tickets in Azure and Microsoft 365 admin centers
- Read service health information and messages
Common use cases
- NONE — Microsoft documents this role as "Do not use — not intended for general use"
- Use Customer Delegated Admin Relationship Administrator + GDAP instead
- Legacy DAP scenarios still using this role should migrate to GDAP
Best practices
- Do NOT assign new users to this role
- Audit existing membership and migrate to GDAP-based access
- Coordinate migration with partner organizations
- Document removal plan if any legacy assignments exist
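An added example for the membership audit recommended above (not taken from Microsoft's documentation or from this page): it lists active and PIM-eligible assignments of the role in a tenant. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can use the read-only scopes shown; the variable names and report columns are illustrative.

```powershell
# Added example: audit who holds the legacy "Partner Tier1 Support" role.
# Assumes the Microsoft Graph PowerShell SDK and an account allowed to use
# the read-only scopes requested below.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

$roleName = 'Partner Tier1 Support'
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role definition '$roleName' not found." }
$filter = "roleDefinitionId eq '$($role.Id)'"

# Active assignments (standing or currently activated).
$found = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter $filter -All |
    Select-Object PrincipalId, DirectoryScopeId, @{ n = 'State'; e = { 'Active' } })

# PIM-eligible assignments. The call can fail in tenants without PIM,
# so warn and continue with the active assignments instead of aborting.
try {
    $found += @(Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $filter -All -ErrorAction Stop |
        Select-Object PrincipalId, DirectoryScopeId, @{ n = 'State'; e = { 'Eligible' } })
} catch {
    Write-Warning "Eligible assignments not checked: $($_.Exception.Message)"
}

# Resolve each principal so the report names users, groups and service principals.
$report = foreach ($a in $found) {
    $obj = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId -ErrorAction SilentlyContinue
    # Principals that cannot be resolved still appear, identified by PrincipalId only.
    $p = if ($obj) { $obj.AdditionalProperties } else { @{} }
    [pscustomobject]@{
        State       = $a.State
        Type        = $p['@odata.type'] -replace '^#microsoft\.graph\.', ''
        DisplayName = $p['displayName']
        UPN         = $p['userPrincipalName']
        PrincipalId = $a.PrincipalId
        Scope       = $a.DirectoryScopeId
    }
}

if ($report) { $report | Sort-Object State, DisplayName | Format-Table -AutoSize }
else { Write-Output "No assignments of '$roleName' found." }
```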
Security considerations
- Marked PRIVILEGED in Microsoft Entra — high-risk if misused
- Can reset passwords for non-administrators, which an attacker holding the role can abuse for account takeover
- Legacy DAP relationships using this role bypass modern GDAP controls
- Conditional Access may not apply uniformly to partner accounts using this role
- Migrate to GDAP for time-bound, scoped, audited partner access