Microsoft Entra ID · Remaining Built-in Roles
Partner Tier2 Support
Legacy Microsoft partner support role with elevated permissions (can reset admin passwords), marked "Do not use". Per MC1409305, new assignments are being phased out (rollout Aug 3–24, 2026). Replace with User Administrator, or License + Application Administrator; use GDAP for partners.
Scope: Legacy elevated partner support permissions — DO NOT USE for new scenarios
Permissions
- Reset passwords for any user including administrators (HIGH PRIVILEGE)
- Invalidate refresh tokens for any user
- Delete and restore non-administrator users
- Create and manage support tickets in Azure and Microsoft 365 admin centers
- Read service health information and messages
Common use cases
- NONE — Microsoft documents this role as "Do not use — not intended for general use"
- Internal scenarios: use User Administrator, or a combination of License + Application Administrator (MC1409305 guidance)
- Partner-delegated access: migrate to GDAP via Customer Delegated Admin Relationship Administrator
Best practices
- Do NOT assign new users to this role
- Audit existing membership and migrate to GDAP-based access
- Coordinate migration with partner organizations urgently — this role is high-risk
- Document removal plan if any legacy assignments exist
Security considerations
- Marked PRIVILEGED in Microsoft Entra — VERY HIGH risk
- Can reset passwords for ADMINISTRATORS — full admin account takeover path
- Can delete and restore users — destructive capability
- Legacy DAP relationships using this role bypass modern GDAP controls
- Should be treated as Tier 0 access if any assignments exist
- Migrate to GDAP for time-bound, scoped, audited partner access
Common questions
When should I assign the Partner Tier2 Support role?
Assign Partner Tier2 Support when you need to: NONE — Microsoft documents this role as "Do not use — not intended for general use"; Internal scenarios: use User Administrator, or a combination of License + Application Administrator (MC1409305 guidance); and Partner-delegated access: migrate to GDAP via Customer Delegated Admin Relationship Administrator. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Partner Tier2 Support role do?
The Partner Tier2 Support role grants permissions including: Reset passwords for any user including administrators (HIGH PRIVILEGE); Invalidate refresh tokens for any user; Delete and restore non-administrator users; Create and manage support tickets in Azure and Microsoft 365 admin centers; and Read service health information and messages. See the Permissions section above for the full list.
What are the security risks of the Partner Tier2 Support role?
Key considerations when assigning Partner Tier2 Support: Marked PRIVILEGED in Microsoft Entra — VERY HIGH risk; Can reset passwords for ADMINISTRATORS — full admin account takeover path; Can delete and restore users — destructive capability; and Legacy DAP relationships using this role bypass modern GDAP controls. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.