Microsoft Entra ID · Remaining Built-in Roles
Partner Tier2 Support
Legacy Microsoft partner support role with elevated permissions over Partner Tier1 Support. Microsoft documents this role with "Do not use — not intended for general use." Superseded by Granular Delegated Admin Privileges (GDAP).
Scope: Legacy elevated partner support permissions — DO NOT USE for new scenarios
Permissions
- Reset passwords for any user including administrators (HIGH PRIVILEGE)
- Invalidate refresh tokens for any user
- Delete and restore non-administrator users
- Create and manage support tickets in Azure and Microsoft 365 admin centers
- Read service health information and messages
Common use cases
- NONE — Microsoft documents this role as "Do not use — not intended for general use"
- Use Customer Delegated Admin Relationship Administrator + GDAP instead
- Legacy DAP scenarios still using this role should migrate to GDAP
Best practices
- Do NOT assign new users to this role
- Audit existing membership and migrate to GDAP-based access
- Coordinate migration with partner organizations urgently — this role is high-risk
- Document removal plan if any legacy assignments exist
Security considerations
- Marked PRIVILEGED in Microsoft Entra — VERY HIGH risk
- Can reset passwords for ADMINISTRATORS — full admin account takeover path
- Can delete and restore users — destructive capability
- Legacy DAP relationships using this role bypass modern GDAP controls
- Should be treated as Tier 0 access if any assignments exist
- Migrate to GDAP for time-bound, scoped, audited partner access
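Membership audit for the "Audit existing membership" best practice above, as an added example (not Microsoft's code and not part of the original page). It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can consent to the `RoleManagement.Read.Directory` and `Directory.Read.All` scopes; the `Resolve-Principal` helper is a hypothetical name.

```powershell
# Added example: list active and PIM-eligible assignments of the role by display name.
$roleName = 'Partner Tier2 Support'   # display name as given on this page

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role definition '$roleName' not found in this tenant." }

$filter = "roleDefinitionId eq '$($role.Id)'"
$active = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter $filter -All)

# Eligibility schedules only exist where PIM is in use; treat a failed call as "none".
try {
    $eligible = @(Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $filter -All -ErrorAction Stop)
} catch {
    Write-Warning "Could not read PIM eligibility schedules: $($_.Exception.Message)"
    $eligible = @()
}

# Hypothetical helper: turn a principal id into a readable report row.
function Resolve-Principal {
    param([string]$PrincipalId, [string]$State, [string]$Scope)
    try {
        $p = (Get-MgDirectoryObject -DirectoryObjectId $PrincipalId -ErrorAction Stop).AdditionalProperties
    } catch {
        $p = @{}   # object could not be read; keep the row so the id is still reported
    }
    [pscustomobject]@{
        State       = $State
        PrincipalId = $PrincipalId
        Type        = ($p['@odata.type'] -replace '^#microsoft\.graph\.', '')
        DisplayName = $p['displayName']
        UPN         = $p['userPrincipalName']
        Scope       = $Scope
    }
}

$report = @(
    $active   | ForEach-Object { Resolve-Principal $_.PrincipalId 'Active'   $_.DirectoryScopeId }
    $eligible | ForEach-Object { Resolve-Principal $_.PrincipalId 'Eligible' $_.DirectoryScopeId }
)

if ($report.Count -eq 0) {
    Write-Output "No active or eligible assignments of '$roleName' found."
} else {
    $report | Sort-Object State, DisplayName | Format-Table -AutoSize
}
```

Any row returned is an assignment to remove or migrate to GDAP; a group in the `Type` column means its members hold the role transitively and need to be reviewed as well.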