Dynamics 365 Business Central: delegated admins and AAD guests users

When working with your Dynamics 365 Business Central online customers, one of the first thing you should do as a partner is to setup your employees on Partner Center and then assigning to them the permissions to support your online customers.

For this task, they need to have the Assists your customers as role set as Admin Agent or Helpdesk Agent:

Then you need to request a reseller relationship with a customer and you need to include delegated administration privileges for Azure Active Directory (Azure AD) and Office 365 in the request email that you send to the customer:

When a customer grants the delegated administration privilege to a partner:

• The Admin Agent group of the partner is assigned to the Global Administrator role in the customer’s Azure AD tenant.
• The Helpdesk Agent group of the partner is assigned to the Helpdesk Administrator role in the customer’s Azure AD tenant.

Based on the roles assigned, members of both groups can sign in to the customer’s Azure AD tenant, Microsoft 365 services, Business Central administration center, and Business Central tenants by using their partner credentials.

When you sign in to your customers’ Business Central as the delegated administrator, you have access to all areas of their Business Central without consuming a customer’s license. There are however some tasks that you cannot perform and these are listed here.

Delegated administrators are not visible in the customer’s Azure AD user list and cannot be managed by the customer’s internal admin. However, when a delegated admin logs into a Business Center environment on behalf of a customer, they are automatically created as a user inside the Business Central environment.

The setup process is quite easy. However, sometimes I’ve found partners that receives the following error when connecting to the customer’s Business Central tenant and try to install applications:

Here it seems that the user has not the right permissions for installing extensions, but when checked this is not the case. So what’s the problem here?

The problem that often causes this error is related to partner’s user added as guest to the customer’s AAD tenant.

In the Microsoft 365 admin center and Microsoft Azure Management portal, both customers and partners can invite external users (guests) into their Active Directory (in order to collaborate). When a partner user is added as a guest to the customer’s Azure AD, they can no longer log in as a delegated admin into the customer’s Business Central. In order to log in, the local user (guests or native) must have a valid Business Central license assigned to them.

It’s possible to quickly check what users are added as Guest to the customer’s tenant by executing the following Powershell script:

Connect-AzureAD
Get-AzureADUser -All $true | Where-Object {$_.UserType -eq 'Guest'}

If you want to have also group membership informations, you can also do something like the following:

$Group = Get-AzureADGroup -SearchString '<GroupName>'
Get-AzureADGroupMember -ObjectId $Group.ObjectId -All $true | Where-Object { $_.UserType -eq 'Guest'}

If you receive the above error and you’re sure to have the right permissions to install extensions, please remember to check also the Guests users in the customer’s AD.