We are buying Microsoft 365 licenses and the reseller is requesting full global domain admin rights in order to administer the licenses.
I'm thinking, "no way in Hello Kitty", but maybe I'm being unrealistic.
Is this a normal request? Is there a better permission set to provide them? What's the typical expectation here?
I'm thinking global reader, if anything, but I'm still in the camp that the reseller should not get visibility at all into our domain.
No, I work for a reseller and our shop never asked such, but our customers just order more license when they need more, or less.
Are you sure the shop you asked are a reseller ? as some small IT business would add the license via the customer portal directly to manage the licensing. It’s simplier for the tech but it bypass the reseller quote.
A but, we do manage 0365 for some customers to help them setup/start it, in such time we need access, but it’s another question as it can be a consultant at that point or any other IT ressources.
If you dont thrust your reseller to manage your 0365, just ask someone else to manage it, but as you talk read only access I guess the term administers dont mean the same thing for them as for you.
This is a terrible idea.
Microsoft is good at providing a way for organizations to shoot their foot off in O365. The US Cybersecurity and Infrastructure Security Agency (CISA) found last year that many third party vendors that performed these types of integrations did exactly that.
https://us-cert.cisa.gov/ncas/analysis-reports/AR19-133A