The Guest Access Riddle: Why Partner Accounts Struggle With Access to Different Microsoft Services

Introduction

Recently, I encountered a special behavior with Microsoft 365 SharePoint that could be relevant for all Microsoft Cloud Solution Providers (CSPs) working with customer tenants. I attempted to share a SharePoint folder or document from a customer’s tenant—where we have a Granular Delegated Admin Privileges (GDAP) relationship—to an account in our own tenant.

While the account received the email with the link and appeared as an external account in the customer’s tenant, accessing the folder or document resulted in a message indicating that it did not have permission. Interestingly, this same folder or document could be shared with literally any other Microsoft account (from different Microsoft 365 business tenants or personal Microsoft accounts) without issues.

This behaviour raised some questions, so I investigated it further.

The Challenge: Guest Access and Partner Accounts

When CSPs access customer tenants, they may use accounts that reside in their own tenant via Granular Delegated Admin Privileges (GDAP). The issue I and others in the community have described appears specifically when these accounts are members of groups such as AdminAgents or HelpdeskAgents. For more information about these groups, see Manage subscriptions and resources as a Microsoft CSP. Notably, user accounts in the SalesAgents group do not experience this issue.

These “admin accounts” can be invited as B2B guest users in the customer tenant, and B2B access to certain resources (such as Azure resources or Microsoft 365 apps) may work correctly. Direct sharing of documents, however, does not work at all. This inconsistency not only disrupts collaboration but also confuses both partners and customers about how sharing permissions operate. As highlighted in discussions on Microsoft forums and community platforms, this issue is usually a result of the GDAP configuration and scope, which affects partner accounts in particular (Microsoft Community). As Microsoft states in its docs, guest accounts do not work with GDAP: customers must remove any guest accounts to get GDAP to work, and vice versa.

Workaround

A practical workaround is to grant access directly to the guest account on the SharePoint site or within the specific Microsoft Teams team. Once access is granted, the user can then utilize the Microsoft Teams client or a web browser—switching organizations as needed—to access the shared resources seamlessly.

NOTE: This is only a workaround, not a solution backed or supported by Microsoft.

Another workaround is to remove the partner account from the AdminAgents or HelpdeskAgents groups and add it to the SalesAgents group. Direct sharing will then work, but you will encounter administrative access errors because the account has fewer permissions.

Solution

To systematically address these challenges, you should separate admin accounts associated with GDAP from your regular day-to-day user accounts. This strategy allows customers to share documents with your “normal account” instead of your admin account, which helps reduce confusion and improve accessibility. By maintaining distinct accounts, you also enhance security over your administrative accounts while ensuring a smoother collaboration experience with customer resources.
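As an added example (not part of the original post), the following Microsoft Graph PowerShell script, run in the partner tenant, lists members of the AdminAgents and HelpdeskAgents groups that also hold an assigned license. It assumes that an assigned license is a reasonable proxy for a day-to-day user account, so every hit is a candidate for splitting into a separate, unlicensed admin account as described above.

```powershell
# Added example: find partner admin-agent accounts that look like day-to-day user accounts.
# Assumption: an account with an assigned license is treated as a day-to-day account.
# Requires the Microsoft.Graph PowerShell module; run in the partner (CSP) tenant.
Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All"

$agentGroups = @("AdminAgents", "HelpdeskAgents")
$findings = @()

foreach ($groupName in $agentGroups) {
    $group = Get-MgGroup -Filter "displayName eq '$groupName'"
    if (-not $group) {
        Write-Warning "Group '$groupName' not found in this tenant."
        continue
    }

    # Get-MgGroupMember returns generic directory objects; keep only user objects.
    $members = Get-MgGroupMember -GroupId $group.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

    foreach ($member in $members) {
        $user = Get-MgUser -UserId $member.Id -Property Id,UserPrincipalName,AssignedLicenses,AccountEnabled
        if ($user.AssignedLicenses.Count -gt 0) {
            $findings += [PSCustomObject]@{
                Group             = $groupName
                UserPrincipalName = $user.UserPrincipalName
                AccountEnabled    = $user.AccountEnabled
                LicenseCount      = $user.AssignedLicenses.Count
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No licensed accounts found in the agent groups; admin and user accounts appear separated."
} else {
    # Each row is an admin-agent account that also looks like a daily-use account.
    $findings | Sort-Object Group, UserPrincipalName | Format-Table -AutoSize
}
```

Accounts listed here are the ones customers are most likely to try to share documents with, so they are the first candidates for a dedicated admin account.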

Conclusion

Navigating the complexities of guest access in Microsoft 365, particularly for CSPs utilizing GDAP, is essential for an effective collaboration between partners and customers. By identifying the limitations and applying best practices—such as the separation of normal user accounts and administrative accounts—partners can significantly enhance the user experience and streamline access to shared resources.

Additional Resources

  1. Can a partner user have GDAP roles and a Guest account?
  2. Microsoft Community Discussion on GDAP Access Issues
  3. Reddit Community Insights on SharePoint Access Issues