This blog was originally published by 360 Visibility.

Why Multiple Microsoft Cloud Partners Can Increase Security Risk

Many organizations unknowingly grant access to multiple Microsoft partners within their Microsoft 365 or Azure tenant. While this often happens during transitions, acquisitions, or project-based engagements, it can create unnecessary complexity and increase security exposure.

This issue is commonly referred to as administrative sprawl.

If more than one external provider holds Global Administrator privileges, the organization’s attack surface expands significantly.

The Key Principle

To strengthen security and governance:

  • Designate one primary Cloud Solution Provider (CSP)
  • Use Granular Delegated Administrative Privileges (GDAP) instead of legacy Delegated Admin Privileges (DAP), which gave a partner's admin agents standing Global Administrator access to the whole tenant
  • Retain full ownership and control of Global Admin accounts internally

60-Second Audit: Check Your Microsoft 365 Partner Access

You can quickly review your current partner relationships:

  1. Log in to the Microsoft 365 Admin Center

  2. Go to Settings → Partner Relationships

  3. Review all listed partners

Look for:

  • Partners you no longer work with
  • Multiple partners with Global Administrator access
  • Legacy DAP (Delegated Admin Privileges) relationships

If any inactive or unnecessary relationships exist, remove them. Removing a relationship on this page revokes that partner's delegated access to your tenant, so before you remove the provider that originally set up the tenant, confirm that your organization already holds its own working Global Administrator accounts.

Four Risks of Multi-Partner Environments

1. Expanded Attack Surface

Each partner represents a group of external administrators who may have access to your environment.

If a partner’s credentials are compromised, attackers may gain access to:

  • SharePoint
  • OneDrive
  • Exchange Online
  • Azure resources

Best practice: Replace permanent Global Admin access with time-bound GDAP roles aligned to specific responsibilities.

2. Loss of Administrative Control

In some cases, organizations lose visibility or control over Global Admin accounts when transitioning between providers.

Best practices:

  • Maintain at least two internal Global Administrator accounts
  • Create a cloud-only “break-glass” emergency access account, excluded from Conditional Access policies, with its credentials stored offline and an alert raised on any sign-in to it
  • Ensure all Global Admin credentials are owned by your organization

Your tenant should never be dependent on a third party for administrative control.
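The two checks above (at least two internally owned Global Administrators, and no Global Administrator principal you do not control) can be scripted against your own tenant. The following PowerShell is an added example for this post, not code from the original article or from 360 Visibility. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can read directory roles; the domain list in $internalDomains is a placeholder you replace with your verified domains. Note that partner access delegated through DAP or GDAP is not necessarily represented as a member of the Global Administrator role, so the Partner relationships page in the admin center remains the authoritative check for partners.

```powershell
# Added example (not from the original post): list Global Administrator role
# members in your own tenant and flag principals that are not owned internally.
# Assumption: Microsoft.Graph SDK installed; the caller can read directory roles.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Well-known role template ID of the Global Administrator role (same in every tenant).
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"

# Assumption: replace with the domains your organization owns. Any UPN outside
# this list is treated as external and flagged for review.
$internalDomains = @("contoso.com", "contoso.onmicrosoft.com")

$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

$report = foreach ($m in $members) {
    $type = $m.AdditionalProperties['@odata.type']
    if ($type -eq '#microsoft.graph.user') {
        $u = Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,UserType,AccountEnabled
        $domain = ($u.UserPrincipalName -split '@')[-1]
        [pscustomobject]@{
            Principal = $u.UserPrincipalName
            Type      = 'User'
            Enabled   = $u.AccountEnabled
            # Flag guests (B2B accounts) and any UPN from a domain you do not own.
            Flag      = ($u.UserType -eq 'Guest') -or ($domain -notin $internalDomains)
        }
    } else {
        # Groups, service principals or other directory objects holding GA:
        # always worth a manual look, so flag them unconditionally.
        [pscustomobject]@{
            Principal = $m.AdditionalProperties['displayName']
            Type      = ($type -replace '^#microsoft\.graph\.', '')
            Enabled   = $null
            Flag      = $true
        }
    }
}

$report | Format-Table -AutoSize

# Check 1: at least two enabled, internally owned Global Administrators.
$internalCount = @($report | Where-Object { $_.Type -eq 'User' -and $_.Enabled -and -not $_.Flag }).Count
if ($internalCount -lt 2) {
    Write-Warning "Only $internalCount enabled internal Global Administrator(s); keep at least two."
}

# Check 2: no Global Administrator principal outside your control.
$flagged = @($report | Where-Object { $_.Flag })
if ($flagged.Count -gt 0) {
    Write-Warning "Global Administrator principals to review (guest, external domain or non-user):"
    $flagged | Format-Table -AutoSize
}
```

Run it with an account that holds a directory-reader role; it changes nothing in the tenant. Treat every flagged line as a question to answer, not automatically as a problem: a legitimately owned service principal can hold the role, but each one should be documented under your governance model.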

3. Conflicting Configurations and Policy Drift

Multiple partners working independently can unintentionally override each other’s policies.

Examples include:

  • Conflicting Conditional Access policies
  • Duplicate or inconsistent security baselines
  • Misconfigured data loss prevention (DLP) rules

This increases operational risk and weakens governance.

Best practice: Centralize oversight under a clearly defined governance model with documented role separation.

4. Increased Supply Chain Exposure

Threat actors increasingly target IT service providers to gain downstream access to client environments. More partners = more potential entry points.

Mitigation measures to verify with your provider:

  • 100% enforced Multi-Factor Authentication (MFA)
  • Role-based access controls
  • Security training for administrative staff
  • Regular access reviews

Recommended Access Model (GDAP vs. Legacy DAP)

Microsoft has shifted from broad, permanent administrative access toward granular, role-based access through GDAP.

Below are examples of appropriate role alignment (the license row is split in two, because assigning licenses and managing subscriptions are different tasks with different least-privilege roles):

  Task                              Recommended role                   Avoid
  Reset user passwords              Helpdesk Administrator             Global Administrator
  Manage Exchange                   Exchange Administrator             Global Administrator
  Assign user licenses              License Administrator              User Administrator, Global Administrator
  Manage subscriptions and billing  Billing Administrator              Global Administrator
  General support                   GDAP (time-bound, scoped roles)    Legacy DAP

The principle: grant the minimum level of access required for the task.

Governance Best Practices

Organizations should:

  • Consolidate to a single primary Microsoft partner where possible
  • Review partner access quarterly
  • Eliminate legacy DAP relationships
  • Maintain internal Global Administrator ownership
  • Document administrative roles and escalation paths

Multiple Microsoft partners within a tenant can introduce complexity, reduce visibility, and increase risk. A consolidated partner model combined with GDAP and strong internal governance significantly reduces exposure. Regular audits of partner relationships should be part of your Microsoft 365 security hygiene.

Published by John Saund, 360 Visibility