MC1409305 - Microsoft Entra: Blocking new assignments to partner tier support roles
Summary
Microsoft Entra will block new assignments to Partner Tier1 and Tier2 Support roles starting August 3, 2026, as these roles are retired. Existing assignments remain valid. Admins should update scripts and use alternative roles like User Administrator. No impact if these roles aren't used.
More information
What and Why
As part of ongoing role lifecycle management in Microsoft Entra, we will block new assignments to the Partner Tier1 Support and Partner Tier2 Support roles. These roles are no longer intended for use and are being retired. This change supports improved security and clearer role usage by encouraging the use of least-privilege roles.
Rollout Schedule
- Global: Beginning August 3, 2026, and expected to complete by August 24, 2026
Impact on Your Organization
Who is affected
- Admins who manage role assignments in Microsoft Entra, including those using CSP or GDAP delegated access scenarios
Platforms/Services
- Microsoft Entra ID across portals, APIs, and automation workflows
What will happen
- New assignments to Partner Tier1 Support and Partner Tier2 Support roles will be blocked.
- This change is part of the retirement process for these roles.
- If your organization does not use these roles, this change has no operational impact.
- Attempts to assign these roles will fail with HTTP 400 (Request_BadRequest), indicating that assignments are no longer allowed.
- Existing role assignments will continue to work without changes.
- Removal of existing assignments will continue to work.
- No other roles in Microsoft Entra are affected.
Action Required/Recommendations
- No action is required if your organization does not use these roles.
- If you currently use these roles, review and update any scripts, automation, or workflows that assign them.
- For most scenarios, User Administrator is the closest replacement.
- Replace usage with appropriate alternatives such as:
  - User Administrator
  - Helpdesk Administrator
  - Groups Administrator
  - License Administrator
  - Domain Name Administrator
- Consider creating a custom role aligned to least privilege requirements if needed.
- Review CSP or GDAP delegated admin configurations for use of these roles.
- Update internal documentation and admin guidance as appropriate.
- Contact Microsoft Support if you need help identifying a replacement role.
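One way to find out whether the two roles are in use before updating scripts is to list their current assignments. The following is an added example, not part of the Microsoft notice; it assumes the Microsoft Graph PowerShell SDK is installed, and the CSV file name is a placeholder. It reports only active directory role assignments in the tenant you connect to.

```powershell
# Added example: inventory existing assignments of the two retiring roles.
# Assumes the Microsoft.Graph modules (Identity.Governance, DirectoryObjects) are installed.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# Role names as given in the notice.
$retiringRoles = 'Partner Tier1 Support', 'Partner Tier2 Support'

$report = foreach ($roleName in $retiringRoles) {
    # Resolve the role by display name so no role ID is hard-coded here.
    $definition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
    if (-not $definition) {
        Write-Warning "Role definition '$roleName' not found in this tenant."
        continue
    }

    # Active assignments only; PIM-eligible assignments are not covered by this query.
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "roleDefinitionId eq '$($definition.Id)'" -All

    foreach ($assignment in $assignments) {
        # A principal can be a user, group or service principal; a deleted one will not resolve.
        $principal = Get-MgDirectoryObject -DirectoryObjectId $assignment.PrincipalId `
            -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Role          = $roleName
            DisplayName   = if ($principal) { $principal.AdditionalProperties['displayName'] } else { $null }
            PrincipalType = if ($principal) {
                $principal.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.'
            } else { 'unresolved' }
            PrincipalId   = $assignment.PrincipalId
            Scope         = $assignment.DirectoryScopeId
            AssignmentId  = $assignment.Id
        }
    }
}

if ($report) {
    $report | Sort-Object Role, DisplayName | Format-Table -AutoSize
    # Placeholder output path; keep the export as the baseline for the migration.
    $report | Export-Csv -Path .\partner-support-role-assignments.csv -NoTypeInformation
} else {
    Write-Output 'No active assignments to Partner Tier1 Support or Partner Tier2 Support found.'
}
```

An empty result here does not rule out scripts or workflows that still try to assign the roles; those need a separate search of your automation.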
Learn more:
- Microsoft Entra built-in roles (Microsoft Learn)
- Partner Tier1 Support - Microsoft Entra built-in roles (Microsoft Learn)
- Partner Tier2 Support - Microsoft Entra built-in roles (Microsoft Learn)
- Roles not shown in the portal - Microsoft Entra built-in roles (Microsoft Learn)
Compliance considerations
No compliance considerations identified; review as appropriate for your organization.