![Microsoft Entra: Blocking new assignments to partner tier support roles [MC1409305]](https://mwpro.co.uk/wp-content/uploads/2025/06/pexels-cottonbro-4874232-1024x683.webp "Microsoft Entra: Blocking new assignments to partner tier support roles [MC1409305] 1")
[What and Why]
As part of ongoing role lifecycle management in Microsoft Entra, we will block new assignments to the Partner Tier1 Support and Partner Tier2 Support roles. These roles are no longer intended for use and are being retired. This change supports improved security and clearer role usage by encouraging the use of least-privilege roles.
[Rollout Schedule]
- Global: Beginning August 3, 2026, and expected to complete by August 24, 2026
[Impact on Your Organization]
Who is affected
- Admins who manage role assignments in Microsoft Entra, including those using CSP or GDAP delegated access scenarios
Platforms/Services
- Microsoft Entra ID across portals, APIs, and automation workflows
What will happen
- New assignments to Partner Tier1 Support and Partner Tier2 Support roles will be blocked.
- This change is part of the retirement process for these roles.
- If your organization does not use these roles, this change has no operational impact.
- Attempts to assign these roles will fail with HTTP 400 (Request_BadRequest), indicating that assignments are no longer allowed.
- Existing role assignments will continue to work without changes.
- Removal of existing assignments will continue to work.
- No other roles in Microsoft Entra are affected.
[Action Required/Recommendations]
- No action is required if your organization does not use these roles.
- If you currently use these roles, review and update any scripts, automation, or workflows that assign them.
- For most scenarios, User Administrator is the closest replacement.
- Replace usage with appropriate alternatives such as:
- User Administrator
- Helpdesk Administrator
- Groups Administrator
- License Administrator
- Domain Name Administrator
- Consider creating a custom role aligned to least privilege requirements if needed.
- Review CSP or GDAP delegated admin configurations for use of these roles.
- Update internal documentation and admin guidance as appropriate.
- Contact Microsoft Support if you need help identifying a replacement role.
Learn more:
- Microsoft Entra built-in roles | Role-based access control | Microsoft Entra ID | Microsoft Entra | Microsoft Learn
- Partner Tier1 Support – Microsoft Entra built-in roles | Role-based access control | Microsoft Entra ID | Microsoft Entra | Microsoft Learn
- Partner Tier2 Support – Microsoft Entra built-in roles | Role-based access control | Microsoft Entra ID | Microsoft Entra | Microsoft Learn
- Roles not shown in the portal – Microsoft Entra built-in roles | Role-based access control | Microsoft Entra ID | Microsoft Entra | Microsoft Learn
[Compliance considerations]
No compliance considerations identified, review as appropriate for your organization.
Source: Microsoft
Latest Posts
- AWS WAF adds support for Amazon Bedrock AgentCore Gateway
- Amazon ElastiCache now supports Valkey 9.1
- Microsoft Entra: Blocking new assignments to partner tier support roles [MC1409305]
- Microsoft Edge enforces screen capture restrictions for sensitivity-labeled PDFs in OneDrive and SharePoint [MC1409303]
![Microsoft Edge enforces screen capture restrictions for sensitivity-labeled PDFs in OneDrive and SharePoint [MC1409303]](https://mwpro.co.uk/wp-content/uploads/2025/06/pexels-polina-kovaleva-5546851-96x96.webp "Microsoft Edge enforces screen capture restrictions for sensitivity-labeled PDFs in OneDrive and SharePoint [MC1409303] 6")
