ca7d8a2605
@mtniehaus & @greg-lindsay As per mizar - adding a note callout to let customers know they cannot remove a partner from MSfB. Manual removal is neccesary by sending email.
5.9 KiB
title, description, keywords, ms.reviewer, manager, ms.prod, ms.mktglfcycl, ms.localizationpriority, ms.sitesec, ms.pagetype, audience, author, ms.author, ms.collection, ms.topic
| title | description | keywords | ms.reviewer | manager | ms.prod | ms.mktglfcycl | ms.localizationpriority | ms.sitesec | ms.pagetype | audience | author | ms.author | ms.collection | ms.topic |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Windows Autopilot customer consent | Learn how a cloud service provider (CSP) partner or an OEM can get customer authorization to register Windows Autopilot devices on the customer’s behalf. | mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune | mniehaus | laurawi | w10 | deploy | medium | library | deploy | itpro | greg-lindsay | greglin | M365-modern-desktop | article |
Windows Autopilot customer consent
Applies to: Windows 10
This article describes how a cloud service provider (CSP) partner (direct bill, indirect provider, or indirect reseller) or an OEM can get customer authorization to register Windows Autopilot devices on the customer’s behalf.
CSP authorization
CSP partners can get customer authorization to register Windows Autopilot devices on the customer’s behalf per the following restrictions:
| Direct CSP | Gets direct authorization from the customer to register devices. |
| Indirect CSP Provider | Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center. |
| Indirect CSP Reseller | Gets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. |
Steps
For a CSP to register Windows Autopilot devices on behalf of a customer, the customer must first grant that CSP partner permission using the following process:
-
CSP sends link to customer requesting authorization/consent to register/manage devices on their behalf. To do so:
- CSP logs into Microsoft Partner Center
- Click Dashboard on the top menu
- Click Customer on the side menu
- Click the Request a reseller relationship link:
- Select the checkbox indicating whether or not you want delegated admin rights:
- NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Admin Center or the Office 365 admin portal: https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges
- Send the template above to the customer via email.
-
Customer with global administrator privileges in Microsoft Admin Center clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following Microsoft 365 admin center page:
The image above is what the customer will see if they requested delegated admin rights (DAP). Note that the page says what Admin roles are being requested. If the customer did not request delegated admin rights they would see the following page:
Note
A user without global admin privileges who clicks the link will see a message similar to the following:
-
Customer selects the Yes checkbox, followed by the Accept button. Authorization happens instantaneously.
-
The CSP will know that this consent/authorization request has been completed because the customer will show up in the CSP’s MPC account under their customers list, for example:
OEM authorization
Each OEM has a unique link to provide to their respective customers, which the OEM can request from Microsoft via msoemops@microsoft.com.
-
OEM emails link to their customer.
-
Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link once they receive it from the OEM, which takes them directly to the following MSfB page:
Note
A user without global admin privileges who clicks the link will see a message similar to the following:
-
Customer selects the Yes checkbox, followed by the Accept button, and they’re done. Authorization happens instantaneously.
Note
Once this process has completed, it is not currently possible for an administrator to remove an OEM. To remove an OEM or revoke their permissions, send a request to msoemops@microsoft.com
-
The OEM can use the Validate Device Submission Data API to verify the consent has completed. This API is discussed in the latest version of the API Whitepaper, p. 14ff https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx. Note: this link is only accessible by Microsoft Device Partners. As discussed in this whitepaper, it’s a best practice recommendation for OEM partners to run the API check to confirm they’ve received customer consent before attempting to register devices, thus avoiding errors in the registration process.
Note
During the OEM authorization registration process, no delegated admin permissions are granted to the OEM.
Summary
At this stage of the process, Microsoft is no longer involved; the consent exchange happens directly between the OEM and the customer. And, it all happens instantaneously - as quickly as buttons are clicked.