Microsoft 365 Message Center item MC1409305
MC1409305 - Microsoft Entra: Blocking new assignments to partner tier support roles
Microsoft Entra will block new assignments to Partner Tier1 and Tier2 Support roles starting August 3, 2026, as these roles are retired. Existing assignments remain valid. Admins should update scripts and use alternative roles like User Administrator. No impact if these roles aren't used.
- Message Center ID
- MC1409305
- Category
- plan For Change
- Severity
- normal
- Services
- Microsoft Entra
- Tags
- User impact, Admin impact, Retirement
- Published
- 2026-06-29
- Last updated
- 2026-06-29
- Expires
- 2026-09-24
[What and Why]As part of ongoing role lifecycle management in Microsoft Entra, we will block new assignments to the Partner Tier1 Support and Partner Tier2 Support roles. These roles are no longer intended for use and are being retired. This change supports improved security and clearer role usage by encouraging the use of least-privilege roles.[Rollout Schedule]Global: Beginning August 3, 2026, and expected to complete by August 24, 2026[Impact on Your Organization]Who is affected Admins who manage role assignments in Microsoft Entra, including those using CSP or GDAP delegated access scenariosPlatforms/Services Microsoft Entra ID across portals, APIs, and automation workflowsWhat will happenNew assignments to Partner Tier1 Support and Partner Tier2 Support roles will be blocked.This change is part of the retirement process for these roles.If your organization does not use these roles, this change has no operational impact.Attempts to assign these roles will fail with HTTP 400 (Request_BadRequest), indicating that assignments are no longer allowed.Existing role assignments will continue to work without changes.Removal of existing assignments will continue to work.No other roles in Microsoft Entra are affected.[Action Required/Recommendations]No action is required if your organization does not use these roles.If you currently use these roles, review and update any scripts, automation, or workflows that assign them.For most scenarios, User Administrator is the closest replacement.Replace usage with appropriate alternatives such as:User AdministratorHelpdesk AdministratorGroups AdministratorLicense AdministratorDomain Name AdministratorConsider creating a custom role aligned to least privilege requirements if needed.Review CSP or GDAP delegated admin configurations for use of these roles.Update internal documentation and admin guidance as appropriate.Contact Microsoft Support if you need help identifying a replacement role.Learn more: Microsoft Entra built-in roles | Role-based access control | Microsoft Entra ID | Microsoft Entra | Microsoft LearnPartner Tier1 Support - Microsoft Entra built-in roles | Role-based access control | Microsoft Entra ID | Microsoft Entra | Microsoft LearnPartner Tier2 Support - Microsoft Entra built-in roles | Role-based access control | Microsoft Entra ID | Microsoft Entra | Microsoft LearnRoles not shown in the portal - Microsoft Entra built-in roles | Role-based access control | Microsoft Entra ID | Microsoft Entra | Microsoft Learn[Compliance considerations]No compliance considerations identified, review as appropriate for your organization.