field note · IT Strategy · Business Protection

How to Lock Down Your Reseller From Owning Your Stuff

Stop your reseller owning your tenant. The Microsoft GDAP setup, Google reseller mechanics and the five contract clauses that keep your data in your name.

Cathleen Ogier · founder · 08 May 2026 · 12 min read

TL;DR

A good reseller adds value without owning anything. The tenant is yours. The super-admin lives at your domain. The partner gets delegated, role-scoped, time-bound access. Never the keys. Microsoft does this through GDAP, Google does it through the reseller programme plus a customer-side super-admin, and your contract should name the transfer process before you ever sign. This piece walks through what each platform calls “delegated”, how to set it up, and the five clauses every reseller agreement should carry.

Why does “reseller lock-in” happen so often?

Because it is easier. For both sides. When a small business signs up for Microsoft 365 or Google Workspace through a reseller, the fastest path is partner-controlled. The partner stands the tenant up under their own admin, makes themselves super-admin or Global Admin, hands a user account back to the client, and gets on with the work.

Two years pass. The relationship sours, the partner is acquired, or the client wants a competing quote. The partner literally owns the identity infrastructure. They control the recovery email. They hold the only Global Admin credentials. They have the billing relationship with Microsoft or Google. “Transfer” is a negotiation, not a clerical step.

We see this most weeks. Rarely malice. It is the default that drifts in when no one sets it up properly. The fix is not to refuse working with a reseller; a competent one saves real money and real risk. The fix is to insist on the right shape from day one. Delegated access, not owned access.

What’s the difference between delegated access and owned access?

Owned access means the partner’s identity is the privileged identity in your environment. If they walk, the tenant walks with them.

Delegated access means the partner’s identity is granted scoped, role-based permissions into an environment fully owned by the customer. Customer admin is the source of truth. Partner gets a role; that role can be revoked. The tenant stays put.

Mechanics differ by platform.

Microsoft 365 uses GDAP, Granular Delegated Admin Privileges. GDAP replaced the old DAP model, which gave partners blanket Global Admin with no audit trail. Under GDAP a Cloud Solution Provider (CSP) requests specific Entra ID roles for a specific duration, and the customer approves through the Microsoft 365 admin centre. Common roles a healthy CSP asks for: Helpdesk Administrator, User Administrator, Exchange Administrator, SharePoint Administrator, Intune Administrator, Authentication Administrator, Security Administrator, Service Support Administrator. Time-bound (typically 12 months, renewable on consent), logged against the partner’s identity, revocable from Settings → Partner relationships. Your own Global Admins remain customer-domain. The partner does not get a Global Admin seat. Ever.

Google Workspace uses a different mechanism. Google’s reseller programme gives the reseller a billing and SKU-management relationship, but the super-admin of the customer tenant is, and must be, a customer-domain identity. Reseller staff get added with scoped admin roles (User Management Admin, Help Desk Admin, custom roles) signing in as @reseller.com accounts. What ties you commercially is the transfer token: a one-time token Google issues that lets you move the billing relationship to another reseller, or to direct. The reseller does not own the tenant; they hold the SKU contract.

Neither platform requires you to give up ownership. Both make it easy to give it up accidentally if nobody is watching the setup.

How to set up Microsoft 365 properly with a CSP partner

Right shape, in order:

You own the tenant. Built against your own domain (verified by you in DNS), signed up in the name of a director, billing address at your registered office. Even if the partner does the click-work, the tenant owner record must be a person at your business.

Two break-glass Global Admins, both at your domain. Not the partner’s. Cloud-only accounts (no on-prem sync), passwords sealed in a manager only directors can open, MFA on FIDO2 hardware keys, excluded from any Conditional Access policy that could lock them out, sign-in alerting wired up. See Controls You Should Never Give Up and Most Break-Glass Accounts Won’t Work.

The partner gets GDAP roles, not Global Admin. Microsoft prompts you to approve the GDAP role request when the CSP relationship is formed. Read it. Roles should match the work: User Administrator and Helpdesk for tickets, Exchange Administrator for mail flow, Intune Administrator for devices, Security Administrator for Defender. Global Administrator should not be on the request. A reputable partner tunes to least privilege.

No partner identity holds Global Admin at your tenant. Even outside GDAP, no @partner-domain account should be a Global Admin. If one was added during stand-up, remove it.

Billing can sit with the CSP without the identity. Through the CSP programme the partner becomes reseller of record. Channel margin to them, ZAR invoice to you, licences flex monthly. Commercial reseller and technical delegated admin are separate relationships.

Ownership artifacts on demand: original tenant sign-up email, Global Admin recovery (phone and email at your business), GDAP role assignment list, copy of the partner contract.

How to set up Google Workspace properly with a reseller

Same principle, different mechanics.

Super-admin at your domain. Two super-admin accounts at your custom domain, hardware security keys, recovery info pointing back at you (not the reseller), enrolled in Google’s Advanced Protection Program where the cost makes sense. Your Workspace break-glass.

The reseller is a transfer-token holder, not a super-admin. The reseller’s contractual right is to manage your subscription with Google: seats, SKU, renewals. None of that requires super-admin in your tenant. The commercial relationship sits at the Google reseller console, not your admin console.

Reseller staff get scoped admin roles. They sign in as @reseller.com identities. Role should be Help Desk Admin or User Management Admin for routine work, Services Admin for Drive or Gmail policy, Mobile Admin for endpoints. Custom admin roles are supported and we use them often. Super Admin is not a default partner role. Grant temporarily for a change window, revoke the same day.

The transfer token is your exit lever. Google issues the customer a transfer token on request. It moves you to another reseller, or to direct billing. Tenant and data do not move. Only the SKU and billing relationship moves. A healthy reseller issues it within their advertised SLA. A locked-in reseller will delay, charge or refuse. Delay is the audit signal.

Recovery info at your domain. Google asked for a recovery email and phone when the tenant was stood up. Both should be at the customer organisation. Open Admin Console → Account → Account settings and confirm. We have walked into Workspace tenants where it was the reseller owner’s personal Gmail. Thirty-second fix; nobody had looked.
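An access-map checker for the Microsoft 365 and Google Workspace shapes described in the two sections above, as an added example (this is not tooling from the article or from OSH). The input records are constructed to resemble what you would copy out of the Microsoft 365 admin centre (Global Administrator members and the GDAP relationship under Settings → Partner relationships) and the Google Admin console (admin role assignments and the Account settings recovery contacts); the field names, the customer domain `example.co.za` and the partner domain `reseller.example` are assumptions for the example.

```python
"""Reseller access-map audit for Microsoft 365 and Google Workspace (added example)."""
from __future__ import annotations
from datetime import date

CUSTOMER_DOMAINS = {"example.co.za"}   # constructed customer domain
MAX_GDAP_DAYS = 366                    # "typically 12 months", renewable on consent
MIN_BREAK_GLASS = 2                    # two break-glass admins per platform

# Roles the article lists as what a healthy CSP asks for under GDAP.
EXPECTED_GDAP_ROLES = {
    "Helpdesk Administrator", "User Administrator", "Exchange Administrator",
    "SharePoint Administrator", "Intune Administrator", "Authentication Administrator",
    "Security Administrator", "Service Support Administrator",
}


def is_customer_identity(address: str) -> bool:
    """True when the account sits at a customer-owned domain."""
    return address.rsplit("@", 1)[-1].lower() in CUSTOMER_DOMAINS


def audit_m365(global_admins: list[dict], gdap: dict) -> list[str]:
    """Customer-domain break-glass GAs, no partner GA, scoped and time-bound GDAP."""
    findings = []
    for acct in global_admins:
        if not is_customer_identity(acct["upn"]):
            findings.append(f"M365: partner identity {acct['upn']} holds Global Administrator; remove it")
    break_glass = [a for a in global_admins if is_customer_identity(a["upn"])]
    if len(break_glass) < MIN_BREAK_GLASS:
        findings.append(f"M365: only {len(break_glass)} customer-domain Global Admin(s); need {MIN_BREAK_GLASS}")
    for acct in break_glass:
        if acct.get("synced_from_on_prem"):
            findings.append(f"M365: break-glass {acct['upn']} is synced from on-prem; must be cloud-only")
        if "fido2" not in acct.get("auth_methods", []):
            findings.append(f"M365: break-glass {acct['upn']} has no FIDO2 key registered")
    requested = set(gdap["roles"])
    if "Global Administrator" in requested:
        findings.append(f"GDAP: {gdap['partner']} requested Global Administrator; do not approve")
    for role in sorted(requested - EXPECTED_GDAP_ROLES - {"Global Administrator"}):
        findings.append(f"GDAP: role {role} is outside the usual scoped set; confirm it matches contracted work")
    duration = (gdap["end"] - gdap["start"]).days
    if duration > MAX_GDAP_DAYS:
        findings.append(f"GDAP: relationship runs {duration} days; keep it to about 12 months, renewed on consent")
    return findings


def audit_workspace(admins: list[dict], recovery: dict) -> list[str]:
    """Customer-domain Super Admins on hardware keys, reseller staff scoped, recovery at the customer."""
    findings = []
    super_admins = [a for a in admins if a["role"] == "Super Admin"]
    for acct in super_admins:
        if not is_customer_identity(acct["email"]):
            findings.append(f"Workspace: reseller identity {acct['email']} holds Super Admin; downgrade to a scoped role")
    customer_sa = [a for a in super_admins if is_customer_identity(a["email"])]
    if len(customer_sa) < MIN_BREAK_GLASS:
        findings.append(f"Workspace: only {len(customer_sa)} customer-domain Super Admin(s); need {MIN_BREAK_GLASS}")
    for acct in customer_sa:
        if not acct.get("hardware_key"):
            findings.append(f"Workspace: Super Admin {acct['email']} is not on a hardware security key")
    if not is_customer_identity(recovery["email"]):
        findings.append(f"Workspace: recovery email {recovery['email']} is not at the customer domain")
    if recovery.get("phone_owner") != "customer":
        findings.append("Workspace: recovery phone is not held by the customer organisation")
    return findings


# Constructed sample data showing the drift the article describes.
SAMPLE_GLOBAL_ADMINS = [
    {"upn": "breakglass1@example.co.za", "synced_from_on_prem": False, "auth_methods": ["fido2"]},
    {"upn": "breakglass2@example.co.za", "synced_from_on_prem": False, "auth_methods": ["fido2"]},
    {"upn": "admin@reseller.example", "synced_from_on_prem": False, "auth_methods": ["authenticator"]},
]
SAMPLE_GDAP = {
    "partner": "reseller.example",
    "roles": ["User Administrator", "Helpdesk Administrator", "Exchange Administrator",
              "Intune Administrator", "Global Administrator"],
    "start": date(2026, 5, 8), "end": date(2028, 5, 8),
}
SAMPLE_WORKSPACE_ADMINS = [
    {"email": "breakglass1@example.co.za", "role": "Super Admin", "hardware_key": True},
    {"email": "breakglass2@example.co.za", "role": "Super Admin", "hardware_key": False},
    {"email": "tech@reseller.example", "role": "Help Desk Admin", "hardware_key": True},
    {"email": "owner@reseller.example", "role": "Super Admin", "hardware_key": True},
]
SAMPLE_RECOVERY = {"email": "resellerowner@gmail.com", "phone_owner": "reseller"}


def run_audit() -> dict[str, list[str]]:
    return {"m365": audit_m365(SAMPLE_GLOBAL_ADMINS, SAMPLE_GDAP),
            "workspace": audit_workspace(SAMPLE_WORKSPACE_ADMINS, SAMPLE_RECOVERY)}


if __name__ == "__main__":
    for platform, findings in run_audit().items():
        print(platform, "OK" if not findings else "")
        for line in findings:
            print("  -", line)
```

Run against the constructed sample it reports a partner-domain Global Admin, a GDAP request carrying Global Administrator for a two-year term, a reseller Super Admin, a break-glass account without a hardware key, and recovery contacts pointing at the reseller; an empty list for a platform means that console matches the shape the article asks for.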

How to handle vendor-specific tools (Bitdefender, Exclaimer, Hexnode, Intune)

Same pattern at every vendor surface. Customer-named account with the vendor, partner technician given delegated access into it.

Bitdefender GravityZone. Right setup: a customer-named GravityZone Cloud Control Center company under your business name, owned by a customer-domain account. Partner gets a Partner or Custom role: daily admin rights, no ability to delete the company or change ownership. Wrong setup we still inherit regularly: endpoints registered inside the partner’s own GravityZone tenant under a folder named after your business. If that partner closes, is acquired or has a billing dispute, your endpoints stop reporting and you have no console. Customer-named company structure is non-negotiable.

Exclaimer Cloud Signatures. Subscription issued against a customer organisation. Partner added as additional administrator. Customer name, customer billing address.

Hexnode UEM. Customer-owned tenant, customer contact email as registered owner. Reseller technicians added as additional admins with scoped roles. Certificate stores, Apple Push Certificate and device enrolment programme tokens belong to the customer, signed under the customer’s Apple ID.

Microsoft Intune. Inherits the GDAP shape. Intune Administrator is the right scope. Apple Push Certificate, Apple Business Manager and Android Enterprise tokens configured under the customer’s Apple ID, not the partner’s. Goes wrong when Apple Business Manager was set up under the partner’s Apple ID; recoverable, but Apple requires notarised proof of business ownership to transfer.

Principle: the company-of-record at the vendor is your business. Partner access is a delegated layer on top. Apply that test at every console.

The 5 contract clauses you should always insist on

Technical setup is necessary, not sufficient. Contract is the second half.

1. Explicit account ownership. Customer named as sole owner of tenant, directory, data and vendor accounts (Microsoft tenant ID, Google customer ID, Bitdefender company ID, Hexnode account ID, Apple Business Manager organisation). Partner holds delegated technical access only. No persistent ownership-equivalent privilege without written customer approval.

2. Named transfer process and SLA. Name the steps (revoke GDAP, issue Google transfer token, change Bitdefender ownership), name the responsible party, give an SLA. Five business days is reasonable. Twenty is a delay tactic. Without a named SLA, “transfer in due course” has stretched to six months in cases we have seen.

3. Data export rights. Customer has the right, on request, during or after the contract, to a full export of customer data in a portable format. For M365: PST, OneDrive sync, SharePoint Migration Manager. For Workspace: Takeout and Vault exports. Partner assists at standard hourly rates, not exit-penalty rates.

4. No exit fees beyond the current term. Leave at the end of any committed term with no separate exit fee, transfer penalty or “deconfiguration charge”. Annual M365 commitments are fine; one-month notice on the managed-service fee should be the default.

5. Named SLAs for handover. Partner produces a documented handover pack on exit: tenant credentials path, GDAP revoked, Google transfer token issued, vendor ownership transferred, runbook of custom configuration, incoming reseller briefed. Ten business days from notice.

These clauses are not unreasonable. We sign them with our own clients. Any reseller resisting them is telling you how the relationship will end.

What does the renewal conversation actually look like?

Renewal with a healthy reseller is short and slightly boring. That is the goal.

The reseller sends a renewal pack 60 to 90 days before term end. It lists current SKUs and seat counts, flags licence drift (Business Premium seats that only need Standard, or vice versa), shows the next-period rate in ZAR, confirms that GDAP and scoped admin assignments will be renewed on consent. Pricing changes are explained, not smuggled in.

You ask three questions. Has anything changed in the access scope? Are we still right-sized? What is the cancellation path? Answers should be: nothing without your consent, here is the right-sizing analysis, here is the transfer process documented in the contract.

Trouble signal: renewal presented as automatic and bundled with a multi-year commitment that “locks in pricing” while exit terms stay vague. Another signal: the reseller never raises right-sizing on their own initiative. Right-sizing reduces partner revenue. Raising it anyway is the marker of a reseller playing the long relationship rather than the short margin.

What if your current reseller HAS owned access?

It happens. The recovery sequence below works most of the time. Stay calm. Document.

Step one: request transfer in writing, with a date. Email the reseller. State that you want to (a) regain Global Admin and Super Admin under your own domain, (b) move GDAP to a named scope, (c) receive the Google transfer token if applicable, (d) transfer ownership of vendor accounts into your name. Ten business days is fair. Cc your operations director.

Step two: document the resistance. If the reseller delays, asks for fees, claims the transfer is not technically possible, or stops responding, save every message. Note dates. Move follow-ups to email rather than WhatsApp; you want a forensic record.

Step three: escalate inside the partner’s organisation. A first-line account manager locking you in is usually doing it on their own initiative. Find the partner’s director or channel lead. Reference the original commercial agreement and documented requests. Most resistance evaporates here.

Step four: vendor escalation. Microsoft, Google, Bitdefender and Hexnode all have channel-partner conduct standards. For Microsoft, use the CSP partner support line; you can request that Microsoft reset GDAP, reset billing or relocate the tenant to a different CSP. For Google, customer-of-record transfer-token requests go through Google support. Document the partner first; vendors want evidence, not opinion.

Step five: last-resort, vendor-led migration. Worst cases (partner insolvent, hostile or silent): vendors can help the customer rebuild the relationship under direct ownership. Both Microsoft and Google require proof of legitimate domain ownership. Painful, recoverable, slow.

The point: the customer always has a path back. What the partner holds is friction, not control. If you escalate, the friction breaks.
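A small tracker for steps one and two of the recovery sequence, as an added example (not from the article or OSH): it counts business days since the written transfer request, compares them to the SLA you named in that request or in the contract, and keeps the dated evidence log that later escalation depends on. The timeline, the partner replies and the ten-business-day SLA are constructed; business days are assumed to be Monday to Friday with no public-holiday calendar.

```python
"""Transfer-request SLA tracker with a dated evidence log (added example)."""
from datetime import date, timedelta


def business_days_after(start: date, end: date) -> int:
    """Weekdays strictly after `start` up to and including `end` (no holiday calendar: assumption)."""
    if end <= start:
        return 0
    count, day = 0, start
    while day < end:
        day += timedelta(days=1)
        if day.weekday() < 5:  # Monday=0 ... Friday=4
            count += 1
    return count


class TransferRequest:
    """One written transfer request and the evidence trail around it."""

    def __init__(self, sent_on: date, sla_business_days: int, scope: str):
        self.sent_on = sent_on
        self.sla = sla_business_days
        self.log = [(sent_on, "request", f"Transfer requested in writing: {scope}")]

    def note(self, on: date, kind: str, text: str) -> None:
        """Record a reply, a delay, a fee demand or silence, with its date, for the forensic record."""
        self.log.append((on, kind, text))

    def status(self, today: date) -> dict:
        """Business days elapsed against the SLA; 'overdue' is the audit signal the article describes."""
        elapsed = business_days_after(self.sent_on, today)
        return {"elapsed": elapsed, "sla": self.sla,
                "overdue": elapsed > self.sla, "days_over": max(0, elapsed - self.sla)}

    def evidence(self) -> str:
        """Chronological, one line per event, ready to paste into the escalation email."""
        return "\n".join(f"{d.isoformat()} [{k}] {t}" for d, k, t in sorted(self.log))


# Constructed timeline: request sent Friday 8 May 2026 with a ten-business-day SLA.
SAMPLE = TransferRequest(
    date(2026, 5, 8), 10,
    "regain Global Admin and Super Admin at our domain; scope GDAP; issue Google transfer token",
)
SAMPLE.note(date(2026, 5, 12), "reply", "Partner says the transfer is 'being looked at'")
SAMPLE.note(date(2026, 5, 19), "fee", "Partner quotes a 'deconfiguration charge' for handover")

if __name__ == "__main__":
    print(SAMPLE.status(date(2026, 5, 25)))
    print(SAMPLE.evidence())
```

Checked on Friday 22 May the request is exactly at the SLA; by Monday 25 May it is one business day over, which is the point at which the sequence moves to step three.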

How OSH does it

Microsoft CSP partner. Google Workspace reseller. We resell Bitdefender, Hexnode and Exclaimer. The inverse pattern is built into our engagement document.

Every M365 tenant we manage is customer-owned. Customer Global Admins at the customer’s domain. We hold GDAP roles only: typically User Administrator, Helpdesk Administrator, Exchange Administrator, Intune Administrator, Security Administrator and Service Support Administrator, scoped to 12 months. We do not hold Global Administrator at any client tenant. Ever.

Every Workspace tenant we manage has a customer-domain super-admin owned by the customer. Our staff sign in as @osh.co.za identities with scoped roles. Customer gets the transfer token on request, no questions, no delay.

Bitdefender clients get a customer-named GravityZone company. We are a partner with technician access. Customer can revoke us in two clicks. Same for Hexnode, same for Exclaimer.

Our contract names the transfer SLA at five business days for GDAP revocation and Google transfer-token issuance, ten for full handover documentation. No exit fees beyond the committed term.

A reseller confident in their service quality has no need to hold the keys.

Get a free reseller-relationship audit

Sixty minutes. We log into your M365, Google Workspace and major vendor consoles read-only, with your sign-off, and produce a written current access map: who holds Global Admin, who holds Super Admin, what GDAP roles are assigned, where transfer tokens sit, what recovery email and phone live on each account, what the contract says about exit. GDAP review and contract review included.

Report is yours to keep. If the current reseller comes out clean, we say so. If there are gaps, we name them. If you bring the relationship to OSH, we run the transfer at the SLAs above.

Email support@osh.co.za. Same-business-day reply with a calendar link.

Wider context: Controls You Should Never Give Up, Why Your IT Partner Should Be Offering You X. Platforms: services, professional services, Microsoft 365, Google Workspace.
