This is very new, so I'm not sure if anyone knows about or has had experience with this.
So, context first... Microsoft is pushing MSPs to migrate from Delegated Administrative Privileges (DAP) to Granular Delegated Administrative Privileges (GDAP) in Partner Center to manage client tenants.
So instead of just being either a Helpdesk Admin or a Global Admin through DAP, you can now granularly assign roles to security groups, and these security groups are then applied on a per-tenant basis.
So one of the administrative roles, titled "Azure AD Joined Local Device Administrator", can be assigned as a role to a security group, which then applies to a client tenant.
Traditionally, an Azure AD Joined Local Device Administrator lets an Azure account on a tenant be a local admin on an Azure-joined device.
After performing the GDAP migration, the security group from my parent tenant (the MSP's tenant), which has the Azure AD Joined Local Device Administrator role, is now appearing under all my client tenants, in the normal area where you check which users or groups are Azure AD Joined Local Device Administrators.
So in theory, I understand this as: I SHOULD now be able to use an Azure account from my parent tenant as a local admin on a device that is Azure-joined to another tenant. Of course, when testing this, it did not work.
This would be a game changer, in my opinion, for local admin management on devices, but I would like to find out whether I have the right idea in the way I'm understanding this, and whether anyone might know if this is going to be the case.
Sorry for the length of this; I just couldn't find any information out there yet. Happy to clarify anything I may have muddled up in my explanation.
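One way to check what the post describes from both ends, as an added example that is not part of the original post: enumerate who holds the device local admin role in a client tenant (expanding any group, including a GDAP security group, one level), and then, on the Azure AD joined device itself, confirm that the local Administrators group still carries the role SIDs and whether the current logon token actually contains the device admin role SID. It uses the Microsoft Graph PowerShell SDK and assumes you can sign in to the client tenant with Directory.Read.All; the tenant ID is a placeholder. The role template IDs are the well-known fixed values for "Azure AD Joined Device Local Administrator" (the official spelling of the role the post calls "Azure AD Joined Local Device Administrator") and Global Administrator. The GUID-to-SID mapping (`S-1-12-1-` plus four little-endian uint32 slices of the GUID) is the mapping Windows uses for Azure AD principals on joined devices; treat that, and the behaviour of expanding a partner-tenant group from inside the client tenant, as assumptions to verify in your own environment.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph SDK
# modules below; tenant ID in the usage line is a placeholder.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Groups

# Role template IDs are the same in every tenant; role *object* IDs are not,
# so always look roles up by template ID.
$DeviceAdminTemplateId = '9f06204d-73c1-4d4c-880a-6edb90606fd8'  # Azure AD Joined Device Local Administrator
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'  # Global Administrator

function ConvertTo-EntraSid {
    # Map a directory object / role template GUID to the S-1-12-1-... SID that an
    # Azure AD joined Windows device uses for it in local groups and logon tokens.
    # Assumption: four little-endian uint32 slices of the GUID's byte array.
    param([Parameter(Mandatory)][Guid]$ObjectId)
    $bytes = $ObjectId.ToByteArray()
    $parts = foreach ($i in 0, 4, 8, 12) { [BitConverter]::ToUInt32($bytes, $i) }
    return 'S-1-12-1-' + ($parts -join '-')
}

function Get-DeviceAdminRoleMembers {
    # Enumerate holders of the device local admin role in the signed-in tenant,
    # expanding groups one level so a GDAP security group shows its members.
    param([Parameter(Mandatory)][string]$TenantId)

    Connect-MgGraph -TenantId $TenantId -Scopes 'Directory.Read.All' -NoWelcome

    # The role object only exists once the role has been activated in the tenant.
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$DeviceAdminTemplateId'"
    if (-not $role) {
        Write-Warning "Role not activated in tenant $TenantId; nobody holds it yet."
        return @()
    }

    foreach ($m in (Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)) {
        $type = $m.AdditionalProperties['@odata.type']
        [pscustomobject]@{
            Type        = $type
            Id          = $m.Id
            DisplayName = $m.AdditionalProperties['displayName']
            Upn         = $m.AdditionalProperties['userPrincipalName']
        }
        if ($type -eq '#microsoft.graph.group') {
            # Assumption: a group that lives in another tenant (the GDAP case) may not
            # be expandable from here. That is itself useful, so surface the failure.
            try {
                Get-MgGroupMember -GroupId $m.Id -All | ForEach-Object {
                    [pscustomobject]@{
                        Type        = 'member of ' + $m.AdditionalProperties['displayName']
                        Id          = $_.Id
                        DisplayName = $_.AdditionalProperties['displayName']
                        Upn         = $_.AdditionalProperties['userPrincipalName']
                    }
                }
            } catch {
                Write-Warning "Could not expand group $($m.Id): $($_.Exception.Message)"
            }
        }
    }
}

function Test-LocalAdminRoleSids {
    # Run this on the Azure AD joined device while signed in as the account under test.
    # Local admin rights come from the role SID being in the logon token, not from the
    # role membership shown in the portal, so check both the group and the token.
    $deviceAdminSid = ConvertTo-EntraSid $DeviceAdminTemplateId
    $globalAdminSid = ConvertTo-EntraSid $GlobalAdminTemplateId
    $localAdmins = (Get-LocalGroupMember -Group 'Administrators').SID.Value
    $tokenSids   = (whoami /groups /fo csv | ConvertFrom-Csv).SID
    [pscustomobject]@{
        DeviceAdminSid             = $deviceAdminSid
        DeviceAdminRoleInAdmins    = $localAdmins -contains $deviceAdminSid
        GlobalAdminRoleInAdmins    = $localAdmins -contains $globalAdminSid
        CurrentTokenHasDeviceAdmin = $tokenSids   -contains $deviceAdminSid
    }
}

# Usage (placeholder tenant ID):
# Get-DeviceAdminRoleMembers -TenantId '00000000-0000-0000-0000-000000000000' | Format-Table
# Test-LocalAdminRoleSids
```

If the first function lists the partner-tenant group as a role member but the second reports `CurrentTokenHasDeviceAdmin = False` for a partner account signed in on the device, the role assignment is visible in the directory but is not being stamped into the device logon token, which is the gap the post describes.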