SoftSol IT Outsourcing Hub (Pty) Ltd
Microsoft 365
Administrative Access Rights Statement
Document reference: SS-M365-AARS-01
Version 1.0
Issued: May 2026
Classification: Client-Facing
1. Purpose
This document describes the administrative roles held by SoftSol IT Outsourcing Hub (Pty) Ltd ("SoftSol") within a client’s Microsoft 365 tenant, the specific permissions those roles carry, and the explicit boundaries of what SoftSol is technically able to access under those roles. It is provided to give client organisations complete, documented transparency regarding the scope of SoftSol’s administrative presence in their environment.
This document may be retained by the client for compliance records, shared with internal security or governance teams, or provided to auditors and insurers as evidence of due diligence in MSP access governance.
2. Administrative Framework
SoftSol administers client Microsoft 365 tenants exclusively through Microsoft’s Granular Delegated Admin Privileges (GDAP) framework. GDAP replaced the legacy Delegated Admin Privileges (DAP) model and is Microsoft’s current, recommended standard for MSP-to-tenant administrative relationships.
Under GDAP, each administrative role is individually specified, reviewed, and approved by an authorised administrator within the client’s own tenant before access is established. The client retains the ability to review, modify, or revoke the delegated relationship at any time through the Microsoft 365 admin centre.
SoftSol does not request or hold a Global Administrator role in client tenants. Global Administrator grants unrestricted access across all services and data and is not required for routine managed service operations. All SoftSol administrative work is performed under the specific, scoped roles listed in Section 3.
3. Administrative Roles Requested & Scope
The following roles constitute SoftSol’s standard GDAP request for a fully managed Microsoft 365 engagement. Roles are added or removed based on the specific services in scope for each client. The client’s signed service agreement specifies which roles apply to their engagement.
| Role Name | What it permits | What it does NOT permit |
|---|---|---|
| Exchange Administrator | Manage mail flow rules and transport configurations; configure connectors, accepted domains, and remote domains; manage shared mailboxes and distribution groups; configure anti-spam and anti-phishing policies; manage mail migration and hybrid configuration. | Read, access, copy, export, or search the content of any user’s mailbox, sent items, calendar entries, or contacts. This role does not confer default mailbox-read permissions. Any access to mailbox content requires a separate, explicit action that would itself be logged and alerted under the applicable compliance framework. |
| Teams Administrator | Manage Teams meeting policies, messaging policies, calling configurations, and app permission policies; manage Teams channels at the structural level; configure Teams-wide settings and guest access. | Read or access the content of private Teams chats, channel messages, meeting recordings, or calls. Structural administration does not grant content access. Accessing chat or call content would require a compliance-level eDiscovery action — a separate, explicitly logged operation. |
| User Administrator | Create, modify, and delete user accounts; manage group memberships; reset passwords for non-admin users; assign and remove licences; manage user properties and contact information. | Access any user’s mailbox content, files, or OneDrive data as a result of account management operations. Password resets are fully logged. This role cannot modify Global Administrator accounts or other privileged roles. |
| SharePoint Administrator | Manage SharePoint site collections; configure sharing and external access policies; manage OneDrive settings at the tenant level; configure information barriers and compliance features. | Read, access, download, or copy the content of documents, files, or items stored within SharePoint sites or OneDrive. Tenant-level configuration does not grant document-level read access. Accessing file content requires explicit, separately logged action. |
| Security Reader | View security alerts, recommendations, and reports in Microsoft Defender and Secure Score; view conditional access policies and sign-in logs; view identity protection reports. | Modify any security configuration, policy, or setting. This is a read-only role. Cannot access mailbox content, files, or user data. |
| Intune Administrator (if device management in scope) | Manage device compliance policies; deploy configuration profiles and applications; manage conditional access integration; wipe or retire enrolled devices when authorised. | Access the content of files, emails, or personal data stored on managed devices. Device management does not grant data-level read access. Remote wipe actions are fully logged and require explicit initiation. |
4. Access Activation Model
SoftSol operates under one of two access models, selected in agreement with the client at the time of onboarding and documented in the service schedule:
Model A — Just-In-Time (JIT) via PIM
The GDAP roles listed above exist in an assigned but inactive state. No active permissions are held. A technician must explicitly request elevation via Microsoft Privileged Identity Management (PIM), providing a written justification, before any administrative action can be taken. Activation windows are time-limited (typically 1–4 hours) and expire automatically. Client approval workflows are configurable.
Model B — Standing Access with Immutable Auditing
The GDAP roles listed above are held with standing activation for operational efficiency. All administrative actions are permanently logged in Microsoft Purview Audit and streamed in real time to an external, read-only, tamper-evident SIEM repository. Real-time alerts are dispatched to the client’s designated management contact upon sensitive administrative operations.
5. Explicit Confirmation: Data SoftSol Cannot Access Under Standard Roles
Under the roles listed in Section 3, and without taking separate, explicitly logged actions outside the scope of routine managed service operations, SoftSol cannot access the following:
- ✕ The content of any user’s email messages, including inbox, sent items, drafts, or archived items
- ✕ Personal calendar entries or meeting content
- ✕ Private Teams chat messages or call recordings
- ✕ Files stored in any user’s OneDrive
- ✕ Documents stored in SharePoint sites
- ✕ Personal contact information beyond what is visible in the global address list
- ✕ Any data subject to privilege, confidentiality, or privacy obligations
6. Audit Logging & Client Rights
All administrative actions performed by SoftSol within the client’s Microsoft 365 tenant are permanently logged by Microsoft Purview Audit. These logs are accessible to the client’s own administrators at any time through the Microsoft 365 compliance centre. SoftSol does not have the ability to modify, suppress, or delete these logs.
The client may, at any time and without prior notice to SoftSol, review the full audit log of all administrative actions performed within their tenant. SoftSol actively encourages clients to exercise this right and will assist with log queries or report generation upon request.
7. Client Rights & Revocation
The client retains full control over SoftSol’s administrative access at all times. The client may:
- ✓ Review the active GDAP relationship and all delegated roles at any time in the Microsoft 365 admin centre under Settings > Partner relationships
- ✓ Revoke the GDAP relationship entirely at any time, immediately terminating all SoftSol administrative access
- ✓ Remove individual roles from the GDAP relationship to further restrict scope at any time
- ✓ Request from SoftSol, at any time, a written description of any specific action taken in the tenant
8. Contact & Queries
Questions about this document, the specific roles active in your tenancy, or requests for additional compliance documentation should be directed to SoftSol at support@softsol.co.za or via the support portal.