# Delegated Administration for Partners Field Guide ## Overview Zoom's Delegated Admin Access feature allows partners to access and administer their customers' Zoom accounts without requiring shared credentials or a master/sub-account relationship. Partners and their customers operate as independent accounts, with the partner receiving controlled, permission-scoped access to each customer's environment. This guide covers the recommended end-to-end setup process, ongoing account management, and current feature limitations that partners should understand before getting started. ## Partner-Initiated Access Requests Previously, delegated access could only be initiated by the customer — their account admin would navigate to Roles and invite an external (partner) user to their account. This workflow required customers to define roles and permissions themselves. See the [Delegated Administration Field Guide](https://library.zoom.com/admin-corner/account-and-endpoint-management/delegated-administration-field-guide) for details about that process. A new partner-initiated flow allows partners to send the access request directly to the customer, who then reviews and approves it. {% hint style="warning" %} **Heads Up** Contact your Zoom channel account manager to request this feature. {% endhint %} Both flows (customer-initiated and partner-initiated) remain supported. ## Before You Begin Before configuring Delegated Admin Access, confirm that your Zoom account has the feature enabled. To verify, do the following: 1. Sign in to the [Zoom web portal](https://zoom.us/). In the left navigation, scroll to the **Admin** section and click **User Management** > **Roles**.

2. In the **Role Name** column, select the role used by the Administrators who will create customer relationships. For example, **Admin** or a custom role. 3. On the role screen that appears, go to the **Account Management** section. Make sure the **External accounts** field is selected.\ \ **Note:** By default, this role is disabled for everyone except the **Owner** role.

4. Determine the appropriate action: * If the permission is **not** visible, contact your Zoom channel account manager to request this feature. * If the permission **is** visible and enabled, click **Admin** > **Account Management** > **External Accounts**. The **Add an account button** will be available.

You'll also need the following before you begin: * A **licensed** Zoom account for the user who will manage all customer relationships. * Which team members (MS, PSO, Support) will need access to each customer account. * The appropriate permission scopes for each customer engagement type. See [Send an Access Request to Each Customer](#send-an-access-request-to-each-customer) below. ## Setup: Partner Side ### Designate a Delegated Admin Access Lead Designate a single user—or a dedicated alias account, if permitted by your organization—to serve as your organization's **Delegated Admin Access Lead**. This user will initiate and own all customer access relationships from the **Account Management** > **External Accounts** page. This is important because only the user who initiates a customer relationship (the "creator") has full visibility into that specific relationship. A second creator can't see relationships created by the first creator unless they're explicitly added. Centralizing relationship creation in one account ensures your organization maintains a complete view of all supported customers. **To configure this user's permissions:** 1. Sign in to the [Zoom web portal](https://zoom.us/) as an account owner or admin. 2. Navigate to User Administration > Roles and create a new role. Name it something like Zoom Delegated Admin Access Lead.

3. Under Account Management, enable Edit access for External Accounts. 4. Assign this role to your designated lead user. {% hint style="info" %} **Note** Managed Services, PSO, and Support team members do not require any admin permissions in your Zoom tenant. Only the lead initiating and managing customer relationships needs this role. {% endhint %} ### Create a Delegate Group for Each Customer Create the user group(s) that will represent your team members for each engagement. 1. Navigate to **User Management** > **Groups** and create a new group. Name it to reflect the customer and/or service type (for example, *Acme Corp – Managed Services Team*). 2. **Optional:** Enable multi-factor authentication (MFA) to streamline customer account access. See the following articles for more information. * [Managing two-step verification](https://support.zoom.com/hc/en/article?id=zm_kb\&sysparm_article=KB0066054) * [Verifying your account via one-time passcode (OTP)](https://support.zoom.com/hc/en/article?id=zm_kb\&sysparm_article=KB0063738) 3. Add the relevant MS, PSO, or Support team members to the group. **Current limitations to be aware of:** * Only **one group per customer relationship** is supported. If you provide multiple service types (for example, both Managed Services and break-fix Support) to a single customer, create a single group that includes all relevant team members and apply the broadest necessary permission set. * Group membership in Zoom can be synced dynamically via SAML/SCIM. However, this sync does not automatically update delegate membership when group members change. New members and removals require additional manual steps; see Managing Ongoing Changes below.\ \ For additional information about SAML, see: * [Setting up advanced SAML mapping](https://support.zoom.com/hc/en/article?id=zm_kb\&sysparm_article=KB0061497) * [Information to consider for advanced SAML mapping](https://support.zoom.com/hc/en/article?id=zm_kb\&sysparm_article=KB0058095) * [Setting up SAML auto mapping](https://support.zoom.com/hc/en/article?id=zm_kb\&sysparm_article=KB0059153) * We recommend leveraging Groups with the current limitations, so that you're ready to take advantage of any future enhancement to automatic Group syncing. ### Send an Access Request to Each Customer The Delegated Admin Access Lead performs this step for each customer. 1. Navigate to **Account Management** > **External Accounts** and click **Add an account**.\

2. Enter the customer's account information and configure the following options: * **Expiration date:** Set an end date if the engagement has a known term. Leave unchecked for ongoing support relationships. * **Allow me to add delegates to manage the account:** Enable this to allow your team members to be added under this relationship. * **I will act as the point of contact and keep my delegates undisclosed:** Enable this if you do not want your individual team members' names to appear in the customer's **Roles** > **External Accounts** view.

3. Define the **permission scope** for this customer relationship. Only one role per partner-customer relationship is currently supported, so configure the **superset** of permissions your team will need across all service types for this customer. There are more than 230 granular options, with separate View and Edit controls.\ \ **Recommended starting points:**

Engagement Type	Suggested Approach
Support / read-only troubleshooting	View access only for relevant areas
Full admin / managed services	Edit access across required areas
Product-specific (for example, Zoom Phone only)	Limit scope to that product area

\ **Best practice:** Avoid granting access to sensitive user content areas (for example, chat history, recordings, billing) unless explicitly required for the engagement.

4. Click **Send add account request**. Notify the customer to expect an approval email or direct them to **Admin** > **User Management** > **Roles** to approve from the banner notification in the web portal.

### Add Delegates After Customer Approval After the customer approves the request, the account will appear in the Approved tab of your External Accounts page. 1. Click the **…** menu on the customer's row and select **Manage Delegates**. 2. Add individual users by name or email, and/or select the group created in the [Create a Delegate Group for Each Customer](#create-a-delegate-group-for-each-customer) section above.

Note

Selecting a group performs a one-time import of current group members into the delegate list. Future group membership changes are not automatically reflected. See Managing Ongoing Changes below for information about managing these updates.

\ **Known UI issue:** The delegate management interface currently references "Channels" — this is a typo. The feature supports **User Groups**, not Channels.
3. Notify all newly added delegates that they will receive an individual email invitation for each customer they have been added to. Each email must be accepted individually — there is no bulk acceptance interface. ### Managing Ongoing Changes See the table below for some common situations that you may need to manage for customers.

Change	Required Action
Add a new team member to an existing customer	Re-add the group in Manage Delegates to re-import updated membership, then notify the new member to accept their email invitation.
Remove a team member from an existing customer	Remove them manually in Manage Delegates and from any groups you may re-import from in the future.
Add an individual user (not via group)	Add by name or email in Manage Delegates, then notify them to accept the invitation.
Customer relationship ends	There are two options to manage this scenario: On the External Accounts page, change the customer relationship expiration date. Ask the customer to delete the customer relationship from Admin > User Management > Roles.

## Setup: Customer Side (Reference) Customers don't need to initiate anything when the partner-initiated flow is used. After approving the partner's access request (via email or the banner in **Admin** > **User Management** > **Roles**), the relationship is active. Customers can review active delegated relationships at any time under **Admin** > **User Management** > **Roles (with external users)**. ## Delegate Onboarding: Team Member Actions Each team member added as a delegate must complete the following steps independently. 1. Accept the email invitation for each customer account they have been added to. Each invitation must be accepted individually. 2. Sign in to [zoom.us](https://zoom.us/). In the left navigation, scroll to the **Admin** section, then click **Account Management**, **External Accounts**. This section only becomes visible after the invitation has been accepted. 3. The page will list one row for each customer. Click **Manage** in the **Action** column for the desired customer. 4. On the **Verify to Continue** prompt (optional, shown if MFA is not enabled for these users): * Click **Send** to receive a one-time verification code by email. * Enter the code and click **Verify**. Check spam if the email does not arrive promptly. * Upon successful verification, you will enter the customer's account in delegated admin mode, with the permissions configured by your organization's lead.