What is GDAP?
Responding to growing security and compliance concerns, Microsoft is reinforcing customer access control capabilities by introducing Granular Delegated Admin Privileges (GDAP).
GDAP applies to all Microsoft Direct Bill Partners, Indirect Providers, and Indirect Resellers in the Cloud Solution Provider (CSP) program, across all Microsoft 365 products, Microsoft Dynamics 365, Microsoft Power Platform, and Microsoft Azure.
GDAP is the natural evolution of Delegated Admin Privileges (DAP). It still allows partners to service customers, but reduces security risk by enabling custom roles and time limits on access. As a result, GDAP will replace the current DAP model, whose access is indiscriminate and cannot be controlled at a more granular level.
The downside of the prevailing DAP model is that many customers cannot feel safe choosing Microsoft services, because the partner receives global admin access to the customer's data and workloads; if a partner account is compromised, the customer's data can be compromised as well. GDAP removes this downside: customers can now limit access to their data and workloads by granting custom permissions instead of global admin access.
DAP vs. GDAP
Customers will no longer be required to grant global admin permissions to partners. Instead, partners can tailor the access rights of each customer relationship to that customer's security and compliance requirements for access control (for example, the least-privilege principle, under which a partner would operate only as CSP support and as Teams or Dynamics Service Administrator, and nothing more).
With GDAP, partners also no longer have access to all customer tenants across Azure subscriptions through Admin agents by default. Instead, partners managing Azure are part of a separate security group, which is a member of the Admin agent group. This group grants owner role-based access control (RBAC) access on all Azure subscriptions for that customer. These changes will allow partners to utilize the minimum access rights needed that correspond with the scope of support that customers expect to receive.
In addition, GDAP comes with extended visibility and granular activity logs that illustrate when GDAP permissions are being used along with the lifecycle of that relationship.
Act now to meet the new timelines without business disruption
Microsoft's new timelines give partners more time to make the transition from delegated admin privileges (DAP) to granular delegated admin privileges (GDAP).
Starting January 17, 2023
- Microsoft will stop creating DAP relationships when a new customer or reseller relationship is created.
- Microsoft will start removing inactive DAP relationships that haven't been used in 90 days.
Starting March 1, 2023
- The Bulk Migration Tool to upgrade existing DAP connections that were granted by customers to GDAP will no longer be available.
- Microsoft will begin to transition remaining active DAP relationships to GDAP with limited Azure Active Directory (Azure AD) roles to perform least-privilege customer management activities. Partners will be required to perform more steps to continue to have access to Azure subscriptions after the limited roles are granted, as documented.
Important! If GDAP is not enabled on customer tenants, partners will cease to receive Partner Earned Credits and Incentives and will not be able to provide CSP Support.
To avoid disruption to your business, we recommend that you do not wait until March 2023 but take action now to transition to GDAP with the level of access you require to manage your customers. The limited GDAP roles (Directory reader, Global reader, User administrator, License administrator, Service support administrator, and Helpdesk administrator) granted by Microsoft during the transition will only allow you to perform least-privilege activities. All other access permissions (for example, access to Exchange workloads) will be lost, and to perform those other activities, additional GDAP roles will have to be granted by the customer.
Call to action
- Audit existing DAP connections. In Microsoft Partner Center, you have access to a reporting tool that identifies and displays all active connections with delegated administrative privileges and helps you discover inactive DAP connections.
- Remove inactive DAP connections. Identify inactive DAP connections and delete them as soon as possible.
- Start Planning for Your DAP-to-GDAP Transition. Identify what activities your users perform in the customer portal to determine which GDAP roles will be most applicable.
- Transition to GDAP using the GDAP Bulk Migration tool or AppXite GDAP Migration Solution for AppXite platform users.
- Disable DAP. Once your customer has granted you GDAP and confirmed that you can perform all necessary administrative activities on behalf of your customer, you must disable your existing DAP connection.
- Add a security contact in Partner Center.
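As an added illustration (not part of the original article or of the AppXite solution), the script below applies the decision rules from the steps above to a partner's relationship inventory: DAP connections unused for 90 days are flagged for removal, an active DAP alongside an existing GDAP relationship is flagged for disabling, and GDAP roles outside Microsoft's limited transition set are flagged for review. The inventory format is an assumed, simplified export, and the customer names are constructed; a real inventory would come from the Partner Center reporting tool mentioned above.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Limited roles Microsoft grants during the forced DAP-to-GDAP transition (listed on this page).
LIMITED_GDAP_ROLES = frozenset({
    "Directory reader", "Global reader", "User administrator",
    "License administrator", "Service support administrator", "Helpdesk administrator",
})
INACTIVE_DAYS = 90  # DAP relationships unused for 90 days are removed by Microsoft

def audit_relationships(relationships, as_of):
    """Map each customer to the call-to-action steps that apply to it.
    `relationships` is an assumed, simplified export: dicts with keys customer,
    type ("DAP"/"GDAP"), last_used (aware datetime or None; DAP) and roles (GDAP)."""
    by_customer = defaultdict(lambda: {"DAP": None, "GDAP": []})
    for rel in relationships:
        if rel["type"] == "DAP":
            by_customer[rel["customer"]]["DAP"] = rel
        else:
            by_customer[rel["customer"]]["GDAP"].append(rel)
    findings = {}
    for customer, rels in by_customer.items():
        actions, dap, gdaps = [], rels["DAP"], rels["GDAP"]
        if dap is not None:
            last_used = dap.get("last_used")
            if last_used is None or as_of - last_used >= timedelta(days=INACTIVE_DAYS):
                actions.append("remove inactive DAP")  # step 2: unused for 90+ days
            elif gdaps:
                actions.append("GDAP in place: disable DAP")  # step 5
            else:
                actions.append("active DAP without GDAP: plan transition")  # steps 3-4
        for gdap in gdaps:
            # Roles beyond the least-privilege baseline need an explicit customer grant and review.
            extra = sorted(set(gdap["roles"]) - LIMITED_GDAP_ROLES)
            if extra:
                actions.append("review GDAP roles beyond limited set: " + ", ".join(extra))
        findings[customer] = actions
    return findings

# Constructed sample inventory (fictional customers); AS_OF is the first timeline date on the page.
AS_OF = datetime(2023, 1, 17, tzinfo=timezone.utc)
SAMPLE_RELATIONSHIPS = [
    {"customer": "Contoso", "type": "DAP", "last_used": datetime(2022, 9, 1, tzinfo=timezone.utc)},
    {"customer": "Fabrikam", "type": "DAP", "last_used": datetime(2023, 1, 10, tzinfo=timezone.utc)},
    {"customer": "Fabrikam", "type": "GDAP", "roles": ["Global reader", "User administrator"]},
    {"customer": "Northwind", "type": "DAP", "last_used": datetime(2023, 1, 5, tzinfo=timezone.utc)},
    {"customer": "Tailspin", "type": "GDAP", "roles": ["Global administrator", "Global reader"]},
]
```

Calling `audit_relationships(SAMPLE_RELATIONSHIPS, AS_OF)` returns one action list per customer; Contoso's DAP (unused since September) is flagged for removal, while Tailspin's GDAP relationship is flagged because Global administrator lies outside the limited set.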
GDAP Migration Solution for AppXite platform users
We are pleased to announce that AppXite released a custom GDAP migration solution that will significantly speed up the DAP-to-GDAP migration and simplify the GDAP relationship management.
AppXite Partner Management Solution can be used (free of charge) by any Direct and Indirect Microsoft partners using the AppXite Platform. Download it now from Microsoft Store.
Why is AppXite Partner Management Solution convenient for you?
- It is developed to operate seamlessly on your Microsoft automation platform provided by AppXite.
- It is a 100% self-service solution and by following our extensive tutorials, the GDAP migration won’t put any strain on your business.
- It is flexible enough that you can tailor it to your own business needs, e.g. different security groups for different customers.
- It is already available for you, so you don’t need to look for workarounds or design extensive migration plans.
- It is tried and tested by AppXite, and you can reach out to us for additional guidance if you stumble upon a roadblock.
- And you can add it to your tech stack now.
Find out more about the solution's capabilities from our GDAP how-to tutorials:
1. GDAP - Software Client Setup
2. GDAP - User Account Registration & Activation
3. GDAP - CSP Roles / Template Management / Security Group Provisioning
4. GDAP - Customer Transition and Synchronization