Microsoft granular delegated administrator privileges or GDAP is the new feature that reduces the security risks and vulnerabilities for Microsoft customers, especially enterprise clients.
It brings new security capabilities, allowing partners to set up granular and time-bound access to the workloads of their customers.
With the existing DAP security feature, many customers don’t feel confident in opting for more Microsoft services. It’s because the partner gets global admin access to customer's data and workloads. So, in case a partner account is compromised, the data of customers can also be compromised.
GDAP eliminates this issue as customers can now choose to limit access to its data and workloads by giving specific permissions instead of allowing global admin access. There are nearly a hundred Access Roles that partners and customers can mutually decide and proceed with.
There are plenty of new features coming with granular delegated administrator privileges that you must know.
With DAP, partners used to have the role of Global Admin, which was the same for every customer and couldn’t be changed. Microsoft GDAP allows customers to choose from numerous partner roles available with Azure AD. These roles can be different for each customer.
GDAP brings the need for a defined relationship duration between the partner and customer, which can be up to 730 days (2 years). For longer relationship durations, there will be a need to renew it before the defined duration ends. DAP had an indefinite duration.
The invitation links that partners send to customers for access will now be unique for every customer. It’s because every customer may choose a unique access level. The global admin at the customer tenant will have the ability to approve it. With DAP, this link used to be the same for every customer in the region.
Partners have the ability to set up nested groups to avoid giving the same level of customer account access to all employees. There can be distinct permissions for every group. For instance, group 1, supposed to create tickets, has reader roles; while group 2, supposed to make changes, has high-privilege roles.
Microsoft GDAP also introduces activity logs for both customers and partners. Partners can view the overall activity logs as well as sign-in and audit logs for Azure Active Directory (AD). Whereas customers can view their tenant to track Azure AD sign-in activity logs by the partner.
To make things easier for partners in the Microsoft Cloud Solution Provider (CSP) program, the tech giant has also released GDAP APIs. These APIs can be used for efficient management of delegated admin relationships, role assignments, relationship requests, long-running operations, and delegated admin customers.
There are numerous differences between Microsoft DAP and GDAP and that’s the reason partners need to migrate to GDAP at the earliest.
DAP allows partners to do admin operations on the customer tenants. But GDAP limits access to granular levels and allows customers to approve the permissions.
The relationship duration between customer and partner was indefinite with Microsoft. It has changed in GDAP. This duration can now range from 1 day to 730 days.
GDAP brings security group assignment which was not available in DAP. In addition, there are several more security features in Microsoft GDAP, like activity log tracking and access to the security & compliance center, which were not part of DAP.
Another important question of partners is, “What is the Microsoft GDAP release date?” Well, the rollout was expected in September 2022, but Microsoft has extended the timeline.
The company has said that it will announce the new Microsoft GDAP timelines in the first half of October 2022. But it does not mean that you can delay the transition from DAP to GDAP. As a reliable Microsoft CSP, it’s crucial for you to stay compliant and meet the new requirements.
What you must do is understand exactly what is Microsoft GDAP in CSP program, the actions you need to take, and become ready for those actions.
As part of the GDAP rollout, Microsoft is going to
Hence, as a responsible CSP, you need to act now to avoid any negative impact on your customer experience and security.
Here is what you need to do
If you are a Microsoft direct partner, indirect provider, indirect reseller, or advisor, moving to Microsoft GDAP is essential.
AppGallop is the leading cloud automation and subscription management platform built by cloud veterans. With a team of cloud experts working closely with Microsoft, as well as distributors and resellers, we help you make a smooth transition to Microsoft GDAP.
It is a new security feature and regulation by Microsoft for its partners and customers to enhance the security of customers’ workloads and data. With it, the customers no longer need to provide admin-level access to their data to the Microsoft partner. There are numerous roles now, which customers can choose for their partners.
It impacts the direct partners, indirect providers, indirect resellers, and advisors.
Microsoft GDAP stands for Granular Delegated Admin Privileges.
From the partner organization, someone who has the Admin agent role can send the request to the customer.
From the customer end, someone with a Global admin role can approve it.
By default, the duration of the relationship is two years. It is also the maximum duration that can be chosen for the relationship.
While sending the relationship request to the customer, the partner chooses the duration. It can't be more than two years.
The request remains valid for the next 90 days. After that, it expires and the partner needs to send another request.
No. The new feature doesn’t have permanent relationships for security purposes.
No. GDAP doesn’t allow the set-up of auto-renewal for security purposes.
The partners need to send a new request to the customer for relationship renewal. The customer will approve it again at the time of renewal.
Partners will need to move from DAP to GDAP.
GDAP shows relationship analytics where the partners can view the details and also set up notifications.
It won’t have any impact on the customers’ subscriptions. On expiry, the partners will not be able to manage the workloads of customers and offer support. To do this, a new request will need to be sent to the customer.
Yes. Partners can send a request to the customer for admin role access, but it is up to the customers to approve it or not. Moreover, Microsoft recommends that partners don’t have global admin access for security reasons.
Someone who has the Admin agent role at the partner end will be notified by email. On the customer end, someone with the Global admin role will receive the email notification.
Yes. Custom security groups can be formed, with the assignment of roles as per the need.
No. The duration is defined for the relationship, not for the roles. All the roles will have the same duration as chosen for the relationship.
Yes. Microsoft is going to replace DAP with GDAP. The transition period has started and all partners will need to move their customers from DAP to GDAP.
Microsoft has also released the GDAP API which can be used for bulk migration. Moreover, the assistance of a reliable CSP expert can be of great help.
Our experts are available to answer your queries.
