GDAP Relationships

GDAP Relationships

As a Microsoft Partner that wants to safely operate with your customer's workloads, it is imperative to know all about Granular Delegated Admin Privileges (GDAP).
Whether you're new to GDAP or seeking to enhance your understanding, this article is your compass to navigate the ever-evolving landscape of security and access control.


What is GDAP in Partner Center?

GDAP is a security feature that provides partners with least-privileged access following the Zero Trust cybersecurity protocol. It lets partners configure granular and time-bound access to their customers' workloads in production and sandbox environments. This least-privileged access needs to be explicitly granted to partners by their customers.


What Azure AD roles does Microsoft allows to assign when a establishing a GDAP relationship?

Users with admin agent role at a partner organization can create a GDAP relationship request with these roles:
  1. Directory readers: Can read basic directory information. Commonly used to grant directory read access to applications and guests
  2. Directory writers: Can read and write basic directory information. Commonly used to grant access to applications. This role isn't intended for users.
  3. Global Reader: Can read everything that a Global Administrator can, but not update anything.
  4. License administrator: Can manage product licenses on users and groups.
  5. Service support administrator: Can read service health information and manage support tickets.
  6. User administrator: Can manage all aspects of users and groups, including resetting passwords for limited admins.
  7. Privileged role administrator: Can manage role assignments in Azure AD and all aspects of Privileged Identity Management (PIM).
  8. Helpdesk administrator: Can reset passwords for non administrators and helpdesk administrators.
  9. Privileged authentication administrator: Can access, view, set, and reset authentication method information for any user (admin or non admin).

How does GDAP work with Microsoft 365 Lighthouse?

Managed Service Providers (MSPs) enrolled in the Cloud Solution Provider (CSP) program as indirect resellers or direct bill partners can use Microsoft 365 Lighthouse to set up GDAP for any customer tenant. It also let Microsoft Partners to adopt security measures like just-in-time (JIT) access.


How long does a GDAP relationship last?

The default and maximum duration is two years. However, a partner can update the duration and reduce it to as little as one day.


Who receives a GDAP relationship termination notification email?

Within a partner organization, people with the Admin agent role receive a termination notification. Within a customer organization, people with the Global admin role receive a termination notification.


Which GDAP roles are needed to access an Azure subscription?

To manage Azure with per-customer access partitioning (which is the recommended best practice), create a security group (such as Azure Managers) and nest it under Admin agents.

To access an Azure subscription as an owner for a customer, you can assign any Azure Active Directory (Azure AD) built-in role (such as Directory readers, the least privileged role) to the Azure Managers security group.

    • Related Articles

    • Can't access Users or Licenses for a Customer

      If there's an error trying to view the Users or Licenses for a Customer, here are a few steps you can take to troubleshoot the issue: 1. Verify the GDAP Relationship Ensure that the customer has an active GDAP (Granular Delegated Admin Privileges) ...

    • What's New: June 2024

      Version 4.71.0 Updates Microsoft Marketplace is now available! We are excited to announce you can now transact Microsoft Marketplace offers directly within the platform! Effortlessly choose which marketplace providers you want to transact, browse, ...

    • Monthly Update for Microsoft Partners - August 2023

      We've carefully selected Microsoft's most significant updates over the last month, making sure you're always up to date. 01. Secure Your Partner Ecosystem with GDAP 02. CSP Program Guide Update Coming in October 03. Updates for Solutions Partner ...

    • Monthly Update for Microsoft Partners - November 2023

      NCE Price List Preview Error: Triennial Microsoft 365 & Office 365 SKUs Important Dates: November 30, 2023 Impacted Audience: Cloud Solution Provider partners (indirect providers and direct bill) globally An error in the Microsoft price list will ...

    • Monthly Update for Microsoft Partners - July 2023

      We've carefully selected Microsoft's most significant updates over the last month, making sure you're always up to date: 01. CSP new commerce: Commercial legacy seat-based subscription migration 02. CSP public sector legacy offers (government, ...