Do you know what is GDAP?

Microsoft responds to the increasing security concern, moves forward with the Zero Trust cybersecurity protocol and takes steps to protect access to end customer’s environment. The initiative that is now introduced to the CSP ecosystem offers the transition from Delegated Admin Privileges (DAP) to Granular Delegated Admin Privileges (GDAP). GDAP refers to all Microsoft Direct Bill Partners, Indirect Providers, and Indirect Resellers in Cloud Solution Provider (CSP) Program, including all Microsoft 365 products, Microsoft Dynamics 365, Microsoft Power Platform, and Microsoft Azure.
But what is GDAP after all? GDAP (Granular Delegated Admin Privileges) is a security feature that provides partners with granular and time-bound access to their customers’ workloads in production and sandbox environments. This access now needs to be explicitly granted to partners by their customers, so GDAP is in fact the transformation of Delegated Admin Privileges (DAP) which allows partners to enable custom roles and access time limit constraints reducing potential security risks.
With GDAP, partners no longer have access to all customer tenants across Azure subscriptions through Admin agents by default. This means that partners managing Azure no longer receive the Global Admin role on their customer’s tenant but rather, receive lower permissions to read a customer directory by default. What partners can do is transition from DAP to GDAP and eventually remove DAP (Global Admin) on customers’ tenant without any effect to partner earned credit (PEC).

Transition Time plan

It’s true that Microsoft will be replacing DAP with GDAP. But, during the transition period, both DAP and GDAP will coexist. GDAP permissions will be taking precedence over DAP permissions for Microsoft 365, Microsoft Dynamics 365 and Microsoft Azure workloads. However, GDAP will eventually replace DAP as Microsoft works toward providing greater security for partners and customers.

According to Microsoft, starting January 17, 2023:

1. Microsoft will stop creating DAP relationships when a new customer or reseller relationship is created.
2. Microsoft will start removing inactive DAP relationships that haven’t been used in 90 days.

Starting March 1, 2023:

1. The Bulk Migration Tool to upgrade existing DAP connections that were granted by customers to GDAP will no longer be available.
2. Microsoft will begin to transition remaining active DAP relationships to GDAP with limited Azure Active Directory (Azure AD) roles to perform least-privilege customer management activities. Partners will be required to perform more steps to continue to have access to Azure subscriptions after the limited roles are granted, according to Microsoft.

How to avoid disruption: Prioritize wisely

To avoid disruption to your business, Microsoft recommends that you do not delay until March 2023 and take action to transition to GDAP for the level of access that you require to manage your customers. The limited GDAP roles (Directory reader, Global reader, User administrator, License administrator, Service support administrator, and Helpdesk administrator) granted by Microsoft during the transition will only allow you to perform least-privilege activities. All other access permissions (for example, access to Exchange workloads) will be lost, and to perform all other activities, additional GDAP roles will be required to be granted by the customer.

Get GDAP-ready with interworks.cloud

Fortunately, interworks.cloud is soon launching GDAP features that make you GDAP-ready. Our GDAP enablement will allow you to select the GDAP roles you wish and automatically request them from any new customers of yours. This selection helps you send the requests automatically, saving you a lot of time, as you won’t have to do it manually for every new customer in MPC. As for the existing customers, you can GDAP them automatically with the Microsoft Bulk Migration Tool or directly from the MPC.
With our upcoming GDAP feature, you, as a CSP, will be able to select the GDAP roles you wish to request from your customers and also define the time you wish to maintain this GDAP relationship with them (which is up to 730 days). Based on your predefined GDAP settings, a request will be automatically sent to create a GDAP relationship between you and the customer when creating a new MS tenant or when synchronizing a new customer to an existing MS tenant. Isn’t that super cool?

Want to begin your DAP to GDAP transition?

Well, Microsoft has already created a Bulk Migration Tool for transitioning large numbers of users without requiring end customer consent (as consent is implied if there’s a pre-existing active DAP relationship). So, you can leverage it at once. The Bulk Migration Tool is now available for general use until at least March 1, 2023. Want to learn more? This  GDAP bulk migration tool FAQ  also contains very useful information. Just have a look at it.

Follow Microsoft instructions and start planning your DAP to GDAP transition! Identify what activities your representatives perform in the customer portal and determine which GDAP roles will be most applicable to maintain the level of access you have now. Begin your transition to GDAP by referring to the step-by-step guide. Just remember, this process will require your customers to approve the GDAP request.

Extra available documentation from Microsoft

• Documentation collection
• Partner Center documentation
• Bulk Migration Tool &  GDAP bulk migration tool FAQ
• Partner Center security requirements & CSP security best practices.
• Partner Journey Map