Granular delegated admin privileges (GDAP) API overview

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

As part of the Microsoft Partner Center ecosystem, Microsoft partners in the Cloud Solution Provider, Value Added Reseller, or Advisor programs can perform administrative operations on their customer tenants to help manage the customer's services, for example, Azure AD and Microsoft 365. This capability previously allowed partners to assume a Global Administrator role in the customer tenant indefinitely, creating potential security exposures and limiting market potential.

Granular delegated admin privileges (GDAP) provide partners with least-privileged access to their customer tenants following the Zero Trust cybersecurity model. Through GDAP, partners configure and request granular, time-bound access to their customers' environments, and customers must explicitly grant this least-privileged access. Partners request specific roles for customer tenant administration for a definite amount of time. This control eliminates the need for partners to hold the Global Administrator role in the customer's tenant; instead, they receive only the lower-privileged permissions they need for the delegated administrative tasks.

For more information about GDAP, see:

Use cases for GDAP APIs

This section describes the ways that Microsoft partners can use the GDAP APIs to programmatically manage delegated admin relationships for their customers.

Delegated admin relationship

Use cases | APIs
Create a new delegated admin relationship for approval by any customer | Create delegatedAdminRelationship
Create a new delegated admin relationship for approval by a specific customer | Create delegatedAdminRelationship
List all delegated admin relationships of a partner | List delegatedAdminRelationships
List all delegated admin relationships for a specific customer | List delegatedAdminRelationships
Get a delegated admin relationship by ID | Get delegatedAdminRelationship
Delete a delegated admin relationship | Delete delegatedAdminRelationship

Delegated admin relationship request

Use cases | APIs
Create a delegated admin relationship request to lock a relationship for customer approval or to terminate an existing relationship | Create requests
Get a delegated admin relationship request by ID | Get delegatedAdminRelationshipRequest
List all delegated admin relationship requests for a given relationship | List requests

Role assignments

Use cases | APIs
Create a new delegated admin access assignment for a delegated admin relationship | Create accessAssignments
List access assignments for a delegated admin relationship | List accessAssignments
Get a delegated admin relationship access assignment by ID | Get delegatedAdminAccessAssignment
Delete an access assignment of a delegated admin relationship | Delete delegatedAdminAccessAssignment
Update role assignments for a delegated admin relationship access assignment | Update delegatedAdminAccessAssignment

Long-running operations

Use cases | APIs
List all long-running operations of a delegated admin relationship | List operations
Get a long-running operation of a delegated admin relationship | Get delegatedAdminRelationshipOperation

Delegated admin customers

Use cases | APIs
List all delegated admin customers | List delegatedAdminCustomers
Get a single delegated admin customer by ID | Get delegatedAdminCustomer
Get service management details for a delegated admin customer | List serviceManagementDetails

GDAP Workflow

GDAP Relationship Status Transition

The status of the Delegated Admin relationship transitions as follows:

Delegated Admin relationship status transition diagram

  1. Create delegatedAdminRelationship
  2. Update delegatedAdminRelationship
  3. Create delegatedAdminRelationshipRequest (action: lockForApproval)
  4. Create delegatedAdminRelationshipRequest (action: terminate)

GDAP Relationship Access Assignment Status Transition

The status of the delegated admin access assignment transitions as follows:

Delegated Admin access assignment status transition diagram

  1. Create delegatedAdminAccessAssignment
  2. Delete delegatedAdminAccessAssignment
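The two workflows above, as an added example that is not part of this page or of the Microsoft Graph SDKs: it builds the request bodies for steps 1, 3 and 4 of the relationship workflow and for the access-assignment create step, and rejects requests that would not be least-privileged (Global Administrator, over-long duration, or assignment roles outside the relationship) before anything is sent. The endpoint paths, property names, ISO 8601 duration format and the Global Administrator role template ID are assumed from the beta delegatedAdminRelationship resource; the tenant, group and role IDs used for testing are constructed placeholders.

```python
import re

GRAPH_BETA = "https://graph.microsoft.com/beta"
RELATIONSHIPS = f"{GRAPH_BETA}/tenantRelationships/delegatedAdminRelationships"
# Global Administrator role template id: well-known Entra built-in role (assumed, not from this page)
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"
MAX_DURATION_DAYS = 730  # ceiling enforced by this script's own policy, not by the API
GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def build_create_relationship(display_name, role_ids, duration_days, customer_tenant_id=None):
    """Step 1: Create delegatedAdminRelationship. Omitting customer_tenant_id leaves the
    relationship open for approval by any customer. Returns (method, url, json_body)."""
    if not role_ids or any(not GUID.match(r) for r in role_ids):
        raise ValueError("roleDefinitionIds must be a non-empty list of GUIDs")
    if GLOBAL_ADMIN_ROLE_ID in role_ids:
        raise ValueError("Global Administrator must not be requested through GDAP")
    if not 1 <= duration_days <= MAX_DURATION_DAYS:
        raise ValueError(f"duration must be between 1 and {MAX_DURATION_DAYS} days")
    body = {
        "displayName": display_name,
        "duration": f"P{duration_days}D",  # ISO 8601 duration (assumed format)
        "accessDetails": {"unifiedRoles": [{"roleDefinitionId": r} for r in role_ids]},
    }
    if customer_tenant_id:
        body["customer"] = {"tenantId": customer_tenant_id}
    return "POST", RELATIONSHIPS, body


def build_relationship_request(relationship_id, action):
    """Steps 3 and 4: lock the relationship for customer approval, or terminate it."""
    if action not in ("lockForApproval", "terminate"):
        raise ValueError("action must be lockForApproval or terminate")
    return "POST", f"{RELATIONSHIPS}/{relationship_id}/requests", {"action": action}


def build_access_assignment(relationship_id, group_id, role_ids, relationship_role_ids):
    """Create delegatedAdminAccessAssignment for a partner security group. The assigned
    roles must be a subset of the relationship's roles; that is checked here before sending."""
    extra = sorted(set(role_ids) - set(relationship_role_ids))
    if extra:
        raise ValueError(f"roles not granted by the relationship: {extra}")
    body = {
        "accessContainer": {"accessContainerId": group_id, "accessContainerType": "securityGroup"},
        "accessDetails": {"unifiedRoles": [{"roleDefinitionId": r} for r in role_ids]},
    }
    return "POST", f"{RELATIONSHIPS}/{relationship_id}/accessAssignments", body
```

Each function returns the method, URL and JSON body so the caller can send it with its own authenticated HTTP client from the partner tenant.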

Permissions

To manage delegated admin relationships, the calling principal must be in the partner tenant and be granted the appropriate granular delegated admin privileges permissions.

See also