Granular delegated admin privileges (GDAP) API overview
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
As part of the Microsoft Partner Center ecosystem, Microsoft partners in the Cloud Solution Provider, Value Added Reseller, or Advisor programs can perform administrative operations on their customer tenants to help manage the customer's services, for example, Azure AD and Microsoft 365. This capability previously allowed partners to assume a Global Administrator role in the customer tenant indefinitely, creating potential security exposures and limiting market potential.
Granular delegated admin privileges (GDAP) provide partners with least-privileged access to their customer tenants following the Zero Trust cybersecurity model. Through GDAP, partners configure and request granular and time-bound access to their customers' environments, and customers must explicitly grant this least-privileged access to partners. In addition, partners must request specific roles for customer tenant administration for a definite amount of time. This control eliminates the need for partners to hold the Global Administrator role in their customer's tenant; instead, they receive only the lower-privileged permissions they actually need for delegated administrative tasks.
For more information about GDAP, see:
Use cases for GDAP APIs
This section describes the ways that Microsoft partners can use the GDAP APIs to programmatically manage delegated admin relationships for their customers.
Delegated admin relationship
| Use case | API |
|---|---|
| Create a new delegated admin relationship for approval by any customer | |
| Create a new delegated admin relationship for approval by a specific customer | |
| List all delegated admin relationships of a partner | |
| List all delegated admin relationships for a specific customer | |
| Get a delegated admin relationship by ID | Get delegatedAdminRelationship |
| Delete a delegated admin relationship | Delete delegatedAdminRelationship |
Delegated admin relationship request
| Use case | API |
|---|---|
| Create a delegated admin relationship request to lock a relationship for customer approval or to terminate an existing relationship | Create requests |
| Get a delegated admin relationship request by ID | Get delegatedAdminRelationshipRequest |
| List all delegated admin relationship requests for a given relationship | List requests |
Delegated admin access assignment
| Use case | API |
|---|---|
| Create a new delegated admin access assignment for a delegated admin relationship | Create accessAssignments |
| List access assignments for a delegated admin relationship | List accessAssignments |
| Get a delegated admin relationship access assignment by ID | Get delegatedAdminAccessAssignment |
| Delete an access assignment of a delegated admin relationship | Delete delegatedAdminAccessAssignment |
| Update role assignments for a delegated admin relationship access assignment | Update delegatedAdminAccessAssignment |
Delegated admin relationship operations
| Use case | API |
|---|---|
| List all long-running operations of a delegated admin relationship | List operations |
| Get a long-running operation of a delegated admin relationship | Get delegatedAdminRelationshipOperation |
Delegated admin customers
| Use case | API |
|---|---|
| List all delegated admin customers | List delegatedAdminCustomers |
| Get a single delegated admin customer by ID | Get delegatedAdminCustomer |
| Get service management details for a delegated admin customer | List serviceManagementDetails |
GDAP Relationship Status Transition
The status of a delegated admin relationship changes in response to the following operations:
- Create delegatedAdminRelationship
- Update delegatedAdminRelationship
- Create delegatedAdminRelationshipRequest (action: lockForApproval)
- Create delegatedAdminRelationshipRequest (action: terminate)
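As an added example (not code from the Microsoft Graph documentation or the Partner Center SDK), the following Python composes the request bodies for the "create relationship" and "lockForApproval" steps above and reviews the relationship for the least-privilege problems this page warns about before it is locked for customer approval. The endpoint paths, property names (`duration`, `customer.tenantId`, `accessDetails.unifiedRoles`), the two-year maximum duration and the Global Administrator role template ID are assumptions about the beta API; check them against the reference pages for your tenant.

```python
"""Least-privilege review of a GDAP delegatedAdminRelationship payload (added example)."""
import re

# Assumption: the well-known Azure AD role template ID for Global Administrator.
GLOBAL_ADMIN_TEMPLATE = "62e90394-69f5-4237-9190-012177145e10"
# Assumption: GDAP relationships may last at most two years.
MAX_DURATION_DAYS = 730
ISO_DAYS = re.compile(r"^P(\d+)D$")


def duration_days(iso_duration):
    """Parse the ISO 8601 'PnD' form GDAP uses for duration (assumption: days only)."""
    match = ISO_DAYS.match(iso_duration)
    if not match:
        raise ValueError(f"unsupported duration {iso_duration!r}; expected e.g. 'P180D'")
    return int(match.group(1))


def build_relationship(display_name, customer_tenant_id, role_template_ids, duration="P180D"):
    """Body for POST /tenantRelationships/delegatedAdminRelationships (assumed path).

    Passing customer_tenant_id=None creates a relationship that any customer may
    approve; a tenant ID pins approval to that specific customer.
    """
    body = {
        "displayName": display_name,
        "duration": duration,
        "accessDetails": {"unifiedRoles": [{"roleDefinitionId": r} for r in role_template_ids]},
    }
    if customer_tenant_id:
        body["customer"] = {"tenantId": customer_tenant_id}
    return body


def review_relationship(body):
    """Return a list of least-privilege findings; an empty list means the body passes."""
    findings = []
    roles = {r["roleDefinitionId"] for r in body["accessDetails"]["unifiedRoles"]}
    if not roles:
        findings.append("no roles requested; the relationship would grant nothing")
    if GLOBAL_ADMIN_TEMPLATE in roles:
        findings.append("requests Global Administrator, the role GDAP exists to replace")
    days = duration_days(body["duration"])
    if days > MAX_DURATION_DAYS:
        findings.append(f"duration {days}d exceeds the {MAX_DURATION_DAYS}d maximum")
    if "customer" not in body:
        findings.append("no customer pinned; any customer tenant could approve this relationship")
    return findings


def lock_for_approval_request():
    """Body for POST .../delegatedAdminRelationships/{id}/requests once the review passes."""
    return {"action": "lockForApproval"}
```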
GDAP Relationship Access Assignment Status Transition
The status of a delegated admin access assignment transitions as follows:
To manage delegated admin relationships, the calling principal must be in the partner tenant and be granted the appropriate granular delegated admin privileges permissions.