GDAP frequently asked questions

Appropriate roles: All users interested in Partner Center

The Granular Delegated Admin Permissions (GDAP) capability will allow partners to control more granular and time-bound access to their customers' workloads, meaning that partners will be better able to address security concerns from their customers. Partners will also be able to provide more services to customers who are uncomfortable with the current levels of partner access and who have regulatory requirements to provide only least-privileged access to partners.

For additional information, view the readiness collection.

Setting up GDAP

Who can create a GDAP invitation request?

The partner admin agent within the partner organization can raise a GDAP invitation request.

When a partner sends a GDAP relationship request to a customer and the customer takes no action on it, does the request itself expire at some point?

Yes. Pending relationships expire after 90 days.

When is the expiry of the GDAP relationship?

The expiry of the GDAP relationship is defined by the partner. The default is two years (the maximum); however, the partner can shorten this range down to a minimum of one day.

Is it possible to make the GDAP relationship with the customer permanent?

No. Permanent GDAP relationships with customers aren't possible for security purposes. The maximum duration for a GDAP relationship is two years.

How can a customer extend or renew the GDAP relationship?

To extend or renew the GDAP relationship, partners will need to resend the GDAP relationship request to the customer.

Is it possible to autorenew the GDAP relationship with the customer?

No, it isn't possible to autorenew GDAP relationships with customers for security purposes.

What do I do when my GDAP relationship with my customer expires? Is there an automatic renewal process?

If the GDAP relationship with your customer expires, you'll have to recreate the GDAP relationship again. There are analytics available for you to track the GDAP relationship expiration dates to prepare for their renewal. There's currently no automatic renewal process.
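The expiry tracking described above, as an added example rather than Partner Center's own tooling: it assumes relationship records exported from the analytics view with a customer name, a status and UTC dates (the records below are constructed), and applies the limits this page states (pending requests lapse after 90 days; a relationship lasts from 1 day up to 2 years).

```python
"""Flag GDAP relationships whose request must be resent before access lapses.

Added example, not Partner Center code. The record layout and sample data
are constructed; the 90-day / 1-day / 2-year limits come from the FAQ text.
"""
from datetime import date, timedelta

PENDING_TTL = timedelta(days=90)        # pending requests expire after 90 days
MIN_DURATION = timedelta(days=1)        # shortest allowed relationship
MAX_DURATION = timedelta(days=2 * 365)  # default and maximum: two years


def check_duration(days: int) -> timedelta:
    """Validate a requested relationship duration before sending the request."""
    d = timedelta(days=days)
    if not MIN_DURATION <= d <= MAX_DURATION:
        raise ValueError(f"duration must be between 1 and {MAX_DURATION.days} days")
    return d


def needs_action(records, today, warn_days=30):
    """Return (customer, status, deadline) tuples, most urgent first, for
    active relationships expiring within warn_days (resend the request to
    renew) and pending requests that will lapse within warn_days."""
    horizon = today + timedelta(days=warn_days)
    out = []
    for r in records:
        if r["status"] == "active":
            deadline = r["end_date"]                   # chosen when created
        elif r["status"] == "pending":
            deadline = r["sent_date"] + PENDING_TTL    # customer has not accepted
        else:
            continue                                   # terminated: nothing to renew
        if deadline <= horizon:
            out.append((deadline, r["customer"], r["status"]))
    return [(c, s, d) for d, c, s in sorted(out)]


# Constructed sample export (not real customers).
SAMPLE = [
    {"customer": "Contoso", "status": "active", "end_date": date(2024, 7, 10)},
    {"customer": "Fabrikam", "status": "active", "end_date": date(2025, 1, 1)},
    {"customer": "Northwind", "status": "pending", "sent_date": date(2024, 4, 1)},
    {"customer": "Tailspin", "status": "terminated", "end_date": date(2024, 6, 1)},
]
```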

If the GDAP relationship expires, will the customer’s existing subscriptions be affected?

There will be no change to the customer’s existing subscriptions if the GDAP relationship expires.

How can I continue to administer services for my customers if DAP for inactive customers is removed?

While DAP and GDAP coexist, you can continue to administer services for your customers by establishing a GDAP relationship or recreating the DAP relationship with them through Partner Center. We recommend establishing a GDAP relationship to ensure you have the most secure and least privileged access to your customer’s tenant.

In the future, you'll be required to have a GDAP relationship with any customers you wish to administer services to.

Who will receive the GDAP relationship termination notification email?

Within the Partner organization, the admin agent role will receive a notification. Within the customer organization, the global admin agent role will receive the notification.

Is it possible to see when the customer removes GDAP in activity logs?

Yes, partners can see when a customer removes GDAP in the Partner Center activity logs.

Do I have to create a GDAP relationship with all of my customers?

No, GDAP is an optional capability for partners who want to manage their customer’s services at a granular level. Partners can choose which customers they want to create a GDAP relationship with.

If I have multiple customers, do I need to have multiple security groups for those customers?

It depends on your scenario. If you want your partner users to be able to manage all customers, then you can put all of your partner users into one security group and that one group can manage all of the customers.

If you would prefer to have different partner users managing different customers, assign those partner users to separate security groups for per-customer isolation.

Can indirect resellers create GDAP relationship requests?

Yes, indirect resellers (and indirect providers and direct bill partners) can create GDAP relationship requests from Partner Center.

GDAP API

Are there APIs available to create a GDAP relationship with my customers?

Yes, APIs will be available in the Partner Center developer documentation.

Can I create multiple GDAP relationships with different customers at once?

Yes, however this functionality isn't available through the Partner Center experience. It can be created using APIs, allowing partners to scale this process.

Can I bulk migrate my customers from DAP to GDAP?

Yes, this scenario is possible by using APIs. A partner can automate the process of creating GDAP relationships with their customers.

Can multiple security groups be assigned in a GDAP relationship using one API call?

The API assigns one security group per call, whereas the Partner Center UX can map multiple security groups to multiple roles in one operation.

Can I use the beta GDAP APIs for production?

Yes. It is recommended that partners use the beta GDAP APIs for production and later switch to the v1 APIs when they become available. Although there is a warning, "Use of these APIs in production applications is not supported," this is generic guidance for any beta API under Graph and is not applicable to the beta GDAP Graph APIs.

Roles

Which GDAP roles are needed to access an Azure subscription?

The partner must create a security group (such as Azure Managers) for managing Azure and nest it under Admin Agents for per-customer access partitioning, which is the recommended best practice. To access an Azure subscription as owner on behalf of the customer, any Azure AD role, such as Directory Readers (the least privileged role), must be assigned to the Azure Managers security group. See [GDAP supported workloads](./gdap-supported-workloads.md) for steps to set up Azure GDAP.

Is there any guidance on the least privilege role I can assign to users for specific tasks?

Yes, you may refer to this article for information needed to restrict a user's administrator permissions by assigning least privileged roles in Azure Active Directory (Azure AD).

What least privilege role should I be assigned to the customer’s tenant to be able to create support tickets for the customer?

We recommend assigning the Service Support Administrator role. Learn more about Azure AD roles.

Is it possible to exclude all Azure AD roles from the GDAP relationship and still allow the partner to open support tickets for the customer?

No. The least privileged role that allows partner users to create support tickets for their customer is Service Support Administrator. Therefore, to create support tickets for the customer, the partner user must be in a security group that is assigned to that customer with this role.

Where can I find information on all the roles and workloads included in GDAP?

All roles can be found at Azure AD built-in roles. Workload information can be found here.

What GDAP role would provide access to the Microsoft 365 Admin Center?

The Microsoft 365 Admin Center uses many roles; you can find the most commonly used Microsoft 365 Admin roles here.

Can we create custom security groups for GDAP?

Yes, the partner will need to create a security group, assign approved roles, and then assign partner tenant users to that security group.

Which GDAP role will give read-only access to the customer’s subscriptions but won't allow the user to manage them?

The Global Reader, Partner Tier 2 Support, and Directory Reader roles will provide read-only access to customer’s subscriptions.

What role should I assign to my partner agents if I would like them to manage the customer tenant but not modify the customer’s subscriptions (currently admin agents)?

We recommend removing the partner agents from the Admin Agent role and adding them only to a GDAP security group. In this way, they can administer services (for example, service management, log service requests) but can't purchase and manage subscriptions (change quantity, cancel, schedule changes, etc.).

What happens if the customer has granted GDAP roles to partner and then removes roles/severs the GDAP relationship?

The security groups assigned to that relationship will lose access to that customer. This behavior is the same if a customer terminates the DAP relationship.

Can some roles in my GDAP relationship with my customer have a longer time to expiry than others?

No, it isn't possible for some roles in a GDAP relationship with a customer to have a longer time to expiry than others. All roles within the GDAP relationship share the time to expiry chosen when the relationship is created.

Do I need GDAP to fulfill orders for new and existing customers in Partner Center?

No, you don't need GDAP to fulfill orders for new and existing customers. You can continue to use the same process to fulfill customer orders in Partner Center.

Do I have to assign one partner agent role to all customers or can I assign a partner agent role to one customer only?

GDAP Relationships are per customer. You can have multiple relationships per customer. Each GDAP Relationship can have different roles and use different Azure AD Groups within your CSP Tenant.

Through the Partner Center interface, role assignment works at the level of one customer's GDAP relationship. If you want multi-customer role assignment, you can automate it using APIs.

DAP and GDAP

Do I have to transition all my customers to GDAP, or can I continue to use DAP?

While DAP and GDAP will coexist during the transition period, GDAP will eventually replace DAP to ensure we provide a more secure solution for our partners and customers. It's advised that you transition your customers to GDAP as soon as possible to ensure continuity.

How will GDAP work with Privileged Identity Management in Azure AD?

Partners can implement Privileged Identity Management (PIM) on a GDAP security group in the partner's tenant to elevate the access of a few high-privilege users, just in time (JIT) to grant them high-privilege roles like password admins with automatic removal of access. To enable this implementation, Microsoft will be offering a free Azure AD Premium Plan 2 license that is currently required by PIM.

Is GDAP going to replace DAP?

Yes. During the transition period, both DAP and GDAP will coexist, with GDAP permissions taking precedence over DAP permissions for Microsoft 365, Dynamics 365 and Azure workloads.

While DAP and GDAP coexist, will there be any changes to the way a DAP relationship is created?

There are no changes to the existing DAP relationship flow while DAP and GDAP coexist.

How can I transition from DAP to GDAP if I have a large customer base (for example, 10,000 customer accounts)?

This action can currently be carried out by using APIs.

Will there be any impact to my PEC earnings if I transition from DAP to GDAP? Any impact to PAL?

No, there will be no impact to your PEC earnings when you transition to GDAP. There will be no changes made to PAL with the transition, ensuring you continue to earn PEC.

How will GDAP permissions take precedence over DAP permissions while DAP and GDAP coexist?

When a user is a member of both the GDAP security group and the DAP Admin Agents group, and the customer has both DAP and GDAP relationships, GDAP access takes precedence at the partner, customer, and workload level.

For example, if a partner user signs in to a given workload where the partner holds the Global Admin role through DAP and the Global Reader role through GDAP, the partner user gets the Global Reader permissions only.

Now consider three customers whose GDAP role assignments are made only to a GDAP security group (not to Admin Agents), and three partner users: User 1 is a member of the Admin Agents group only, User 2 is a member of both the Admin Agents group and the GDAP security group, and User 3 is a member of the GDAP security group only.

Diagram (not reproduced): the relationship between the different users as members of the Admin Agents and GDAP security groups.

| Customer | Relationship with partner |
| --- | --- |
| Customer 1 | DAP (no GDAP) |
| Customer 2 | DAP + GDAP both |
| Customer 3 | GDAP (no DAP) |

The following table describes the behavior in different cases where a user is signing in to a different customer tenant.

| Example user | Example customer tenant | Behavior | Comments |
| --- | --- | --- | --- |
| User 1 | Customer 1 | DAP | This is DAP as-is |
| User 1 | Customer 2 | DAP | There's no GDAP role assignment to the Admin Agents group, which results in DAP behavior |
| User 1 | Customer 3 | No access | There's no DAP relationship, so the Admin Agents group doesn't have access to customer 3 |
| User 2 | Customer 1 | DAP | This is DAP as-is |
| User 2 | Customer 2 | GDAP | GDAP takes precedence over DAP because there's a GDAP role assigned to customer 2 through the GDAP security group, even if the user is part of the Admin Agents group |
| User 2 | Customer 3 | GDAP | This is a GDAP-only customer |
| User 3 | Customer 1 | No access | There's no GDAP role assignment to customer 1 |
| User 3 | Customer 2 | GDAP | User isn't part of the Admin Agents group, which results in GDAP-only behavior |
| User 3 | Customer 3 | GDAP | GDAP-only behavior |
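The precedence rules behind this table, as an added example (not Microsoft code): a small evaluator that, given a user's group memberships and a customer's DAP/GDAP relationships, returns the access mode and effective roles. Group names, role names and the customer set are constructed to mirror the table; under DAP, Admin Agents are modelled as Global Administrator, as in the Global Admin versus Global Reader example above.

```python
"""Effective access for a partner user signing in to a customer tenant.

Added example, not Microsoft code. It encodes the coexistence rules on this page:
DAP applies when the user is in Admin Agents and the customer has a DAP relationship;
GDAP applies when the customer's GDAP roles are assigned to a security group the
user belongs to; when both apply, GDAP wins. Group and role names are constructed.
"""
from dataclasses import dataclass, field

ADMIN_AGENTS = "Admin Agents"


@dataclass
class Customer:
    name: str
    dap: bool
    # GDAP: security group name -> roles that group holds for this customer
    gdap_roles: dict = field(default_factory=dict)


def effective_access(user_groups, customer):
    """Return (mode, roles); mode is 'DAP', 'GDAP' or 'No access'."""
    gdap = set()
    for group, roles in customer.gdap_roles.items():
        if group in user_groups:
            gdap.update(roles)
    if gdap:  # GDAP takes precedence over DAP for this customer/workload
        return "GDAP", gdap
    if customer.dap and ADMIN_AGENTS in user_groups:
        return "DAP", {"Global Administrator"}  # DAP grants Admin Agents full admin
    return "No access", set()


# Constructed sample: the three customers and three users from the table above.
GDAP_GROUP = "GDAP-Readers"
CUSTOMERS = {
    "Customer 1": Customer("Customer 1", dap=True),
    "Customer 2": Customer("Customer 2", dap=True, gdap_roles={GDAP_GROUP: {"Global Reader"}}),
    "Customer 3": Customer("Customer 3", dap=False, gdap_roles={GDAP_GROUP: {"Global Reader"}}),
}
USERS = {
    "User 1": {ADMIN_AGENTS},              # Admin Agents only
    "User 2": {ADMIN_AGENTS, GDAP_GROUP},  # member of both groups
    "User 3": {GDAP_GROUP},                # GDAP security group only
}


def access_matrix():
    """Access mode for every user/customer pair."""
    return {(u, c): effective_access(g, CUSTOMERS[c])[0]
            for u, g in USERS.items() for c in CUSTOMERS}
```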

How do DAP and GDAP coexist if a customer buys Azure and Microsoft 365 or Dynamics 365?

GDAP is generally available with support for all Microsoft commercial cloud services (Microsoft 365, Dynamics 365, Azure, and Power Platform workloads). For more information on how DAP and GDAP can coexist and how GDAP takes precedence, see "How will GDAP permissions take precedence over DAP permissions while DAP and GDAP coexist?" above.

Is PEC impacted when DAP/GDAP is removed?

  • If the partner's customer has DAP only and DAP is removed, PEC isn't lost
  • If the partner's customer has DAP, and they move to GDAP for Office and Azure simultaneously, and DAP is removed, PEC isn't lost
  • If the partner's customer has DAP, and they move to GDAP for Office but keep Azure as-is (they don't move to GDAP) and DAP is removed, PEC won't be lost, but Azure subscription access will be lost
  • If the Azure RBAC role is removed, PEC is lost; note, however, that removing GDAP doesn't remove RBAC role assignments

Will disabling DAP or transitioning to GDAP impact competencies I've attained?

Your competency may be impacted with the disabling of DAP. Go to Partner Center competencies to view what other partner association types are eligible for customer monthly active usage (MAU) for the performance threshold calculation. You can also see your currently active competencies.

How will GDAP work together with Azure Lighthouse? Do GDAP and Azure Lighthouse impact each other?

With respect to the relationship between Azure Lighthouse and DAP/GDAP, think of them as decoupled parallel paths to Azure resources, so severing one shouldn't affect the other. In the Azure Lighthouse scenario, users from the partner tenant never sign in to the customer tenant and don't have any Azure AD permissions in the customer tenant. Their Azure RBAC role assignments are also kept in the partner tenant.

In the GDAP scenario, users from the partner tenant sign in to the customer tenant, and the Azure RBAC role assignment to the Admin Agents group is also in the customer tenant. You can block the GDAP path (users can no longer sign in) while the Azure Lighthouse path is unaffected. Conversely, you can sever the Lighthouse relationship (projection) without affecting GDAP. For more information, see the Azure Lighthouse documentation.

What is the best way to move to GDAP and remove DAP without losing access to Azure subscriptions if I have customers with Azure?

The correct sequence to follow for this scenario is:

  1. Create a GDAP relationship for both Microsoft 365 and Azure.
  2. Assign Azure AD roles to security groups for both Microsoft 365 and Azure.
  3. Configure GDAP to take precedence over DAP.
  4. Remove DAP.

Important

If these steps aren't followed, existing Admin Agents managing Azure may lose access to Azure subscriptions for the customer.

The following sequence could result in losing access to Azure subscriptions:

  1. Remove DAP. You won't necessarily lose access to the Azure subscription by removing DAP, but from this point you can't browse the customer's directory to make any Azure RBAC role assignments (such as assigning a new customer user as subscription RBAC Contributor).
  2. Create a GDAP relationship for both Microsoft 365 and Azure together. You may lose access to the Azure subscription at this step, as soon as GDAP is set up.
  3. Assign Azure AD roles to security groups for both Microsoft 365 and Azure. You'll regain access to Azure subscriptions after Azure GDAP setup is complete.

I have customers with Azure subscriptions without DAP. If I move them to GDAP for Microsoft 365, will I lose access to Azure subscription?

If you have Azure subscriptions without DAP that you manage as owner, by adding GDAP for Microsoft 365 to that customer, you may lose access to the Azure subscription. In order to avoid that, you need to move the customer to Azure GDAP at the same time that you move the customer to Microsoft 365 GDAP.

Offers

Is management of Azure subscriptions included in this release of GDAP?

Yes, the current release of GDAP supports all products: Microsoft 365, Dynamics 365, Power Platform, and Azure.

How will GDAP work together with Microsoft 365 Lighthouse?

Either Granular Delegated Admin Privileges (GDAP) plus an indirect reseller relationship or a Delegated Admin Privileges (DAP) relationship is required to onboard customers to Lighthouse. If DAP and GDAP coexist in a customer tenant, GDAP permissions take precedence for MSP technicians in GDAP-enabled security groups. Soon customers with GDAP-only relationships (without indirect reseller relationships) will be able to onboard to Lighthouse. For more information on requirements for Microsoft 365 Lighthouse, see Requirements for Microsoft 365 Lighthouse.