Workloads supported by granular delegated admin privileges (GDAP)

Appropriate roles: All users interested in Partner Center

This article lists tasks for workloads currently supported by granular delegated admin privileges (GDAP).

The following workloads are currently supported as part of the technical release:

The following workloads will be supported as part of general availability:

  • SharePoint (currently piloting with a few partners)

Azure AD

All Azure AD tasks are supported except the following capabilities:

Area, unsupported capabilities, and known issue:

  • Group management: creation of Microsoft 365 groups; administration of dynamic membership rules. Issue: not currently supported.
  • Devices: administration of settings for Enterprise State Roaming.
  • Applications: consenting to an enterprise application inline with sign-in; administration of enterprise application 'User settings'.
  • External identities: administration of external identity features.
  • Monitoring: Log Analytics, diagnostic settings, workbooks, and the 'Monitoring' tab on the Microsoft Azure Active Directory (Azure AD) overview page.
  • Overview page: My feed (roles for the signed-in user). Issue: may display incorrect role information; doesn't affect actual permissions.
  • User settings: 'User features' management page. Issue: not accessible to certain roles.

Exchange admin center

For the Exchange admin center, the following tasks are currently supported by GDAP.

Resource type, resource subtype, currently supported tasks, and general availability:

  • Recipient management
    • Mailboxes: Create Shared Mailbox, Update Mailbox, Convert to Shared/User Mailbox, Delete Shared Mailbox, Manage Mail-flow Settings, Manage Mailbox Policies, Manage Mailbox Delegation, Manage Email Addresses, Manage Automatic Replies, Manage More Actions, Edit Contact Information. General availability: Groups Management.
    • Resources: Create/Add a Resource [Equipment/Room], Delete a Resource, Manage Hide from GAL setting, Manage Booking delegates settings, Manage Resource delegates settings.
    • Contacts: Create/Add a Contact [Mail User/Mail Contact], Delete a Contact, Edit Organization Settings.
  • Mail-flow
    • Message Trace: Start a Message Trace, Check default/custom/autosaved/downloadable queries. General availability: Alert, Alert Policies, Rules.
    • Remote Domains: Add a Remote Domain, Delete a Remote Domain, Edit Message Reporting, Reply Types.
    • Accepted Domains: Manage Accepted Domains.
    • Connectors: Add a Connector, Manage Restrictions, Sent email identity, Delete Connector.
  • Roles
    • Admin Roles: Add Role Group, Delete Role Groups that aren't in-built Role Groups, Edit Role Groups that aren't in-built Role Groups, Copy Role Group.
  • Migration
    • Migration: Add Migration Batch, Try Google Workspace Migration, Approve Migration Batch, View Details of the Migration Batch, Delete Migration Batch.
  • Microsoft 365 admin center link: Link to go to Microsoft 365 Admin Center from EAC.
  • Miscellaneous: Cloud Shell, Support Central Widget, Give Feedback Widget.
  • Dashboard
    • Reports: Migration and Mail-flow Reports.

Microsoft 365 admin center

Important

Some key features of the Microsoft 365 admin center can be impacted by service incidents and ongoing development work. You can view active Microsoft 365 admin center issues at Microsoft Admin portal.

We’re excited to announce the release of the Microsoft 365 admin center support for GDAP. With this preview release, you’ll have the ability to sign in to the admin center with all of the Azure AD roles supported by enterprise customers.

This release has limited capabilities and will allow you to use the following areas of the Microsoft 365 admin center:

  • Users (including assigning licenses)
  • Billing > Your Products
  • Health > Service Health
  • Support Central > Creating support ticket

Microsoft Purview

For Microsoft Purview, the following tasks are currently supported by GDAP.

Solution and currently supported tasks (no out-of-scope items are listed):

  • Audit: Microsoft 365 auditing solutions
    - Set up basic/advanced audit
    - Search audit log
    - Use PowerShell to search audit log
    - Export/configure/view audit log
    - Turn auditing on and off
    - Manage audit log retention policies
    - Investigate common issues/compromised accounts
  • Compliance Manager: Compliance Manager
    - Build and manage assessments
    - Create/extend/modify assessment templates
    - Assign and complete improvement actions
    - Set user permissions
  • MIP: Microsoft Purview Information Protection (see "Learn about data classification" and "Learn about data loss prevention")
    Data Classification:
    - Create and manage sensitive information types
    - Create and manage Exact Data Match
    - Monitor what's being done with labeled content using Activity Explorer
    Information Protection:
    - Create and publish sensitivity labels and label policies
    - Define labels to be applied to files and emails
    - Define labels to be applied to sites and groups
    - Define labels to be applied to schematized data assets
    - Automatically apply a label to content using client-side auto-labeling and server-side auto-labeling, and to schematized data assets
    - Restrict access to labeled content using encryption
    - Configure privacy, external user access, external sharing, and conditional access for labels applied to sites and groups
    - Set label policy to include default, mandatory, and downgrade controls and apply them to files and emails, groups and sites, and Power BI content
    DLP:
    - Create, test, and tune a DLP policy
    - Perform alert and incident management
    - View DLP rule match events in Activity Explorer
    - Configure Endpoint DLP settings
    - View labeled content in Content Explorer
    - Create and manage Trainable Classifiers
    - Groups and Sites label support
  • Microsoft Purview Data Lifecycle Management: Learn about Microsoft Purview Data Lifecycle Management in Microsoft 365
    - Create and manage static and adaptive retention policies
    - Create retention labels
    - Create retention label policies
    - Create and manage adaptive scopes
    - Archiving
    - Import PST files
  • Microsoft Purview Records Management: Microsoft Purview Records Management
    - Label content as a record
    - Label content as a regulatory record
    - Create and manage static and adaptive retention label policies
    - Create and manage adaptive scopes
    - Migrate retention labels and manage your retention requirements with file plan
    - Configure retention and deletion settings with retention labels
    - Retain content when an event occurs with event-based retention
    - Disposition management

Supported Azure AD roles in Microsoft 365 compliance portal:

Microsoft 365 Lighthouse

Microsoft 365 Lighthouse is an admin portal that helps Managed Service Providers secure and manage devices, data, and users at scale for small and medium-sized business customers who are using Microsoft 365 Business Premium or Microsoft 365 E3.

Note

For the initial release, customers can only be onboarded to Lighthouse with a delegated admin privileges (DAP) relationship. This will be updated to allow for GDAP-only relationships to be onboarded.

For Microsoft 365 Lighthouse, the following tasks are currently supported by GDAP.

Resource, currently supported, and general availability:

  • Home
  • Tenants: Customer Overview details are blocked when users don't have Intune or Azure AD permissions. General availability: technicians will be able to see the roles they've associated with each customer tenant on this page.
  • Users: included
  • Devices: included
  • Threats: included
  • Baselines: included
  • Service health: included
  • Onboarding: customers must have DAP to be onboarded. General availability: GDAP-only customers will be able to be onboarded.
  • Error messages: current error messages may be slightly confusing. General availability: updates to separate error messages for read and write permissions.

Supported Azure role-based access control (Azure RBAC) roles include the following:

  • Compliance Administrator
  • Conditional Access Administrator
  • Global Administrator
  • Global Reader
  • Help Desk Administrator
  • Intune Administrator
  • Password Administrator
  • Privileged Authentication Administrator
  • Security Administrator
  • Security Operator
  • Security Reader
  • Service Support Administrator
  • User Administrator
  • Cloud Device Administrator

Windows 365

For Windows 365, the following tasks are currently supported by GDAP.

Resource and currently supported tasks (no general-availability changes are listed):

  • Cloud PC: List Cloud PCs, Get Cloud PC, Reprovision Cloud PC, End grace period, Reprovision Cloud PC remote action, Bulk reprovision Cloud PCs remote action, Resize Cloud PCs remote action, Get Cloud PC remote action results.
  • Cloud PC device image: List device images, Get device image, Create device image, Delete device image, Get source image, Reupload device image.
  • Cloud PC on-premises network connection: List on-premises connection, Get on-premises connection, Create on-premises connection, Update on-premises connection, Delete on-premises connection, Run health checks, Update AD domain password.
  • Cloud PC provisioning policy: List provisioning policies, Get provisioning policy, Create provisioning policy, Update provisioning policy, Delete provisioning policy, Assign provisioning policy.
  • Cloud PC audit event: List audit events, Get audit event, Get audit activity types.
  • Cloud PC user setting: List user settings, Get user setting, Create user setting, Update user setting, Delete user setting, Assign.
  • Cloud PC supported region: List supported regions.
  • Cloud PC service plans: List service plans.

Supported Azure RBAC roles include the following:

  • Global Administrator
  • Intune Administrator
  • Security Administrator
  • Security Operator
  • Security Reader
  • Global Reader
  • (In verification) Windows 365 Administrator

Unsupported resources for preview:

  • N/A

Teams admin center

For the Teams admin center, the following tasks are currently supported by GDAP.

Resource and currently supported tasks (no general-availability changes are listed):

  • Users: Assign policies, Voice settings, Outbound calling, Group call pickup settings, Call delegation settings, Phone numbers, Conferencing settings.
  • Teams: Teams policies, Update policies.
  • Devices: IP phones, Teams Rooms, Collaboration bars, Teams displays, Teams panels.
  • Locations: Reporting labels, Emergency addresses, Network topology, Networks and locations.
  • Meetings: Conference bridges, Meeting policies, Meeting settings, Live events policies, Live events settings.
  • Messaging policies: Messaging policies.
  • Voice: Emergency policies, Dial plans, Voice routing plans, Call queues, Auto attendants, Call park policies, Calling policies, Caller ID policies, Phone numbers, Direct routing.
  • Analytics and reports: Usage reports.
  • Org-wide settings: External access, Guest access, Teams settings, Teams upgrade, Holidays, Resource accounts.
  • Planning: Network planner.
  • Teams PowerShell module: all PowerShell cmdlets from the Teams PowerShell module (available from the Teams PowerShell module 3.2.0 Preview version).

Supported RBAC roles include the following:

  • Teams Administrator
  • Global Administrator
  • Teams Communications Administrator
  • Teams Communications Support Engineer
  • Teams Communications Support Specialist
  • Teams Device Administrator
  • Global Reader

Unsupported resources for GDAP access include the following:

  • Manage Teams
  • Team templates
  • Teams Apps
  • Policy packages
  • Teams advisor
  • Call Quality Dashboard

Microsoft 365 Defender

Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

The Microsoft 365 Defender portal is also the home of other products in the Microsoft 365 security stack, such as Microsoft Defender for Endpoint and Microsoft Defender for Office 365.

Documentation of all capabilities and security products is available in the Microsoft 365 Defender portal:

Microsoft Defender for Endpoint:

Microsoft Defender for Office 365:

App governance:

The following are capabilities that are available for tenants accessing the Microsoft 365 Defender portal using a GDAP token.

Resource type and currently supported capabilities (no out-of-scope items are listed):

  • Microsoft 365 Defender features: all Microsoft 365 Defender features (as listed in the documentation above): Incidents, Advanced hunting, Action Center, Threat Analytics, and connection of the following security workloads into Microsoft 365 Defender: Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps.
  • Microsoft Defender for Endpoint features: all Microsoft Defender for Endpoint features listed in the documentation above; see details per P1 / SMB SKU in the table below.
  • Microsoft Defender for Office 365: all Microsoft Defender for Office 365 features listed in the documentation above. See details per license in this table: Office 365 Security including Microsoft Defender for Office 365 and Exchange Online Protection.
  • App Governance: authentication works for the GDAP token (App+User token); authorization policies work according to the user roles as before.

Supported Azure AD roles in Microsoft 365 Defender portal:

Documentation of supported roles in Microsoft 365 Defender portal

Note

Not all roles are applicable to all security products. For information about what roles are supported in a specific product, refer to the product documentation.

Supported MDE features in Microsoft 365 Defender portal per SKU

Endpoint capabilities per SKU Microsoft Defender for Business Microsoft Defender for Endpoint Plan 1 Microsoft Defender for Endpoint Plan 2
Centralized management X X X
Simplified client configuration X
Threat and vulnerability management X X
Attack surface reduction X X X
Next-gen protection X X X
Endpoint detection and response X X
Automated investigation and response X X
Threat hunting and six-month data retention X
Threat analytics X X
Cross-platform support for Windows, MacOS, iOS, and Android X X X
Microsoft threat experts X
Partner APIs X X X
Microsoft 365 Lighthouse for viewing security incidents across customers X

Power BI

For the Power BI workload, the following tasks are currently supported by GDAP.

Resource type, currently supported, and out of scope:

  • Administrator tasks
    - All menu items under "Admin portal" except "Azure connections"
    - Known issue (restriction): first-time users may experience a sign-in failure at the first attempt.
    Out of scope: none.

Supported Azure AD Roles in scope:

  • Power BI Administrator
  • Global Administrator

Power BI properties out of scope:

  • Not all non-administrator tasks are guaranteed to work
  • "Azure connections" under Admin portal

SharePoint

For SharePoint, the following tasks are currently supported by GDAP.

Resource type and currently supported tasks:

  • Homepage: cards render, but data may not render.
  • Sites Management – Active Sites: Create sites: Team site, Communication site; Assign/change site owner; Assign sensitivity label to site (if configured in Azure AD) during site creation; Change sensitivity label of site; Assign privacy settings to site (if not predefined with a sensitivity label); Add/Remove members to a site; Edit site external sharing settings; Edit site name; Edit site URL; View site activity; Edit storage limit; Delete a site; Change built-in views of sites; Export site list to CSV file; Save custom views of sites; Associate site with a Hub; Register site as a Hub.
  • Sites Management – Active Sites: Create other sites: Document Center, Enterprise Wiki, Publishing Portal, Content Center.
  • Sites Management – Deleted Sites: Restore site; Permanently delete site (except for Microsoft 365 group-connected team sites).
  • Policies – Sharing: Set External Sharing policies for SharePoint and OneDrive for Business; Change "More external sharing settings"; Set policies for File and Folder links; Change "Other settings" for sharing.
  • Access control: Set/change unmanaged device policy; Set/change idle session timeout policies; Set/change network location policy (separate from the Azure AD IP policy); Set/change modern authentication policy; Set/change OneDrive access.
  • Settings: SharePoint - Home site, SharePoint - Notifications, SharePoint - Pages, SharePoint - Site creation, SharePoint - Site storage limits, OneDrive - Notifications, OneDrive - Retention, OneDrive - Storage limit, OneDrive - Sync.
  • PowerShell: To connect to a customer tenant as a GDAP admin, use a tenanted authorization endpoint (with the customer's tenant ID) in the AuthenticationUrl parameter instead of the default common endpoint. For example: Connect-SPOService -Url https://contoso-admin.sharepoint.com -AuthenticationUrl https://login.microsoftonline.com/<tenantID>/oauth2/authorize

Roles in scope include the following:

  • SharePoint Administrator
  • Global Administrator
  • Global Reader

SharePoint Admin Center properties out of scope include the following:

  • All Classic Admin features/functionality/templates are out of scope and not guaranteed to work correctly

Dynamics 365 and Power Platform

For Power Platform and Dynamics 365 customer engagement applications (Sales, Service), the following tasks are currently supported by GDAP.

Resource type, currently supported, and out of scope:

  • Administrator tasks
    - All menu items except 'Settings' and environment URL navigation in Power Platform admin center
    - Settings will be fully functional by May 6th, 2022.
    Out of scope: all tasks.

Supported Azure AD Roles in scope include the following:

  • Power platform administrator
  • Global administrator

Properties out of scope:

  • None

Dynamics 365 Business Central

For Dynamics 365 Business Central, the following tasks are currently supported by GDAP.

Resource type, currently supported, and out of scope:

  • Administrator tasks: all tasks*. Out of scope: all tasks*.

* Some tasks require permissions assigned to the administrator user within the Dynamics 365 Business Central environment. Refer to the available documentation.

Supported Azure AD Roles in scope include the following:

  • Dynamics 365 administrator
  • Global administrator
  • Help Desk administrator

Properties out of scope:

  • None

Intune (Endpoint Manager)

Supported Azure AD Roles in scope:

  • Intune Administrator
  • Global Administrator
  • Global Reader
  • Reports Reader
  • Security reader
  • Compliance Administrator
  • Security Administrator

To check access level for the above roles, see the Intune RBAC documentation.

Azure portal

Diagram showing the relationship between partner and customer using GDAP.

Azure AD roles in scope:

  • Any Azure AD role, such as Directory Readers (the least privileged role), for accessing the Azure subscription as owner

GDAP role guidance:

  • The partner and customer must have a Reseller relationship.
  • The partner must create a security group (for example, Azure Managers) for managing Azure and nest it under Admin Agents for per-customer access partitioning, as recommended best practice.
  • When the partner purchases an Azure plan for the customer, an Azure subscription is provisioned and the Admin Agents group is assigned the Azure RBAC Owner role on that subscription.
  • Because the Azure Managers security group is a member of the Admin Agents group, users who are members of Azure Managers become Azure RBAC owners of the subscription.
  • To access the Azure subscription as owner for the customer, any Azure AD role, such as Directory Readers (the least privileged role), must be assigned to the Azure Managers security group.

Visual Studio

Diagram showing the relationship between the Visual Studio managers group and the customer through GDAP.

Azure AD Roles in scope:

  • Any Azure AD role, such as Directory Readers (the least privileged role), for accessing the Azure subscription as owner

GDAP role guidance to partners:

  • Prerequisites:
    • The partner and customer must have a Reseller relationship.
    • The partner must purchase an Azure subscription for the customer.
  • The partner must create a security group (for example, Visual Studio managers) for purchasing and managing Visual Studio subscriptions and nest it under Admin Agents for per-customer access partitioning, as recommended best practice.
  • The GDAP role for purchasing and managing Visual Studio is the same as for Azure GDAP.
  • The Visual Studio managers security group must be assigned any Azure AD role, such as Directory Readers (the least privileged role), for accessing the Azure subscription as owner.
  • Users in the Visual Studio managers security group can purchase Visual Studio subscriptions on the Marketplace at https://marketplace.visualstudio.com (because the group is nested under Admin Agents, these users also have access to the Azure subscription).
  • Users in the Visual Studio managers security group can change the quantity of Visual Studio subscriptions.

Screenshot showing available Visual Studio subscriptions.

  • Users in the Visual Studio managers security group can cancel a Visual Studio subscription (by changing the quantity to zero).
  • Users in the Visual Studio managers security group can add subscribers to Visual Studio subscriptions (for example, browse the customer directory and add a Visual Studio role assignment as subscriber).

Visual Studio properties out of scope:

  • None

DAP AOBO links that are missing from the GDAP Service Management page, and why:

  • Microsoft 365 Planner (https://portal.office.com/): duplicate of the Microsoft 365 https://portal.office.com/ AOBO link that already exists.
  • Sway (https://portal.office.com/): duplicate of the Microsoft 365 https://portal.office.com/ AOBO link that already exists.
  • Windows 10 (https://portal.office.com/): duplicate of the Microsoft 365 https://portal.office.com/ AOBO link that already exists.
  • Cloud App Security (https://portal.cloudappsecurity.com/): Microsoft Defender for Cloud Apps (https://portal.cloudappsecurity.com/) will be retired. This portal will merge into Microsoft 365 Defender (https://security.microsoft.com), which supports GDAP.
  • Azure IoT Central (https://apps.azureiotcentral.com/): currently not supported; out of scope for GDAP.
  • Windows Defender Advanced Threat Protection (https://securitycenter.windows.com): Windows Defender Advanced Threat Protection will be retired. Partners are advised to move to Microsoft 365 Defender (https://security.microsoft.com), which supports GDAP.

Next steps