Microsoft's GDAP Migration Tool Is a CLI and a Pile of CSVs. CIPP Built a Wizard.
TL;DR
- Without a bulk migration tool, every GDAP relationship must be accepted manually per customer by a Global Admin in that customer's tenant.
- Microsoft extended the bulk migration tool's availability from the end of October 2022 to March 2023, and after that the manual path is all that remains.
- Microsoft's tool is a CLI driven by three CSV files for customers, Azure AD roles, and security groups, and it expects the security groups to exist already.
- CIPP's built-in migration wizard is far simpler but creates one new security group per Azure AD role, fixes durations at 730 days, and names relationships with a GUID.
- Choose Microsoft's tool when you need custom durations, naming conventions, existing or PIM-enabled security groups, or many roles mapped to one group.
Every MSP staring down the GDAP deadlines eventually meets the same fork in the road: migrate DAP relationships in bulk now, or accept new GDAP relationships manually, per customer, with a Global Admin inside each customer tenant, the same ceremony DAP onboarding used to require. The bulk path only exists for a limited time. Microsoft originally gave partners until the end of October 2022 to use its migration tooling and has since pushed that to March 2023 (opens in new tab).
If GDAP itself is still fuzzy, read the overview article first; it links to the other helpful resources.
What surprised us about Microsoft's tool is what it is not: there is no UI in Partner Center. It is a CLI plus CSV files, which is a rough first impression for anyone still getting up to speed on GDAP. The team behind CIPP saw the same gap and built their own migration tool into the CIPP app, and the user experience is 100x better. Both are demonstrated end to end in this video:
Watch the GDAP bulk migration demo: CIPP vs Microsoft (opens in new tab)
The decision in two sentences
If you want simplicity and ease of use around GDAP, CIPP is a great option. If you want granular control over the setup, Microsoft's bulk migration tool is the one that bends, and these are the common reasons you would need it to:
- You want to set different durations per relationship
- You want your own naming conventions
- You want Azure AD roles assigned to existing security groups instead of newly created ones
- You do not want a strict 1:1 mapping of role to group; you want multiple AD roles on a single security group
- You want PIM enabled security groups
What Microsoft's tool demands of you
The full guide is in Microsoft's documentation (opens in new tab). The prerequisites stack up:
- Homework first: know which customers, Azure AD roles, and security groups you are configuring for GDAP
- Security groups you plan to use must already exist (created manually)
- An app registration in Azure AD
- A Global Admin
- A new service principal for the GDAP APIs
- .NET Framework installed
- A zip file downloaded from GitHub
From there, the CLI downloads and manipulates three CSV files:
- Customers file: which customers to migrate, the name for each GDAP relationship, and the duration (730 days maximum, custom values allowed)
- AD roles file: the Azure AD roles to assign to the GDAP relationships, by name, description, and GUID
- Security groups file: maps the Azure AD roles onto security groups that already exist in your environment
It migrates one or many customers per run, and there is no limit on how many times you can use it.
What CIPP does instead
CIPP's migration wizard is built into the app, and the prerequisite list is short:
- The same homework: know your customers, Azure AD roles, and security groups
- A Global Admin
The wizard walks you through selecting customers and Azure AD roles. The trade-off is convention over configuration:
- CIPP creates a new security group in your Partner Center environment per Azure AD role; an Exchange Admin role produces an M365 GDAP Exchange Administrator group
- Duration defaults to 730 days
- The GDAP relationship name defaults to a GUID
Like Microsoft's tool, it handles one or many customers per run with no usage limit.
Pick based on your security group design, not the UI
The UI gap is real, but the deciding factor should be the access model you mapped out before migrating. If your GDAP design calls for PIM enabled groups, multiple roles per group, or naming a compliance auditor can read, the CSVs are worth the friction. If your design fits CIPP's conventions, take the wizard and bank the afternoon.
Frequently asked questions
Is there a limit on how many times either tool can run?
No. Both Microsoft's bulk migration tool and CIPP's wizard can move one or many customers per run, with no limit on the number of runs.
What homework do both tools require before you start?
The same homework: know which customers you are migrating, which Azure AD roles you need, and which security groups the roles map to. Neither tool makes those decisions for you, and both require a Global Admin.
Can CIPP's wizard assign roles to existing security groups?
No. As of October 2022, CIPP creates a new security group per Azure AD role, for example an Exchange Admin role produces an M365 GDAP Exchange Administrator group. Use Microsoft's tool if you need existing groups or many-to-one mappings.
After the migration, prove the access model holds
GDAP is step one; keeping every tenant's controls passing is the recurring work. CloudCapsule scans 250+ controls per customer tenant in about 60 seconds and hands you the report.
Book a demo
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


