Skip to main content

DAP Has Been Consenting Your Apps for You. GDAP Will Not.

Nick Ross2 min read
Vendor Integrations will Break with GDAP

TL;DR

  • App registrations use DAP relationships as a form of pre-consent, so as long as DAP exists they can mint access tokens for every customer tenant automatically.
  • GDAP has no pre-consent mechanism, which means every app registration must be consented per customer tenant.
  • Starting January 17, 2023, Microsoft stops creating DAP for new customer relationships and begins removing DAP relationships inactive for 90 days.
  • Starting March 1, 2023, the bulk migration tool retires and Microsoft begins transitioning remaining DAP relationships to GDAP with limited Azure AD roles.
  • The practical fix is a GDAP relationship carrying the Application Administrator or Global Admin role, used to consent on the customer's behalf via the adminconsent URL.

There is a follow-up to this article covering the remediation in depth: Vendor Integrations Break with GDAP: The Fix!

This post assumes you know what GDAP (Granular Delegated Admin Privileges) is. If not, start with the overview.

Most MSPs never had to think about how their vendor tools authenticate into customer tenants, because DAP quietly handled it. That free ride is ending, and the bill arrives in early 2023.

Why the breakage happens

If a vendor's product runs on an app registration, or you built your own automation on one across your customers, that integration breaks when you move to GDAP and DAP is removed. The mechanics:

  • App registrations use DAP relationships as a form of pre-consent across your customer tenants. As long as DAP relationships exist, the app can create access tokens for customer environments and make API requests with whatever API permissions it was granted.
  • GDAP has no equivalent pre-consent. Every app registration has to be consented on a per-customer basis.

Who runs on app registrations? A partial list:

  • IT Glue
  • CIPP
  • Immy Bot
  • Lionguard
  • Cloud Radial
  • HaloPSA

And one more entry for the list: you. If you call the Microsoft Graph API across your customers internally, you are using an app registration too.

The clock on this, as of October 2022

Microsoft's GDAP timelines (subject to change, as always):

Starting January 17, 2023:

  • Microsoft stops creating DAP relationships when a new customer or reseller relationship is created.
  • Microsoft starts removing inactive DAP relationships that have not been used in 90 days.

Starting March 1, 2023:

  • The bulk migration tool for upgrading customer-granted DAP connections to GDAP retires.
  • Microsoft begins transitioning remaining active DAP relationships to GDAP with limited Azure AD roles for least-privilege customer management. Partners will need to perform extra steps to keep Azure subscription access once the limited roles land, as documented (opens in new tab).

The line that matters: once DAP relationships are removed or can no longer be established, app registrations lose the ability to read or write in those customer tenants. Unless Microsoft moves the dates again, the breakage starts in early 2023.

With pre-consent gone, consent has to happen per customer, and there are only two real options right now:

  1. Consent to each app registration per customer using that customer's Global Admin credentials
  2. Create a GDAP relationship carrying the Application Administrator or Global Admin role and consent on the customer's behalf

The second option is the one MSPs actually want, because it uses existing users in your Partner Center environment. Once the GDAP relationship exists and is assigned to a security group, any user in that group can consent to the application on behalf of the customer. The consent link is formatted as:

text
https://login.microsoftonline.com/<customerTenantID>/adminconsent?client_id=<AppID>

Opening it prompts you to sign in and accept the app registration's permissions:

Admin consent prompt for an app registration in a customer tenant

If you are a vendor, say something now

Vendors shipping products built on app registrations should be educating partners on these changes today. The alternative is a support queue full of "your product stopped working" calls the week DAP relationships disappear.

Frequently asked questions

Which tools does this affect?

Any vendor that authenticates through an app registration: IT Glue, CIPP, Immy Bot, Lionguard, Cloud Radial, and HaloPSA, to name a few. Any in-house Microsoft Graph automation you run across customers uses an app registration too.

When will integrations actually start failing?

When the DAP relationship backing them is removed or can no longer be established. Unless Microsoft changes timelines again, expect app registrations to start breaking in early 2023.

What does the per-customer consent URL look like?

https://login.microsoftonline.com//adminconsent?client_id=, opened by a user in a security group attached to a GDAP relationship holding the Application Administrator or Global Admin role.

Know what every app can touch, in every tenant

Consented app registrations are exactly the kind of quiet standing access that turns into risk. CloudCapsule surfaces risky consents and posture gaps across all your customer tenants in about 60 seconds each.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading