Standing GDAP Access Is a Supply Chain Breach Waiting to Happen
TL;DR
- Most MSPs run standing GDAP access into customer tenants, so one compromised technician account inherits 24/7 admin rights across every downstream tenant.
- PIM for Groups in Entra ID makes technicians eligible for group membership instead of permanent members, with activation gated by MFA, justification, and optional approval.
- A three-tier group model keeps helpdesk work friction-free while putting approvals and one-hour windows around high-impact roles.
- PIM for Groups requires Entra ID P2 or Microsoft 365 E5 in the MSP tenant, not in customer tenants.
- Activated membership expires automatically, so after-hours and weekend access simply does not exist unless someone activates it.
Ask an attacker what they want for Christmas and they will describe a technician account at an MSP: one credential with always-on admin rights into dozens, sometimes hundreds, of customer tenants. That is exactly what standing GDAP access creates, and most MSPs are still running it.
The fix is not new tooling. It is Privileged Identity Management (PIM) for Groups in Entra ID, which converts those always-on rights into just-in-time (JIT) access: time-bound, MFA-gated, optionally approved, and fully audited. This post covers why standing access is the risk, the tiered architecture we recommend, and the exact steps to deploy it.
What makes standing GDAP access so dangerous?
If you run an MSP, your GDAP relationships probably grant technicians roles like Global Reader, Exchange Admin, Intune Admin, and sometimes (yikes) Global Administrator across every customer. In many environments those assignments are always on, around the clock.
That convenience becomes a liability the moment a technician account is compromised, for example through token theft or a successful adversary-in-the-middle phish. The attacker inherits the same 24/7 rights into every downstream tenant your team can reach. That is how supply chain risk propagates from one MSP login to an entire client base.
The fix is to replace standing access with JIT access: engineers activate only the rights they need, when they need them, for a tightly controlled window, and those rights expire automatically.

How PIM for Groups changes the model
PIM for Groups lets you:
- Make technicians eligible for group membership instead of permanent members
- Require activation with time limits, MFA, justification, and optional approval
- Audit every activation: who, when, where, and for how long
The result: after hours, on weekends, and over holidays, your techs hold no lingering rights into customer tenants. If a tech account is compromised, the attacker still has to activate access, and your controls (MFA, approval, alerts) stand in the way.
A three-tier group architecture that matches real work

Create PIM-enabled groups that map to the work your team actually does. Keep the least-privileged work easy, and escalate controls as permissions increase.
Tier 1, everyday helpdesk (low impact)
- Examples: password reset, basic user management, Global Reader
- Controls: JIT activation, no approval, justification optional, 8 to 10 hour max duration (shift length)
Tier 2, admin workloads (moderate impact)
- Examples: Exchange Admin, Teams Admin, Intune Admin
- Controls: JIT activation, MFA plus justification (ticket number), shorter 1 to 2 hour windows
Tier 3, high impact and emergency (very high impact)
- Examples: Security Admin (avoid putting Global Admin here if at all possible)
- Controls: JIT activation, MFA plus justification plus approval, windows of 1 hour or less, enhanced notifications
Tip: if you use tooling that creates one security group per permission (like CIPP), you can enable PIM on each group for the most granular least-privilege model. More setup work, superb risk containment.
What you need before you start
- Licensing: Entra ID P2 (or Microsoft 365 E5) in your MSP tenant for PIM for Groups
- GDAP relationships already established in Partner Center
- A clear inventory of the roles your team genuinely needs across tenants
Step by step: configure PIM for Groups in the MSP tenant
1. Create or identify the security group
- Entra ID → Groups → New Group → Security
- Name it clearly (for example
GDAP-Tier1-Helpdesk,GDAP-Intune-Admins)
2. Enable PIM on the group
- Entra ID → Privileged Identity Management → Groups → Discover groups
- Select your group → Enable PIM for this group
- Set Assignment type = Eligible for technicians, not Active
3. Configure activation settings per tier
- Activation duration:
- Tier 1: up to a full shift (8 to 10 hours)
- Tier 2: 1 to 2 hours
- Tier 3: 1 hour or less
- Require Azure MFA: on for all tiers
- Require justification / ticket number: on for Tiers 2 and 3
- Require approval: on for Tier 3
- Notifications: keep Tier 1 quiet to avoid noise from daily activations; notify on Tier 2 and 3 activations and on new assignments
Note: if a user has already satisfied MFA in their session, PIM may not prompt again during activation. That is expected behavior; it respects existing MFA session claims, even though some admins wish it always re-prompted.
4. Map the group to customer tenants through GDAP
- Partner Center → Customers → Granular admin relationships
- Add your PIM-enabled security group to the relationship
- Grant the specific roles (for example Directory Reader, User Admin, Intune Admin) the group should hold in that tenant
5. The daily activation flow for technicians
- Tech signs in → PIM → Groups → Activate
- Provides justification or ticket number, if required
- Completes MFA and/or waits for approval, if required
- Works within the time window
- Membership auto-expires, no cleanup needed
Microsoft's reference docs: Privileged Identity Management (PIM) for Groups, Microsoft Entra ID Governance (opens in new tab)
How do you roll this out without breaking the helpdesk?
- Start with one customer tenant and one tier (Tier 1).
- Document the flow with screenshots and a 60-second video clip for your team.
- Collect feedback on friction points.
- Add Tier 2, then Tier 3 with approvals.
- Scale out across tenants once the process feels smooth.
PIM for Groups changes what a compromised technician account is worth. You reduce supply chain risk, gain clear audit trails, and keep the team moving fast. Prove the workflow on Tier 1, then bring the stronger controls online.
Frequently asked questions
Why does PIM sometimes skip the MFA prompt during activation?
If the user already satisfied MFA in their current session, PIM honors the existing MFA claim and may not prompt again. That is expected behavior as of December 2025, even though many admins would prefer a forced re-prompt.
Which license do you need for PIM for Groups?
Entra ID P2 or Microsoft 365 E5 in your MSP tenant. Customer tenants do not need the license; the PIM-enabled groups live on your side and map into customer tenants through GDAP.
Does this work with CIPP or similar tooling?
Yes. If your tooling creates one security group per permission, as CIPP does, you can enable PIM on each group individually. It is more setup work, but it gives you the most granular least-privilege model available.
Prove the access model, not just the intention
CloudCapsule checks the tenants you manage for privileged access risks like standing admin rights and missing MFA, and gives you the report to show clients the gap is closed. 250+ controls, 60 seconds.
Book a demo
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


