Skip to main content

DAP Gave Every Partner the Keys to the Kingdom. GDAP Takes Them Back.

Nick Ross5 min read
Granular Delegated Admin Privileges

TL;DR

  • As of November 2021, every DAP relationship grants the partner permanent Global Admin and Helpdesk Admin access to the customer tenant, with no way to narrow it.
  • GDAP, announced by Microsoft in November 2021, lets partners choose granular Azure AD roles per customer and caps every relationship at a maximum of 2 years.
  • GDAP invitation links are unique per customer, unlike the universal regional DAP link, because access levels can now differ tenant by tenant.
  • GDAP writes relationship lifecycle and usage events into Azure AD activity logs on both the partner and customer side, visibility DAP never provided.
  • Microsoft began transitioning remaining active and inactive DAP relationships to GDAP with limited Azure AD roles starting May 22, 2023.

Think about what your Partner Center actually holds: a standing Global Admin credential into every customer tenant you manage. Your distributor holds the same thing. That is what Delegated Admin Privileges (DAP) means in practice, and it is why a single compromised partner or distributor can turn into a compromised customer base. Supply chain attacks like Nobelium ran straight through this design.

In November 2021, Microsoft announced the introduction (opens in new tab) of granular delegated admin privileges, or GDAP, arriving in early 2022. Until now, both distributors (Microsoft Indirect Providers, the CSP Tier 1s) and MSPs (Indirect Resellers) have established DAP with all downstream customers: distributors use it to license tenants and provide support, and you use it to provide support and perform day to day management through Partner Center. GDAP rebuilds that arrangement around least privilege. The details below come from what Microsoft has made public so far; expect a lot more as the rollout approaches.

What actually changes between DAP and GDAP?

DAP vs GDAP comparison chart covering roles, timelines, links, security groups, logs, admin center access, and PIM

The chart above summarizes the differences at a glance. Here is each one unpacked.

Roles go granular

DAP hands you Global Admin and Helpdesk Admin by default, with no ability to change either. GDAP lets you select granular permissions and make them unique per customer. If you work with a distributor today and do not want that third-party risk sitting at Global Admin, this is the change that matters most: realistically a distributor needs rights to license the tenant and provide a baseline of support, not the keys to everything.

Relationships expire

A DAP relationship lasts forever. The customer accepts the delegated admin link once and the relationship is permanent unless someone removes it under Settings > Partner Relationships. GDAP relationships carry a custom duration with a hard maximum of 2 years, which means every 2 years the customer re-approves your access, per customer.

DAP links are universal per region: the same link onboards every customer into Partner Center. Because GDAP access can differ per customer, every invitation link becomes custom to that customer.

Security groups stratify access inside your own shop

DAP has no layers. Everyone in your Partner Center environment with customer access gets the same level of access. GDAP supports nested security groups with separate roles so you can stratify permissions across your team. Microsoft's own example:

"Partners can create a tier 1 support group and grant it service support admin (opens in new tab) and global reader (opens in new tab) roles, which means the group can create tickets on behalf of customers but cannot make any changes. Partners can create a tier 2 support group and grant it high-privilege roles such as Intune admin (opens in new tab), Exchange admin (opens in new tab), and Dynamics 365 admin (opens in new tab)."

Activity logs finally exist

With DAP there are no granular activity logs showing when delegated access is actually used from Partner Center, and nothing records the lifecycle of a relationship: when it was accepted, when it was removed. GDAP writes this into the Azure AD activity logs at both the partner level and the customer level.

More admin centers open up to delegated access

DAP has never let you enter certain admin portals on behalf of customers, and the Security and Compliance center (now splitting into two admin centers) has been the prime example for years. GDAP opens more flexibility here; which additional admin centers become reachable through delegated access remains to be seen.

PIM brings just-in-time elevation

Privileged Identity Management is the Microsoft service for "just in time" access: elevate a role temporarily, perform the admin task, drop back down. PIM will couple with GDAP so partners can elevate into specific security groups carrying specific roles in customer environments, tightening security another notch.

What should you decide before GDAP arrives?

  • Your baseline roles per customer. You now have autonomy over which roles you hold in customer tenants, so you need a baseline, and possibly a stratification, sized to your practice. If you work with a distributor, ask them what their baseline role set is for every customer and request specific roles where applicable. They should be getting rights to license the tenant and provide baseline support, nothing more.
  • The operational overhead. GDAP adds layers: deciding access levels, re-approving relationships at least every 2 years, and managing custom links per customer. We think the security benefits outweigh the added complexity, and either way, you should already be reviewing your access levels in customer tenants periodically, for yourself and for third parties.
  • The admin center win. If GDAP delivers delegated access to the admin centers that have been missing for years, like the Security and Compliance center, it kills the worst workaround in the channel: MSPs creating a Global Admin in each customer tenant and sharing one MFA registration across a group of techs.
  • Free Azure AD Premium P2. Microsoft announced in October 2021 (opens in new tab) that partners get P2 free for a year, which covers PIM. Take advantage of it to tighten your own Partner Center environment.

How does the migration timeline look? (updated May 7, 2022)

Transition of active and inactive DAPs: starting May 22, 2023.

  • Microsoft will begin transitioning active and inactive DAP relationships to GDAP with limited Azure Active Directory (AD) roles, with clarity on which roles promised by March 15, 2023.
  • For relationships transitioned from DAP to GDAP, Microsoft will remove the corresponding DAP relationships 30 days later.
  • The transition pauses for the month of June 2023 to support the fiscal year closure.

Dates for the following milestones were slated for communication on March 15, 2023:

  • Stop new DAPs. DAP is currently granted when a new customer tenant is created; Microsoft will stop granting it.
  • Grant GDAP default roles for new customers. New customer tenants will come with GDAP carrying certain default roles instead.
  • Retire the bulk migration tool.

Partner Center announcement: February 2023 announcements, Partner Center (opens in new tab)

Where to go next

Related walkthroughs:

Microsoft resources:

Frequently asked questions

Why is Microsoft replacing DAP with GDAP?

Supply chain attacks like Nobelium showed that compromising one partner or distributor can compromise every downstream customer, because DAP grants standing Global Admin access to all of them. GDAP applies least privilege to break that blast radius.

How long can a GDAP relationship last?

Up to 2 years. After that the customer has to approve the relationship again, which forces a periodic review of partner access instead of the indefinite access DAP allowed.

Does GDAP work with Privileged Identity Management?

Yes. PIM pairs with GDAP so partner technicians can elevate into specific security groups just in time for a task instead of holding high-privilege roles permanently. Microsoft also announced in October 2021 that CSP partners get Azure AD Premium P2 free for a period to support this.

Least privilege is step one. Proving it holds is step two.

Partner access is one control among hundreds that drift. CloudCapsule checks 250+ controls per tenant in about 60 seconds, so the posture you set under GDAP is the posture you can show.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading