GDAP Is Live in Partner Center. Here Is the Full Setup, Request to Role Assignment.
TL;DR
- Microsoft technically released GDAP for Microsoft 365 workloads in January 2022, with Azure support planned later in 2022.
- Every GDAP relationship carries a custom name, a duration capped at 2 years, and a specific set of Azure AD roles.
- A GDAP invitation link works for exactly one customer and must be approved by a Global Admin in that customer's tenant.
- Customer acceptance is not the end of setup: no one has access until you assign security groups to the relationship's roles in Partner Center.
- GDAP takes precedence over DAP, so a too-narrow test relationship can lock you out of admin centers you could previously reach.
January 2022 brought the technical release of GDAP, Granular Delegated Admin Privileges, for Microsoft 365 workloads, with Azure following later in 2022. The model itself is covered in our GDAP overview: GDAP replaces existing delegated admin relationships with true least-privilege access, improving security across the channel and shrinking the blast radius of supply chain attacks like the SolarWinds and Kaseya incidents of 2021. This post is the practical half: establishing GDAP relationships in Partner Center, end to end.
The part most MSPs miss on their first pass: the customer accepting your invitation is the middle of the process, not the end. Until you map security groups to roles, nobody on your team has access. We will get there.
What shipped in the January 2022 release?

How do relationships, roles, and security groups fit together?

With GDAP you can create one or many admin relationships per customer. Each relationship gets a duration (maximum of 2 years) and a set of granular Azure AD roles. On your side, you can create new security groups in your Azure AD or use the existing ones (Admin Agent, Helpdesk Agent, and so on), and those security groups get assigned to the roles across customers. As the diagram shows, you can get as granular as you want.
Requesting the relationship in Partner Center
- In Partner Center, navigate to the Customers tab > Administer > Request Admin Relationship

Fill out the name, duration, and Azure AD roles.
For the name, use a standard naming convention across all customers to keep things organized; the example here uses the format MSA-customerName. Pick whatever you like, but know that the same name cannot be used more than once in your tenant.
The duration maxes out at 2 years, though shorter relationships make sense for things like contract work.

Selecting Azure AD roles is where GDAP starts to feel overwhelming, because nobody managing SMB tenants has ever had to go this granular. The trap is standing up a relationship and then discovering you did not include the permissions needed to actually support the customer. Role selection deserves its own article, and there is a lot to weigh; we recommend this guide on choosing GDAP roles.
Select the roles from the pop-out window:

When you finish selecting roles, choose Save at the bottom of the pop-up, then Finalize Request. Partner Center generates a template email containing a custom invitation link and a description of the duration and roles. That link is what the customer accepts, and it requires a Global Admin in the customer tenant to approve.

When the customer opens the link as a Global Admin, they see this:

After a refresh, the relationship appears in the customer tenant under Settings > Partner Relationships:

Keep in mind: a GDAP relationship can only be used for one customer. If you try to reuse a generated link with another customer after one has accepted it, it will fail.
Mapping security groups to the relationship
The customer accepting the GDAP link is not the end of the process. You now need to assign security groups to that relationship in Partner Center.
Go to the customer page for each customer that has accepted a GDAP relationship and click Admin relationships to view the existing GDAP configurations:

Click + Add Security Group to bring up a pop-up of your existing security groups. If you need new security groups, create them in the aad.portal.azure.com portal first. After selecting a security group, add one or many of the Azure AD roles that were part of the relationship:


Two warnings before you start testing
GDAP takes precedence over DAP. Do not lock yourself out of admin centers because you are experimenting: a narrow GDAP relationship overrides the broad DAP access you had, for that customer.
Plan the DAP to GDAP transition. Microsoft published a bulk migration tool, available through the end of November 2022, and the team behind CIPP built a migration tool of their own. See our comparison of the two for more.
Frequently asked questions
Can one GDAP invitation link be reused across customers?
No. A GDAP relationship applies to a single customer. If another customer tries a link that has already been accepted, it fails. Generate a separate request per customer.
Who can approve a GDAP request in the customer tenant?
A Global Admin in the customer tenant. The finalized request generates a template email with the custom invitation link plus a description of the duration and roles.
What is the maximum duration of a GDAP relationship?
Two years. Shorter durations are worth considering for temporary engagements like contract work.
Set the roles once. Know when they drift.
GDAP narrows your access; CloudCapsule watches everything else. 250+ posture controls per customer tenant, checked in about 60 seconds each.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


