Stop Cloning Admin Agents: How to Pick a GDAP Role Baseline That Holds Up

TL;DR
- A GDAP relationship is the full bucket of permissions you could hold in a customer tenant; security groups in your own Azure AD decide who actually gets which slice.
- GDAP role assignment is not one-to-one: you can map as many security groups as you want to one relationship, broken out by technician tier or by workload.
- Microsoft's delegate-by-task documentation lists the least privileged Azure AD role for each admin task and is the right starting point for a GDAP role baseline.
- Granting Global Administrator through GDAP defeats much of its purpose; Global Reader covers most needs, and remaining GA access belongs behind a PIM-gated security group.
- As of March 2022, not every workload supported GDAP admin-on-behalf-of links, so keeping DAP alongside GDAP until coverage completes was the pragmatic move.
The hardest part of GDAP is not creating the relationship. It is the dropdown that follows: a list of granular Azure AD roles most MSPs have never had to think about, because DAP handed everyone Global Admin and called it a day. If you need the background on what GDAP is in the first place, start with the high-level overview. This post is about the decision that comes after: which roles to request, and how to structure them so the granularity actually means something. Everything here reflects GDAP as it stood in March 2022.
Think in buckets, not checkboxes

The architecture rewards a moment of planning. The GDAP relationship link is the large bucket: every permission you could possibly want in that customer's environment. Once the relationship is established, you assign those roles to security groups inside your own organization, and that mapping is not one-to-one. You can carve as many sub-buckets as you want with as many security groups as you want.
Most partners have only ever used the Admin Agents and Helpdesk Agents groups in Partner Center. We would push hard against recreating that pattern. Depending on the size of your organization, build security groups per technician tier, or break them out by workload: Intune, 365 licensing, Exchange, and so on. The groups are the mechanism that turns a pile of granted roles into actual least privilege.
Build the baseline from Microsoft's least-privilege map
Microsoft maintains a breakdown of which Azure AD role is least privileged for each admin task (opens in new tab), alongside broader roles that encompass each permission set. Run through that list and define a baseline: the roles you would always want in any customer environment.
Two things fall out of that exercise:
- Some roles you will simply never need in certain environments, MFA Server being an obvious example. Leave them out.
- Some rights are customer-specific. If a customer has no Power BI footprint, the Power BI permission has no business being in that customer's GDAP invitation.
If you have never defined access controls for your Partner Center users, a simple matrix works: technicians down one axis, roles across the other, and an honest answer in each cell about who needs what. That exercise produces both your baseline and your per-customer exceptions.
The Global Admin problem
Work through the least-privilege documentation and you will notice a handful of tasks still list Global Administrator as the minimum role, mostly initial configuration jobs like setting up AD Connect. Requesting Global Admin through GDAP defeats much of the point of GDAP.
Our recommendation, in order:
- Reach for Global Reader first. It grants no write capability, and GDAP opens portals that delegated administration never reached before, including the Security and Compliance Center. That alone should retire some bad habits, like a shared customer-tenant GA account with MFA codes passed between techs.
- If you genuinely need GA, gate it. Put the Global Administrator role on its own dedicated security group and control that group's membership with PIM (Privileged Identity Management). The key points:
- Azure AD P2 licensing, which includes PIM, was open as a free full-year trial for indirect resellers as of March 2022.
- You can create a role-assignable group in Azure AD and configure eligible members for just-in-time access, optionally gated by approval. Microsoft documents the pattern here: assign eligible group members and owners (opens in new tab).
- That security group gets applied against the customer with Global Administrator rights attached.
- When someone in your org needs GA, they request temporary membership, do the task in the customer tenant, and the membership expires.
The result: the GA permission can still exist in your GDAP relationship, but the attack surface around it shrinks to the hours someone has actively claimed it.
Keep DAP until the gaps close
One caveat that matters as of March 2022: not every workload supported GDAP yet. Adding the SharePoint Admin role, for instance, did not yet produce the admin-on-behalf-of link into that admin center. Until coverage completes, keep your DAP relationships running alongside GDAP rather than cutting over early and stranding your techs.
Frequently asked questions
Why not just recreate Admin Agents and Helpdesk Agents under GDAP?
Because those two groups are exactly the all-or-nothing model GDAP exists to replace. Creating purpose-built security groups per tier or per workload is what makes the granularity real.
Do you still need DAP after setting up GDAP?
As of March 2022, yes, for some workloads. If you added the SharePoint Admin role through GDAP, for example, the admin-on-behalf-of link to that admin center did not exist yet, so dropping DAP early would have cut off access.
What about tasks where Global Admin is still the least privileged role?
A few setup tasks, like initial AD Connect configuration, still listed Global Admin as the minimum as of March 2022. Gate that role behind a dedicated security group with PIM-controlled membership rather than handing it out as standing access.
Your role baseline is only as good as its enforcement
CloudCapsule checks privileged access and 250+ other controls across every tenant you manage, so the least-privilege design you built this quarter does not quietly unravel by the next one.
Book a demo
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


