Skip to main content

Lighthouse Turns GDAP Migration Into a Wizard, Not a CSV Project

Nick Ross4 min read

TL;DR

  • Starting January 17, 2023, Microsoft stops creating DAP relationships for new customers and begins removing DAP relationships inactive for 90 days.
  • After March 1, 2023, the Lighthouse GDAP tool still works, but it generates a per-tenant relationship link each customer must manually accept, so migrating before that date saves real time.
  • Lighthouse's predefined role tiers are the standout feature: recommended Azure AD role partitions you can rename and trim to fit your organization.
  • Just-in-time access for high-privilege roles requires Azure AD P2 licensing and creates an Access Package behind the scenes.
  • Compared with CIPP and Microsoft's bulk migration tool, Lighthouse is the only option with suggested roles and native PIM/JIT support.

The first generation of GDAP migration tooling was a CLI and a stack of CSVs, and it showed. We compared those options in an earlier video on GDAP bulk migration, and clunky was the polite word. Since then, the Microsoft 365 Lighthouse team has shipped a purpose-built GDAP migration tool that moves partners off DAP in bulk, across customers, through an actual wizard designed for how MSPs work. This post covers the deadlines that make the move urgent, what the wizard looks like end to end, and how Lighthouse stacks up against CIPP and the older bulk migration tool.

Why January 17 and March 1, 2023 are the dates that matter

Two milestones raise the urgency if you have not yet adopted a bulk migration approach.

Starting January 17, 2023:

  • Microsoft stops creating DAP relationships when a new customer or reseller relationship is created.
  • Microsoft starts removing inactive DAP relationships that have not been used in 90 days.

Starting March 1, 2023:

  • The Bulk Migration Tool for upgrading existing customer-granted DAP connections to GDAP goes away.
  • Microsoft begins transitioning remaining active DAP relationships to GDAP with limited Azure Active Directory (Azure AD) roles for least-privilege customer management. Partners will need to perform additional documented steps to keep access to Azure subscriptions after the limited roles are granted.

The Lighthouse migration tool survives past March 1. The catch: after that date, it can no longer automatically transition your active DAP relationships. Instead, you get a GDAP relationship link per tenant that each customer must accept manually. Migrating before the deadline spares you that one-customer-at-a-time slog.

What you need before launching the wizard

Walking through the wizard

Head to https://lighthouse.microsoft.com/ (opens in new tab) and a new widget kicks off the GDAP wizard.

Microsoft 365 Lighthouse home page widget launching the GDAP setup wizard

Tiers: Microsoft suggests the role partitions for you

The wizard opens with predefined tiers, recommendations for partitioning the various Azure AD roles within your organization. We think this is the single best part of the tool. You can rename the tiers to match how your org actually works and unselect any recommendation tied to an Azure AD role you will not use.

Predefined GDAP role tiers with recommended Azure AD role assignments in Lighthouse

Templates: one permission set per service level

Next come GDAP templates, where you apply one or many tiers to each template. Our MSP runs two: License Only and Managed Services. License-only customers need significantly fewer permissions than managed service customers, and templates keep that split clean.

Creating GDAP templates and assigning role tiers in Lighthouse

Security groups and just-in-time access

Security group creation follows. You create a new security group for at least each tier you plan to use, and the wizard steps through each template so you can associate the right groups. The example below also shows extra settings for the JIT tier. Just-in-time access works much like PIM but adds further security for the highest-privilege roles, Global Admins, Application Admins, and similar. We consider a JIT or PIM layer an important companion to GDAP, not an optional extra. Behind the scenes, Lighthouse creates an Access Package in your Azure AD environment with the settings you define here.

Security group association and just-in-time access settings in the Lighthouse GDAP wizard

Assign customers and confirm the relationships

The final section associates each template with one or many customers.

Assigning GDAP templates to customer tenants in Lighthouse

You get a summary to review, then a status page listing the customers where a GDAP relationship was successfully added.

Status page showing customers with successfully created GDAP relationships

To verify, open Partner Center and search for one of the companies: the new GDAP relationship appears under the Admin Relationships section.

GDAP relationship listed under Admin Relationships in Partner Center

Full demo on video: watch the Lighthouse GDAP migration walkthrough (opens in new tab).

How Lighthouse compares with CIPP and the bulk migration tool

Feature comparison of Lighthouse, CIPP, and the Microsoft bulk migration tool for GDAP

The diagram leans toward Lighthouse, and we will own that bias, because it currently offers the most complete migration option:

  • Templates exist in the bulk migration tool too, but building them is manual CSV work.
  • Group creation happens in both CIPP and Lighthouse, but CIPP creates one group per Azure AD role, which gets messy fast given the sheer number of groups. Lighthouse consolidates groups and reuses them across templates and roles.
  • Suggested roles are, in our view, the number one feature of Lighthouse.
  • Native PIM/JIT support exists only in Lighthouse. The bulk migration tool can get there, but only if you manually build the JIT/PIM groups as a prerequisite.
  • CIPP and Lighthouse are both genuinely easy to use.

Where we land

If you have not started the move to GDAP, use the Lighthouse migration tool. We worked with the Lighthouse team during earlier phases of the rollout and the attention to the MSP space was real, not a slide-deck claim. They are also building functionality for the longer-term management of GDAP relationships, which is the part of this story that matters after migration day.

Frequently asked questions

Do customers need specific licensing to appear in the Lighthouse GDAP tool?

No. There are no customer eligibility requirements; a tenant with any type of licensing shows up as selectable in the tool. The partner-side requirement is that a Global Admin runs the wizard, and Azure AD P2 licensing is needed only for the JIT features.

What happens if you run the Lighthouse migration tool after March 1, 2023?

The tool remains available, but it no longer transitions active DAP relationships automatically. Instead, you receive a GDAP relationship link per tenant that each customer must accept manually, one by one.

How is JIT in Lighthouse different from PIM?

Just-in-time access works much like PIM but adds another layer of control for the highest-privilege roles such as Global Admin and Application Admin. Lighthouse implements it by creating an Access Package in your Azure AD environment with the settings you define in the wizard.

GDAP is step one. Proving the tenants stay secure is the job.

Once least-privilege access is in place, every tenant still drifts. CloudCapsule checks 250+ controls across all your customers in about 60 seconds, so the posture you migrated to is the posture you keep.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading