GDAP Access That Expires: Setting Up Azure AD PIM Groups for Customer Tenants

TL;DR
- Pairing Azure AD Privileged Identity Management with GDAP gives MSP technicians just-in-time access to customer workloads instead of perpetual standing access.
- PIM requires Azure AD P2 licensing, which as of March 2022 Microsoft was offering free for a year to indirect resellers.
- Only security groups created with the Azure AD Roles toggle set to Yes can be used for PIM eligible memberships, and the toggle cannot be changed after creation.
- Eligible PIM assignments can last up to one year, and each activation defaults to a maximum of 8 hours unless you change the setting.
- Requiring a reason at activation gives you a built-in audit trail for every privileged session into a customer tenant.
Most MSP technicians do not need access to every customer tenant every hour of every day. GDAP already narrowed what your techs can touch; Azure AD Privileged Identity Management (PIM) narrows when they can touch it. Instead of perpetual membership in the security groups behind your GDAP relationships, techs hold an eligible membership they activate for a few hours, with a reason logged every time.
We covered how to pick the roles themselves in our notes on choosing GDAP roles. This walkthrough covers the next step up: wiring PIM to the security groups in your own Azure AD tenant so customer access becomes just-in-time rather than standing. Everything below reflects the portals as of March 2022.
What you need before you start
One prerequisite: an active Azure AD P2 subscription in your partner tenant, because PIM is a P2 feature. As of March 2022, Microsoft was offering Azure AD P2 free for a year (opens in new tab) to indirect resellers, which makes this a cheap moment to pilot a least-privilege model inside your own organization.
The build has five parts:
- Create a security group with Azure AD role assignment enabled
- Enable privileged access on the group
- Add eligible assignments
- Attach the security group to a GDAP relationship's workloads
- Test a user activating their membership
Step 1: Create a role-assignable security group
PIM eligible memberships only work on groups created with role assignment enabled, so this choice happens at creation time.
Create a new security group and toggle Azure AD Roles to Yes. The group does not need any owners, members, or roles assigned to be created. It is likely you will leave all of those blank and add eligible members in the next step instead.

Step 2: Turn on privileged access for the group
Open the group from the Groups blade, select Privileged Access, and click Enable Privileged Access.

Step 3: Add eligible members instead of permanent ones
Once privileged access is enabled, you can add two kinds of assignments: permanent (Active) or eligible. Eligible means the user can activate the membership for a specified window rather than holding it continuously. Click the Eligible tab and then Add Assignments.

From the dropdown, select Member, then add the users who should be able to activate. These are the people in your Partner Center who access specific customer workloads, whether that is Global Reader, Exchange, SharePoint, or something else.

After selecting members, set the duration of eligibility. The maximum is one year, and you can shorten it as needed.

Step 4: Attach the group to a GDAP workload
The group now needs to be assigned to a workload from an existing GDAP relationship. This step assumes the relationship is already in place; if you have not established one yet, see our walkthrough on adding GDAP relationships.
In Partner Center, go to Customers, then Administer, and select a single customer.

Select one of your existing GDAP relationships.

Click Add Security Groups, select the group you just created, and click Next.

Pick the roles matching the workload this group should reach. In this example the group gets Global Reader. After you save, the status moves from Pending to Active in about 30 seconds, though you may need to refresh the page.

Step 5: Activate a membership and prove it works
With the PIM group attached to a workload, test the experience your techs will have.
Sign in to aad.portal.azure.com (opens in new tab) as a user you added as an eligible member. From the left navigation, select All Services and search for Azure AD Privileged Identity Management.

From the main page, select My Roles.

Select Privileged Access Groups and click Activate.

Enter the number of hours you need and a reason for the activation. That reason field is worth taking seriously: it gives you an audit trail for compliance with zero extra tooling.

Once you activate, Azure AD automatically walks through the activation steps and refreshes your session.

The Active Assignments tab now shows the membership as active, including the end time and the option to deactivate early.

With the membership active, confirm access through Partner Center: Customers, then Administer, then expand the customer you attached the security group to.

The workloads listed should mirror the roles you granted the group. With Global Reader, you can open the M365 Admin Center, click into Users, and view accounts but not create them. If you assigned something narrower, like Exchange Admin, Exchange should be the only workload you see.
Tightening the activation rules
The defaults work, but PIM's management settings let you go further: require approval before an activation succeeds, prompt for MFA at activation, or change the maximum activation duration from the 8-hour default.
In the Azure AD portal, return to Azure AD Privileged Identity Management from All Services, select Privileged access groups, and open the security group you created.

Under Manage, select Settings.

Click Member to reach every granular setting for the eligible membership.

Where PIM fits in your access model
We think PIM belongs in front of the higher tiers of customer access, such as the Global Reader assignment used in this example. The goal is secure access, not punitive access: if you lock everything behind activation, every routine investigation becomes a chore. A practical split is a perpetual security group for the techs who are in customer portals constantly, and eligible PIM membership for everyone who only needs access occasionally.
Frequently asked questions
Do you need Azure AD P2 for every technician using PIM with GDAP?
PIM is an Azure AD P2 feature in your partner tenant. As of March 2022, Microsoft offered indirect resellers a free one-year Azure AD P2 trial, which makes it a low-risk time to pilot just-in-time access.
Should every tech go through PIM activation for customer access?
No. A sensible split is a perpetual security group for techs who live in customer portals every day, and eligible PIM membership for techs who only occasionally need access. Locking everything behind activation makes routine administration painful.
Can you require approval before a tech activates membership?
Yes. The PIM settings for the group let you require approval to activate, require MFA on activation, and change the maximum activation duration from the 8-hour default.
Standing access is drift you can measure
CloudCapsule scans every customer tenant for risky access and 250+ other controls in about 60 seconds, so you can prove the least-privilege work you just did is still holding next quarter.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


