GDAP frequently asked questions
Appropriate roles: All users interested in Partner Center
Granular delegated admin permissions (GDAP) give partners access to their customers' workloads in a way that is more granular and time-bound, which can help to address customer security concerns.
With GDAP, partners can provide more services to customers who might be uncomfortable with the high levels of partner access.
GDAP also helps with customers who have regulatory requirements to provide only least-privileged access to partners.
Setting up GDAP
Who can request a GDAP relationship?
Someone with the Admin agent role at a partner organization can create a GDAP relationship request.
Does a GDAP relationship request expire if the customer doesn't take any action?
Yes. GDAP relationship requests expire after 90 days.
Can I make a GDAP relationship with a customer permanent?
No. Permanent GDAP relationships with customers aren't possible for security reasons. The maximum duration of a GDAP relationship is two years. You can set Auto extend to Enabled to extend an admin relationship by six months at a time, until the relationship is terminated or Auto extend is set to Disabled.
Does GDAP relationship support enterprise agreement?
No, GDAP relationship doesn't support subscriptions purchased through enterprise agreements.
Can a GDAP relationship with a customer autorenew/auto extend?
Yes. A GDAP relationship can auto extend by six months at a time until it's terminated or Auto extend is set to Disabled.
What do I do when the GDAP relationship with a customer expires?
If the GDAP relationship with your customer expires, request a GDAP relationship again.
You can use GDAP relationship analytics to track GDAP relationship expiration dates and prepare for their renewal.
How can a customer extend or renew a GDAP relationship?
To extend or renew a GDAP relationship, the partner or customer must set Auto extend to Enabled. Learn more at Manage GDAP Auto extend and API.
Can an active GDAP expiring soon be updated to auto extended?
Yes. Any active GDAP relationship can have Auto extend enabled, including one that is about to expire.
When does auto extend take effect?
Suppose a GDAP relationship is created for 365 days with Auto extend set to Enabled. On the 365th day, the end date is moved out by 180 days.
Would emails be sent when auto extend is toggled between Enabled/Disabled?
No emails are sent to the partner and the customer.
Can a GDAP created with a Partner Led Tool (PLT), Microsoft Led Tool, Partner Center UI, or Partner Center API be auto extended?
Yes, you can auto extend any active GDAP.
Is customer consent required to set auto extend against existing active GDAPs?
No, customer consent isn't required to set auto extend to Enabled against an existing active GDAP.
Should granular permissions be reassigned to security groups post auto extend?
No, granular permissions that are assigned to security groups continue as-is.
Can an admin relationship with Global Administrator role be auto extended?
No, you can't auto extend the admin relationship with a Global Administrator role.
Why can't I see the Expiring Granular Relationships page under the Customers workspace?
The Expiring Granular Relationships page is only available to partner users with the Global Administrators and Admin Agent roles.
This page helps filter GDAPs expiring across different timelines, and helps update auto extend (enable/disable) for one or more GDAPs.
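The following script is an added example, not code from the Partner Center page or from Microsoft. It applies the auto extend rules stated above (180-day extension, eligibility only for active relationships, no auto extend when the Global Administrator role is included, no customer consent needed to enable it) to a constructed inventory of relationships so that the ones expiring soon are sorted into what to do about each. Relationship names, dates and roles are hypothetical.

```python
# Added example (not from the Partner Center page): triage a constructed GDAP
# relationship inventory by expiry date and auto-extend eligibility, applying
# the rules the FAQ states: auto extend adds six months (180 days), an active
# relationship can have auto extend enabled without customer consent, and a
# relationship that includes the Global Administrator role cannot auto extend.
from dataclasses import dataclass
from datetime import date, timedelta

AUTO_EXTEND_DAYS = 180            # six months, as the FAQ describes
MAX_INITIAL_DAYS = 730            # two-year maximum duration at creation
GLOBAL_ADMIN = "Global Administrator"


@dataclass(frozen=True)
class Relationship:
    name: str
    status: str                   # "active", "approvalPending", "terminated", "expired"
    end: date
    roles: tuple                  # Microsoft Entra built-in role names
    auto_extend: bool = False


def valid_initial_duration(days: int) -> bool:
    """A new request may not exceed the two-year maximum (permanent isn't possible)."""
    return 0 < days <= MAX_INITIAL_DAYS


def can_auto_extend(rel: Relationship) -> bool:
    """Only active relationships without Global Administrator are eligible."""
    return rel.status == "active" and GLOBAL_ADMIN not in rel.roles


def extended_end_date(rel: Relationship):
    """End date after one auto-extension, or None if it will not extend."""
    if rel.auto_extend and can_auto_extend(rel):
        return rel.end + timedelta(days=AUTO_EXTEND_DAYS)
    return None


def triage(rels, today: date, horizon_days: int = 30) -> dict:
    """Sort active relationships ending within the horizon into three buckets.

    will_auto_extend: nothing to do, the end date moves out by 180 days.
    enable_auto_extend: eligible but toggled off; flip it (no customer consent needed).
    request_new: contains Global Administrator, so a fresh GDAP request is required.
    """
    cutoff = today + timedelta(days=horizon_days)
    buckets = {"will_auto_extend": [], "enable_auto_extend": [], "request_new": []}
    for rel in rels:
        if rel.status != "active" or rel.end > cutoff:
            continue                          # pending/terminated/expired, or not yet due
        if not can_auto_extend(rel):
            buckets["request_new"].append(rel.name)
        elif rel.auto_extend:
            buckets["will_auto_extend"].append(rel.name)
        else:
            buckets["enable_auto_extend"].append(rel.name)
    return buckets


# Constructed inventory (hypothetical names and dates, not real tenants).
INVENTORY = (
    Relationship("contoso-helpdesk", "active", date(2025, 1, 15), ("Helpdesk Administrator",), auto_extend=True),
    Relationship("contoso-break-glass", "active", date(2025, 1, 20), ("Global Administrator",)),
    Relationship("fabrikam-licensing", "active", date(2025, 1, 10), ("License Administrator",)),
    Relationship("fabrikam-security", "active", date(2025, 6, 1), ("Security Reader",), auto_extend=True),
    Relationship("northwind-pending", "approvalPending", date(2025, 1, 5), ("Directory Readers",)),
)

if __name__ == "__main__":
    for bucket, names in triage(INVENTORY, date(2025, 1, 1)).items():
        print(f"{bucket}: {names}")
    print(extended_end_date(INVENTORY[0]))    # 2025-07-14
```

In practice you would feed `triage` the relationship list returned by the GDAP API instead of the constructed inventory; the bucket names map directly onto the actions the FAQ describes (do nothing, toggle Auto extend on the Expiring Granular Relationships page, or submit a new relationship request).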
If a GDAP relationship expires, are the customer's existing subscriptions affected?
No. There's no change to a customer's existing subscriptions when a GDAP relationship expires.
How can a customer reset their password and MFA device if they're locked out of their account and can't accept a GDAP relationship request from a partner?
Refer to Troubleshoot Microsoft Entra multifactor authentication issues and Can't use Microsoft Entra multifactor authentication to sign in to cloud services after you lose your phone or the phone number changes for guidance.
What roles does a partner need in order to reset an admin password and MFA device if a customer admin is locked out of their account and can't accept a GDAP relationship request from a partner?
A partner must request the Privileged Authentication Administrator Microsoft Entra role when creating the first GDAP relationship. This role lets a partner reset the password and the authentication methods of any user, admin or nonadmin. Because it can reset the credentials of the customer's administrators, it's a highly privileged role and should be assigned to a small security group, ideally one managed with PIM. The Privileged Authentication Administrator role is part of the role set configured by the Microsoft Led Tool and is planned to be available with Default GDAP in the Create Customer flow (planned for September).
Alternatively, the partner can have the customer admin try Reset password. As a precaution, partners must set up SSPR (self-service password reset) for their customers. See Let people reset their own passwords.
Who receives a GDAP relationship termination notification email?
Within a partner organization, people with the Admin agent role receive a termination notification.
Within a customer organization, people with the Global admin role receive a termination notification.
Can I see when a customer removes GDAP in the activity logs?
Yes. Partners can see when a customer removes GDAP in the Partner Center activity logs.
Do I need to create a GDAP relationship with all of my customers?
No. GDAP is an optional capability for partners who want to manage their customer's services in a more granular and time-bound way. You can choose which customers you want to create a GDAP relationship with.
If I have multiple customers, do I need to have multiple security groups for those customers?
The answer depends on how you want to manage your customers.
If you want your partner users to be able to manage all customers, you can put all of your partner users into one security group and that one group can manage all of your customers.
If you prefer to have various partner users managing various customers, assign those partner users to separate security groups for customer isolation.
Can indirect resellers create GDAP relationship requests at Partner Center?
Yes. Indirect resellers (and indirect providers and direct-bill partners) can create GDAP relationship requests at Partner Center.
Why can't a partner user with GDAP access a workload as AOBO (Admin On Behalf Of)?
As part of GDAP setup, make sure that the security groups you created in the partner tenant (containing the partner users) are selected for the relationship, and that the desired Microsoft Entra roles are assigned to each security group. See Assign Microsoft Entra roles.
What is the recommended next step if the conditional access policy set by the customer blocks all external access including CSP's access (AOBO) to the customer's tenant?
Customers can now exclude CSPs from conditional access policy so that partners can transition to GDAP without getting blocked.
Include users: This list typically includes all of the users an organization is targeting in a Conditional Access policy. The following options are available to include when creating a Conditional Access policy:
- Select users and groups
- Guest or external users (preview). This selection provides several choices that can be used to target Conditional Access policies to specific guest or external user types and to specific tenants containing those types of users. Multiple selections can be made:
  - Service provider users, for example a Cloud Solution Provider (CSP).
  - One or more tenants can be specified for the selected user types, or you can specify all tenants.
External partner access: Conditional Access policies that target external users might interfere with service provider access, for example granular delegated admin privileges. For more information, see Introduction to granular delegated admin privileges (GDAP). For policies that are intended to target service provider tenants, use the Service provider user external user type available in the Guest or external users selection options.
Exclude users: When organizations both include and exclude a user or group, the user or group is excluded from the policy, because an exclude action overrides an include action. The following options are available to exclude when creating a Conditional Access policy:
- Guest or external users. This selection offers the same choices as for include:
  - Service provider users, for example a Cloud Solution Provider (CSP).
  - One or more tenants can be specified for the selected user types, or you can specify all tenants.
For more information, see:
- Graph API Experience: Beta API with the new external user type information
- Conditional access policy
- Conditional access external users
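The following script is an added example and isn't code from this page or from Microsoft. It shows a constructed "block all external users" policy of the kind that locks a CSP out, a function that evaluates whether a given service provider tenant would be caught by it (applying the rule that exclude overrides include), and a function that adds the Service provider exclusion, either for all tenants or, the least-privilege choice, only for the partner's own tenant. The object shape (conditions.users.includeGuestsOrExternalUsers and excludeGuestsOrExternalUsers, with externalTenants of membershipKind all or enumerated) follows the Microsoft Graph conditionalAccessPolicy resource as I know it; treat the field names as an assumption to verify against the Graph reference. The tenant IDs are placeholders.

```python
# Added example (not from the page or from Microsoft): build and check a Conditional
# Access policy so that a CSP's service provider users are excluded. The policy
# objects follow the Microsoft Graph conditionalAccessPolicy shape as I know it
# (conditions.users.includeGuestsOrExternalUsers / excludeGuestsOrExternalUsers);
# treat the field names as an assumption and verify against the Graph reference.
import copy

SERVICE_PROVIDER = "serviceProvider"            # external user type for CSP partners
ALL_EXTERNAL = "#microsoft.graph.conditionalAccessAllExternalTenants"
ENUMERATED = "#microsoft.graph.conditionalAccessEnumeratedExternalTenants"

# Constructed "before" policy: blocks every external user type from every tenant,
# which also blocks the CSP's GDAP/AOBO access.
BLOCK_ALL_EXTERNAL = {
    "displayName": "Block external users",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": [],
            "excludeUsers": [],
            "includeGuestsOrExternalUsers": {
                "guestOrExternalUserTypes": "b2bCollaborationGuest,b2bCollaborationMember,serviceProvider",
                "externalTenants": {"@odata.type": ALL_EXTERNAL, "membershipKind": "all"},
            },
            "excludeGuestsOrExternalUsers": None,
        }
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def _covers(selection, tenant_id):
    """True if a guest/external selection matches service provider users from tenant_id."""
    if not selection:
        return False
    types = {t.strip() for t in selection.get("guestOrExternalUserTypes", "").split(",")}
    if SERVICE_PROVIDER not in types:
        return False
    tenants = selection.get("externalTenants") or {}
    if tenants.get("membershipKind") == "all":
        return True
    return tenant_id in tenants.get("members", [])


def blocks_csp(policy, csp_tenant_id):
    """Would the policy apply to a CSP user from csp_tenant_id? Exclude beats include."""
    users = policy["conditions"]["users"]
    included = ("All" in users.get("includeUsers", [])
                or _covers(users.get("includeGuestsOrExternalUsers"), csp_tenant_id))
    excluded = _covers(users.get("excludeGuestsOrExternalUsers"), csp_tenant_id)
    return included and not excluded


def exclude_service_providers(policy, tenant_ids=None):
    """Return a copy with service provider users excluded, either from all tenants
    or (least privilege) only from the listed CSP tenant IDs."""
    fixed = copy.deepcopy(policy)
    if tenant_ids:
        tenants = {"@odata.type": ENUMERATED, "membershipKind": "enumerated", "members": list(tenant_ids)}
    else:
        tenants = {"@odata.type": ALL_EXTERNAL, "membershipKind": "all"}
    fixed["conditions"]["users"]["excludeGuestsOrExternalUsers"] = {
        "guestOrExternalUserTypes": SERVICE_PROVIDER,
        "externalTenants": tenants,
    }
    return fixed


# Placeholder tenant IDs, not real tenants.
OUR_CSP = "11111111-1111-1111-1111-111111111111"
OTHER_CSP = "22222222-2222-2222-2222-222222222222"

if __name__ == "__main__":
    print(blocks_csp(BLOCK_ALL_EXTERNAL, OUR_CSP))                        # True
    scoped = exclude_service_providers(BLOCK_ALL_EXTERNAL, [OUR_CSP])
    print(blocks_csp(scoped, OUR_CSP), blocks_csp(scoped, OTHER_CSP))     # False True
```

Scoping the exclusion to the partner's own tenant ID, rather than to all service providers, keeps the customer's block in force for every other CSP; the broad form is simpler but re-opens the tenant to any service provider.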
Do I need a GDAP relationship to create support tickets although I have Premier Support for Partners?
Yes, regardless of the support plan you have, the least privileged role for partner users to be able to create support tickets for their customer is Service support administrator.
Can GDAP in Approval Pending status be terminated by partner?
No. A partner can't currently terminate a GDAP relationship that is in Approval Pending status. It expires after 90 days if the customer takes no action.
After a GDAP relationship is terminated, can I reuse the same GDAP relationship name to create a new relationship?
Only after the 365-day clean-up period that follows the relationship entering the Terminated or Expired state can you reuse the same name for a new GDAP relationship.
Can a partner in one region manage their customers in different regions?
Yes, a partner can manage their customers across regions without creating new partner tenants per customer region. It's applicable only to the customer management role provided by GDAP (Admin Relationships). Transaction role and capabilities are still limited to your authorized Territory.
Can a Service Provider be part of a multitenant organization? What is Error-Action 103?
No. A service provider can't be part of a multitenant organization; the two are mutually exclusive.
What do I do if I see the error, "Can't get account information" when navigating to Microsoft Security Copilot from the Partner Center Service Management page?
- Ensure that GDAP is set up properly, including how you grant permissions for security groups.
- Ensure that your granular Security group permissions are correct.
- Refer to the Security Copilot FAQ for help.
GDAP API
Are APIs available to create a GDAP relationship with customers?
For information about APIs and GDAP, see the Partner Center developer documentation.
Can I use the beta GDAP APIs for production?
Yes. We recommend that partners use the beta GDAP APIs for production and later switch to APIs v.1 when they become available.
Although there's a warning, "Use of these APIs in production applications isn't supported," that generic guidance is for any beta API under Graph and isn't applicable to the beta GDAP Graph APIs.
Can I create multiple GDAP relationships with different customers at once?
Yes. GDAP relationships can be created using APIs, enabling partners to scale this process. Creating multiple GDAP relationships isn't available at Partner Center, however. For information about APIs and GDAP, see the Partner Center developer documentation.
Can multiple security groups be assigned in a GDAP relationship using one API call?
The API works for one security group at a time, but you can map multiple security groups to multiple roles at Partner Center.
How can I request multiple resources permissions for my application?
Make individual calls for each resource. When making a single POST request, pass only one resource and its corresponding scopes.
For example, to request permissions for both https://graph.windows.net/Directory.AccessAsUser.All and https://graph.microsoft.com/Organization.Read.All, make two separate requests, one for each resource.
How can I find the Resource ID for a given resource?
Search for the resource name in Verify first-party Microsoft applications in sign-in reports - Active Directory to find its resource ID. For example, the resource ID for graph.microsoft.com is 00000003-0000-0000-c000-000000000000.
What should I do if I encounter the error "Request_UnsupportedQuery" with the message: "Unsupported or invalid query filter clause specified for property 'appId' of resource 'ServicePrincipal'"?
This error usually occurs when an incorrect identifier is used in the query filter.
To resolve it, make sure you're using the enterpriseApplicationId property with the correct resource ID, not the resource name.
Incorrect request: enterpriseApplicationId set to a resource name such as graph.microsoft.com.
Correct request: enterpriseApplicationId set to the resource ID, such as 00000003-0000-0000-c000-000000000000.
How can I add new scopes into the resource of an application that is already consented into Customer tenant?
Example: earlier, only the profile scope was consented for the graph.microsoft.com resource; now you want both profile and User.Read.
To add new scopes to a previously consented application:
- Use the DELETE method to revoke the existing application consent from the customer's tenant.
- Use the POST method to create a new application consent that includes the extra scopes.
Between the DELETE and the POST, the application has no consent in the customer tenant, so issue the two calls back to back.
Note
If your application requires permissions for multiple resources, execute the POST method separately for each resource.
How do I specify multiple scopes for a single resource (enterpriseApplicationId)?
Concatenate the required scopes using a comma followed by a space. Example: "scope": "profile, User.Read"
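The following script is an added example, not code from this page or from Microsoft. It turns a flat list of (resource, scope) pairs into the consent request bodies the three preceding answers call for: one body per resource, enterpriseApplicationId checked to be a resource ID rather than a name, and the scopes for a resource joined with a comma and a space. It also produces the DELETE-then-POST sequence for changing an already consented application's scopes. The body keys applicationId, displayName, enterpriseApplicationId and scope are the ones this FAQ names; the applicationGrants wrapper and the /v1/customers/{customer-tenant-id}/applicationconsents path are my assumption about the Partner Center REST API and should be checked against the developer documentation. The two resource IDs are the well-known first-party ones for Microsoft Graph and Azure AD Graph.

```python
# Added example (not from the page): assemble Partner Center application consent
# request bodies from a list of (resource, scope) pairs, enforcing the three rules
# the FAQ gives: one resource per POST, enterpriseApplicationId must be the resource
# ID (a GUID) rather than a name, and multiple scopes for one resource are joined
# with a comma and a space. The applicationGrants wrapper and the request path are
# assumptions about the Partner Center REST API; verify them against the docs.
import re

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Well-known first-party resource IDs (from the sign-in report reference the FAQ links to).
MICROSOFT_GRAPH = "00000003-0000-0000-c000-000000000000"   # graph.microsoft.com
AAD_GRAPH = "00000002-0000-0000-c000-000000000000"         # graph.windows.net


def is_resource_id(value: str) -> bool:
    """enterpriseApplicationId must be a GUID, never a name like graph.microsoft.com."""
    return bool(GUID_RE.match(value))


def consent_bodies(application_id, display_name, grants):
    """grants: iterable of (enterpriseApplicationId, scope). Returns one body per resource,
    with duplicate scopes dropped and the remaining ones joined as 'a, b'."""
    by_resource = {}                                   # dict keeps insertion order
    for resource_id, scope in grants:
        if not is_resource_id(resource_id):
            raise ValueError(f"enterpriseApplicationId must be a resource ID, not a name: {resource_id!r}")
        scopes = by_resource.setdefault(resource_id, [])
        if scope not in scopes:
            scopes.append(scope)
    return [
        {
            "applicationId": application_id,
            "displayName": display_name,
            "applicationGrants": [{"enterpriseApplicationId": rid, "scope": ", ".join(scopes)}],
        }
        for rid, scopes in by_resource.items()
    ]


def reconsent_plan(customer_tenant_id, application_id, display_name, grants):
    """Calls needed to change the scopes of an already consented application:
    revoke the existing consent once, then POST once per resource (assumed paths)."""
    base = f"/v1/customers/{customer_tenant_id}/applicationconsents"
    plan = [("DELETE", f"{base}/{application_id}", None)]
    plan += [("POST", base, body) for body in consent_bodies(application_id, display_name, grants)]
    return plan


if __name__ == "__main__":
    # Constructed input: placeholder app and customer IDs, not real tenants.
    grants = [
        (MICROSOFT_GRAPH, "profile"),
        (MICROSOFT_GRAPH, "User.Read"),
        (AAD_GRAPH, "Directory.AccessAsUser.All"),
    ]
    for method, path, body in reconsent_plan("customer-tenant-id", "app-id", "Contoso Tool", grants):
        print(method, path, body)
```

Feeding a resource name instead of an ID fails fast in `consent_bodies` rather than surfacing later as the Request_UnsupportedQuery error described above.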
What should I do if I receive a "400 Bad Request" error with the message "Unsupported token. Unable to initialize the authorization context"?
Confirm that the 'displayName' and 'applicationId' properties in the request body are accurate and match the application you're trying to consent into the customer tenant.
Ensure that you're using the same application to generate the access token that you're attempting to consent into the customer tenant.
Example: if the application ID is 12341234-1234-1234-1234-123412341234 (a placeholder), the appId claim in the access token must be that same value.
Verify that one of the following conditions is met:
- You have an active Delegated Admin Privilege (DAP) relationship, and the user is a member of the Admin Agents security group in the partner tenant.
- You have an active Granular Delegated Admin Privilege (GDAP) relationship with the customer tenant that includes at least one of the Global Administrator, Application Administrator, or Cloud Application Administrator roles, you completed the access assignment for that role, and the partner user is a member of the security group specified in the access assignment.
Roles
Which GDAP roles are needed to access an Azure subscription?
To manage Azure with per-customer access partitioning (the recommended best practice), create a security group (such as Azure Managers) and nest it under Admin agents.
To access an Azure subscription as an owner for a customer, assign any Microsoft Entra built-in role (Directory readers is the least privileged) to the Azure Managers security group. The Microsoft Entra role only lets the group's members sign in to the customer tenant; the subscription Owner permission comes from the group's nesting under Admin agents, which by default owns the Azure subscriptions provisioned for the customer.
For steps to set up Azure GDAP, see Workloads supported by granular delegated admin privileges (GDAP).
Is there guidance about the least-privileged roles I can assign to users for specific tasks?
Yes. For information about how to restrict a user's administrator permissions by assigning least privileged roles in Microsoft Entra, see Least privileged roles by task in Microsoft Entra.
What is the least privileged role I can assign to a customer's tenant and still be able to create support tickets for the customer?
We recommend assigning the Service support administrator role. To learn more, see Least privileged roles by task in Microsoft Entra.
Which Microsoft Entra roles were made available in Partner Center UI in July 2024?
To reduce the gap between the Microsoft Entra roles available in the Partner Center API and those available in the UI, the following nine roles were added to the Partner Center UI in July 2024.
Under Collaboration:
- Microsoft Edge Administrator
- Virtual Visits Administrator
- Viva Goals Administrator
- Viva Pulse Administrator
- Yammer Administrator
Under Identity:
- Permissions Management Administrator
- Lifecycle Workflows Administrator
Under Other:
- Organizational Branding Administrator
- Organizational Messages Approver
Can I open support tickets for a customer in a GDAP relationship from which all Microsoft Entra roles are excluded?
No. The least privileged role for partner users to be able to create support tickets for their customer is the Service support administrator. Therefore, to be able to create support tickets for the customer, a partner user must be in a security group and assigned to that customer with that role.
Where can I find information about all the roles and workloads included in GDAP?
For information about all the roles, see Microsoft Entra built-in roles.
For information about workloads, see Workloads supported by granular delegated admin privileges (GDAP).
What GDAP role gives access to the Microsoft 365 Admin Center?
Many roles are used for Microsoft 365 Admin Center. For more information, see Commonly used Microsoft 365 admin center roles.
Can I create custom security groups for GDAP?
Yes. Create a security group, assign approved roles, and then assign partner tenant users to that security group.
Which GDAP roles give read-only access to the customer's subscriptions and so don't allow the user to manage them?
Read-only access to customer's subscriptions is provided by the Global reader, Directory reader, and Partner tier 2 support roles.
What role should I assign to my partner agents (currently Admin agents) if I would like them to manage the customer tenant but not modify the customer's subscriptions?
We recommend removing the partner agents from the Admin agent role and adding them to a GDAP security group only. That way, they can administer services (service management and log service requests, for example), but they can't purchase and manage subscriptions (change quantity, cancel, schedule changes, and so on).
What happens if a customer grants GDAP roles to partner and then removes roles or severs the GDAP relationship?
The security groups assigned to the relationship lose access to that customer. The same thing happens if a customer terminates a DAP relationship.
Can a partner continue to transact for a customer after removing all GDAP relationship with the customer?
Yes, removing the GDAP relationships with a customer doesn't terminate the partners' reseller relationship with the customer. Partners can still purchase products for the customer and manage Azure budget and other related activities.
Can some roles in my GDAP relationship with my customer have a longer time to expiration than others?
No. All roles in a GDAP relationship have the same time to expiration: the duration that was chosen when the relationship was created.
Do I need GDAP to fulfill orders for new and existing customers in Partner Center?
No. You don't need GDAP to fulfill orders for new and existing customers. You can continue to use the same process to fulfill customer orders in Partner Center.
Do I have to assign one partner agent role to all customers, or can I assign a partner agent role to one customer only?
GDAP relationships are per-customer. You can have multiple relationships per customer. Each GDAP relationship can have different roles and use different Microsoft Entra groups within your CSP Tenant.
In Partner Center, role assignment works at the customer-to-GDAP relationship level. To assign roles across multiple customers, automate the assignment using the APIs.
Can a partner user have GDAP roles and a Guest account?
Guest accounts don't work with GDAP. Customers must remove any guest accounts to get GDAP to work.
Do I need DAP/GDAP for Azure subscription provisioning?
No, you don't need DAP or GDAP to purchase Azure Plans and prepare Azure subscriptions for a customer. The process to create an Azure Subscription for a customer is documented at Create a subscription for a partner's customer - Microsoft Cost Management + Billing. By default, the Admin Agents group in the Partner's tenant becomes the owner of the Azure Subscriptions provisioned for the customer. Sign in to the Azure portal using your Partner Center ID.
To prepare access for the customer, you need a GDAP relationship. The GDAP relationship must include at minimum the Microsoft Entra role of Directory Readers. To prepare access in Azure, use the access control (IAM) page. For AOBO, sign in to Partner Center, and use the Service Management page to set up access to the customer.
Which Microsoft Entra roles does GDAP support?
GDAP currently only supports Microsoft Entra built-in roles. Custom Microsoft Entra roles aren't supported.
Why are GDAP admins + B2B users unable to add authentication methods in aka.ms/mysecurityinfo?
GDAP guest admins can't manage their own security information at My Security Info. Instead, they need the assistance of the admin of the tenant they're a guest in for any security info registration, update, or deletion. Organizations can configure cross-tenant access policies to trust MFA from the trusted CSP tenant. Otherwise, GDAP guest admins are limited to the methods the tenant's admin can register on their behalf (SMS or voice). To learn more, see Cross-tenant access policies.
What roles can a partner use to enable auto extend?
In line with the Zero Trust guiding principle of using least privilege access:
- We recommend using the least-privileged role for each task; see Least privileged roles by task in Microsoft Entra and Workloads supported by granular delegated admin privileges (GDAP).
- When it's necessary to work around listed known issues, work with your customer to request a time-bound Global Administrator role.
- We don't recommend replacing the Global Administrator role with all possible Microsoft Entra roles.
DAP and GDAP
Is GDAP replacing DAP?
Yes. During the transition period, DAP and GDAP will coexist, with GDAP permissions taking precedence over DAP permissions for Microsoft 365, Dynamics 365, and Azure workloads.
Can I continue to use DAP, or do I have to transition all my customers to GDAP?
DAP and GDAP coexist during the transition period. However, eventually GDAP is replacing DAP to ensure that we provide a more secure solution for our partners and customers. We recommend that you transition your customers to GDAP as soon as possible to ensure continuity.
While DAP and GDAP coexist, are there any changes to the way a DAP relationship is created?
There are no changes to the existing DAP relationship flow while DAP and GDAP coexist.
What Microsoft Entra roles would be granted for default GDAP as part of Create customer?
Before September 25, 2023, DAP was granted when a new customer tenant was created. Since that date, Microsoft no longer grants DAP for new customer creation and instead grants Default GDAP with specific roles. The default roles vary by partner type, as shown in the following table:
Microsoft Entra roles Granted For Default GDAP | Direct Bill Partners | Indirect Providers | Indirect Resellers | Domain Partners | Control Panel Vendors (CPVs) | Advisor | Opted out of Default GDAP (No DAP) |
---|---|---|---|---|---|---|---|
1. Directory Readers. Can read basic directory information. Commonly used to grant directory read access to applications and guests. | x | x | x | x | x | ||
2. Directory writers. Can read and write basic directory information. For granting access to applications, not intended for users. | x | x | x | x | x | ||
3. License Administrator. Can manage product licenses on users and groups. | x | x | x | x | x | ||
4. Service Support Administrator. Can read service health information and manage support tickets. | x | x | x | x | x | ||
5. User Administrator. Can manage all aspects of users and groups, including resetting passwords for limited admins. | x | x | x | x | x | ||
6. Privileged Role Administrator. Can manage role assignments in Microsoft Entra, and all aspects of Privileged Identity Management. | x | x | x | x | x | ||
7. Helpdesk Administrator. Can reset passwords for nonadministrators and Help Desk administrators. | x | x | x | x | x | ||
8. Privileged Authentication Administrator. Can view, set, and reset authentication method information for any user (admin or nonadmin). | x | x | x | x | x | ||
9. Cloud Application Administrator. Can create and manage all aspects of app registrations and enterprise apps except App Proxy. | x | x | x | x | |||
10. Application Administrator. Can create and manage all aspects of app registrations and enterprise apps. | x | x | x | x | |||
11. Global Reader. Can read everything that a Global administrator can, but can't update anything. | x | x | x | x | x | ||
12. External Identity Provider Administrator. Can manage federation between Microsoft Entra organizations and external identity providers. | x | ||||||
13. Domain Name Administrator. Can manage domain names in cloud and on-premises. | x |
How does GDAP work with Privileged Identity Management in Microsoft Entra?
Partners can implement Privileged Identity Management (PIM) on a GDAP security group in the partner's tenant to elevate the access of a few high-privilege users, just in time (JIT) to grant them high-privilege roles like Password admins with automatic removal of access.
Until January 2023, every Privileged Access Group (the former name for the PIM for Groups feature) had to be a role-assignable group. That restriction has been removed, so more than 500 groups per tenant can be enabled in PIM, although only up to 500 groups can be role-assignable.
Summary:
- Partners can use both role-assignable and non-role-assignable groups in PIM, which effectively removes the limit of 500 groups per tenant in PIM.
- There are two ways to onboard a group to PIM: from the PIM menu or from the Groups menu. Both are available, and the net result is the same.
For more information, see Privileged Identity Management (PIM) for Groups (preview) - Microsoft Entra.
How do DAP and GDAP coexist if a customer buys Microsoft Azure and Microsoft 365 or Dynamics 365?
GDAP is generally available with support for all Microsoft commercial cloud services (Microsoft 365, Dynamics 365, Microsoft Azure, and Microsoft Power Platform workloads). For more information about how DAP and GDAP can coexist and how GDAP takes precedence, see How will GDAP take precedence over DAP.
I have a large customer base (10,000 customer accounts, for example). How do I transition from DAP to GDAP?
You can perform this action with APIs.
Are my partner earned credit (PEC) earnings affected when I transition from DAP to GDAP? Is there any effect on Partner Admin Link (PAL)?
No. Your PEC earnings aren't affected when you transition to GDAP. There are no changes to PAL with the transition, ensuring that you continue to earn PEC.
Is PEC affected when DAP/GDAP is removed?
- If a partner's customer has DAP only and DAP is removed, PEC isn't lost.
- If a partner's customer has DAP, and they move to GDAP for Microsoft 365 and Azure simultaneously, and DAP is removed, PEC isn't lost.
- If the partner's customer has DAP, and they move to GDAP for Microsoft 365 but keep Azure as-is (they don't move to GDAP) and DAP is removed, PEC isn't lost, but access to the Azure subscription is lost.
- If an RBAC role is removed, PEC is lost, but removing GDAP doesn't remove RBAC.
How do GDAP permissions take precedence over DAP permissions while DAP and GDAP coexist?
When the user is part of both the GDAP security group and the DAP Admin agents group and the customer has both DAP and GDAP relationships, GDAP access takes precedence at the partner, customer, and workload level.
For example, if a partner user signs in for a workload and there's DAP for the Global admin role and GDAP for the Global reader role, the partner user only gets Global reader permissions.
Suppose there are three customers, and GDAP role assignments are made only to the GDAP security group (not to Admin agents):
Customer | Relationship with partner |
---|---|
Customer one | DAP (no GDAP) |
Customer two | DAP + GDAP both |
Customer three | GDAP (no DAP) |
The following table describes what happens when each user signs in to each customer tenant. As the comments show, user one is in the Admin agents group only, user two is in both the Admin agents group and the GDAP security group, and user three is in the GDAP security group only.
Example user | Example customer tenant | Behavior | Comments |
---|---|---|---|
User one | Customer one | DAP | This example is DAP as-is. |
User one | Customer two | DAP | There's no GDAP role assignment to the Admin agents group, which results in DAP behavior. |
User one | Customer three | No access | There's no DAP relationship, so the Admin agents group doesn't have access to customer three. |
User two | Customer one | DAP | This example is DAP as-is. |
User two | Customer two | GDAP | GDAP takes precedence over DAP because there's a GDAP role assigned to user two through the GDAP security group even if the user is part of the Admin agent group. |
User two | Customer three | GDAP | This example is a GDAP-only customer. |
User three | Customer one | No access | There's no GDAP role assignment to customer one. |
User three | Customer two | GDAP | User three isn't part of the Admin agent group, which results in GDAP-only behavior. |
User three | Customer three | GDAP | GDAP-only behavior |
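The following script is an added example and isn't code from this page or from Microsoft. It encodes the precedence rule the table above illustrates (GDAP wins whenever a GDAP role reaches the user through a security group, DAP applies only through Admin agents membership when no GDAP role applies, otherwise no access) and reproduces every cell of the table, including the role-level example where DAP's Global administrator is overridden by GDAP's Global reader. The group and customer names are constructed, and the assumption that DAP grants Global administrator is the example's own.

```python
# Added example (not from the page): encode the precedence rule behind the
# DAP/GDAP coexistence table and reproduce every cell of it.
ADMIN_AGENTS = "Admin agents"
GDAP_GROUP = "GDAP security group"

# Assumption for the example: DAP grants the Admin agents group Global administrator
# in the customer tenant, while the GDAP relationship grants only Global reader.
DAP_ROLES = ("Global administrator",)


def effective_access(user_groups, customer, gdap_roles_by_group):
    """Return (mode, roles) for a partner user signing in to a customer tenant.

    GDAP wins whenever the customer has a GDAP relationship and the user is in a
    group that holds a GDAP role assignment, even if the user is also an Admin agent.
    DAP applies only when no GDAP role reaches the user. Otherwise there is no access.
    """
    if customer["gdap"]:
        roles = []
        for group in sorted(user_groups):            # sorted for a stable role order
            for role in gdap_roles_by_group.get(group, ()):
                if role not in roles:
                    roles.append(role)
        if roles:
            return ("GDAP", tuple(roles))
    if customer["dap"] and ADMIN_AGENTS in user_groups:
        return ("DAP", DAP_ROLES)
    return ("No access", ())


# GDAP roles are assigned to the GDAP security group only, not to Admin agents.
GDAP_ROLE_ASSIGNMENTS = {GDAP_GROUP: ("Global reader",)}

# Constructed users and customers matching the FAQ's three-by-three example.
USERS = {
    "User one": {ADMIN_AGENTS},
    "User two": {ADMIN_AGENTS, GDAP_GROUP},
    "User three": {GDAP_GROUP},
}
CUSTOMERS = {
    "Customer one": {"dap": True, "gdap": False},
    "Customer two": {"dap": True, "gdap": True},
    "Customer three": {"dap": False, "gdap": True},
}


def access_matrix():
    """Mode for every (user, customer) pair, in the same layout as the FAQ table."""
    return {
        (user, cust): effective_access(groups, CUSTOMERS[cust], GDAP_ROLE_ASSIGNMENTS)[0]
        for user, groups in USERS.items()
        for cust in CUSTOMERS
    }


if __name__ == "__main__":
    for (user, cust), mode in access_matrix().items():
        print(f"{user:10} -> {cust:14} {mode}")
```

Running `access_matrix` against your own group memberships and relationship inventory is a quick way to predict which partner users silently drop from Global administrator to a narrower GDAP role once a customer accepts a GDAP relationship.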
Will disabling DAP or transitioning to GDAP affect my legacy competency benefits or Solutions Partner designations that I attained?
DAP and GDAP aren't eligible association types for Solutions Partner designations. Disabling DAP or transitioning from DAP to GDAP doesn't affect your attainment of Solutions Partner designations. Renewal of legacy competency benefits or Solutions Partner benefits isn't affected either.
Go to Partner Center Solutions Partner designations to view the other partner association types eligible for Solutions Partner designations.
How does GDAP work with Azure Lighthouse? Do GDAP and Azure Lighthouse affect each other?
Regarding the relationship between Azure Lighthouse and DAP/GDAP, think of them as decoupled parallel paths to Azure resources. Severing one shouldn't affect the other.
In the Azure Lighthouse scenario, users from the partner tenant never sign in to the customer tenant and don't have any Microsoft Entra permissions in the customer tenant. Their Azure RBAC role assignments are also kept in the partner tenant.
In the GDAP scenario, users from the partner tenant sign in to the customer tenant. The Azure RBAC role assignment to the Admin agents group is also in the customer tenant. You can block the GDAP path (users can no longer sign in) while the Azure Lighthouse path is unaffected. Conversely, you can sever the Lighthouse relationship (projection) without affecting GDAP. For more information, see the Azure Lighthouse documentation.
How does GDAP work with Microsoft 365 Lighthouse?
Managed Service Providers (MSPs) enrolled in the Cloud Solution Provider (CSP) program as indirect resellers or direct bill partners can now use Microsoft 365 Lighthouse to set up GDAP for any customer tenant. Because there are a few ways that partners are managing their transition to GDAP already, this wizard lets Lighthouse partners adopt role recommendations specific to their business needs. It also lets them adopt security measures like just-in-time (JIT) access. MSPs can also create GDAP templates through Lighthouse to easily save and reapply settings that enable least-privileged customer access. For more information, and to view a demo, see the Lighthouse GDAP setup wizard.
MSPs can set up GDAP for any customer tenant in Lighthouse. To access customer's workload data in Lighthouse, a GDAP or DAP relationship is required. If GDAP and DAP coexist in a customer tenant, GDAP permissions take precedence for MSP technicians in GDAP-enabled security groups. For more information on requirements for Microsoft 365 Lighthouse, see Requirements for Microsoft 365 Lighthouse.
What is the best way to move to GDAP and remove DAP without losing access to Azure subscriptions if I have customers with Azure?
The correct sequence to follow for this scenario is:
- Create a GDAP relationship for both Microsoft 365 and Azure.
- Assign Microsoft Entra roles to security groups for both Microsoft 365 and Azure.
- Configure GDAP to take precedence over DAP.
- Remove DAP.
Important
If you don't follow these steps, existing Admin agents managing Azure might lose access to Azure subscriptions for the customer.
The following sequence could result in losing access to Azure subscriptions:
- Remove DAP.
  You don't necessarily lose access to an Azure subscription by removing DAP, but at this point you can't browse the customer's directory to do any Azure RBAC role assignments (such as assigning a new customer user as subscription RBAC contributor).
- Create a GDAP relationship for both Microsoft 365 and Azure together.
  You might lose access to the Azure subscription at this step, as soon as GDAP is set up.
- Assign Microsoft Entra roles to security groups for both Microsoft 365 and Azure.
  You regain access to Azure subscriptions after Azure GDAP setup is complete.
I have customers with Azure subscriptions without DAP. If I move them to GDAP for Microsoft 365, do I lose access to the Azure subscriptions?
If you have Azure subscriptions without DAP that you manage as an owner, when you add GDAP for Microsoft 365 to that customer, you might lose access to the Azure subscriptions. To avoid lost access, move the customer to Azure GDAP at the same time that you move the customer to Microsoft 365 GDAP.
Important
If these steps aren't followed, existing Admin agents managing Azure might lose access to Azure subscriptions for the customer.
Can a single relationship link be used with multiple customers?
No. Relationships, once accepted, aren't reusable.
If I have a reseller relationship with customers without DAP and who have no GDAP relationship, can I access their Azure subscription?
If you have an existing reseller relationship with the customer, you still need to establish a GDAP relationship in order to manage their Azure subscriptions.
- Create a security group (for example, Azure Managers) in Microsoft Entra.
- Create a GDAP relationship with the directory reader role.
- Make the security group a member of the Admin Agent group.
After you do these steps, you can manage your customer's Azure subscription by way of AOBO. You can't manage the subscription by way of CLI/PowerShell.
Can I create an Azure plan for customers without DAP and who have no GDAP relationship?
Yes, you can create an Azure plan even if there's no DAP or GDAP with an existing reseller relationship. But in order to manage that subscription, you need DAP or GDAP.
Why is the Company details section in the Account page under Customers no longer displaying details when DAP is removed?
As partners transition from DAP to GDAP, they must ensure the following are in place to see Company details:
- An active GDAP relationship.
- Any one of the following Microsoft Entra roles is assigned: Global Administrator, Directory Readers, Global Reader. For details, refer to Grant granular permissions to security groups.
Why is my username replaced with "user_somenumber" in portal.azure.com when a GDAP relationship exists?
When a CSP signs in to their customer's Azure portal (portal.azure.com) using their CSP credentials and a GDAP relationship exists, the CSP notices that their username is "user_" followed by some number. It doesn't display their actual username as in DAP. This behavior is by design.
What are the timelines for Stop DAP and grant Default GDAP with creation of a new customer?
Tenant type | Availability date | Partner Center API behavior (POST /v1/customers), enableGDAPByDefault: true | Partner Center API behavior (POST /v1/customers), enableGDAPByDefault: false | Partner Center API behavior (POST /v1/customers), no change to request or payload | Partner Center UI behavior |
---|---|---|---|---|---|
Sandbox | September 25, 2023 (API Only) | DAP = No. Default GDAP = Yes | DAP = No. Default GDAP = No | DAP = Yes. Default GDAP = No | Default GDAP = Yes |
Production | October 10, 2023 (API + UI) | DAP = No. Default GDAP = Yes | DAP = No. Default GDAP = No | DAP = Yes. Default GDAP = No | Opt-in/out available: Default GDAP |
Production | November 27, 2023 (GA rollout completed on December 2) | DAP = No. Default GDAP = Yes | DAP = No. Default GDAP = No | DAP = No. Default GDAP = Yes | Opt-in/out available: Default GDAP |
Partners must explicitly grant granular permissions to security groups in the Default GDAP.
As of October 10, 2023, DAP is no longer available with reseller relationships. The updated Request Reseller Relationship link is available in Partner Center UI, and the API contract "/v1/customers/relationship requests" property URL returns the invitation URL to be sent to the admin of the customer tenant.
Should a partner grant granular permissions to security groups in the Default GDAP?
Yes, partners must explicitly grant granular permissions to security groups in the Default GDAP to manage customer.
What actions can a partner with Reseller relationship but no DAP and no GDAP perform in Partner Center?
Partners with a reseller relationship only, without DAP or GDAP, can create customers, place and manage orders, download software keys, and manage Azure RI. They can't view customer company details, can't view users or assign licenses to users, can't log tickets on behalf of customers, and can't access and administer product-specific admin centers (for example, the Teams admin center).
What action must a partner perform moving from DAP to GDAP regarding consent?
For a partner or CPV to access and manage a customer tenant, their app's service principal must be consented in the customer tenant. When DAP is active, they must add the app's service principal to the Admin Agents SG in the partner tenant. With GDAP, the partner must ensure their app is consented in the customer tenant. If the app uses delegated permissions (App + User) and an active GDAP exists with any of the three roles (Cloud Application Administrator, Application Administrator, Global Administrator), the consent API can be used. If the app uses application-only permissions, it must be manually consented to, either by the partner or by the customer having any of the three roles (Cloud Application Administrator, Application Administrator, Global Administrator), using the tenant-wide admin consent URL.
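The checks described in the DAP-to-GDAP sequence, the Company details prerequisites, and the consent rules above all come down to the same question: is the GDAP relationship active, and which Microsoft Entra roles have actually been assigned to a partner security group (a role listed in the relationship but not yet assigned to a group grants nothing). The following Python is an added example, not code from Partner Center or the Microsoft Graph SDK. It assumes the input objects follow the shape of the Graph `delegatedAdminRelationship` and `delegatedAdminAccessAssignment` resources; the sample relationship and assignment below are constructed, and the role IDs are the well-known Entra role template IDs.

```python
"""Preflight helpers over Graph-shaped GDAP objects (added example).

Object shapes follow the Microsoft Graph delegatedAdminRelationship and
delegatedAdminAccessAssignment resources (assumption); sample data is constructed.
"""
from datetime import datetime, timezone
from urllib.parse import urlencode

# Well-known Microsoft Entra role template IDs (identical in every tenant).
GLOBAL_ADMINISTRATOR = "62e90394-69f5-4237-9190-012177145e10"
GLOBAL_READER = "f2ef992c-3afb-46b9-b7cf-a126ee74c451"
DIRECTORY_READERS = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
APPLICATION_ADMINISTRATOR = "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"
CLOUD_APPLICATION_ADMINISTRATOR = "158c047a-c907-4556-b7ef-446551a6b5f7"

# Roles that unlock Company details in Partner Center (from the FAQ above).
COMPANY_DETAILS_ROLES = {GLOBAL_ADMINISTRATOR, DIRECTORY_READERS, GLOBAL_READER}
# Roles that allow the partner to consent an app in the customer tenant.
CONSENT_ROLES = {CLOUD_APPLICATION_ADMINISTRATOR, APPLICATION_ADMINISTRATOR, GLOBAL_ADMINISTRATOR}


def relationship_roles(rel):
    """Role template IDs the relationship *offers* (not yet granted to anyone)."""
    return {r["roleDefinitionId"] for r in rel["accessDetails"]["unifiedRoles"]}


def is_active(rel, now=None):
    """Active status and an end date still in the future."""
    now = now or datetime.now(timezone.utc)
    end = datetime.fromisoformat(rel["endDateTime"].replace("Z", "+00:00"))
    return rel["status"] == "active" and end > now


def assigned_roles(assignments):
    """Roles actually granted to partner security groups via access assignments."""
    roles = set()
    for a in assignments:
        if a["status"] == "active" and a["accessContainer"]["accessContainerType"] == "securityGroup":
            roles |= {r["roleDefinitionId"] for r in a["accessDetails"]["unifiedRoles"]}
    return roles


def dap_removal_blockers(rel, assignments, required_roles, now=None):
    """Reasons removing DAP now would cut off access; an empty list means safe."""
    problems = []
    if not is_active(rel, now):
        problems.append("GDAP relationship is not active")
    not_in_rel = required_roles - relationship_roles(rel)
    if not_in_rel:
        problems.append("roles not included in the relationship: %s" % sorted(not_in_rel))
    missing = required_roles - assigned_roles(assignments)
    if missing:
        problems.append("roles not yet assigned to a security group: %s" % sorted(missing))
    return problems


def can_view_company_details(rel, assignments, now=None):
    """Active relationship plus at least one assigned Company-details role."""
    return is_active(rel, now) and bool(assigned_roles(assignments) & COMPANY_DETAILS_ROLES)


def admin_consent_url(customer_tenant_id, client_id):
    """Tenant-wide admin consent endpoint for an app-only (application permission) app."""
    return "https://login.microsoftonline.com/%s/adminconsent?%s" % (
        customer_tenant_id, urlencode({"client_id": client_id}))


def consent_path(rel, assignments, app_only, now=None):
    """Which consent route the partner can take for its app in the customer tenant."""
    partner_has_role = is_active(rel, now) and bool(assigned_roles(assignments) & CONSENT_ROLES)
    if not partner_has_role:
        return "customer-admin-consent"      # customer admin must grant consent
    return "admin-consent-url" if app_only else "consent-api"


# Constructed sample: relationship offers two roles, only Directory Readers is assigned.
SAMPLE_REL = {
    "id": "rel-example", "status": "active", "endDateTime": "2099-01-01T00:00:00Z",
    "accessDetails": {"unifiedRoles": [{"roleDefinitionId": DIRECTORY_READERS},
                                       {"roleDefinitionId": CLOUD_APPLICATION_ADMINISTRATOR}]},
}
SAMPLE_ASSIGNMENTS = [{
    "status": "active",
    "accessContainer": {"accessContainerId": "sg-azure-managers", "accessContainerType": "securityGroup"},
    "accessDetails": {"unifiedRoles": [{"roleDefinitionId": DIRECTORY_READERS}]},
}]

if __name__ == "__main__":
    print(dap_removal_blockers(SAMPLE_REL, SAMPLE_ASSIGNMENTS, {DIRECTORY_READERS}))
    print(can_view_company_details(SAMPLE_REL, SAMPLE_ASSIGNMENTS))
    print(consent_path(SAMPLE_REL, SAMPLE_ASSIGNMENTS, app_only=False))
```

With the sample data, removing DAP is safe for an Azure-manager group that needs only Directory Readers, Company details are visible, but the app consent route is still "customer-admin-consent" because Cloud Application Administrator is offered by the relationship and not yet assigned to any security group. Adding an assignment for that role flips the route to the consent API (delegated permissions) or the admin consent URL (application-only permissions).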
What action must a partner perform for a 715-123220 error or an "anonymous connections aren't allowed for this service" message?
If you're seeing the following error:
"We're unable to validate your 'Create new GDAP relationship' request at this time. Be advised anonymous connections aren't allowed for this service. If you believe you received this message in error, try your request again. Select to learn about actions you can take. If the issue persists, contact support and reference message code 715-123220 and Transaction ID: guid."
Change how you connect to Microsoft to let the identity verification service run properly. It helps ensure that your account isn't compromised and is compliant with regulations to which Microsoft must adhere.
Things you can do:
- Clear your browser cache.
- Turn off tracking prevention on your browser or add our site to your exception/safe list.
- Turn off any Virtual Private Network (VPN) program or service that you might be using.
- Connect directly from your local device rather than through a virtual machine (VM).
If, after trying these steps, you're still unable to connect, we suggest consulting your IT Help Desk to check your settings and help identify what is causing the issue. Sometimes the issue is in your company's network settings, in which case your IT administrator would need to address the problem, for instance by safe listing our site or making other network setting adjustments.
What GDAP actions are allowed for a partner that is offboarding (restricted, suspended) and offboarded?
- Restricted (Direct Bill): New GDAP (Admin Relationships) CANNOT be created. Existing GDAPs and their role assignments CAN be updated.
- Suspended (Direct Bill/Indirect Provider/Indirect Reseller): New GDAP CANNOT be created. Existing GDAPs and their role assignments CANNOT be updated.
- Restricted (Direct Bill) + Active (Indirect Reseller): For Restricted Direct Bill: New GDAP (Admin Relationships) CANNOT be created. Existing GDAPs and their role assignments CAN be updated. For Active Indirect Reseller: New GDAP CAN be created, existing GDAPs and their role assignments CAN be updated.
When offboarded, new GDAP can't be created, and existing GDAPs and their role assignments can't be updated.
Offers
Is management of Azure subscriptions included in this release of GDAP?
Yes. The current release of GDAP supports all products: Microsoft 365, Dynamics 365, Microsoft Power Platform, and Microsoft Azure.