GDAP role guidance
Appropriate roles: Admin agent
This article gives guidance about which least-privileged Microsoft Entra built-in role to use for each granular delegated admin privileges (GDAP) capability. For example, submitting support requests on behalf of a customer requires the Service support administrator role, which is the least-privileged Microsoft Entra built-in role for that task on your customer's tenant.
Creating support requests
Indirect resellers can't create support requests for Azure. Instead, they must work with their indirect providers.
To create a support request for: | Direct-bill partners and indirect providers must have the following least-privileged role: |
---|---|
Microsoft 365 in the Microsoft 365 admin center | GDAP role assignment to a role that has the Microsoft.office365.supportTickets/allEntities/allTasks permission, such as Service support administrator |
Dynamics 365 in the Power Platform admin center | GDAP role assignment to a role that has the Microsoft.office365.supportTickets/allEntities/allTasks permission, such as Service support administrator |
Azure subscription resource in the Azure portal | Prerequisite: to create requests on behalf of a customer using the customer's Azure subscription, the partner must have a reseller relationship with the customer, as explained in CSP regional authorization (see Steps to set up Azure GDAP). Required: any GDAP assignment to a Microsoft Entra role (for example, Directory readers) AND an Azure role-based access control (RBAC) role assignment to a role with the Microsoft.Support/supportTickets/write permission (for example, Support request contributor) |
Microsoft Entra ID in the Azure portal | Alternative 1 (customer doesn't have Microsoft Entra ID P1 or P2): the same prerequisite as for an Azure subscription resource (a reseller relationship with the customer per CSP regional authorization; see Steps to set up Azure GDAP), plus any GDAP assignment to a Microsoft Entra role (for example, Directory readers) AND an Azure RBAC role assignment to a role with the Microsoft.Support/supportTickets/write permission (for example, Support request contributor). Alternative 2 (customer has Microsoft Entra ID P1 or P2): any GDAP assignment to a Microsoft Entra role that has the microsoft.azure.supportTickets/allEntities/allTasks permission (for example, Service support administrator) |
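The table names permissions (Microsoft.office365.supportTickets/allEntities/allTasks, Microsoft.Support/supportTickets/write) rather than fixed roles, so the practical check is "which roles actually carry this permission in my tenant?". The following PowerShell is an added example, not code from the Microsoft article: the first function queries Microsoft Graph for the Microsoft Entra role definitions whose allowed resource actions include a given permission (so it also catches custom roles); the second tests whether an Azure RBAC role definition covers an action, honouring the wildcard and NotActions semantics that a naive string comparison misses. The Graph call needs the Microsoft.Graph.Identity.Governance module and a signed-in session; the Azure RBAC part runs offline against constructed role definitions (the Support Request Contributor object is an approximation of the built-in role, not an authoritative copy; confirm with Get-AzRoleDefinition).

```powershell
# Added example (not from the Microsoft article).
# Part 1: which Microsoft Entra role definitions carry a given resource action?
function Get-EntraRolesWithPermission {
    param(
        [Parameter(Mandatory)] [string] $Permission,   # e.g. microsoft.office365.supportTickets/allEntities/allTasks
        [switch] $BuiltInOnly                          # skip custom roles when set
    )
    # Live query; requires: Connect-MgGraph -Scopes 'RoleManagement.Read.Directory'
    $definitions = Get-MgRoleManagementDirectoryRoleDefinition -All
    foreach ($definition in $definitions) {
        if ($BuiltInOnly -and -not $definition.IsBuiltIn) { continue }
        # Flatten every permission block of the role into one list of resource actions.
        $actions = @($definition.RolePermissions | ForEach-Object { $_.AllowedResourceActions })
        # -contains compares strings case-insensitively, matching how Entra treats action names.
        if ($actions -contains $Permission) {
            [pscustomobject]@{
                DisplayName = $definition.DisplayName
                TemplateId  = $definition.TemplateId
                IsBuiltIn   = $definition.IsBuiltIn
            }
        }
    }
}

# Part 2: does an Azure RBAC role definition cover an action?
function ConvertTo-ActionRegex {
    param([Parameter(Mandatory)] [string] $Pattern)
    # Azure RBAC treats '*' as a wildcard over any run of characters; everything else is literal.
    '^' + ([regex]::Escape($Pattern) -replace '\\\*', '.*') + '$'
}

function Test-AzActionCovered {
    param(
        [Parameter(Mandatory)] $RoleDefinition,        # object with Actions/NotActions arrays (Get-AzRoleDefinition shape)
        [Parameter(Mandatory)] [string] $Action        # e.g. Microsoft.Support/supportTickets/write
    )
    # -match is case-insensitive by default, which matches RBAC action comparison.
    $allowed = @($RoleDefinition.Actions)    | Where-Object { $Action -match (ConvertTo-ActionRegex $_) }
    $denied  = @($RoleDefinition.NotActions) | Where-Object { $Action -match (ConvertTo-ActionRegex $_) }
    # Covered only if some Actions pattern grants it and no NotActions pattern carves it back out.
    return [bool]($allowed.Count -gt 0 -and $denied.Count -eq 0)
}

# Constructed sample role definitions in the shape Get-AzRoleDefinition returns.
$sampleReader = [pscustomobject]@{
    Name       = 'Reader (sample)'
    Actions    = @('*/read')          # read-only: no pattern ends in /write
    NotActions = @()
}
$sampleSupportContributor = [pscustomobject]@{
    Name       = 'Support Request Contributor (sample approximation)'
    Actions    = @('Microsoft.Authorization/*/read',
                   'Microsoft.Resources/subscriptions/resourceGroups/read',
                   'Microsoft.Support/*')             # wildcard covers supportTickets/write
    NotActions = @()
}
$sampleCarvedOut = [pscustomobject]@{
    Name       = 'Support reader (sample custom role)'
    Actions    = @('Microsoft.Support/*')
    NotActions = @('Microsoft.Support/supportTickets/write')   # explicitly removed again
}

$ticketWrite = 'Microsoft.Support/supportTickets/write'
foreach ($role in @($sampleReader, $sampleSupportContributor, $sampleCarvedOut)) {
    [pscustomobject]@{ Role = $role.Name; CoversTicketWrite = (Test-AzActionCovered $role $ticketWrite) }
}

# Live equivalents once signed in (Connect-AzAccount / Connect-MgGraph):
#   Get-AzRoleDefinition | Where-Object { Test-AzActionCovered $_ $ticketWrite } | Select-Object Name
#   Get-EntraRolesWithPermission 'microsoft.office365.supportTickets/allEntities/allTasks' -BuiltInOnly
```

Of the three sample definitions only the Support Request Contributor approximation covers the ticket write action: the Reader pattern matches only read actions, and the custom role's NotActions entry removes what its wildcard granted. Running the live Entra query rather than trusting the role name matters when a tenant has custom roles, because a custom role can carry the supportTickets permission under any display name.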
GDAP roles by partner types
Indirect providers
The following roles are recommended for indirect providers to transact and manage:
- New customer tenant creation
- Reseller relationship setup
- Purchase
- Subscription management
- Upgrades
- Conversions
- Customer user creation and license assignment
- Customer service requests (requests creation on behalf of customer)
Role | Description |
---|---|
Reader roles: | |
Directory readers | Can read basic directory information. Commonly used to grant directory read access to applications and guests |
Directory writers | Can read and write basic directory information. For granting access to applications, not intended for users. |
Global reader | Can read everything that a Global administrator can, but can't update anything |
User management and license management: | |
User administrator | Can manage all aspects of users and groups, including resetting passwords for limited admins |
License administrator | Can manage product licenses on users and groups |
Service support administrator | Can read service health information and manage support requests |
Help Desk: | |
Help Desk administrator | Can reset passwords for non-administrators and Help Desk administrators |
Direct-bill partners, indirect resellers, and advisors
The following roles are recommended for indirect resellers, advisors, and direct-bill partners that also act as managed service providers (MSPs): specialized partners that manage a customer's environment completely, as an outsourced IT department. This section groups the required roles by task and function.
Typical tasks of a tier-1 technician in managed services
Role | Task | Function |
---|---|---|
Service support administrator | Submit support requests on behalf of the customer. | Help Desk creates and manages support requests. |
Security reader | View security-related policies across Microsoft 365 services. | Help Desk collects discovery on customer tenant to troubleshoot or update security and compliance portal policies, such as data loss prevention policies. |
Intune administrator | Can manage all aspects of the Intune product. | Help Desk handles customer device enrollment and troubleshooting. |
SharePoint administrator | Can manage all aspects of the SharePoint service. | Help Desk manages SharePoint site permissions. |
Teams communications support specialist | Can manage the Microsoft Teams service. | Help Desk troubleshoots call quality issues. |
Help Desk administrator | Can reset passwords for non-administrators and for users in these roles: Directory readers, Guest inviter, Help Desk administrator, Message center reader, Password administrator, Reports reader. | Help Desk resets passwords. |
Desktop analytics administrator | Can access and manage desktop management tools and services. | Help Desk can manage the desktop analytics service by viewing asset inventory and reading standard properties of authorization policies. |
Authentication administrator | Can view, set, and reset authentication method information for any non-admin user. | Help Desk can view, set, and reset authentication method information for any non-admin user (for example, multifactor authentication (MFA) methods). |
Exchange administrator | Users with this role have global permissions within Microsoft Exchange Online when the service is present. They can also create and manage all Microsoft 365 groups, manage support requests, and monitor service health, and can send on behalf of (OBO) users and manage inboxes. | Help Desk manages shared mailboxes, helps solve mailbox quota issues, and creates and manages transport rules. |
License administrator | Can assign, remove, and update license assignments. | During troubleshooting, Help Desk assesses and remediates if there's a licensing issue with the support request. |
User administrator | Can manage all aspects of users and groups, including resetting passwords for limited admins; can block user sign-in. | Help Desk manages all aspects of users and groups, including resetting passwords for limited admins and blocking a former customer employee's access to Microsoft 365 services. |
Groups administrator | Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports. | Help Desk adds owners to groups and adds members to groups. |
Directory readers | Users in this role can read basic directory information. | Help Desk can read basic directory information as part of troubleshooting. |
Message center reader | Can read messages and updates for their organization in Office 365 Message Center only. | Help Desk reads Message Center to troubleshoot support issues. |
Printer administrator | Users with this role can register printers and manage all aspects of all printer configurations in the Microsoft Universal Print solution, including the Universal Print Connector settings. They can consent to all delegated print permission requests. Printer administrators also have access to print reports. | Help Desk manages printer configurations and troubleshoots printer issues. |
Guest inviter | Users in this role can manage Microsoft Entra B2B guest user invitations. | Help Desk can invite guest users independent of the Members can invite guests setting. |
Least-privileged role by task
The following table displays tasks within each GDAP capability, along with the least-privileged role required to perform each task.
GDAP capability | Task | Least-privileged role |
---|---|---|
Support | Submit support ticket | Service support administrator |
Users | Add user to directory role | Privileged role administrator |
Users | Add user to group | User administrator |
Users | Assign license | License administrator |
Users | Create guest user | Guest inviter |
Users | Reset guest user invitation | User administrator |
Users | Create user | User administrator |
Users | Delete user | User administrator |
Users | Invalidate refresh tokens of limited admin | User administrator |
Users | Invalidate refresh tokens of nonadmin | Password administrator |
Users | Invalidate refresh tokens of privileged admin | Privileged authentication administrator |
Users | Read basic configuration | Default user role |
Users | Reset password for limited admin | User administrator |
Users | Reset password for nonadmin | Password administrator |
Users | Reset password for privileged admin | Privileged authentication administrator |
Users | Revoke license | License administrator |
Users | Update all properties except user principal name | User administrator |
Users | Update user principal name for limited admin | User administrator |
Users | Update user principal name for privileged admin | Global administrator |
Users | Update user settings | Global administrator |
Users | Update authentication methods | Authentication administrator |
Groups | Assign license | User administrator |
Groups | Create group | Groups administrator |
Groups | Create, update, or delete access review of a group or app | User administrator |
Groups | Manage group expiration | User administrator |
Groups | Manage group settings | Groups administrator |
Groups | Read all configuration (except hidden membership) | Directory readers |
Groups | Read hidden membership | Group member |
Groups | Read membership of groups with hidden membership | Help Desk administrator |
Groups | Revoke license | License administrator |
Groups | Update group membership | Group owner |
Groups | Update group owners | Group owner |
Groups | Update group properties | Group owner |
Groups | Delete group | Groups administrator |
Licenses | Assign license | License administrator |
Licenses | Read all configuration | Directory readers |
Licenses | Revoke license | License administrator |
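The table above is only useful if it is enforced: a GDAP relationship that requests Global administrator for a help-desk workload grants far more than any task in the table needs. The following PowerShell is an added example, not code from the Microsoft article. It reviews the Microsoft Entra roles a GDAP relationship grants against the roles named in the table, classifying each as `ok` (an assignable role the table lists for routine tasks), `review` (Global administrator, Privileged role administrator and Privileged authentication administrator, which the table lists only for admin-on-admin tasks), or `flag` (a role the table does not name at all). The role template IDs are the well-known built-in IDs; the relationship object is constructed inline in the shape Get-MgTenantRelationshipDelegatedAdminRelationship returns, so the audit can be tried offline. The live commands at the end need the Microsoft.Graph.Identity.Partner and Microsoft.Graph.Identity.Governance modules.

```powershell
# Added example (not from the Microsoft article): audit a GDAP relationship's roles
# against the least-privileged-role-by-task table.

# Assignable roles the table lists for routine user, group, license and support tasks
# (Default user role, Group member and Group owner are not directory roles, so they are omitted).
$RoutineRoles = @{
    '88d8e3e3-8f55-4a1e-953a-9b9898b8876b' = 'Directory readers'
    'f023fd81-a637-4b56-95fd-791ac0226033' = 'Service support administrator'
    'fe930be7-5e62-47db-91af-98c3a49a38b1' = 'User administrator'
    '4d6ac14f-3453-41d0-bef9-a3e0c569773a' = 'License administrator'
    '729827e3-9c14-49f7-bb1b-9608f156bbb8' = 'Help Desk administrator'
    '966707d0-3269-4727-9be2-8c3a10f19b9d' = 'Password administrator'
    'fdd7a751-b60b-444a-984c-02652fe8fa1c' = 'Groups administrator'
    '95e79109-95c0-4d8e-aee3-d01accf2d47b' = 'Guest inviter'
    'c4e39bd9-1100-46d3-8c65-fb160da0071f' = 'Authentication administrator'
}
# Roles the table names only for acting on other administrators; justify before approving.
$AdminOnAdminRoles = @{
    '62e90394-69f5-4237-9190-012177145e10' = 'Global administrator'
    'e8611ab8-c189-46e8-94e1-60213ab1f814' = 'Privileged role administrator'
    '7be44c8a-adaf-4e2a-84d6-ab2649e08a13' = 'Privileged authentication administrator'
}

function Test-GdapRelationshipRoles {
    param(
        [Parameter(Mandatory)] $Relationship,                 # delegatedAdminRelationship-shaped object
        [Parameter(Mandatory)] [hashtable] $RoleNames         # roleTemplateId -> display name, for reporting
    )
    foreach ($unifiedRole in $Relationship.AccessDetails.UnifiedRoles) {
        $id = $unifiedRole.RoleDefinitionId
        $verdict = if ($RoutineRoles.ContainsKey($id)) { 'ok' }
                   elseif ($AdminOnAdminRoles.ContainsKey($id)) { 'review' }
                   else { 'flag' }
        [pscustomobject]@{
            Relationship = $Relationship.DisplayName
            Customer     = $Relationship.Customer.TenantId
            Status       = $Relationship.Status
            RoleId       = $id
            Role         = if ($RoleNames.ContainsKey($id)) { $RoleNames[$id] } else { '(not in lookup)' }
            Verdict      = $verdict
        }
    }
}

# Constructed sample relationship (hypothetical tenant ID) requesting one routine role,
# Global administrator, and Exchange administrator, which the table never names.
$sampleRelationship = [pscustomobject]@{
    DisplayName   = 'Contoso help desk (sample)'
    Status        = 'active'
    Customer      = [pscustomobject]@{ TenantId = '00000000-0000-0000-0000-000000000000'; DisplayName = 'Contoso (sample)' }
    AccessDetails = [pscustomobject]@{
        UnifiedRoles = @(
            [pscustomobject]@{ RoleDefinitionId = 'f023fd81-a637-4b56-95fd-791ac0226033' }   # Service support administrator
            [pscustomobject]@{ RoleDefinitionId = '62e90394-69f5-4237-9190-012177145e10' }   # Global administrator
            [pscustomobject]@{ RoleDefinitionId = '29232cdf-9323-42fd-ade2-1d097af3e4de' }   # Exchange administrator
        )
    }
}

# Offline lookup built from the two lists above plus the one extra role the sample uses.
$sampleNames = $RoutineRoles + $AdminOnAdminRoles + @{ '29232cdf-9323-42fd-ade2-1d097af3e4de' = 'Exchange administrator' }
Test-GdapRelationshipRoles -Relationship $sampleRelationship -RoleNames $sampleNames |
    Format-Table Role, Verdict, Status -AutoSize

# Live run against the partner tenant:
#   Connect-MgGraph -Scopes 'DelegatedAdminRelationship.Read.All','RoleManagement.Read.Directory'
#   $names = @{}
#   Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $names[$_.TemplateId] = $_.DisplayName }
#   Get-MgTenantRelationshipDelegatedAdminRelationship -All |
#       ForEach-Object { Test-GdapRelationshipRoles -Relationship $_ -RoleNames $names } |
#       Where-Object Verdict -ne 'ok'
```

On the sample, Service support administrator is reported `ok`, Global administrator `review`, and Exchange administrator `flag`. A `flag` is not automatically wrong (the tier-1 technician table earlier in this article legitimately includes Exchange administrator and Intune administrator for MSPs that run those workloads); the point is that every role outside the least-privileged set should map to a named task before the relationship is approved, and the live query makes that list reviewable across all customers at once.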