Partner Center APIs DAP-to-GDAP transition

Appropriate roles: All Partner Center users

APIs affected by the transition from delegated admin privileges (DAP) to granular delegated admin privileges (GDAP) are detailed on this page. Return to this document to see updates in impact and parity with GDAP.

Important

Azure Active Directory (Azure AD) Graph is deprecated as of June 30, 2023. Going forward, we're making no further investments in Azure AD Graph. Azure AD Graph APIs have no SLA or maintenance commitment beyond security-related fixes. Investments in new features and functionalities will only be made in Microsoft Graph.

We'll retire Azure AD Graph in incremental steps so that you have sufficient time to migrate your applications to Microsoft Graph APIs. At a later date that we will announce, we will block the creation of any new applications using Azure AD Graph.

To learn more, see Important: Azure AD Graph Retirement and Powershell Module Deprecation.

APIs affected by the transition

API	DAP removal impact	GDAP parity
GetAssignedLicensesAsync	Cloud Solution Provider (CSP) partners can't get licenses of the given customer user	Partners can use any one of the below roles. Directory Reader, Directory Writer, User Admin, License Admin
GetSubscribedSkus	CSP partners can't view the licenses available for a given customer tenant.	Partners can use any one of the below roles. Directory Reader, Global Reader, User Admin, License Admin
AssignUserLicensesAsync	CSP partners can't assign licenses to the customer users	Partners can use any one of the below roles. Directory Writer, User Admin, License Admin
Get DirectoryRoles	No impact	Directory Reader​
GetCustomerDirectoryRoleUserMembers	CSP partners can't get Directory roles User Members for a customer	Partners can use any one of the below roles. Directory Reader, Global Reader, Directory Writer, Privileged Role Admin
AddUserMember	CSP partner can't add a customer user to a given directory role	Privileged Role Admin
RemoveUserMember	CSP partner can't remove a customer user from a given directory role	Privileged Role Admin
GetCustomerUsersAsync	CSP partner user can't view/get the details of all the users in the customer tenant	Partners can use any one of the below roles. Directory Reader, Global reader, User Admin
GetCustomerUserDetailsAsync	CSP partner can't view/get the details about a user in customer tenant	Partners can use any one of the below roles. Directory Reader, Global reader, User Admin
GetUserDirectoryRolesAsync	CSP partner can't view/get the directory roles which the customer user is part of.	Partners can use any one of the below roles. Directory Reader, Global reader, User Admin
CreateCustomerUserAsync	CSP partner can't create new users in customer tenant	Partners can use any one of the below roles. Directory Writer, User Admin
DeleteCustomerUserAsync	CSP partner can't delete users in customer tenant	User Admin
UpdateCustomerUserAsync	CSP partner can't update properties of a user in customer tenant. (Don't use this API to reset passwords, look for the new ResetPassword API for GDAP)	Partners can use any one of the below roles. Directory Writer, User Admin
ResetPassword (no API docs available)	CSP partners can't reset the passwords of users in customer tenant	User Admin / Privileged Authentication Admin to reset password for license management users Privileged Authentication Admin to reset password for all other users
Get all service requests for a customer	Unable to view support tickets for the customer	Any role that supports microsoft.office365.supportTickets /allEntities/allTasks or microsoft.azure.supportTickets /allEntities/allTasks Permissions reference
Get the customer service requests by ID	Unable to view support tickets for the customer	Any role that supports microsoft.office365.supportTickets /allEntities/allTasks or microsoft.azure.supportTickets /allEntities/allTasks Permissions reference
GetSubscribedSku	Partner can't see all the available licenses on customer tenant across different channels.	Partners can use any one of the below roles. Directory Reader, Global reader
Update Qualification	DAP isn't required for accessing this API	No GDAP Role Required
Get Customer ID	The following attributes don't return: CustomDomain, CompanyProfileEmail, CompanyProfileAddress.	New APIs created that support GDAP GetCustomerDomains GetCustomerOrganization Directory Reader
GetCustomerCompanyProfile	The following attributes don't return: CustomDomain, CompanyProfileEmail, CompanyProfileAddress.	New APIs created that support GDAP GetCustomerDomains GetCustomerOrganization Directory Reader
Get Upgrades	CSP partners can't see if they're eligible for upgrades with license transfer.	Partners can use any one of the below roles. Directory Reader, Global reader
Get Transition Eligibilities	CSP partners can't see if they're eligible for transitions with license transfer.	Partners can use any one of the below roles. Directory Reader, Global reader Note: While this API is available for legacy and new commerce experience (NCE), GDAP is only required for legacy.
Upgrade	CSP partners can't conduct a license transfer during an upgrade.	Directory Reader or Global reader (upgrade only) Directory Writer (upgrade with license transfer)
Create Transition	CSP partners can't conduct a license transfer during transition.	Directory Reader or Global reader (transition only) Directory Writer (transition with license transfer) Note: While this API is available for legacy and NCE, GDAP is only required for legacy.
Get Provisioning Status by Subscription by ID	CSP partners can't see the provisioning status for their subscriptions.	Partners can use any one of the below roles. Directory Reader, Global reader
Get the managed services for a customer by ID	CSP partners are unauthorized.	Partners can use the new Graph API. List serviceManagementDetails

Next steps

• Partner security requirements
• Granular delegated admin privileges (GDAP) introduction
• Monitoring administrative relationships and self-service DAP removal
• GDAP role guidance