Share via

Expire granular relationships and extend granular delegated admin privileges (GDAP)

  • Article

Appropriate roles: Admin agent

Partners can identify granular delegated admin privileges (GDAP) relationships that are expired or are close to expiring and take action to automatically extend the privileges.

Prerequisites

To manage GDAP Autoextend, you must:

  • Have the role: Admin agent

Expiring granular relationships and filters

Use filters choose a timeframe to find GDAP relationships that are expiring in different timeframes and ones that are expired.

  • Partner Admin agents can view active GDAPs expiring within 30 days, 7 days, 1 day and after 30 days, and GDAPs that have expired within the last one year.
  • GDAP relationships going to expire tiles (first four) represents the count and percentage of Active GDAPs and GDAP relationships expired tile (last tile) represents the count and percentage of overall GDAPs.
  • Each tile represents a count and percentage of the overall GDAPs.
  • Each tile is represented as a filter to only display the respective GDAPs
  • Use Search to search by Customer Name, Admin Relationship Name
  • Use Download option to download GDAPs

Screenshot of the Customers page: Expiring Granular Relationships.

Manage GDAP Autoextend

Partners can now select one or more GDAPs to enable or disable Autoextend. When Autoextend is enabled against a GDAP, the Autoextended duration is set to Yes (six months). A GDAP with autoextend doesn't expire on the last day of the GDAP, it's rolled forward by six months, so that Partner doesn't need to request a new GDAP, get customer consent, or perform access assignments. When Autoextend is disabled against a GDAP, the partner is notified 30 days, seven days, and one day before expiry.

  • Partner can select a GDAP and choose Enable auto-extend to turn on autoextend.

  • Partner can select a GDAP and choose Disable auto-extend to turn off autoextend

  • Partner can select multiple GDAPs at a time to enable or disable autoextend.

Screenshot of the Expiring Granular Relationships. Multiple customers are selected at once.

GDAP with Global Administrator can't be autoextended

Aligning to Zero trust and least privilege access, a GDAP having Microsoft Entra role: Global Administrator can't be marked for autoextend.

  • GDAP with Global Administrator role would display NA under the column auto-extend Duration.

Removing Global Administrator role

Partners can use the new filter Having Global Administrator to display GDAPs that have the Global Administrator role.

To remove the Global Administrator role from a GDAP:

  1. Select one or more GDAP roles. The Remove Global Administrator Role button becomes active.

  2. Select Remove Global Administrator Role.

    Once the Global Administrator role is removed, the respective Admin Relationship becomes eligible for Auto extend.
    Access assignments associated with Global Administrator role are removed.

    Screenshot of the Expiring Granular Relationships. The button: Remove Global Administrator Role is highlighted.

Next steps