GDAP bulk migration tool FAQ

Appropriate roles: Global admin | User management admin | Admin agent | Sales agent

Where can I find another source that describes the latest known issues and their status?

See the GitHub issues for PartnerCenter-GDAPTransition.

Who can perform the operations in the partner organization?

The write operations can be performed by AdminAgents.

The Global Admin of the partner tenant must grant two one-time consents so that the GDAP bulk migration tool client app can request access tokens for the operations it performs.

In both cases, check “Consent on behalf of your organization”.

  • Consent for permissions for partner center APIs

    Screenshot of consent form for APIs.

  • To be able to read security groups from the partner’s tenant using Graph API

    Screenshot of consent form for Graph.

Will partners be required to provide the name of the relationship for each of the customers?

Yes. Partners must provide a unique name for each relationship with every customer in the list. The name can be at most 50 characters and must be unique across that partner's relationships; otherwise the relationship won't be created.

For relationship creation and security group-role assignment operations, how long do I have to wait before they become active?

Typically it takes up to five minutes for a newly created relationship or assignment to move from ‘Approved’ to ‘Active’.

Where can I see the complete list of roles that can be set up in a GDAP relationship?

You can refer to permissions reference for a complete list of role templates that can be used in the setup file ADRoles.csv during relationship creation and security group assignments.

How can I get more details about errors before contacting support?

If you need to contact support for anything related to the tool, send the log file found at GBM\Logs.

Why are the security group-role assignments failing and the error log shows bad request?

Either the role configured in the GDAP relationship isn't an active role in the customer tenant, or the roles specified in the securitygroups.csv mappings aren't part of the GDAP relationship request because they weren't configured in the ADRoles.csv file.
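A preflight check for the two input problems this FAQ describes, the relationship-name rules (50 characters, unique per partner) and securitygroups.csv mapping roles that ADRoles.csv never requested (also listed under troubleshooting as “Please check input setup for customers and ADRoles”). This is an added example, not part of the tool. The CSV column headers (CustomerTenantId, RelationshipName, RoleName, RoleId, SecurityGroupName) and the sample rows are assumed for illustration; align them with the CSV templates shipped with the tool before running it against your own operations folder. The check for roles that aren't active in the customer tenant can't be done offline and is out of scope here.

```python
"""Preflight checks for GDAP bulk migration tool input files.

Added example, not part of the tool. The column headers used below are
ASSUMED for illustration; align them with the tool's CSV templates.
"""
import csv
import io

MAX_RELATIONSHIP_NAME_LEN = 50  # limit stated in the FAQ

# Constructed sample inputs with fake tenant IDs; headers are assumed.
CUSTOMERS_CSV = """CustomerTenantId,RelationshipName
11111111-1111-1111-1111-111111111111,Contoso-GDAP-2024
22222222-2222-2222-2222-222222222222,Contoso-GDAP-2024
33333333-3333-3333-3333-333333333333,Fabrikam Managed Services Granular Delegated Admin 2024
"""

ADROLES_CSV = """RoleName,RoleId
Helpdesk Administrator,729827e3-9c14-49f7-bb1b-9608f156bbb8
Service Support Administrator,f023fd81-a637-4b56-95fd-791ac0226033
"""

SECURITYGROUPS_CSV = """SecurityGroupName,RoleName
HelpDesk-Tier1,Helpdesk Administrator
HelpDesk-Tier2,Service Support Administrator
Escalations,Global Administrator
"""


def _rows(csv_text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(csv_text)))


def check_relationship_names(customers_csv: str) -> list[str]:
    """Enforce the FAQ rules: non-empty, at most 50 characters, and unique
    across every relationship the partner creates in this run."""
    problems: list[str] = []
    first_use: dict[str, str] = {}
    for row in _rows(customers_csv):
        tenant = row["CustomerTenantId"].strip()
        name = row["RelationshipName"].strip()
        if not name:
            problems.append(f"{tenant}: relationship name is empty")
            continue
        if len(name) > MAX_RELATIONSHIP_NAME_LEN:
            problems.append(
                f"{tenant}: '{name}' is {len(name)} chars "
                f"(max {MAX_RELATIONSHIP_NAME_LEN})"
            )
        if name in first_use:
            problems.append(
                f"{tenant}: '{name}' duplicates the name used for {first_use[name]}"
            )
        else:
            first_use[name] = tenant
    return problems


def check_role_mappings(adroles_csv: str, securitygroups_csv: str) -> list[str]:
    """Every role mapped in securitygroups.csv must also appear in ADRoles.csv;
    otherwise the assignment asks for a role the relationship never requested,
    which the FAQ lists as a 'bad request' cause."""
    requested = {row["RoleName"].strip() for row in _rows(adroles_csv)}
    problems = []
    for row in _rows(securitygroups_csv):
        role = row["RoleName"].strip()
        if role not in requested:
            problems.append(
                f"{row['SecurityGroupName'].strip()}: role '{role}' is not in ADRoles.csv"
            )
    return problems


def preflight(customers_csv: str, adroles_csv: str, securitygroups_csv: str) -> list[str]:
    """Run all checks; an empty list means the inputs pass."""
    return check_relationship_names(customers_csv) + check_role_mappings(
        adroles_csv, securitygroups_csv
    )


if __name__ == "__main__":
    findings = preflight(CUSTOMERS_CSV, ADROLES_CSV, SECURITYGROUPS_CSV)
    for finding in findings:
        print("FAIL:", finding)
    print("OK" if not findings else f"{len(findings)} problem(s) found")
```

Run it before starting the tool: a duplicate name or an over-long name costs you a failed relationship creation that has to be retried after the rest of the batch completes, and a role missing from ADRoles.csv surfaces only later as a bad-request error on the assignment step.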

What data is shown in the audit logs when the tool runs?

Along with the existing attributes of the partner user, the ‘Granular Admin Relationship Approved’ event carries a new attribute, ‘ApprovedBy’. Its value is ‘Partner’ for partner-led approval and ‘Customer’ for regular customer approval.
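Because the ‘ApprovedBy’ value distinguishes approvals the partner performed from approvals the customer consented to, it is the field to review after a migration run. The following added example (not part of the tool or Partner Center) counts approvals by approver type and flags partner-led approvals for customers that weren't in the run's customers.csv. The JSON record layout and the sample events are constructed for illustration; map the field names onto your real audit log export.

```python
"""Review GDAP approval events for partner-led approvals.

Added example, not part of the tool or Partner Center. The FAQ states that
'Granular Admin Relationship Approved' events carry an 'ApprovedBy' attribute
('Partner' for partner-led approval, 'Customer' for regular approval). The
record layout below is ASSUMED for illustration; map it onto your real export.
"""
import json

APPROVAL_ACTIVITY = "Granular Admin Relationship Approved"

# Constructed sample export (fake tenants and names); layout is assumed.
SAMPLE_AUDIT_JSON = json.dumps([
    {"timestamp": "2024-07-11T10:01:00Z", "activity": APPROVAL_ACTIVITY,
     "attributes": {"RelationshipName": "Contoso-GDAP-2024",
                    "CustomerTenantId": "11111111-1111-1111-1111-111111111111",
                    "ApprovedBy": "Partner"}},
    {"timestamp": "2024-07-11T10:03:00Z", "activity": APPROVAL_ACTIVITY,
     "attributes": {"RelationshipName": "Fabrikam-GDAP-2024",
                    "CustomerTenantId": "22222222-2222-2222-2222-222222222222",
                    "ApprovedBy": "Customer"}},
    {"timestamp": "2024-07-11T10:04:00Z", "activity": "Granular Admin Relationship Created",
     "attributes": {"RelationshipName": "Tailspin-GDAP-2024",
                    "CustomerTenantId": "33333333-3333-3333-3333-333333333333"}},
    {"timestamp": "2024-07-11T10:09:00Z", "activity": APPROVAL_ACTIVITY,
     "attributes": {"RelationshipName": "Tailspin-GDAP-2024",
                    "CustomerTenantId": "33333333-3333-3333-3333-333333333333",
                    "ApprovedBy": "Partner"}},
])


def approvals(audit_json: str) -> list[dict]:
    """Return only the approval events, flattened to the fields we report on.
    Records without ApprovedBy (pre-tool events) are reported as 'Unknown'."""
    out = []
    for rec in json.loads(audit_json):
        if rec.get("activity") != APPROVAL_ACTIVITY:
            continue
        attrs = rec.get("attributes", {})
        out.append({
            "timestamp": rec.get("timestamp"),
            "relationship": attrs.get("RelationshipName"),
            "customer": attrs.get("CustomerTenantId"),
            "approved_by": attrs.get("ApprovedBy", "Unknown"),
        })
    return out


def approval_counts(audit_json: str) -> dict[str, int]:
    """Count approvals by approver type (Partner / Customer / Unknown)."""
    counts: dict[str, int] = {}
    for ev in approvals(audit_json):
        counts[ev["approved_by"]] = counts.get(ev["approved_by"], 0) + 1
    return counts


def unexpected_partner_approvals(audit_json: str, planned_customers: set[str]) -> list[dict]:
    """Partner-led approvals are expected only for customers in the migration
    run's customers.csv; any other partner-led approval deserves a look."""
    return [
        ev for ev in approvals(audit_json)
        if ev["approved_by"] == "Partner" and ev["customer"] not in planned_customers
    ]


if __name__ == "__main__":
    planned = {"11111111-1111-1111-1111-111111111111"}
    print(approval_counts(SAMPLE_AUDIT_JSON))
    for ev in unexpected_partner_approvals(SAMPLE_AUDIT_JSON, planned):
        print("REVIEW:", ev["timestamp"], ev["relationship"], ev["customer"])
```

Feed `unexpected_partner_approvals` the set of CustomerTenantId values from the customers.csv you actually ran; anything it returns is a relationship that became active without a customer consent step and outside the planned batch.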

What is the maximum number of relationships this tool can support for upgrade?

The tool has been tested with up to 1,000 relationships at a time. It has also been tested with about 4,000 security group assignment requests. After completing the assignments, the background process will take a few minutes to refresh from Approved to Active.

I made an incorrect GDAP role assignment by mistake. Can I update my GDAP relationships?

The tool doesn't support updating GDAP role assignments. To update the assignments, you need to go to the Microsoft Partner Center > Customers > Administer, find the customer, terminate the incorrect relationships and then run the tool again with updated role assignments.

Can I remove the DAP relationship after I'm done upgrading all my relationships to GDAP?

  • If you're using Partner Center’s Transact APIs, then no. These APIs don't work with a GDAP relationship alone. We'll notify you when to remove the DAP relationship.
  • If you aren't using any of the Partner Center APIs, then you can go ahead and retire the DAP relationship.

I don't want my relationships to expire in the next three years. Can I provide expiration up to three years as an exception?

Currently, the GDAP relationship tenure is set at a maximum up to 730 days (two years). It can't be extended beyond this period.

Customers can now exclude CSPs from Conditional Access policies so that partners can run the no-consent GDAP bulk migration tool to transition to GDAP without being blocked.

Include users

This list of users typically includes all of the users an organization is targeting in a Conditional Access policy.

The following options are available to include when creating a Conditional Access policy:

  • Select users and groups
    • Guest or external users (preview)
      • This selection provides several choices that can be used to target Conditional Access policies to specific guest or external user types and specific tenants containing those types of users. There are several different types of guest or external users that can be selected, and multiple selections can be made:
        • Service provider users, for example a Cloud Solution Provider (CSP)
      • One or more tenants can be specified for the selected user type(s), or you can specify all tenants.

External partner access

Conditional Access policies that target external users may interfere with service provider access, for example granular delegated admin privileges. For more information see Introduction to granular delegated admin privileges (GDAP). For policies that are intended to target service provider tenants, use the Service provider user external user type available in the Guest or external users selection options.

Screenshot of CA policy UX targeting guest and external user types from specific Azure AD organizations.

Exclude users

When organizations both include and exclude a user or group, the user or group is excluded from the policy, as an exclude action overrides an include in policy.

The following options are available to exclude when creating a Conditional Access policy:

  • Guest or external users
    • This selection provides several choices that can be used to target Conditional Access policies to specific guest or external user types and specific tenants containing those types of users. There are several different types of guest or external users that can be selected, and multiple selections can be made:
      • Service provider users, for example a Cloud Solution Provider (CSP)
    • One or more tenants can be specified for the selected user type(s), or you can specify all tenants.

Screenshot of CA policy.
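The exclusion above can be scoped to all external tenants or to specific tenants. The following added example (not from the page, the tool, or Microsoft) inspects a Conditional Access policy object and reports whether its service-provider exclusion is open to every external tenant or narrowed to the CSP tenant that actually runs the tool, which is the least-privilege choice. The field names follow the Microsoft Graph conditionalAccessPolicy `conditions.users` schema as the author understands it (excludeGuestsOrExternalUsers, guestOrExternalUserTypes, externalTenants, membershipKind, members); confirm them against the current Graph reference, and treat the tenant IDs as fake.

```python
"""Check how a Conditional Access policy excludes service-provider (CSP) users.

Added example; not from the page, the tool, or Microsoft. Field names follow
the Microsoft Graph conditionalAccessPolicy 'conditions.users' schema as the
author understands it; confirm against the current Graph reference.
"""

PARTNER_TENANT = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"  # your CSP's tenant (fake)

# Exclusion that applies to service providers from ANY external tenant.
POLICY_ALL_SERVICE_PROVIDERS = {
    "displayName": "Require MFA - all users",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            "excludeGuestsOrExternalUsers": {
                "guestOrExternalUserTypes": "serviceProvider",
                "externalTenants": {
                    "@odata.type": "#microsoft.graph.conditionalAccessAllExternalTenants",
                    "membershipKind": "all",
                },
            },
        }
    },
}

# Same policy, exclusion narrowed to the one partner tenant that runs the tool.
POLICY_SCOPED_TO_PARTNER = {
    "displayName": "Require MFA - all users",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            "excludeGuestsOrExternalUsers": {
                "guestOrExternalUserTypes": "serviceProvider",
                "externalTenants": {
                    "@odata.type": "#microsoft.graph.conditionalAccessEnumeratedExternalTenants",
                    "membershipKind": "enumerated",
                    "members": [PARTNER_TENANT],
                },
            },
        }
    },
}


def service_provider_exclusion(policy: dict) -> tuple[str, list[str]]:
    """Classify the policy's service-provider exclusion:
    ('none', []) if CSP users aren't excluded, ('all', []) if every external
    tenant's service providers are, or ('enumerated', [tenant ids])."""
    users = policy.get("conditions", {}).get("users", {}) or {}
    excl = users.get("excludeGuestsOrExternalUsers") or {}
    types_field = excl.get("guestOrExternalUserTypes") or ""
    # guestOrExternalUserTypes is a comma-separated flags string in Graph
    types = {t.strip() for t in types_field.split(",") if t.strip()}
    if "serviceProvider" not in types:
        return ("none", [])
    tenants = excl.get("externalTenants") or {}
    if tenants.get("membershipKind") == "enumerated":
        return ("enumerated", list(tenants.get("members", [])))
    return ("all", [])


def lint_policy(policy: dict, trusted_partners: set[str]) -> list[str]:
    """Findings a customer admin would want before approving the exclusion."""
    kind, members = service_provider_exclusion(policy)
    name = policy.get("displayName", "<unnamed>")
    if kind == "none":
        return []
    if kind == "all":
        return [f"{name}: excludes service providers from every external tenant; "
                f"enumerate your CSP tenant(s) instead"]
    return [f"{name}: excludes service providers from unrecognised tenant {t}"
            for t in members if t not in trusted_partners]


if __name__ == "__main__":
    for pol in (POLICY_ALL_SERVICE_PROVIDERS, POLICY_SCOPED_TO_PARTNER):
        print(service_provider_exclusion(pol), lint_policy(pol, {PARTNER_TENANT}))
```

Run `lint_policy` over the policies exported from your tenant with the set of partner tenant IDs you have a GDAP or DAP relationship with; an “all” finding means any service provider tenant, not just your CSP, bypasses that policy.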

For more information see the following:

Will running the GDAP Bulk migration tool cause a new Service Principal to be added on the customer’s tenant?

Yes. Creation of the “Partner Customer Delegated Admin Offline Processor” service principal is necessary for the GDAP access assignment to go through in the GDAP workflow. It's created after the GDAP relationship acceptance enters the “approved” state, both when using the bulk migration tool and in the normal GDAP flow where the access assignment maps partner security groups to customer roles. For more details, see Verify first-party Microsoft applications in sign-in reports.

Troubleshooting guidance

The process cannot access the file 'C:\Users\masidd\Desktop\DemoJul11\GBM\GDAPBulkMigration\operations\customers.csv' because it is being used by another process.

You'll see this error when the tool tries to read or write a file that is open in another program. Close the CSV/JSON file and retry the operation.

GDAP relationship name already exists.

The relationship name specified for that customer in GBM\GDAPBulkMigration\operations\customers.csv is already used by an existing relationship, either for that customer or for another customer; relationship names must be globally unique for the partner. Retry with a new name after the current operation has completed for the other customer relationships.

Access assignment already exists.

This error can be displayed when executing the option to “Create Security Group-Role Assignment(s)” if a security group has already been added to the GDAP relationship with a given set of roles.

Please make sure your sign-in credentials are MFA enabled.

The signed-in user doesn't have Azure AD multifactor authentication (MFA) enabled. MFA is required because all GDAP APIs enforce it.

Please check input setup for customers and ADRoles.

One or more inputs in the files under the ‘operations’ folder (ADRoles.csv or securitygroups.csv) haven't been configured properly.

It can also occur if the Azure AD role configured in the relationship isn't activated in the customer tenant.

Failed to create. The customer does not exist, or DAP relationship is missing.

This error message means that the customer isn't mapped to the partner or the DAP relationship is missing or has been removed.

GDAP relationship is already created but User does not have permissions to approve a relationship.

The GDAP relationship already exists but isn't active, and the partner user hasn't been assigned a role that can approve the relationship for the customer.

Proxy Server: Your organization has a proxy server which prevents internet access without authorization.

The build might fail because the NuGet server can't be reached through the proxy. Update the nuget.config file as follows:

  1. Identify your organization's proxy server setting and update the nuget.config in the working folder with the following.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
      <packageSources>
            <clear />
            <add key="nuget" value="https://api.nuget.org/v3/index.json" />
      </packageSources>
      <config>
            <add key="http_proxy" value="http://YOUR_PROXY_URL" />
      </config>
      <activePackageSource>
            <add key="All" value="(Aggregate source)" />
      </activePackageSource>
</configuration>
  2. If GDAP API access is blocked by the proxy server, add the following line to GBM/AppSettings.cs (WebProxy and CredentialCache are in System.Net, HttpClient in System.Net.Http):
HttpClient.DefaultProxy = new WebProxy("your proxy server url", true, null, System.Net.CredentialCache.DefaultNetworkCredentials);

Screenshot of app console proxy settings.

Next steps