GDAP frequently asked questions

Appropriate roles: All users interested in Partner Center

Granular delegated admin permissions (GDAP) give partners access to their customers' workloads in a way that is more granular and time-bound, which can help to address customer security concerns.

With GDAP, partners can provide more services to customers who may be uncomfortable with the high levels of partner access.

GDAP also helps with customers who have regulatory requirements to provide only least-privileged access to partners.

Setting up GDAP

Who can request a GDAP relationship?

Someone with the Admin agent role at a partner organization can create a GDAP relationship request.

Does a GDAP relationship request expire if the customer doesn't take any action?

Yes. GDAP relationship requests expire after 90 days.

How long does a GDAP relationship last?

The duration of a GDAP relationship is defined by the partner. Two years is the default duration. (Two years is also the maximum duration.) However, a partner can update the duration and reduce it to as little as one day.

Can I make a GDAP relationship with a customer permanent?

No. Permanent GDAP relationships with customers aren't possible for security reasons. The maximum duration of a GDAP relationship is two years.

Can a GDAP relationship with a customer autorenew?

No. A GDAP relationship can't autorenew for security reasons.

What do I do when the GDAP relationship with a customer expires? Is there an automatic renewal process?

If the GDAP relationship with your customer expires, you'll have to request a GDAP relationship again. There's no automatic renewal process.

You can use GDAP relationship analytics to track GDAP relationship expiration dates and prepare for their renewal.

How can a customer extend or renew a GDAP relationship?

To extend or renew a GDAP relationship, the customer should ask their partner to send a GDAP relationship request.

If a GDAP relationship expires, are the customer’s existing subscriptions affected?

No. There's no change to a customer’s existing subscriptions when a GDAP relationship expires.

How can I continue to administer services for my customers if DAP for inactive customers is removed?

While DAP and GDAP coexist, you can continue to administer services for your customers by establishing a GDAP relationship or by recreating a DAP relationship with them through Partner Center. We recommend establishing a GDAP relationship to ensure you have the most secure and least privileged access to your customer’s tenant.

When DAP is retired, you'll be required to have a GDAP relationship with any customers for whom you want to administer services.

Who receives a GDAP relationship termination notification email?

Within a partner organization, people with the Admin agent role receive a termination notification.

Within a customer organization, people with the Global admin role receive a termination notification.

Can I see when a customer removes GDAP in the activity logs?

Yes. Partners can see when a customer removes GDAP in the Partner Center activity logs.

Do I need to create a GDAP relationship with all of my customers?

No. GDAP is an optional capability for partners who want to manage their customer’s services in a more granular and time-bound way. You can choose which customers you want to create a GDAP relationship with.

If I have multiple customers, do I need to have multiple security groups for those customers?

The answer depends on how you want to manage your customers.

  • If you want your partner users to be able to manage all customers, you can put all of your partner users into one security group and that one group can manage all of your customers.

  • If you prefer to have various partner users managing various customers, assign those partner users to separate security groups for customer isolation.

Can indirect resellers create GDAP relationship requests at Partner Center?

Yes. Indirect resellers (and indirect providers and direct-bill partners) can create GDAP relationship requests at Partner Center.

Customers can now exclude CSPs from Conditional Access policies so that partners can run the no-consent GDAP bulk migration tool to transition to GDAP without being blocked.

Include users

This list of users typically includes all of the users an organization is targeting in a Conditional Access policy.

The following options are available to include when creating a Conditional Access policy:

  • Select users and groups
    • Guest or external users (preview)
      • This selection provides several choices that can be used to target Conditional Access policies to specific guest or external user types and specific tenants containing those types of users. There are several different types of guest or external users that can be selected, and multiple selections can be made:
        • Service provider users, for example a Cloud Solution Provider (CSP)
      • One or more tenants can be specified for the selected user type(s), or you can specify all tenants.

External partner access

Conditional Access policies that target external users may interfere with service provider access, for example granular delegated admin privileges. For more information, see Introduction to granular delegated admin privileges (GDAP). For policies that are intended to target service provider tenants, use the Service provider user external user type, available in the Guest or external users selection options.

Screenshot of CA policy UX targeting guest and external user types from specific Azure AD organizations.

Exclude users

When organizations both include and exclude a user or group, the user or group is excluded from the policy, as an exclude action overrides an include in policy.

The following options are available to exclude when creating a Conditional Access policy:

  • Guest or external users
    • This selection provides several choices that can be used to target Conditional Access policies to specific guest or external user types and specific tenants containing those types of users. There are several different types of guest or external users that can be selected, and multiple selections can be made:
      • Service provider users, for example a Cloud Solution Provider (CSP)
    • One or more tenants can be specified for the selected user type(s), or you can specify all tenants.
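Excluding service provider users from a Conditional Access policy deliberately widens the policy, so a defender will want to confirm that each such exclusion is scoped to known partner tenants rather than to every service-provider tenant. The Python below is an added example (not code from the original page or from Microsoft): it walks Conditional Access policy objects in the shape of the Microsoft Graph conditionalAccessPolicy resource and reports how each service-provider exclusion is scoped. The property names (excludeGuestsOrExternalUsers, guestOrExternalUserTypes, externalTenants, membershipKind, members) follow my reading of the Graph schema and should be checked against the current reference; the policy names and tenant IDs are constructed.

```python
"""Audit Conditional Access policies for service-provider (CSP) exclusions.

Added example, not Microsoft's code. The policy objects follow the shape of
the Microsoft Graph conditionalAccessPolicy resource as I understand it;
policy names and tenant IDs below are constructed sample data.
"""
from typing import Any, Dict, List, Optional, Set

# Constructed sample policies (no real tenant data).
SAMPLE_POLICIES: List[Dict[str, Any]] = [
    {   # Exclusion limited to one named partner tenant: the narrow form.
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {"users": {
            "includeUsers": ["All"],
            "excludeGuestsOrExternalUsers": {
                "guestOrExternalUserTypes": "serviceProvider",
                "externalTenants": {
                    "@odata.type": "#microsoft.graph.conditionalAccessEnumeratedExternalTenants",
                    "membershipKind": "enumerated",
                    "members": ["11111111-1111-1111-1111-111111111111"],
                },
            },
        }},
    },
    {   # Exclusion for every service-provider tenant: the broad form.
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {"users": {
            "includeUsers": ["All"],
            "excludeGuestsOrExternalUsers": {
                "guestOrExternalUserTypes": "serviceProvider,b2bCollaborationGuest",
                "externalTenants": {
                    "@odata.type": "#microsoft.graph.conditionalAccessAllExternalTenants",
                    "membershipKind": "all",
                },
            },
        }},
    },
    {   # No external-user exclusion at all.
        "displayName": "Require compliant device",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]}},
    },
]


def service_provider_exclusion(policy: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the excludeGuestsOrExternalUsers block if it covers serviceProvider users."""
    users = policy.get("conditions", {}).get("users", {})
    excl = users.get("excludeGuestsOrExternalUsers")
    if not excl:
        return None
    # guestOrExternalUserTypes is a comma-separated list of user types.
    types = {t.strip() for t in excl.get("guestOrExternalUserTypes", "").split(",")}
    return excl if "serviceProvider" in types else None


def audit_policy(policy: Dict[str, Any], expected_partners: Set[str]) -> Dict[str, Any]:
    """Classify how a policy's CSP exclusion is scoped.

    scope is "none" (policy applies to CSP users too), "enumerated" (only the
    listed partner tenants are excluded) or "all" (every service-provider
    tenant is excluded). unexpected lists enumerated tenant IDs that are not
    in expected_partners, i.e. exclusions for partners you do not recognise.
    """
    result: Dict[str, Any] = {"policy": policy["displayName"], "scope": "none", "unexpected": []}
    excl = service_provider_exclusion(policy)
    if excl is None:
        return result
    tenants = excl.get("externalTenants", {})
    if tenants.get("membershipKind") == "all":
        result["scope"] = "all"
    else:
        result["scope"] = "enumerated"
        result["unexpected"] = sorted(set(tenants.get("members", [])) - expected_partners)
    return result


def overly_broad(policies: List[Dict[str, Any]], expected_partners: Set[str]) -> List[str]:
    """Names of policies whose CSP exclusion reaches beyond the known partner set."""
    findings = (audit_policy(p, expected_partners) for p in policies)
    return [f["policy"] for f in findings if f["scope"] == "all" or f["unexpected"]]


if __name__ == "__main__":
    known_partners = {"11111111-1111-1111-1111-111111111111"}  # constructed
    for p in SAMPLE_POLICIES:
        print(audit_policy(p, known_partners))
    print("Overly broad:", overly_broad(SAMPLE_POLICIES, known_partners))
```

Feed it the policies returned by the Graph identity/conditionalAccess/policies endpoint and the tenant IDs of the partners you actually have a GDAP relationship with; anything reported as "all" or with unexpected members is an exclusion wider than the migration needs.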

For more information see the following:

GDAP API

Are APIs available to create a GDAP relationship with customers?

For information about APIs and GDAP, see the Partner Center developer documentation.

Can I use the beta GDAP APIs for production?

Yes. It's recommended that partners use the beta GDAP APIs for production and later switch to the v1 APIs when they become available.

Although there's a warning, “Use of these APIs in production applications isn't supported,” that generic guidance is for any beta API under Graph and isn't applicable to the beta GDAP Graph APIs.

Can I create multiple GDAP relationships with different customers at once?

Yes. GDAP relationships can be created using APIs, enabling partners to scale this process. Creating multiple GDAP relationships isn't available at Partner Center, however. For information about APIs and GDAP, see the Partner Center developer documentation.

Can I bulk migrate customers from DAP to GDAP?

Yes. You can bulk migrate customers from DAP to GDAP using APIs. Using multiple APIs, you can automate the process of creating GDAP relationships with your customers. For information about APIs and GDAP, see the Partner Center developer documentation.

Can multiple security groups be assigned in a GDAP relationship using one API call?

The API works for one security group at a time, but you can map multiple security groups to multiple roles at Partner Center.

Roles

Which GDAP roles are needed to access an Azure subscription?

Is there guidance about the least-privileged roles I can assign to users for specific tasks?

Yes. For information about how to restrict a user's administrator permissions by assigning least privileged roles in Azure Active Directory (Azure AD), see Least privileged roles by task in Azure Active Directory.

What is the least privileged role I can assign to a customer’s tenant and still be able to create support tickets for the customer?

We recommend assigning the Service support administrator role. To learn more, see Least privileged roles by task in Azure Active Directory.

Can I open support tickets for a customer in a GDAP relationship from which all Azure AD roles have been excluded?

No. The least privileged role for partner users to be able to create support tickets for their customer is the Service support administrator. Therefore, to be able to create support tickets for the customer, a partner user must be in a security group and assigned to that customer with that role.

Where can I find information about all the roles and workloads included in GDAP?

For information about all the roles, see Azure AD built-in roles.

For information about workloads, see Workloads supported by granular delegated admin privileges (GDAP).

What GDAP role gives access to the Microsoft 365 Admin Center?

Many roles are used for Microsoft 365 Admin Center. For more information, see Commonly used Microsoft 365 admin center roles.

Can I create custom security groups for GDAP?

Yes. Create a security group, assign approved roles, and then assign partner tenant users to that security group.

Which GDAP roles give read-only access to the customer’s subscriptions and so don't allow the user to manage them?

Read-only access to a customer’s subscriptions is provided by the Global reader, Directory reader, and Partner tier 2 support roles.

What role should I assign to my partner agents (currently Admin agents) if I would like them to manage the customer tenant but not modify the customer’s subscriptions?

We recommend removing the partner agents from the Admin agent role and adding them to a GDAP security group only. That way, they can administer services (service management and log service requests, for example), but they can't purchase and manage subscriptions (change quantity, cancel, schedule changes, and so on).

What happens if a customer grants GDAP roles to partner and then removes roles or severs the GDAP relationship?

The security groups assigned to the relationship lose access to that customer. The same thing happens if a customer terminates a DAP relationship.

Can some roles in my GDAP relationship with my customer have a longer time to expiration than others?

No. All roles in a GDAP relationship have the same time to expiration: the duration that was chosen when the relationship was created.

Do I need GDAP to fulfill orders for new and existing customers in Partner Center?

No. You don't need GDAP to fulfill orders for new and existing customers. You can continue to use the same process to fulfill customer orders in Partner Center.

Do I have to assign one partner agent role to all customers, or can I assign a partner agent role to one customer only?

GDAP relationships are per customer. You can have multiple relationships per customer. Each GDAP relationship can have different roles and use different Azure AD groups within your CSP tenant.

In Partner Center, role assignment works at the customer-to-GDAP-relationship level. If you want multi-customer role assignment, you can automate it using the APIs.

Can a partner user have GDAP roles and a Guest account?

Guest accounts don't work with GDAP and DAP. Customers must remove any Guest accounts to get GDAP and DAP to work.

DAP and GDAP

Is GDAP replacing DAP?

Yes. During the transition period, DAP and GDAP will coexist, with GDAP permissions taking precedence over DAP permissions for Microsoft 365, Dynamics 365, and Azure workloads.

Can I continue to use DAP, or do I have to transition all my customers to GDAP?

DAP and GDAP will coexist during the transition period. However, GDAP will eventually replace DAP to ensure that we provide a more secure solution for our partners and customers. It's advised that you transition your customers to GDAP as soon as possible to ensure continuity.

While DAP and GDAP coexist, will there be any changes to the way a DAP relationship is created?

There are no changes to the existing DAP relationship flow while DAP and GDAP coexist.

How will GDAP work with Privileged Identity Management in Azure AD?

Partners can implement Privileged Identity Management (PIM) on a GDAP security group in the partner's tenant to elevate the access of a few high-privilege users just in time (JIT), granting them high-privilege roles such as Password administrator with automatic removal of access.

To enable this implementation, the Azure AD Premium Plan 2 subscription that PIM requires is available for free. Microsoft partners can sign in to get the details.

How do DAP and GDAP coexist if a customer buys Microsoft Azure and Microsoft 365 or Dynamics 365?

GDAP is generally available with support for all Microsoft commercial cloud services (Microsoft 365, Dynamics 365, Microsoft Azure, and Microsoft Power Platform workloads). For more information about how DAP and GDAP can coexist and how GDAP takes precedence, see How will GDAP take precedence over DAP.

I have a large customer base (10,000 customer accounts, for example). How do I transition from DAP to GDAP?

You can carry out this transition by using the APIs.

No. Your PEC earnings won't be affected when you transition to GDAP. There are no changes to PAL with the transition, ensuring that you continue to earn PEC.

Is PEC affected when DAP/GDAP is removed?

  • If a partner's customer has DAP only and DAP is removed, PEC isn't lost.
  • If a partner's customer has DAP, and they move to GDAP for Office and Azure simultaneously, and DAP is removed, PEC isn't lost.
  • If the partner's customer has DAP, and they move to GDAP for Office but keep Azure as-is (they don't move to GDAP) and DAP is removed, PEC won't be lost, but Azure subscription access will be lost.
  • If an RBAC role is removed, PEC is lost, but removing GDAP won't remove RBAC.

How do GDAP permissions take precedence over DAP permissions while DAP and GDAP coexist?

When the user is part of both the GDAP security group and the DAP Admin agents group and the customer has both DAP and GDAP relationships, GDAP access takes precedence at the partner, customer, and workload level.

For example, if a partner user signs in for a given workload and there's DAP for the Global admin role and GDAP for the Global reader role, the partner user only gets Global reader permissions.

If there are three customers with GDAP role assignments to only the GDAP security group (not to the Admin agents group):

Diagram showing the relationship between different users as members of the Admin agents group and GDAP security groups.

Customer     Relationship with partner
Customer 1   DAP (no GDAP)
Customer 2   DAP + GDAP both
Customer 3   GDAP (no DAP)

The following table describes what happens when each example user signs in to each customer tenant.

Example user   Example customer tenant   Behavior    Comments
User 1         Customer 1                DAP         This example is DAP as-is.
User 1         Customer 2                DAP         There's no GDAP role assignment to the Admin agents group, which results in DAP behavior.
User 1         Customer 3                No access   There's no DAP relationship, so the Admin agents group doesn't have access to Customer 3.
User 2         Customer 1                DAP         This example is DAP as-is.
User 2         Customer 2                GDAP        GDAP takes precedence over DAP because there's a GDAP role assigned to User 2 through the GDAP security group, even though the user is part of the Admin agents group.
User 2         Customer 3                GDAP        This example is a GDAP-only customer.
User 3         Customer 1                No access   There's no GDAP role assignment to Customer 1.
User 3         Customer 2                GDAP        User 3 isn't part of the Admin agents group, which results in GDAP-only behavior.
User 3         Customer 3                GDAP        GDAP-only behavior.
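The precedence rule behind this table can be checked mechanically, which is useful before removing DAP from a customer. The Python below is an added example, not Microsoft's implementation: it models a partner user's security-group memberships and a customer's DAP and GDAP relationships, and returns the behavior the FAQ describes, including the earlier case where DAP grants Global admin but GDAP grants only Global reader. The users, group and role names are constructed to mirror the three-customer example; the group memberships of User 1, 2 and 3 (Admin agents only, both groups, GDAP security group only) are inferred from the table's comments.

```python
"""Model of the documented GDAP-over-DAP precedence rule.

Added example, not Microsoft's implementation. It encodes the behaviour the FAQ
describes: a user who is in the DAP Admin agents group and also holds a GDAP role
assignment for a customer gets only the GDAP roles. Users, customers, groups and
roles below are constructed to mirror the FAQ's three-customer example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Tuple

ADMIN_AGENTS = "Admin agents"
# Role DAP grants through the Admin agents group (the FAQ's own example uses Global admin).
DAP_ROLES: FrozenSet[str] = frozenset({"Global administrator"})


@dataclass
class Customer:
    name: str
    has_dap: bool
    # GDAP roles assigned per partner security group; empty means no GDAP relationship.
    gdap_roles_by_group: Dict[str, FrozenSet[str]] = field(default_factory=dict)


@dataclass(frozen=True)
class PartnerUser:
    name: str
    groups: FrozenSet[str]  # security groups in the partner tenant


def effective_access(user: PartnerUser, customer: Customer) -> Tuple[str, FrozenSet[str]]:
    """Return (behavior, roles) when user signs in to the customer's tenant.

    GDAP wins whenever any of the user's groups has a GDAP role assignment for
    this customer, regardless of Admin agents membership. Otherwise DAP applies
    only if the customer still has DAP and the user is an Admin agent.
    """
    gdap_roles = set()
    for group in user.groups:
        gdap_roles |= customer.gdap_roles_by_group.get(group, frozenset())
    if gdap_roles:
        return "GDAP", frozenset(gdap_roles)
    if customer.has_dap and ADMIN_AGENTS in user.groups:
        return "DAP", DAP_ROLES
    return "No access", frozenset()


def behavior_matrix(users: Iterable[PartnerUser],
                    customers: Iterable[Customer]) -> Dict[Tuple[str, str], str]:
    """Behavior for every (user, customer) pair, keyed by their names."""
    customers = list(customers)
    return {(u.name, c.name): effective_access(u, c)[0] for u in users for c in customers}


# Constructed data mirroring the FAQ's example: one GDAP security group that is
# granted Global reader on the customers that have a GDAP relationship.
GDAP_GROUP = "GDAP readers"
READER = frozenset({"Global reader"})
CUSTOMERS = [
    Customer("Customer 1", has_dap=True),                                             # DAP only
    Customer("Customer 2", has_dap=True, gdap_roles_by_group={GDAP_GROUP: READER}),   # both
    Customer("Customer 3", has_dap=False, gdap_roles_by_group={GDAP_GROUP: READER}),  # GDAP only
]
USERS = [
    PartnerUser("User 1", frozenset({ADMIN_AGENTS})),              # Admin agents only
    PartnerUser("User 2", frozenset({ADMIN_AGENTS, GDAP_GROUP})),  # both groups
    PartnerUser("User 3", frozenset({GDAP_GROUP})),                # GDAP group only
]


if __name__ == "__main__":
    for (user, customer), behavior in behavior_matrix(USERS, CUSTOMERS).items():
        print(f"{user} -> {customer}: {behavior}")
    # DAP alone would give User 2 Global admin on Customer 2; GDAP narrows it to Global reader.
    print(effective_access(USERS[1], CUSTOMERS[1]))
```

Removing a customer's GDAP relationship corresponds to clearing gdap_roles_by_group, and terminating DAP to setting has_dap to False; running the matrix before and after such a change shows which users fall back to DAP and which lose access entirely, which is the check the FAQ's migration guidance asks you to make before removing DAP.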

Will disabling DAP or transitioning to GDAP affect my legacy competency benefits or Solutions Partner designations I've attained?

DAP and GDAP aren't eligible association types for Solutions Partner designations, and disabling or transitioning from DAP to GDAP won't affect your attainment of Solutions Partner designations. Your renewal of legacy competency benefits or Solutions Partner benefits also won't be affected.

Go to Partner Center Solutions Partner designations to view what other partner association types are eligible for Solutions Partner designations.

How does GDAP work with Azure Lighthouse? Do GDAP and Azure Lighthouse affect each other?

With respect to the relationship between Azure Lighthouse and DAP/GDAP, think of them as decoupled parallel paths to Azure resources, so severing one shouldn't affect the other.

  • In the Azure Lighthouse scenario, users from the partner tenant never sign in to the customer tenant and don't have any Azure AD permissions in the customer tenant. Their Azure RBAC role assignments are also kept in the partner tenant.

  • In the GDAP scenario, users from the partner tenant sign in to the customer tenant, and the Azure RBAC role assignment to the Admin agents group is also in the customer tenant. You can block the GDAP path (users can no longer sign in) while the Azure Lighthouse path is unaffected. Conversely, you can sever the Lighthouse relationship (projection) without affecting GDAP. For more information, see the Azure Lighthouse documentation.

How does GDAP work with Microsoft 365 Lighthouse?

Either granular delegated admin privileges (GDAP) plus an indirect reseller relationship or a delegated admin privileges (DAP) relationship is required to onboard customers to Lighthouse.

If DAP and GDAP coexist in a customer tenant, GDAP permissions take precedence for MSP technicians in GDAP-enabled security groups.

Soon, customers with GDAP-only relationships (without indirect reseller relationships) will be able to onboard to Lighthouse. For more information on requirements for Microsoft 365 Lighthouse, see Requirements for Microsoft 365 Lighthouse.

What is the best way to move to GDAP and remove DAP without losing access to Azure subscriptions if I have customers with Azure?

The correct sequence to follow for this scenario is:

  1. Create a GDAP relationship for both Microsoft 365 and Azure.
  2. Assign Azure AD roles to security groups for both Microsoft 365 and Azure.
  3. Configure GDAP to take precedence over DAP.
  4. Remove DAP.

Important

If you don't follow these steps, existing Admin agents managing Azure may lose access to Azure subscriptions for the customer.

The following sequence could result in losing access to Azure subscriptions:

  1. Remove DAP.

    You won't necessarily lose access to an Azure subscription by removing DAP. But at this time you can't browse the customer’s directory to do any Azure RBAC role assignments (such as assigning a new customer user as subscription RBAC contributor).

  2. Create a GDAP relationship for both Microsoft 365 and Azure together.

    You may lose access to the Azure subscription at this step as soon as GDAP is set up.

  3. Assign Azure AD roles to security groups for both Microsoft 365 and Azure.

    You'll regain access to Azure subscriptions after Azure GDAP setup is complete.

I have customers with Azure subscriptions without DAP. If I move them to GDAP for Microsoft 365, will I lose access to the Azure subscriptions?

If you have Azure subscriptions without DAP that you manage as owner, by adding GDAP for Microsoft 365 to that customer, you may lose access to the Azure subscriptions. To avoid that, move the customer to Azure GDAP at the same time that you move the customer to Microsoft 365 GDAP.

Important

If these steps aren't followed, existing Admin agents managing Azure may lose access to Azure subscriptions for the customer.

No. Relationships, once accepted, aren't reusable.

Offers

Is management of Azure subscriptions included in this release of GDAP?

Yes. The current release of GDAP supports all products: Microsoft 365, Dynamics 365, Microsoft Power Platform, and Microsoft Azure.