Set up GDAP for your customers in Microsoft 365 Lighthouse

You can now set up all your customers with granular delegated admin privileges (GDAP) through Microsoft 365 Lighthouse, regardless of their licenses or size. By setting up your organization with GDAP for the customer tenants you manage, users in your organization have the permissions necessary to do their work while keeping customer tenants secure. Lighthouse lets you quickly transition your organization to GDAP and begin the journey to least-privilege for your delegated access to customers.

Delegated access via delegated admin privileges (DAP) or GDAP is a prerequisite for customer tenants to be fully onboarded to Lighthouse. Therefore, creating GDAP relationships with your customers may be the first step in managing your customer tenants in Lighthouse.

During the GDAP setup process, you create GDAP templates by configuring what support roles and security groups are needed for your organization. Then, you assign customer tenants to GDAP templates. GDAP roles are scoped to Microsoft Entra built-in roles, and when you set up GDAP, you see recommendations for a set of roles needed for different job functions.


Before you begin

  • You need to have specific permissions in the partner tenant:

    • To establish GDAP security groups, add users, and create GDAP templates, you must be a Global Administrator in the partner tenant. This role can be assigned in Microsoft Entra ID.

    • To create and complete GDAP relationships, you must be a member of the Admin Agents group in Partner Center.

  • The customers you manage in Lighthouse need to be set up in Partner Center with either a reseller relationship or an existing delegated relationship (DAP or GDAP).

Note

Lighthouse GDAP templates use role-assignable security groups. A Microsoft Entra ID P1 license is required to add users to these groups. To enable Just-in-Time (JIT) roles, Microsoft Entra ID Governance or a Microsoft Entra ID P2 license is required.

Set up GDAP for the first time

When you set up GDAP for the first time, you must complete the following sections in order. Once completed, you can come back and edit any section as needed.

If you encounter any problems during GDAP setup, see Troubleshoot error messages and problems in Microsoft 365 Lighthouse: GDAP setup and management for guidance.

To get started:

  1. In the left navigation pane in Lighthouse, select Home.

  2. On the Set up GDAP card, select Set up GDAP.

  3. Complete the following sections in order.

    Step 1: Roles and permissions

    Step 2: GDAP templates

    Step 3: Security groups

    Step 4: Tenant assignments

    Step 5: Review and finish

Step 1: Roles and permissions

Choose the Microsoft Entra roles needed based on your employees' job functions.

  1. On the Roles and permissions page, select the Microsoft Entra roles needed based on your employees' job functions. Do one of the following:

    • Adopt recommended roles
    • Edit Microsoft Entra role selections

    By default, Lighthouse includes five support roles: Account manager, Service desk agent, Specialist, Escalation engineer, and JIT agent. You can rename support roles to match your organization's preferences by selecting Edit support roles. Certain Microsoft Entra roles can't be added to different support roles—for example, the Microsoft Entra roles in the JIT agent support role can't be added to any other support role.

    If not all support roles are needed for your GDAP setup, you can exclude one or more from your GDAP templates in the next step.

  2. Select Next.

  3. Select Save and close to save your settings and exit GDAP Setup.

Step 2: GDAP templates

A GDAP template is a collection of:

  • Support roles
  • Security groups
  • Users in each security group

To create a GDAP template:

  1. On the GDAP templates page, select Create template.

  2. In the template pane, enter the template name and description into the appropriate fields.

  3. Select one or more support roles from the list.

  4. Select Save.

  5. Select Next.

  6. Select Save and close to save your settings and exit GDAP Setup.

Step 3: Security groups

You need at least one security group per support role for each template. For the first template, you'll create a new security group, but for subsequent templates, you may reuse groups if desired.

  1. On the Security groups page, select Create security group.

  2. In the security group pane, enter a name and description.

  3. Select Add users.

  4. From the Add users list, select the users you want to include in this security group.

  5. Select Save.

  6. Select Save again.

  7. Select Next.

  8. Select Save and close to save your settings and exit GDAP Setup.

JIT agent security group users are eligible to request access to highly privileged GDAP roles; they're not given access to them automatically. As part of GDAP Setup, select a JIT approver security group from your tenant to approve access requests from JIT agents.

The JIT approver security group must be role-assignable. If you're not seeing a security group appear in GDAP Setup, confirm that the security group is role-assignable. For more information on how to manage role assignments, see Use Microsoft Entra groups to manage role assignments.

After completing GDAP setup, a JIT access policy is created for JIT agents to request access. You can review the policy created in the Microsoft Entra ID Governance portal, and JIT agents can request access to their roles from the My Access portal. For more information on how JIT agents can request access, see Manage access to resources. For more information on how approvers can approve requests, see Approve or deny request.
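Because a group that is not role-assignable never appears in the GDAP Setup picker, it helps to check candidate groups (including the JIT approver group) before you start. The following script is an added example, not part of the Lighthouse documentation; it assumes the Microsoft Graph PowerShell SDK is installed, that you sign in to the partner tenant with an account permitted to read groups, and the group names are constructed placeholders.

```powershell
# Added example (not from the Lighthouse documentation): confirm that the security
# groups you intend to select in GDAP Setup are role-assignable, using the
# Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module is installed.
Connect-MgGraph -Scopes "Group.Read.All" -NoWelcome

# Display names of the groups you plan to use; constructed sample values.
$candidateGroups = @("GDAP-JIT-Approvers", "GDAP-ServiceDesk-Agents")

foreach ($name in $candidateGroups) {
    # Look the group up by display name and request only the properties needed.
    $group = Get-MgGroup -Filter "displayName eq '$name'" `
                         -Property "id,displayName,isAssignableToRole,securityEnabled" |
             Select-Object -First 1

    if (-not $group) {
        Write-Warning "Group '$name' was not found in the partner tenant."
        continue
    }

    # isAssignableToRole can only be set when the group is created; a group created
    # without it will not be offered in GDAP Setup and has to be recreated.
    if ($group.IsAssignableToRole -and $group.SecurityEnabled) {
        # Membership of role-assignable groups requires Entra ID P1, so list who is in it.
        $members = Get-MgGroupMember -GroupId $group.Id -All
        Write-Host ("OK  {0}: role-assignable security group, {1} member(s)" -f `
            $group.DisplayName, @($members).Count)
    }
    else {
        Write-Warning ("{0}: not usable in GDAP Setup (isAssignableToRole={1}, securityEnabled={2}); recreate it as a role-assignable security group" -f `
            $group.DisplayName, $group.IsAssignableToRole, $group.SecurityEnabled)
    }
}
```

Run it in the partner tenant before Step 3 so that any group reported as not role-assignable can be recreated before you reach the security group picker.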

Step 4: Tenant assignments

Assign groups of customers to each template. Each customer can only be assigned to one template. Once selected, that customer tenant won't be displayed as an option on subsequent templates. If you rerun GDAP Setup, your tenant assignments per GDAP template will be saved.

  • To add new tenants to a GDAP template, rerun GDAP Setup. Keep saved tenant assignments and select new tenants to assign to the GDAP template. New GDAP relationships will only be created for the newly assigned tenants.

  • To remove tenants from a GDAP template, rerun GDAP Setup. Remove the tenant assignment. Removing the tenant assignment won't remove the GDAP relationship created from a previous assignment, but it allows you to reassign the customer tenant to a different GDAP template if needed.

Make sure that all tenants you want assigned to a GDAP template are selected before selecting Next. You can filter the list of tenants using the search box in the upper right corner.

  1. On the Tenant assignments page, select the tenants you want to assign to the GDAP templates you created.

  2. Select Next to go to the next section or select Save and close to save your settings and exit GDAP Setup.

Step 5: Review and finish

  1. On the Review settings page, review the settings you created to confirm they're correct.

  2. Select Finish.

It may take a minute or two for the settings you've configured to apply. If you need to refresh the data, follow the prompts. Setup will be incomplete if you exit GDAP Setup without selecting Finish.

Note

For customers with an existing DAP relationship, these settings are automatically applied. Customers with an Active status on the last page of GDAP Setup are assigned to roles and security groups as defined in the GDAP template.

Note

For customers without an existing DAP relationship, an admin relationship request link is generated for each customer on the last page of GDAP Setup. From there, you can send the link to your customer's Global Administrator so they can approve the admin relationship. Once the relationship is approved, the GDAP template settings will be applied. It may take up to an hour after relationship approval for changes to appear in Lighthouse.

Once you've completed GDAP Setup, you can navigate to different steps to update or change roles, security groups, or templates. GDAP relationships are now visible in Partner Center and the security groups are now visible in Microsoft Entra ID.
