Update: Microsoft has updated the timeline for GDAP. Microsoft will stop the creation of DAP relationship starting May 2023, and retire the bulk migration tool from July 2023. For more details, please refer to the announcement and technical release file.
Access to customer workloads is changing for Microsoft Partners. Tighter controls come into effect in 2023. Partners have to transition all customer relationships managed under existing Delegated Access Privileges to Granular Delegated Admin Privileges. Let’s get into the what, why, when and how of this important update.
What’s Changed and Why?
Microsoft takes the security of your customers data seriously. In line with this, the current Delegated Access Privilege access protocol in the Microsoft Partner Center has changed to adhere more closely to a Zero Trust model.
The key word here is ‘granular’. GDAP changes the broad ‘Full Administrator’ partner access to individual permissions based on the specifics of 66 new roles.
This means customers assume greater control over who gets access and why access is given to Microsoft cloud workloads, whether in production or sandbox. Under GDAP, relationships between Partner organisations and customers will be based on details like:
- What access an Admin or Agent needs to perform their work
- Which customer workloads will be accessed by the Admin or Agent and for what work product
- How long an Admin or Agent requires access
- Whether the access required is for the maximum term of two years or is time-bound and needs approval.
In short, customers assume greater control over who gets access and why access is given to Microsoft cloud workloads, whether in production or sandbox.
Who is affected?
Transitioning to GDAP is mandatory for Microsoft Direct Bill Partners, Indirect Providers and Indirect Resellers on CSP licensing programs for all Microsoft Azure, Microsoft 365, Microsoft 365 Dynamics and Microsoft Power Platform.
GDAP will apply to everyone in a Partner organisation performing any function as an administrator for customers, and anyone that currently has the ability to grant access to other users in the partner business.
When does GDAP kick in?
Help! We haven’t started, what should we do first?
Partners should immediately
- read the Step-by-Step Guide from Microsoft
- review and understand the 66 new roles created under GDAP.
- decide if the default security model for GDAP is suitable for your operational needs. In some cases, the least-privileged access that Microsoft will default to may be in line with the services you provide to customers.
- use the DAP Monitoring Tool in Partner Center to audit existing DAP connections
- map existing Admin and Agent access and work function requirements to the new roles
- begin communicating to customers about the impending changes and identifying the roles you intend to create under the new GDAP requirements.
IMPORTANT: In cases where the defaults are not adequate, you will need to decide your own GDAP policy considering the following:
- What Administration Roles are required and the staff they will apply to
- How long do you want to maintain these roles (up to 2 years)
- Will these policies be the same for all customers or will you have different policies for different customers?
- How do you plan to deploy these changes (Bulk migration Tool, M365 Lighthouse, etc.)
What can Crayon’s channel team do to help?
For existing customer tenants that Crayon already have Delegated Admin Privileges, they will be moved to GDAP soon using the GDAP migration tool that Microsoft provided. There is no additional action required from our resellers.
For existing customer tenants that Crayon do not have DAP privileges, we will need our partners to request GDAP relationships from their customers using the GDAP invitation request tool in PRISM portal.
For new tenants, moving forward partners will need to request GDAP relationships on our behalf using the manage GDAP feature in PRISM Portal. Please refer to the following documentation GDAP (Crayon.com) for more information on how managing GDAP between Crayon and your customer works.
Note that this is for GDAP relationship between us and your customers.
You will need to have a separate GDAP relationship between yourself and your customer to allow your support agents to access your customer’s Microsoft tenant.
What other tools are available to help with the transition?
- Lighthouse – GDAP Configuration Wizard
Set up GDAP for your customers – Microsoft 365 Lighthouse | Microsoft Learn - Partner Centre – Admin Relationship Request
Obtain granular admin permissions to manage a customer’s service – Partner Center | Microsoft Learn - Bulk Migration Tool
GDAP bulk migration tool – Partner Center | Microsoft Learn
Where else can I get information?
We encourage out partners to go to Microsoft as the source for the latest and most accurate information on the GDAP changes. Highly recommended immediate reading includes:
- Granular Delegated Admin Privileges (GDAP) section of the Microsoft Partner Center.
- GDAP Frequently Asked Questions section of the Microsoft Partner Center.
- Securing The Partner And Customer Ecosystem section of the Microsoft Partner Center for useful resources.
- Security update: Securing the partner and customer ecosystem—new timelines
Need to talk through your plans for the GDAP transition? Contact your account manager to set up a call with our Productivity Team for advice.
