CSP: Granular Delegated Admin Privileges (GDAP) explained
Microsoft has been working on improving security. In the last few years every CSP customer has been asked to grant Delegated Admin Privileges (DAP) at least once. Without it, it is hard (though not impossible) for the CSP partner to grant and assign licenses. Of course it is convenient for the partner, because DAP gives the partner Global Admin permissions in the customer tenant.
DAP has a drawback: it gives you Global Admin access to your customer tenants, so if your partner tenant is compromised (hacked), your customers can be affected as well.
The new GDAP allows partners to provision more granular and time-bound access to their customers, letting the partner do their work while addressing customer security concerns at the same time.
With DAP you only had two roles to help your customers, and the relationship is indefinite (until the partner or customer revokes the trust).
With GDAP you can set up custom access roles with custom relationship timelines, limited to a maximum of 2 years, after which they must be renewed. All GDAP related operations are logged in the Azure AD activity logs for traceability. You can create Azure AD groups to grant permissions to a (set of) customer(s), with different permissions for each group.
With DAP, the same level of access is given to all members within a Partner Center environment for a specific customer, while with GDAP you can create security groups with specific roles.
Please be aware that GDAP will replace DAP in the near future.
How to set up a GDAP relationship with a customer
STEP 1: Go to the Partner Center and select Customers. Click on Administer, and then on Request admin relationship.
In the next window you need to enter an admin relationship name that must be unique in your tenant, and a duration of at most 730 days, which you can shorten to what the customer requests. This is also where you select the Azure AD roles that will be included in the GDAP relationship.
Make sure that you select all roles that are needed, and click on Save at the bottom of the list before you can Finalize request.
Once finalized, you can then send the email to your customer to setup the relationship.
When your customer receives the email, they must click the link in it with a Global Admin account in order to accept the relationship.
When the relationship is accepted, the customer will see the new relationship in the Partner Relationships section of their tenant (marked as Granular admin access).
In the customer tenant it should look like this; click Approve all to confirm all roles.
STEP 2: When the relationship is established, you need to assign the roles to your user groups. In your Partner Center account select your customer, click on Admin Relationship and view the existing GDAP configuration.
Here you can select your established GDAP relationship and click on Add Security Group for modifying the role assignments available for the members:
Please take note before you start using GDAP:
- GDAP takes precedence over DAP on a customer tenant, so be careful when setting permissions.
- Microsoft has plans to provide an “automatic way” of moving from DAP to GDAP for existing relationships, without forcing partners to re-send relationship requests again. No ETA for this yet.
- The granular delegated admin privileges (GDAP) relationship will automatically expire when the duration requested in the invitation is passed. Before expiration, you will receive a notification email 30 days, seven days, and one day before the GDAP expiration date.
- To extend or renew the GDAP relationship, partners will need to resend the GDAP relationship request to the customer (auto-renewal process is not supported for security reasons).
- APIs will be available for automating the GDAP relationship creation process with customers.
- GDAP and DAP coexist for now, but in the future you will be required to have a GDAP relationship with any customer you wish to administer services for.
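As an added example (not part of the original post), the following Python audit runs over an inventory of GDAP relationships and flags the things the notes above call out: a duration beyond the 730-day limit, Global Admin included in the scope (the opposite of the granular intent), and relationships that are expired or inside the 30-day renewal window, since there is no auto-renewal. The record layout is modelled on the Microsoft Graph delegatedAdminRelationship resource (an assumption), and the sample inventory is constructed, not taken from any tenant.

```python
import re
from datetime import datetime

MAX_DURATION_DAYS = 730   # maximum relationship length stated in the post
RENEWAL_WINDOW_DAYS = 30  # first of Microsoft's 30/7/1-day expiry reminders, per the post
# Well-known Entra ID (Azure AD) role template ID for Global Administrator.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"
NARROW_ROLE_ID = "00000000-0000-0000-0000-0000000000aa"  # placeholder for a limited role

def _rel(name, status, duration, end, role_id):
    """Build one constructed record shaped like a Graph delegatedAdminRelationship (assumption)."""
    return {"displayName": name, "status": status, "duration": duration, "endDateTime": end,
            "accessDetails": {"unifiedRoles": [{"roleDefinitionId": role_id}]}}

SAMPLE_RELATIONSHIPS = [  # constructed sample inventory; names and dates are made up
    _rel("contoso-gdap-helpdesk", "active", "P365D", "2023-01-25T00:00:00Z", NARROW_ROLE_ID),
    _rel("fabrikam-gdap-fullaccess", "active", "P730D", "2024-06-01T00:00:00Z", GLOBAL_ADMIN_ROLE_ID),
    _rel("northwind-gdap-old", "active", "P900D", "2022-12-01T00:00:00Z", NARROW_ROLE_ID),
    _rel("tailspin-gdap-pending", "approvalPending", "P180D", None, NARROW_ROLE_ID),
]

def parse_duration_days(iso: str) -> int:
    """Parse the day-only ISO 8601 duration a GDAP request carries, e.g. 'P730D'."""
    m = re.fullmatch(r"P(\d+)D", iso)
    if not m:
        raise ValueError(f"unsupported duration format: {iso}")
    return int(m.group(1))

def audit(relationships: list, now_iso: str) -> list:
    """Return (displayName, finding) pairs for every relationship that needs attention."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    findings = []
    for rel in relationships:
        name = rel["displayName"]
        if parse_duration_days(rel["duration"]) > MAX_DURATION_DAYS:
            findings.append((name, "duration_over_limit"))
        # GDAP is meant to carry the narrowest roles that do the job, not Global Admin.
        if any(u["roleDefinitionId"] == GLOBAL_ADMIN_ROLE_ID
               for u in rel["accessDetails"]["unifiedRoles"]):
            findings.append((name, "global_admin_in_scope"))
        # Pending requests have no end date yet, so only active relationships are checked.
        if rel["status"] == "active" and rel["endDateTime"]:
            end = datetime.fromisoformat(rel["endDateTime"].replace("Z", "+00:00"))
            remaining = (end - now).days
            if remaining < 0:
                findings.append((name, "expired"))
            elif remaining <= RENEWAL_WINDOW_DAYS:  # no auto-renew: resend the request
                findings.append((name, "renewal_due"))
    return findings
```

Running `audit(SAMPLE_RELATIONSHIPS, "2023-01-01T00:00:00Z")` reports the helpdesk relationship as due for renewal, the full-access one as carrying Global Admin, and the old one as both over the limit and expired.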