GDAP is the new security model for Microsoft partners to be granted administrative access to tenants. You will need to take action to avoid losing access to your customer tenants. Read this short article to get up to speed.
Update 3/3/23
New GDAP milestone dates
- Transition active and inactive DAPs: Starting May 22, 2023
- Microsoft will begin transitioning active and inactive DAP relationships to GDAP with limited Azure Active Directory (AD) roles. We will provide clarity on the roles by March 15, 2023.
- For relationships that have been transitioned from DAP to GDAP, we will proceed to remove the corresponding DAP relationships 30 days later.
- We will pause the transition for the month of June to support the fiscal year closure.
Note
If a partner has a GDAP relationship with a specific customer, Microsoft will not transition that customers DAP to GDAP. Microsoft will disable that customer’s DAP by the end of July.
- The dates for the following milestones will be communicated on March 15, 2023:
- Stop new DAPs—DAP is currently granted when a new customer tenant is created. Microsoft will no longer grant DAP for new customer creation.
- Grant GDAP default roles for new customers—GDAP with certain default roles will be granted when a new customer tenant is created.
- Retire the bulk migration tool—The bulk migration tool will be retired.
What is GDAP (and DAP) ?
DAP is Dead, Long live the GDAP!
DAP : Delegated Admin Privileges in Microsoft Cloud, provide the mechanism for a Microsoft Partner (CSP) to manage a customers service or subscription on their behalf. It’s been around for a while and if you’re a CSP, it’s granted through your reseller relationship and allows you to Admin on behalf of your customers.
The problem with DAP is that it gives the CSP partner all permissions, vs the permissions they might actually need to do their job.
GDAP : The “G” adds “Granular” to DAP, It’s a different administrative model and it has some distinct changes from DAP.
- The Partner requests access to a set of roles within the customer tenant, it’s not “All Access” by default.
- Customers (Tenant Global Administrators) have to approve the GDAP request.
- Each request has a duration, after which it expires – i.e. it is not permanent. The maximum duration is 2 years.
- The administrative relationship is independent of the Reseller relationship – at present you still need the Reseller relationship in place, to form the administrative relationship.
- Once the GDAP relationship is in place, you can delegate roles to your staff via Azure AD security groups.
Key Microsoft Deadlines
In the recent Microsoft announcement on GDAP the timelines for transition were moved back, this will be a welcome relief, but you still need to plan for this over the next few months.
| Deadline | Purpose |
| 17-Jan-23 | DAP relationships no longer created by Microsoft |
| DAP relationships unused in 90 days will be removed by Microsoft | |
| 1-Mar-23 | Migration tool to transition DAP to GDAP without needing customer approval, will no longer be available |
| Remaining DAP relationships will be transitioned to minimal GDAP roles * |
*The limited GDAP roles (Directory reader, Global reader, User administrator, License administrator, Service support administrator, and Helpdesk administrator) granted by Microsoft during the transition will only allow you to perform least-privilege activities. All other access permissions (for example, access to Exchange workloads) will be lost
The key message from Microsoft “take action now” as there is work to be done to get this in place.
Benefits of GDAP
This is a better model than the current system, it gives more control over access to customer data.
- Customers have more control over who is accessing their systems and data.
- Service Providers have more fine-grained control over:
- Who can support/maintain individual customers
- The functions a team/individual can perform for customers
- Because security groups now control access, Partners using Azure AD Premium P2 for their staff can now use PIM to control administrative access to tenants.
The Transition process from DAP to GDAP
The main issue is the operational overhead of the transition – I break this down into the following areas for consideration:
- Comprehension of GDAP structure and how it works
- Deciding how to use the new GDAP permissions within your organization
- Transitioning existing customer relationships from DAP to GDAP
- Changing your process for onboarding new customers
- Adding a process for handling expiry of customer GDAP relationships
Short term – you need to focus on items 1 to 3, and standardize your processes wherever possible,
A key time constraint is around migration. The ability to create GDAP relationships for your existing customers without consent, is possible up until 1 March 2023. The migration window is an important one, as it will be very time-consuming to handle manually for many customers.
The Migration Toolkit:
Microsoft have kindly created an opensource toolkit for migrating your DAPs to GDAPs. The downside is that
- It needs some work to get your head around it
- It requires you to download some .NET code, compile it and then execute it in multiple stages.
It’s not bad, we just know not everyone has spare hours to build tools to do migrations of things which are not really BAU.
Atria GDAP Migration Tool
We are working to build a simplified version of the GDAP migration tool for anyone who wants help with this process. If you are interested, please email support@getatria.com, or inquire here – this will be a free tool for anyone to use.
