In alignment with its mission to implement a Zero Trust security model across its products, services and entire partner ecosystem, Microsoft is putting an end to delegated admin privileges (DAP) in favour of more secure granular delegated admin privileges (GDAP). Admin privileges are essentially the security controls that define what access Microsoft partners (whether they’re indirect providers, indirect resellers or direct bill partners) have to their clients’ tenants. In other words, they govern how Microsoft partners interact with customer workloads in Microsoft 365, Dynamics 365 and Microsoft Azure. These changes therefore have an impact on any partners who transact in Microsoft’s CSP program.
Beginning May 22, 2023, Microsoft will transition both active and inactive DAP relationships to GDAP ones with limited Azure Active Directory (AAD) roles. Once this transition takes place, Microsoft will then remove the corresponding DAP relationships 30 days later. Relationships that have already been transitioned from DAP to GDAP by Microsoft partners prior to May will not be affected; however, Microsoft will officially disable any remaining DAP access by the end of July.
While increased security is undoubtedly a good thing, it’s understandable that many partners and their clients have questions about the move from DAP to GDAP, how it will affect them and how to transition clients themselves prior to Microsoft taking action.
What are granular delegated admin privileges (GDAP)?
Keeping with the Zero Trust principles of explicit verification and least privileged access, GDAP provides more explicit roles and time-bound parameters for partner access to customer environments than DAP. GDAP restricts access to customer tenants at a finer level, thereby reducing the security risk between Microsoft partners and their clients. More specifically, GDAP defines access at the customer, partner tenant, partner user and workload levels for different Microsoft services.
The point of GDAP is ultimately to protect access to customer data. GDAP also helps partners accommodate clients with regulatory requirements to allow only least privileged access to providers.
How does GDAP work?
Once enabled (which we’ll cover in greater detail below), Microsoft partners can assign their users to different security groups and associated roles. These security groups are then given access to customer workloads for a fixed duration of time, up to a maximum of two years. Afterwards, the access automatically expires.
Security groups are created in partner tenants using Azure Active Directory (AAD). Some examples of different admin privileges include:
- Exchange admin
- SharePoint admin
- Intune admin
- Help desk admin
- Teams admin
Source: Microsoft
Transitioning from DAP to GDAP
At some point, Microsoft will stop creating new DAP relationships between providers, resellers and end-clients, and start removing inactive ones. This will turn off partners’ ability to manage various capabilities for customer tenants, such as creating support tickets with Microsoft on customers’ behalf. Any existing Microsoft discounts partners currently have with Sherweb will not be affected.
Nevertheless, partners, providers and resellers are strongly encouraged to start transitioning tenants from DAP to GDAP as soon as possible. To begin the transition, Microsoft has shared a number of steps for partners in the CSP program to follow.
Audit your existing DAP connections
To begin the move to GDAP, partners should first determine how users within their organization currently access customer tenants. This can be done using the DAP monitoring report in the Microsoft Partner Center. The report can also be used to remove inactive DAP connections. To access it, navigate to Partner Center, Account settings, Security center, and then Administrative relationships.
Source: Microsoft
Remove inactive DAP connections
Next, partners can go about removing DAP relationships. Make sure you notify customers before doing so, as users within your organization won’t be able to access customers’ online services once the connection is removed.
Start planning your transition
Before establishing GDAP connections with all your tenants, a certain degree of planning is advised. Think about what activities different people within your organization execute for customers to help figure out what kind of role they should have. As an example, here are some recommended roles for indirect providers and resellers to assign in order to transact and manage clients:
- New customer tenant creation
- Reseller relationship setup
- Purchase
- Subscription management
- Upgrades
- Conversions
- Customer user creation and license assignment
- Customer service requests
Initiate the move to GDAP
Once you have an idea of what roles you want to assign for your customers, it’s time to start the transition. Please note that this process will require customers to approve your request for a GDAP connection, so communicating with tenants about this change beforehand is probably a good idea. However, if you use Microsoft’s GDAP bulk migration tool to help with the process of facilitating the change for large groups of clients, no customer action is required. Partners can use Microsoft 365 Lighthouse to complete the transition as well.
Note about Microsoft 365 Lighthouse
To onboard customers to Lighthouse in the first place, either GDAP (in addition to an indirect reseller relationship) or DAP is required. If DAP and GDAP are both in effect for a tenant, GDAP permissions take precedence for MSP users in GDAP security groups. Soon, tenants with GDAP-only relationships (and no indirect reseller relationships) will be able to onboard to Lighthouse.
Source: Microsoft
Disable DAP for good
After completing the transition to GDAP, it’s recommended that partners disable DAP connections. This is done using the same DAP monitoring report in the Partner Center. Simply select the customer you want to turn off DAP for, then select Disable DAP.
How to create GDAP relationships with new customers
For new customer organizations, partners can adhere to the following steps for establishing GDAP relationships.
- In Microsoft’s Partner Center, select Customers, followed by a specific customer.
- Select Admin relationships, followed by Request admin relationship.
- Enter relevant details for the Admin relationship name and Duration.
- Select specific AAD roles, keeping in mind that least-privileged roles are recommended.
- Select Save for the selected roles.
- Selected roles will then appear in the Requested AAD roles section.
- Select Finalize request, which then prepares an email to send to the customer.
- Review your message to the affected customer with the GDAP invitation link.
- Send the email.
- You’re done!
What happens when GDAP connections expire
Whereas DAP relationships never expired, GDAP relationships expire automatically, which removes standing access and so facilitates a more secure environment. When a GDAP relationship is about to expire, both the partner and the customer receive an email notification 30 days, seven days and one day beforehand. After expiry, partner users who were assigned to a security group for that customer no longer have access and can no longer administer services. To renew access, a new GDAP request has to be sent to the customer.
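The relationship model described above (time-bound access for partner security groups capped at two years, the 30/7/1-day expiry notices, least-privileged roles, and the audit step under “Audit your existing DAP connections”) can be checked programmatically. The following is an added Python example, not code from Sherweb or Microsoft; it assumes relationship records shaped like the Microsoft Graph delegatedAdminRelationship resource (displayName, duration, endDateTime, accessDetails.unifiedRoles), uses assumed Azure AD role template IDs, and runs over constructed sample data.

```python
import re
from datetime import datetime, timezone

# Assumed Azure AD role template IDs (Global Administrator is what a least-privileged request avoids); sample data is constructed.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
HELPDESK_ADMIN = "729827e3-9c14-49f7-bb1b-9608f156bbb8"
MAX_DAYS = 730            # GDAP access is capped at two years
NOTIFY_DAYS = (1, 7, 30)  # notification windows before expiry, ascending

def duration_days(iso):
    """Approximate an ISO 8601 duration such as P730D or P2Y as a day count."""
    m = re.fullmatch(r"P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?", iso)
    years, months, days = (int(g or 0) for g in m.groups())
    return years * 365 + months * 30 + days

def expiry_window(end, now):
    """Return the 30/7/1-day notification window the relationship is in, 0 if expired, else None."""
    remaining = (end - now).days
    if remaining < 0:
        return 0
    return next((w for w in NOTIFY_DAYS if remaining <= w), None)

def audit(relationships, now):
    """Map each relationship's displayName to the issues a partner should act on."""
    findings = {}
    for rel in relationships:
        issues = []
        if duration_days(rel["duration"]) > MAX_DAYS:
            issues.append("duration exceeds the two-year GDAP maximum")
        if rel["endDateTime"]:  # a request awaiting customer approval has no end date yet
            window = expiry_window(datetime.fromisoformat(rel["endDateTime"]), now)
            if window is not None:
                issues.append("expired: assigned security groups have lost access" if window == 0
                              else f"within {window}-day expiry window: send a new GDAP request")
        if GLOBAL_ADMIN in {r["roleDefinitionId"] for r in rel["accessDetails"]["unifiedRoles"]}:
            issues.append("requests Global Administrator: prefer a least-privileged role")
        findings[rel["displayName"]] = issues
    return findings

def make_rel(name, duration, end, *roles):  # constructed record shaped like a Graph delegatedAdminRelationship
    return {"displayName": name, "duration": duration, "endDateTime": end,
            "accessDetails": {"unifiedRoles": [{"roleDefinitionId": r} for r in roles]}}

NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    make_rel("Helpdesk-Contoso", "P180D", "2023-06-07T00:00:00+00:00", HELPDESK_ADMIN),
    make_rel("Full-Fabrikam", "P730D", "2024-06-01T00:00:00+00:00", GLOBAL_ADMIN),
    make_rel("Legacy-Northwind", "P365D", "2023-05-30T00:00:00+00:00", HELPDESK_ADMIN),
    make_rel("Pending-Tailspin", "P900D", None, HELPDESK_ADMIN),
]
```

Calling `audit(SAMPLE, NOW)` returns one actionable finding per constructed relationship: a renewal due inside the seven-day window, a Global Administrator request, an expired relationship, and a pending request over the two-year cap.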
Requirements for Sherweb partners
For indirect resellers who manage customers through Sherweb’s partner program, there are a few requirements to be aware of. In order to provision and assign Microsoft and Dynamics 365 licenses, provide customer support, and send data for PSA integrations, Sherweb needs to establish GDAP connections to end-client tenants. There will be only limited changes in Sherweb’s partner portal, and partners will be notified via email once GDAP has been enabled.
New Sherweb partners and their customer tenants will need to accept a GDAP relationship request. This process will be initiated whenever Sherweb partners add new clients through the partner portal.
For more information about the DAP to GDAP transition and actions for existing Sherweb partners, watch this informative webinar:
Both Sherweb and Microsoft partners in general should be advised that some dates regarding this transition are still in flux. These include when DAP relationships will stop being issued for newly created customer tenants, when default GDAP accesses for newly created tenants will be granted, and when the bulk migration tool for transitioning large numbers of clients from DAP to GDAP will be retired. For our part, we’ll update relevant information in this blog as well as inform partners through applicable channels such as email and Sherweb’s partner portal.
Not a Sherweb partner? Join our program for expert guidance navigating the Microsoft ecosystem
From implementing multi-factor authentication (MFA), to securing endpoints, to establishing adequate monitoring and alerts for suspicious activity, increasing security is crucial for technology providers and the various industries they serve. As such, it’s not surprising to see major tech players develop new ways to secure both their own enterprises and the customers they interact with. It goes without saying that Microsoft is among these players, and is regularly rolling out new improvements and changes to its products, services and partner network. Unfortunately, however, these changes are not always easy to keep track of.
Sherweb can help! As an award-winning Microsoft indirect cloud provider, our experts are well-versed in helping partners navigate the Microsoft ecosystem and stay on top of the multitude of developments that affect their business. Check out our Partner Guide to learn more about how Sherweb can help your business grow.