Microsoft is introducing granular delegated admin privileges

Pax8 Microsoft Experts

What GDAP means for MSPs.

Microsoft is upping its security and compliance efforts by introducing granular delegated admin privileges (GDAP), and managed service providers (MSPs) need to be ready. In the following blog, we’ll discuss what GDAP is and how you can help your business and your clients stay compliant.

What is GDAP?

GDAP is an evolution of DAP (delegated admin privileges), which allowed an MSP to manage a client’s service or subscription on their behalf. GDAP gives partners fine-grained control through individual relationships per customer, each of which defines which staff can access a tenant and how.

GDAP offers:

  • Duration
  • Supported Roles
  • Security Groups
  • Reporting
  • Termination

It lowers security risk by scoping each relationship to specific roles and a time limit on access. By assigning users and groups to specific relationships, you can ensure that only the team members authorized to do so can access designated environments.

GDAP’s features include:

  • Duration: Partners can select a GDAP relationship duration lasting between one and 730 days.
  • Supported Roles: Partners can choose from any Azure Active Directory (AAD) roles supported by GDAP for granularity, which customers can approve at partner tenant scope.
  • Security Groups (SGs): Partners can create SGs in their partner tenant to organize their employees and restrict their access per customer and per Microsoft 365 workload. Access can be partitioned per customer as the business requires.
  • Reporting: Partners can use GDAP reporting analytics in the Partner Center to track:
    • Invitations pending approval
    • Which relationships are expiring
  • Termination: Either the partner or the customer can terminate access granted through GDAP.

GDAP for MSPs and Pax8

To comply with these new security requirements, MSPs will need to take the following steps:

Pax8 to end customer

Pax8 will need to have a separate relationship created between us and each of your end customers. This will allow Pax8 to provide our white-glove experience with provisioning and support.

MSP to end customer

As an MSP, you must create a relationship with each of your end customers. This will allow you to have access to their tenant and provide your valued services. For more information on GDAP from MSP to end customer, see Microsoft’s documentation.

Important dates for the transition to GDAP

GDAP is now live in the Pax8 Marketplace and is available for all partners to enable relationships between Pax8 and their end customers. This month, Microsoft will provide clarity on the specific Azure Active Directory roles it will implement and dates for the milestones listed below (most recent first):

July 2023:

For any partners who adopted a GDAP relationship with a customer, Microsoft will remove the pre-existing DAP relationship by end of July.

June 2023:

Microsoft will pause the transition for the month of June to support the fiscal year closure.

May 22, 2023:

Microsoft will begin transitioning active and inactive DAP relationships to GDAP. For any relationships that Microsoft transitions to GDAP, DAP relationships will be removed 30 days later.

March 15, 2023:

Microsoft provided clarity on the specific Azure Active Directory roles it will implement. We are still waiting on dates for the following:

  • When they will no longer grant DAP for new tenants
  • When they will grant default GDAP roles for new tenants
  • When they will retire the bulk migration tool

February 15, 2023:

Microsoft announced a new GDAP timeline.

February 9, 2023:

GDAP tool goes live in Pax8 Marketplace. GDAP is available for all partners to enable relationships between Pax8 and end customer.

January 12, 2023:

Microsoft announced a delay in GDAP timeline.

For all Microsoft timeline updates, please see Microsoft’s announcement.

The Pax8 experience

Pax8 understands the responsibility we have to our partners as your provider, and we want to ensure we are doing our part to support these changes. Pax8 is committed to securing our ecosystem and will be adopting a least-privilege approach to GDAP.

Pax8 believes adopting a least-privilege approach will be fundamental for our partners in protecting high-value data and assets for your clients. It will also reduce the likelihood of cyberattacks and the spread of malware, while simultaneously streamlining compliance requirements and audit processes.

Pax8 GDAP role adoption

When you establish a GDAP relationship between Pax8 and the end customer, the following roles are adopted:

Standard privilege

  • Global Reader: This allows Pax8 support staff to read basic directory information. Global Reader can read everything a global administrator can but cannot make updates.
  • Directory Reader: This allows Pax8 support staff to see Global Admin information but not make changes. Directory Reader can read basic directory information and is commonly used to grant directory read access to applications and guests.
  • Directory Writer: This allows Pax8 to read and write basic directory information and to provision or modify licenses. The role is intended for granting access to applications rather than to users.
  • Service Support Admin: This allows Pax8 support staff to read service health information and manage support requests on behalf of the partner.

Advanced privilege

  • Privileged Authentication Admin: This provides access to view, set, and reset authentication method information for any user (admin or non-admin). It allows Pax8 support leadership to reset credentials for elevated accounts inside the tenant.
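To make the constraints above concrete, here is an added Python example (not Pax8’s or Microsoft’s code, and not a call to any Microsoft API) that models a GDAP relationship with the 1–730 day duration limit, the standard and advanced role sets Pax8 adopts, and a security-group assignment, then flags relationships that stray from the least-privilege defaults or are about to expire, the way the reporting feature is meant to be used. The customer names, group names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MIN_DAYS, MAX_DAYS = 1, 730                  # relationship duration limits from the post
STANDARD_ROLES = {"Global Reader", "Directory Reader", "Directory Writer",
                  "Service Support Admin"}  # Pax8 standard-privilege roles
ADVANCED_ROLES = {"Privileged Authentication Admin"}  # Pax8 advanced privilege

@dataclass
class GdapRelationship:
    customer: str
    security_group: str     # partner-tenant group whose members receive the roles
    roles: set
    duration_days: int
    created: date
    terminated: bool = False  # either side may terminate the relationship

    def expires(self) -> date:
        return self.created + timedelta(days=self.duration_days)

    def findings(self, today: date, warn_days: int = 30) -> list:
        """Least-privilege and lifecycle findings; an empty list means clean."""
        out = []
        if not MIN_DAYS <= self.duration_days <= MAX_DAYS:
            out.append(f"duration {self.duration_days}d outside {MIN_DAYS}-{MAX_DAYS}d")
        unknown = self.roles - STANDARD_ROLES - ADVANCED_ROLES
        if unknown:
            out.append("roles outside the default set: " + ", ".join(sorted(unknown)))
        if self.roles & ADVANCED_ROLES:
            out.append(f"advanced role granted to group '{self.security_group}'")
        if not self.terminated and self.expires() <= today + timedelta(days=warn_days):
            out.append(f"expires {self.expires().isoformat()}")
        return out

def review(relationships, today: date, warn_days: int = 30) -> dict:
    """Map each customer to its findings, like the expiry report the post mentions."""
    return {r.customer: r.findings(today, warn_days) for r in relationships}

def sample_review() -> dict:
    """Run the review over constructed sample relationships (not real tenants)."""
    sample = [
        GdapRelationship("Contoso (constructed)", "pax8-support",
                         {"Global Reader", "Service Support Admin"}, 365, date(2023, 2, 9)),
        GdapRelationship("Fabrikam (constructed)", "pax8-support",
                         {"Global Reader", "Global Administrator"}, 900, date(2023, 2, 9)),
        GdapRelationship("Northwind (constructed)", "pax8-leadership",
                         {"Privileged Authentication Admin"}, 365, date(2022, 3, 15)),
    ]
    return review(sample, today=date(2023, 3, 1))
```

Calling sample_review() returns no findings for the first relationship, a duration and an out-of-scope role finding for the second, and an advanced-role plus expiry finding for the third.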

GDAP for new customer relationships at Pax8

Starting February 9, Pax8 implemented GDAP in the checkout flow. This offers partners the ability to establish GDAP for all new customer relationships, if desired.

Partners can establish GDAP between Pax8 and their new customer in the provisioning tasks after they validate the customer tenant with Pax8. Only Partner Admin and Primary Partner Admin can generate GDAP relationship requests. If establishing GDAP between Pax8 and your end customer is bypassed, Pax8 will require a GDAP relationship before providing technical support in the end customer tenant.

During the customer tenant validation process, validation will fail if no reseller relationship has been established with Pax8. Establishing the reseller relationship is part of the provisioning flow and comes before the GDAP section, so partners establish the reseller relationship first and are then asked to create the GDAP relationship and accept our default roles. To do so, partners are redirected to the GDAP tool in a web browser, where the customer being validated appears; the partner copies the link and the customer accepts the relationship.

Once completed, the partner can then navigate back to the checkout page in the Pax8 Marketplace to finish their purchase.

GDAP for existing relationships

Starting February 9, Pax8 strongly encourages partners to establish GDAP for all existing customer relationships. Partners can establish GDAP between Pax8 and their existing customers using the Pax8 GDAP Tool, located under the Tools section in the Pax8 Marketplace.

Partners can generate links for their customer’s Global Admin to approve, and monitor which relationships have not yet been established, are pending, or have been established.

We’re here to help

If you have any questions about GDAP and the workflow for establishing GDAP, please reach out to your CAM (Channel Account Manager). If you’re a Pax8 partner and would like to learn more about the process, check out our resources on moving to GDAP.
