Microsoft is upping its security and compliance efforts by introducing granular delegated admin privileges (GDAP), and managed service providers (MSPs) need to be ready. In the following blog, we’ll discuss what GDAP is and how you can help your business and your clients stay compliant.
What is GDAP?
GDAP is an evolution of DAP (delegated admin privileges), which allowed an MSP to manage a client’s service or subscription on their behalf. GDAP offers partners extraordinary control through individual unique relationships that control who and how tenants are accessed by staff.
GDAP offers:
- Duration
- Supported Roles
- Security Groups
- Reporting
- Termination
It lowers security risks by enabling relationships that contain custom roles and access time limit constraints. By being able to assign users and groups to specific relationships, you can ensure that only those team members authorized to do so can access designated environments.
GDAP’s features include:
Duration
Partners can select a GDAP relationship duration lasting between one and 730 days.
Supported Roles
Partners can choose from any Azure Active Directory (AAD) roles supported by GDAP for granularity, which customers can approve at partner tenant scope.
Security Groups (SGs)
Partners can create SGs in their partner tenant to organize their employees so that they can restrict their access per customer and per Microsoft 365 workload level. They can also partition their employees’ access per customer, depending on the business need.
Reporting
Partners can use GDAP reporting analytics in the Partner Center to track:
- Invitations pending approval
- Which relationships are expiring
Termination
Either the partner or the customer can terminate access granted through GDAP.
GDAP for MSPs and Pax8
To achieve compliance with these new security measures, MSPs will need to undertake the following measures:
Pax8 to end customer
Pax8 will need to have a separate relationship created between us and each of your end customers. This will allow Pax8 to provide our white-glove experience with provisioning and support.
MSP to end customer
As an MSP, you must create a relationship with each of your end customers. This will allow you to have access to their tenant and provide your valued services. For more information on GDAP from MSP to end customer, see Microsoft’s documentation.
Important dates for the transition to GDAP
GDAP is now live in the Pax8 Marketplace. It’s available for all partners to enable relationships between Pax8 and end customer.
October 9, 2023:
Microsoft will no longer grant DAP creation and GDAP will become the standard protocol.
July 2023:
For any partners who adopted a GDAP relationship with a customer, Microsoft will remove the pre-existing DAP relationship by end of July.
June 2023:
Microsoft will pause the transition for the month of June to support the fiscal year closure.
May 22, 2023:
Microsoft will begin transitioning active and inactive DAP relationships to GDAP. For any relationships that Microsoft transitions to GDAP, DAP relationships will be removed 30 days later.
March 15, 2023:
Microsoft provided clarity on specific Azure Directory roles it will implement. We are still waiting on dates for the following:
- When they will no longer grant DAP for new tenants
- When they will grant default GDAP roles for new tenants
- When they will retire the bulk migration tool
February 15, 2023:
Microsoft announced a new GDAP timeline.
February 9, 2023:
GDAP tool goes live in Pax8 Marketplace. GDAP is available for all partners to enable relationships between Pax8 and end customer.
January 12, 2023:
Microsoft announced a delay in GDAP timeline.
For all Microsoft timeline updates, please see Microsoft’s announcement.
The Pax8 experience
Pax8 understands the responsibility we have to our partners as your provider, and we want to ensure we are doing our part to support these changes. Pax8 is committed to securing our ecosystem and will be adopting a least-privilege approach to GDAP.
Pax8 believes adopting a least-privilege approach will be fundamental for our partners in protecting high-value data and assets for your clients. It will also reduce the likelihood of cyberattacks and the spread of malware, while simultaneously streamlining compliance requirements and audit processes.
Pax8 GDAP role adoption
When you establish a GDAP relationship between Pax8 and the end customer through the Pax8 GDAP tool, the following roles are adopted and will remain active for two years:
Standard privilege
- Global Reader: This allows Pax8 support staff to read basic directory information. Global Reader can read everything a global administrator can but cannot make updates.
- Directory Reader: This allows Pax8 support staff to see Global Admin information but cannot make changes. Directory Reader can read basic directory information. It’s commonly used to grant directory read access to applications and guests.
- Directory Writer: It can read and write basic directory information. It’s for granting access to applications and is not intended for users. This allows Pax8 to read and write basic directory information.
- Service Support Admin: This can read service health information and manage support requests. It allows Pax8 support staff to read health service information and manage support requests on behalf of the partner.
Advanced privilege
- Privilege Authentication Admin: It provides access to view, set, and reset authentication method information for any user (admin or non admin). This allows Pax8 support leadership to reset credentials for elevated accounts inside the tenant.
- Privileged Role Administrator: This can manage role assignments in Microsoft Entra ID and all aspects of Privileged Identity Management (PIM). This allows Pax8 to reset global administrator passwords if a partner needs it.
GDAP for new customer relationships at Pax8
Starting February 9, Pax8 implemented GDAP in the checkout flow. This offers partners the ability to establish GDAP for all new customer relationships, if desired.
Partners can establish GDAP between Pax8 and their new customer in the provisioning tasks after they validate the customer tenant with Pax8. Only Partner Admin and Primary Partner Admin can generate GDAP relationship requests. If establishing GDAP between Pax8 and your end customer is bypassed, Pax8 will require a GDAP relationship before providing technical support in the end customer tenant.
During the customer tenant validation process, the validation will fail if there is not a reseller relationship established with Pax8. The reseller relationship establishment is included in the provisioning flow before reaching the GDAP section. Partners will need to establish the reseller relationship first, and then the partner will be asked to create the GDAP relationship and accept our default roles. To establish the GDAP relationship, partners will be redirected to the GDAP tool in a web browser, where they will see the customer they are validating appear. Partners will copy the link and accept the relationship.
Once completed, the partner can then navigate back to the checkout page in the Pax8 Marketplace to finish their purchase.
GDAP for existing relationships
Starting February 9, Pax8 will highly encourage GDAP to be established for all existing customer relationships. Partners can establish GDAP between Pax8 and their existing customers by utilizing the Pax8 GDAP Tool located under the Tools section in the Pax8 Marketplace.
Partners will be able to generate links for their customer’s Global Admin to approve and monitor which ones have not been established, are pending, or have been established.
Microsoft-led GDAP Transition
Microsoft Partner Spotlight: Pax8
In Microsoft’s September 2023 Partner Center Technical Corner, Pax8 was recognized for diligent work in implementing GDAP with partners and end customers.
It is critical for CSP partners to embrace the principles of Zero Trust to protect their assets, as well as their partners and customers’ assets from threats.
Pax8 has embraced the “least privilege” Zero Trust principle by completing the migration to GDAP from DAP. The use of GDAP ensures that the right people are accessing the right things for the right duration. Pax8 is also embracing the “assume breach” Zero Trust principle by leading the adoption and codesign of the Microsoft Azure Resource Manager (ARM) Security Alerts as well as anomaly detection, including Azure cost and spending management. Pax8 closely monitors the consumption of Azure services across our user base for variances, anomalies, and indicators that may signal unplanned spending in customer environments or unauthorized third parties provisioning resources.
As a best practice, we also encourage our partners and their customers to leverage tools like Azure Cost Management to proactively guard against unexpected expenses and deploy prevention solutions, such as multi-factor authentication and conditional access, that will safeguard their environments against compromise.
Microsoft led transition to GDAP
In May 2023, Microsoft began transitioning active DAP relationships to GDAP. For any relationships that Microsoft transitions to GDAP, DAP relationships will be removed 30 days later. Microsoft’s transition will assign the following Azure AD roles and will remain active for 365 days:
- Directory Readers: Can read basic directory information. Commonly used to grant directory read access to applications and guests.
- Directory Writers: Can read and write basic directory information. Commonly used to grant access to applications. This role isn’t intended for users.
- Global Reader: Can read everything that a Global Administrator can, but not update anything.
- License Administrator: Can manage product licenses on users and groups.
- Service Support Administrator: Can read service health information and manage support tickets.
- User Administrator: Can manage all aspects of users and groups, including resetting passwords for limited admins.
- Privileged Role Administrator: Can manage role assignments in Azure AD and all aspects of Privileged Identity Management (PIM).
- Helpdesk Administrator: Can reset passwords for non-administrators and helpdesk administrators.
- Privileged Authentication Administrator: Can access, view, set, and reset authentication method information for any user (admin or non-admin).
We’re here to help
If you have any questions about GDAP and the workflow for establishing GDAP, please reach out to your CAM (Channel Account Manager). If you’re a Pax8 partner and would like to learn more about the process, sign in to the Pax8 Platform to check out our resources on moving to GDAP.
