Last year, Microsoft announced that they are replacing Delegated Admin Privileges (DAP) with Granular Delegated Admin Privileges (GDAP), which will impact all Microsoft Partners.
Microsoft have announced that starting 22nd May 2023, they will begin transitioning active and inactive DAP relationships to GDAP with limited Azure Active Directory (AD) roles. They will provide clarity on the roles by 15th March 2023. To ensure that intY can fully support you and your customers, please do not deactivate GDAP or DAP relationships within Partner Centre.
What is GDAP?
GDAP is a security feature that provides partners with least-privileged access in line with the Zero Trust security model. It allows partners to configure granular and time-bound access to their customers’ workloads in production and sandbox environments.
The replacement GDAP capabilities will allow partners to control access to their customers’ workloads to address their security concerns better. Partners can go on to offer more services to customers who may be uncomfortable with their current levels of partner access. They can also offer services to customers with regulatory needs requiring least-privileged access to partners.
What should Microsoft Partners do to support their business?
All Microsoft Partners will need to review the level of access they actually need, so that they retain only the least-privileged access required to support their customers. It is important to understand and plan for this change and to start DAP to GDAP transitions for customers as soon as possible. The steps below outline some of the basics to consider.
It is important for partners to remove DAP relationships with any legacy customers that they no longer serve in preparation to request new GDAP relationships with existing customers.
To provide more granular permissions, Microsoft has vastly increased the number of roles available to review and select, both at the organisation level and at the security group level.
Here’s what we think Partners should consider for Microsoft’s transition from DAP to GDAP:
1. Audit current customer relationships and remove relationships and/or DAP from customers that no longer have a commercial relationship with you as a partner.
2. Once you have completed your audit of current customer relationships, remove any relationships and DAP where appropriate.
3. There are two ways to control Granular Delegated Admin Privileges (GDAP) access moving forwards: one at the organisation level and one using security groups.
- By organisation level: You should consider grouping individuals or departments and working with those groups to determine what least-privileged access they require. Once complete, you can assign all required permissions to the tenant at an organisational level and then assign the required subset of those permissions to the security groups. Here is an available list of permissions. You must understand these permissions and only request what is required to support your customers. To retain all permissions at the organisational level as they are today, you can request Global Admin at the organisational level; however, this goes against the premise of the change and leaves you vulnerable in the event of a breach.
- By creating security groups: Define a process for adding new staff to security groups, removing staff as they leave and moving staff between groups, and decide who authorises each of these changes within your organisation. Also consider how additional permissions and roles are approved for an existing or newly created security group, and by whom. Links can be sent to customers requesting permissions; it is important to include this in your new customer onboarding process. Note: a link sent out to a customer grants permission to your organisation as a whole; more granular control over individuals is then done through security groups. This means customers may see you asking for multiple permissions, but it doesn’t mean everyone in your organisation holds them.
4. Microsoft has developed a mass migration tool, allowing you to transition existing DAP to GDAP without needing your customer to accept the requested permissions.
5. Depending on the number of customers you serve, it might be easier to manually permission them via Partner Centre rather than using the mass migration tool; however, the tool is a useful resource for partners with many customer tenants in their estate.
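The audit in steps 1 to 3 (find relationships with customers you no longer serve, and find relationships that request Global Admin rather than least-privileged roles) can be run as a repeatable check rather than a one-off read of Partner Centre. The following is an added example and is not intY’s or Microsoft’s code. It takes a list of GDAP relationship records whose field names mirror Microsoft Graph’s delegatedAdminRelationship object (customer.tenantId, status, endDateTime, accessDetails.unifiedRoles[].roleDefinitionId), but every record below is constructed sample data, and the set of active customer tenant ids is assumed to come from your own billing or CRM system. The role template ids are the well-known Azure AD built-in role ids; the finding codes are the example’s own.

```python
"""Least-privilege audit over GDAP relationship records (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Well-known Azure AD role template ids (fixed across tenants).
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"
ROLE_NAMES = {
    GLOBAL_ADMIN_ROLE_ID: "Global Administrator",
    "729827e3-9c14-49f7-bb1b-9608f156bbb8": "Helpdesk Administrator",
    "5d6b6bb7-de71-4623-b4af-96380a352509": "Security Reader",
}


@dataclass(frozen=True)
class Finding:
    customer_tenant_id: str
    code: str      # STALE_CUSTOMER | GLOBAL_ADMIN | INACTIVE
    detail: str


def role_names(relationship):
    """Human-readable role list for one relationship (unknown ids are shown raw)."""
    ids = [r["roleDefinitionId"] for r in relationship["accessDetails"]["unifiedRoles"]]
    return [ROLE_NAMES.get(i, i) for i in ids]


def audit_relationships(relationships, active_customer_ids, now=None):
    """Return findings for relationships that should be removed or re-scoped.

    - STALE_CUSTOMER: the customer tenant is not in your active customer list (step 1/2).
    - GLOBAL_ADMIN:   the relationship requests Global Administrator (step 3 caveat).
    - INACTIVE:       status is not 'active' or endDateTime has passed; clean-up candidate.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for rel in relationships:
        tenant = rel["customer"]["tenantId"]
        name = rel.get("displayName", "<unnamed>")
        roles = [r["roleDefinitionId"] for r in rel["accessDetails"]["unifiedRoles"]]

        if tenant not in active_customer_ids:
            findings.append(Finding(tenant, "STALE_CUSTOMER",
                                    f"{name}: no current commercial relationship; remove it"))
        if GLOBAL_ADMIN_ROLE_ID in roles:
            findings.append(Finding(tenant, "GLOBAL_ADMIN",
                                    f"{name}: requests Global Administrator; re-scope to least privilege"))
        end = rel.get("endDateTime")
        expired = end is not None and datetime.fromisoformat(end.replace("Z", "+00:00")) < now
        if rel.get("status") != "active" or expired:
            findings.append(Finding(tenant, "INACTIVE",
                                    f"{name}: status={rel.get('status')} end={end}; remove or renew"))
    return findings


# --- constructed sample data (not real tenants) -------------------------------
def _rel(name, tenant, status, end, *role_ids):
    return {
        "displayName": name,
        "status": status,
        "endDateTime": end,
        "customer": {"tenantId": tenant},
        "accessDetails": {"unifiedRoles": [{"roleDefinitionId": r} for r in role_ids]},
    }


SAMPLE_RELATIONSHIPS = [
    _rel("Contoso support", "tenant-a", "active", "2025-01-01T00:00:00Z",
         "729827e3-9c14-49f7-bb1b-9608f156bbb8", "5d6b6bb7-de71-4623-b4af-96380a352509"),
    _rel("Fabrikam full access", "tenant-b", "active", "2024-12-31T00:00:00Z",
         GLOBAL_ADMIN_ROLE_ID),
    _rel("Old customer", "tenant-c", "terminated", "2023-01-31T00:00:00Z",
         "729827e3-9c14-49f7-bb1b-9608f156bbb8"),
]
ACTIVE_CUSTOMERS = {"tenant-a", "tenant-b"}      # assumed to come from billing/CRM
SAMPLE_NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)  # fixed clock for repeatable output


def run_sample_audit():
    """Run the audit over the constructed sample set with the fixed clock."""
    return audit_relationships(SAMPLE_RELATIONSHIPS, ACTIVE_CUSTOMERS, SAMPLE_NOW)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f.customer_tenant_id:10} {f.code:15} {f.detail}")
```

In practice the relationship list would be fetched from Graph with an app that holds the relevant DelegatedAdminRelationship permission, and the stale-customer check is only as good as the customer list you feed it; the point of keeping it as code is that the same check can run after every onboarding or offboarding rather than once before the May 2023 transition.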