Everything you need to know about Granular Delegated Admin Privileges (GDAP) plus why and how you should enable it!
Thursday, June 2, 2022
Reading time: 3 minutes
Why is GDAP relevant?
GDAP is a security feature of Microsoft Partner Center that gives partners least-privileged, granular, and time-bound access to their customers’ workloads in production and sandbox environments. It lets partners address security concerns about access to customer environments by configuring exactly which roles they hold in a customer tenant and for how long. This least-privileged access must be explicitly granted to partners by their customers.
Additional benefit for BC Delegated Admins
In the Microsoft 365 admin center and Microsoft Azure Management portal, both customers and partners can invite external users (guests) into their Active Directory. When a partner user is added as a guest to the customer’s Azure AD, they can no longer log in as a delegated admin into the customer’s Business Central. In order to log in, the local user (guests or native) must have a valid Business Central license assigned to them. If the partner user also has granular delegated admin privileges, they can access the customer’s Business Central administration center and manage the environments there. Microsoft recommends that customers do not invite partner users to their tenant as guests but ask them to set up granular delegated admin privileges, using the Dynamics 365 administrator role.
How to obtain GDAP (partner)
As a partner, sign in to the Partner Center Dashboard as an Admin Agent, then:
- Choose customer
- Request admin relationship
- Give it a unique name and specify the duration in days*
- Select the Azure AD roles you want to request access to
- Finalize the request
- Review the request and send the email to your customer
*GDAP expires automatically. After expiration you no longer have access and need to request it again.
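As an added example (not code from the original post or from Microsoft), the request assembled in the steps above can also be expressed as the JSON body that the Microsoft Graph delegatedAdminRelationships API accepts, which makes it easy to review before it is sent and to check the expiry that the footnote warns about. The endpoint URL, the role template ids and the 730-day cap are assumptions to verify against current Microsoft documentation; the script only builds and validates the payload and performs no network call.

```python
"""Build and sanity-check a GDAP (granular delegated admin) request.

Added example, not Microsoft's code. It mirrors the Partner Center steps
(unique name, duration in days, Azure AD roles) as a Graph request body and
adds the expiry arithmetic that matters once the customer has approved.
"""
from datetime import datetime, timedelta, timezone

# Assumption: Microsoft Graph v1.0 endpoint for GDAP relationships.
GRAPH_ENDPOINT = (
    "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships"
)

# Assumption: built-in Azure AD role template ids. Verify in your own tenant
# (Azure AD > Roles and administrators) before relying on them.
DYNAMICS_365_ADMIN_ROLE_ID = "44367163-eba1-44c3-98af-f5787879f96a"
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Assumption: Partner Center caps a GDAP relationship at two years.
MAX_DURATION_DAYS = 730


def build_gdap_request(display_name, duration_days, customer_tenant_id, role_ids):
    """Return the request body for a new delegated admin relationship.

    Refuses over-long durations, empty role lists and Global Administrator,
    because the whole point of GDAP is least privilege and time-bound access.
    """
    if not display_name.strip():
        raise ValueError("display_name must be a unique, non-empty name")
    if not 1 <= duration_days <= MAX_DURATION_DAYS:
        raise ValueError(f"duration_days must be 1..{MAX_DURATION_DAYS}")
    if not role_ids:
        raise ValueError("request at least one Azure AD role")
    if GLOBAL_ADMIN_ROLE_ID in role_ids:
        raise ValueError("Global Administrator is not least privilege; pick a narrower role")
    return {
        "displayName": display_name,
        # Graph expects an ISO 8601 duration, e.g. P90D for 90 days.
        "duration": f"P{duration_days}D",
        "customer": {"tenantId": customer_tenant_id},
        "accessDetails": {
            "unifiedRoles": [{"roleDefinitionId": rid} for rid in role_ids]
        },
    }


def expires_at(approved_at, duration_days):
    """The relationship ends this many days after customer approval."""
    return approved_at + timedelta(days=duration_days)


def days_remaining(end_date, now):
    """Whole days left before access lapses (0 once expired)."""
    return max(0, (end_date - now).days)


def is_expired(end_date, now):
    """True once the partner has to request the relationship again."""
    return now >= end_date


if __name__ == "__main__":
    # Constructed sample values; the tenant id is a placeholder.
    body = build_gdap_request(
        display_name="Contoso BC support 2022",
        duration_days=90,
        customer_tenant_id="00000000-0000-0000-0000-000000000000",
        role_ids=[DYNAMICS_365_ADMIN_ROLE_ID],
    )
    print("POST", GRAPH_ENDPOINT)
    print(body)
    approved = datetime(2022, 6, 2, tzinfo=timezone.utc)
    end = expires_at(approved, 90)
    print("expires", end.date(), "days left", days_remaining(end, approved))
```

Keep the duration as short as the engagement needs and review the role list against the customer's requirements before sending; the confirmation mail the customer receives lists exactly these roles and the expiration date.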
How to approve (customer)
Customers approve your GDAP request in their Microsoft 365 Admin Center as Global Admin. It is important that the customer first removes the Delegated Admin Privileges (DAP) roles, so that they do not override the granular admin roles; this is done on the Partner relationships page.
After you have requested GDAP access, the customer can approve it: they click the link in the GDAP invitation mail and are directed to the Approve partner roles page in their Microsoft 365 Admin Center, where they choose Approve all.
Both you as a partner and the customer receive a confirmation mail that the GDAP request has been approved; it contains the Approver, Expiration date, Partner name and Partner roles.