GDAP Enablement
What is GDAP
As part of its move toward a Zero Trust security model, Microsoft is taking steps to protect access to end customers' environments. The initiative now being introduced to the CSP ecosystem is the transition from Delegated Admin Privileges (DAP) to Granular Delegated Admin Privileges (GDAP).
GDAP is a security feature that provides partners with granular and time-bound access to their customers' workloads in production and sandbox environments. This access needs to be explicitly granted to partners by their customers. With GDAP, partners no longer have access to all customer tenants across Azure subscriptions through Admin agents by default.
Partners managing Azure no longer receive the Global Admin role on their customer's tenant; instead, they receive lower permissions to read the customer's directory by default.
Partners can transition from DAP to GDAP and eventually remove DAP (Global Admin) from customers' tenants without any effect on partner earned credit (PEC).
Transition Time plan
Microsoft is replacing DAP with GDAP. During the transition period, DAP and GDAP will coexist, and GDAP permissions will take precedence over DAP permissions for Microsoft 365, Microsoft Dynamics 365 and Microsoft Azure workloads. GDAP will eventually replace DAP entirely as Microsoft works toward providing greater security for partners and customers.
New GDAP milestone dates
Creating new customers - No DAP for new Customers: November 1, 2023
As of November 1, 2023, Microsoft will no longer grant DAP for new customer creation and will instead grant GDAP with default roles when a new customer tenant is created.
The default roles vary by partner type. The following table lists the respective roles:
How interworks.cloud helps you
Starting on the 1st of November 2023, Microsoft will no longer grant DAP for new customer creation and will instead grant GDAP with default roles when a new customer tenant is created.
Our GDAP enablement feature allows you to select the GDAP roles and the time (up to 730 days) you wish to automatically request for your newly synced Microsoft Tenants (existing Microsoft Tenants, but new customers of yours) who have no GDAP relationship with you.
With this selection in place, the requests are sent automatically, which saves you a lot of time because you no longer have to create each request manually in MPC.
Our GDAP enablement tool does not create a GDAP relationship for Microsoft Tenants that already have an active or expired GDAP relationship with you.
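The selection logic described above, as an added example (not interworks.cloud's or Microsoft's code). It assumes the request body shape of the Microsoft Graph delegatedAdminRelationship resource; the function name, the tenant records and the refusal of Global Administrator are assumptions made for illustration.

```python
import json

# Well-known Microsoft Entra built-in role template IDs.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
DIRECTORY_READERS = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
HELPDESK_ADMIN = "729827e3-9c14-49f7-bb1b-9608f156bbb8"

MAX_DAYS = 730                          # upper bound stated on this page
SKIP_STATUSES = ("active", "expired")   # tenants the page says are left alone


def build_gdap_requests(tenants, relationships, role_ids, days):
    """Return one request body per tenant that has no GDAP relationship.

    tenants:       [{"tenantId": ...}]                newly synced tenants
    relationships: [{"tenantId": ..., "status": ...}] existing GDAP relationships
    """
    if not 1 <= days <= MAX_DAYS:
        raise ValueError(f"duration must be 1..{MAX_DAYS} days, got {days}")
    if not role_ids:
        raise ValueError("select at least one role")
    if GLOBAL_ADMIN in role_ids:
        # Assumed policy: do not re-create the standing Global Admin access of DAP.
        raise ValueError("Global Administrator is not a granular role")

    covered = {r["tenantId"] for r in relationships
               if r["status"] in SKIP_STATUSES}
    roles = [{"roleDefinitionId": r} for r in sorted(set(role_ids))]

    bodies = []
    for t in tenants:
        if t["tenantId"] in covered:
            continue  # already has an active or expired relationship
        bodies.append({
            "displayName": f"GDAP-{t['tenantId']}",
            "duration": f"P{days}D",  # ISO 8601 duration, time-bound access
            "customer": {"tenantId": t["tenantId"]},
            "accessDetails": {"unifiedRoles": roles},
        })
    return bodies


if __name__ == "__main__":
    # Constructed sample data, not real tenants.
    tenants = [{"tenantId": "11111111-1111-1111-1111-111111111111"},
               {"tenantId": "22222222-2222-2222-2222-222222222222"}]
    existing = [{"tenantId": "22222222-2222-2222-2222-222222222222",
                 "status": "expired"}]
    print(json.dumps(build_gdap_requests(
        tenants, existing, [DIRECTORY_READERS, HELPDESK_ADMIN], 730), indent=2))
```

Each returned body is what would be sent as a new relationship request; the customer still has to approve it before any access exists.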
DAP to GDAP Bulk Migration Tool
The tool for bulk migration of delegated admin privileges (DAP) to granular delegated admin privileges (GDAP) enables partners to create new GDAP relationships with implied customer consent. Implied customer consent means there's a pre-existing, active (accessed) or inactive (not accessed in the last 90 days) DAP relationship between the Cloud Solution Provider (CSP) and a customer.
The bulk migration tool has the following features:
It's an open-source .NET console tool that uses an open-source .NET SDK.
It supports comma-separated (.csv) and JSON (.json) file formats for setting up data for migration.
No code changes are required, and it can be opened with a .NET command.
Code is extensible and can be enhanced if partners need it to be.
Extensive logging can help troubleshoot issues.
This tool is for direct bill partners, indirect providers, and indirect resellers transacting through the CSP program.
For more information, see FAQs related to the bulk migration.
Disabling DAP access won't stop partner earned credit (PEC) from accruing because accrual is based on role-based access control (RBAC) roles on the subscription. Partners can transition from DAP to GDAP and eventually remove DAP (Global Admin) from customers' tenants without any effect on partner earned credit (PEC).
Available Documentation from Microsoft
Please find here the collection documentation
This is the Partner Center Documentation
This is the FAQ documentation on GDAP
This is the Step-by-step Guide: Transitioning to GDAP
This is the Bulk Migration Tool and GDAP bulk migration tool FAQ
Here you can find and register for the topic-related CSP calls
Please also read the Partner Center security requirements and the CSP security best practices.
This is the Partner Journey Map
To help partners address questions around DAP and GDAP, Microsoft created a set of FAQs.