GDAP Key Features
Key Features
When creating a GDAP invitation:
Partners can select a GDAP relationship duration of between 1 and 730 days.
Partners can choose from any Azure AD roles that are supported by GDAP for granularity, which can be approved by customers at partner tenant scope.
Partners are discouraged from selecting a global administrator role for GDAP invitation requests.
Partners can send the invitation URL to their customers for approval. Only the global admin and billing admin on the customer's tenant can approve the GDAP request (which is the same as for DAP today).
Partners can use GDAP reporting analytics in Partner Center to track invitations pending approval from customers and export the data to follow up with the customers.
Partners can create security groups in their partner tenant to organize their employees, which allows them to restrict their access per customer per Microsoft 365 workload level and partition their employees' access per customer, depending on the business need.
Examples of security groups:
Partners can create a tier 1 support group and grant it service support admin and global reader roles, which means the group can create tickets on behalf of customers but cannot make any changes.
Partners can create a tier 2 support group and grant it high-privilege roles such as Intune admin, Exchange admin, and Dynamics 365 admin.
Partners can create a user and license manager group and grant it a directory reader role, which allows the group to view licenses but not create users or assign licenses. Granting it a [user administrator](/azure/active-directory/roles/permissions-reference #user-administrator) role allows the group to create users and assign licenses.
Partners can implement Privileged Identity Management (PIM) on a GDAP security group in the partner's tenant to elevate the access of a few high-privilege users, just in time (JIT) to grant them high-privilege roles like password admins with automatic removal of access. To enable this, Microsoft will be offering a free Azure AD Premium Plan 2 license that's currently required by PIM.
Partners can organize and make ongoing updates to Azure AD role assignments to security groups in their tenant without requiring customer reapproval (because access has already been approved at the partner tenant level).
Either the partner or the customer can terminate access granted through GDAP.
After the GDAP relationship duration has been reached, access automatically expires. Partners will no longer have access to the customer's tenant, and users can't administer services on behalf of the customer.
Partners can use GDAP reporting analytics in Partner Center to track which relationships across their customers are expiring and when and also download the data in an exportable format.
We recommend subscribing to email notifications to receive proactive email notifications one month, seven days, and one day before access expires so that you can create another GDAP relationship with the same permissions for the next term duration and get approval from your customer to ensure continuity of access.
Partners can track their user activity in the following ways:
Activity log in Partner Center
Azure AD sign-in logs in the partner's tenant
Azure AD audit logs in the partner's tenant
Azure AD sign-in logs in the customer's tenant
Azure AD audit logs in the customer's tenant
Customers can also track the partner user's activity in Azure AD sign-in logs in the customer's tenant.
GDAP will be enabled for all Microsoft 365 services beyond the ones that currently don't support DAP. All new Microsoft 365 workloads will support only GDAP in the future.