How To Enable the Granular Delegated Admin Privileges in Microsoft’s Cloud Solution Provider


Transitioning from Delegated Admin Privileges to Granular Delegated Admin Privileges (GDAP)

Summary

Microsoft is taking steps to protect access to customer data as part of their commitment to increase the security of their ecosystem. A major part of this initiative is the transition from Delegated Admin Privileges (DAP) to Granular Delegated Admin Privileges (GDAP). This will be completed by January 2023.

This transition is part of Microsoft's "Zero Trust" approach. They are following the three principles of:

  • Verify explicitly
  • Use least privileged access
  • Assume breach

Legacy DAP offers only one Role-Based Access Control (RBAC) role: a “Full Administrator” with permissions to everything, covering support, financials, security, operations, etc. With GDAP, use of the full-administrator role is actively discouraged. Instead, there are many options to tailor individual permissions to the specific job role defined by the customer.

The transition to GDAP will affect almost all partners who resell Microsoft products.

Scope of Impact

  • Partners: All Microsoft Direct Bill Partners, Indirect Providers and Indirect Resellers
  • Licensing: Cloud Solution Provider (CSP)
  • Cloud: Microsoft Cloud International (MCI)
  • Products: All Microsoft 365, Microsoft Dynamics 365, Microsoft Power Platform and Microsoft Azure
  • Geography: Worldwide


What is DAP?

Delegated Admin Privileges (DAP) is the model of access where most users have wide access to perform administrative functions on behalf of their customers. That access is perpetual (does not auto-expire). Specific users and designated Admin Agents can access all customer tenants by default. In the DAP model, access cannot be partitioned according to employee, customer or workload.


What is GDAP?

Granular Delegated Admin Privileges (GDAP) is a security feature that allows partners to configure granular and time-bound access to their customers' workloads in production and sandbox environments.

Companies delegate individuals to be Partner Administrators. These Partner Administrators can specify access for a user to be able to perform functions for each customer. These users will have access based on what they do (workload) for each customer. Also, access is granted for up to two years, not "perpetual" as in DAP.

In other words, access becomes "granular" (specific, chosen from more than 66 roles) and time-bound, depending on the activities the user needs to perform.

What is Microsoft planning to do?

Microsoft will be replacing DAP with GDAP. During the transition period, both DAP and GDAP will coexist, and GDAP permissions take precedence over DAP permissions for Microsoft 365, Microsoft Dynamics 365 and Microsoft Azure workloads. Eventually GDAP will replace DAP entirely as Microsoft works toward providing greater security for partners and customers.

Starting at the end of Q3 2022, Microsoft is scheduled to remove DAP access for users who have had no activity for more than 90 days.


Who is affected?

You will need to transition to GDAP if you:

  • Perform any function as an administrator on behalf of your customers. (This may include people in support, operations, sales, etc.)
  • Have the ability to provide access to other users


What do I need to do?

Microsoft is providing guidance and best practices for how to transition. Microsoft is also developing a DAP to GDAP bulk transition tool.

Our recommendation for partners is to start transitioning now and manually audit the existing DAP connections to enable the transition to GDAP. We suggest not waiting for the bulk transition tool to go live, because the tool will not grant users the same legacy Global Admin role: the roles it assigns are set to least privilege, which will reduce your level of access compared with selecting from the new 66 granular roles yourself. Microsoft will allow all partners to transition until January 2023.


Microsoft has a recommended workflow for the transition:


1. Audit existing DAP connections.

Find out how partner agents within your organization are accessing customer tenants through DAP using the DAP monitoring tool: Partner Center > Account settings > Security Center > Administrative relationships


2. Remove inactive DAP connections.

Review the active and inactive DAP connections using the monitoring tool. Microsoft recommends removing any inactive DAP connections as soon as possible.


3. Begin planning for your transition.

Understand what administrative activities your partner agents perform in the customer tenant to determine which GDAP roles will be most applicable.


4. Transition to GDAP.

Begin your transition to GDAP by following the instructions in the Microsoft Partner Center's Step-by-Step Guide: Transitioning to GDAP. This process requires your customer to approve the GDAP request.


5. Disable DAP.

After you’ve been granted GDAP by your customer, confirm you can still perform all necessary administrative activities on your customer's behalf. After that, you can disable your existing DAP connection.

Detailed information is provided in the Granular Delegated Admin Privileges (GDAP) section of the Microsoft Partner Center.

Partners who need to transition large numbers of customers from DAP to GDAP can use Microsoft APIs. See the FAQ on GDAP APIs section of the Microsoft Partner Center. As previously mentioned, Microsoft is also developing a DAP to GDAP bulk transition tool. The pilot is scheduled to begin on July 11, with general availability on July 25.
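As an added example (not from this post, Microsoft or the Partner Center tooling), the audit in steps 1 and 2 and the least-privilege and two-year limits described above can be checked programmatically over relationship records pulled from the GDAP APIs. The records below are constructed and shaped like Microsoft Graph delegatedAdminRelationship objects; the lastActivityDateTime field and the second role ID are assumptions added for the example.

```python
from datetime import datetime, timedelta
import re

# Well-known Entra ID role template ID for Global Administrator (verify in your tenant).
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"
MAX_DURATION = timedelta(days=730)      # GDAP access is granted for up to two years
INACTIVITY_LIMIT = timedelta(days=90)   # Microsoft's inactivity threshold for removal

def parse_iso_duration(value):
    """Parse the ISO 8601 year/month/day durations used for GDAP, e.g. 'P730D' or 'P1Y'."""
    m = re.fullmatch(r"P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?", value)
    if not m or value == "P":
        raise ValueError(f"unsupported duration: {value}")
    years, months, days = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=years * 365 + months * 30 + days)

def audit_relationships(relationships, now):
    """Return (displayName, finding) pairs for relationships that break the GDAP guidance."""
    findings = []
    for rel in relationships:
        name = rel["displayName"]
        roles = {r["roleDefinitionId"] for r in rel["accessDetails"]["unifiedRoles"]}
        if GLOBAL_ADMIN_ROLE_ID in roles:
            findings.append((name, "grants Global Administrator; use task-specific roles instead"))
        if parse_iso_duration(rel["duration"]) > MAX_DURATION:
            findings.append((name, "duration exceeds the two-year GDAP maximum"))
        last_used = datetime.fromisoformat(rel["lastActivityDateTime"])
        if now - last_used > INACTIVITY_LIMIT:
            findings.append((name, "no activity in over 90 days; candidate for removal"))
    return findings

# Constructed sample records; lastActivityDateTime is an assumption (take it from your own
# sign-in or audit logs) and the helpdesk role ID is a placeholder, not a real template ID.
SAMPLE_RELATIONSHIPS = [
    {"displayName": "Contoso - Helpdesk", "duration": "P180D",
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": "00000000-0000-0000-0000-0000000000aa"}]},
     "lastActivityDateTime": "2022-08-20T09:00:00+00:00"},
    {"displayName": "Fabrikam - Legacy full admin", "duration": "P3Y",
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": GLOBAL_ADMIN_ROLE_ID}]},
     "lastActivityDateTime": "2022-04-01T09:00:00+00:00"},
]

def audit_sample():
    """Run the audit over the constructed sample at a fixed reference date."""
    return audit_relationships(SAMPLE_RELATIONSHIPS, datetime.fromisoformat("2022-09-01T00:00:00+00:00"))

if __name__ == "__main__":
    for name, finding in audit_sample():
        print(f"{name}: {finding}")
```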



What are the key dates? *

  • July 25: General availability of DAP to GDAP bulk transition tool
  • End of Q3 CY22 (no earlier than Sept. 30): Disable 90-day inactive DAP relationships
  • End of Q3 CY22 (no earlier than Sept. 30): Stop DAP creation for new customers and new reseller relationships
  • Oct. 31 (no earlier than Oct. 31): End of no-consent window for DAP to GDAP transition tool
  • Q4 CY22 (no earlier than Oct. 31): Transition remaining active DAP to limited GDAP roles

*Please note that these dates are from Microsoft and are always subject to change. Dates with "no earlier than..." are targets. The exact dates will be supplied by Microsoft in the future.


How can I learn more?
