Introduction to AppXite GDAP and CSP Microsoft Cloud Solutions


Introduction

This article guides Microsoft Partners through the transition from Delegated Admin Privileges (DAP) to Granular Delegated Admin Privileges (GDAP) using AppXite's migration solution. It covers the setup process, configuration steps, and addresses common questions about maintaining service continuity while enhancing security compliance. Partners must complete this transition to continue receiving Partner Earned Credits (PEC) and Incentives while providing CSP Support.


Microsoft is strengthening customer access control by introducing GDAP as the successor to DAP. GDAP lets partners keep servicing customers while reducing risk: access is limited to specific Microsoft Entra roles and to a fixed time period, rather than being broad and open-ended.

NOTE! Partners must enable GDAP on customer tenants by September 30th to continue receiving PEC, Incentives, and CSP Support capabilities.

Understanding GDAP Transition

GDAP is a significant improvement over the traditional DAP model because it gives granular control over partner access rights. DAP grants the partner's Admin Agents Global Administrator-level access to the customer tenant; GDAP lets partners apply the principle of least privilege, tailoring the delegated roles to what the engagement and the customer's security and compliance requirements actually need.

Key Benefits of GDAP

GDAP has several advantages over DAP. Partners can request only the minimum roles that match their scope of support, so customers receive the service they need without granting more access than necessary. Visibility also improves: granular activity logs show when GDAP permissions are actually used, and the full lifecycle of each relationship (request, approval, use, expiry) is recorded.

Customers no longer have to grant broad admin permissions to a partner. Instead, the partner tailors each relationship to the customer's security and compliance requirements, for example limiting it to CSP support roles only, or to the Teams or Dynamics 365 administrator roles.

GDAP vs DAP Comparison

The move from DAP to GDAP changes how partner relationships work. DAP continues to co-exist with GDAP but with limited scope, mainly the Partner Center processes for ordering licenses and creating customer profiles. DAP also keeps federated Owner access to customer Azure subscriptions, which is used to assign the Owner role on newly provisioned subscriptions.

GDAP relationships can be configured for up to 2 years, unlike DAP which could be permanent. However, GDAP relationships cannot be auto-renewed, requiring customers to accept new relationship links when terms expire.

Step-by-Step Implementation

Step 1 - Initial Setup

The implementation begins with registering Microsoft's Granular Delegated Admin Privilege enterprise applications in the partner tenant as service principals, using the Microsoft Graph PowerShell SDK.

Execute the following PowerShell commands in sequence, signed in to the partner tenant as a Global Administrator:

# Install the Microsoft Graph PowerShell SDK for the current user (no local admin rights needed)
Install-Module Microsoft.Graph -Scope CurrentUser -Force
Import-Module Microsoft.Graph.Applications

# Sign in to the partner tenant; creating service principals requires the Application.ReadWrite.All scope
Connect-MgGraph -Scopes "Application.ReadWrite.All"

# Register Microsoft's two GDAP enterprise applications as service principals (each command errors if the service principal already exists)
New-MgServicePrincipal -AppId "2832473f-ec63-45fb-976f-5d45a7d4bb91"
New-MgServicePrincipal -AppId "4990cffe-04e8-4e8b-808a-1175604b879f"
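The commands above fail on a second run, because New-MgServicePrincipal refuses to create a service principal that already exists, and they do not confirm the result. The following script is an added example, not part of the AppXite article or its tooling: it registers each of the two GDAP applications only if it is missing, then checks that both service principals are present and enabled before the consent step. It uses only Microsoft Graph SDK cmdlets (the ones above plus Get-MgServicePrincipal); the function name and the console messages are this example's own.

```powershell
# Added example (not from the AppXite article): register the two GDAP enterprise
# applications only when missing, then verify both service principals exist and are enabled.
# Prerequisite: Install-Module Microsoft.Graph -Scope CurrentUser (as in the setup commands above).
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.ReadWrite.All"

# The app IDs are the ones given in the setup commands above.
$GdapAppIds = @(
    "2832473f-ec63-45fb-976f-5d45a7d4bb91"
    "4990cffe-04e8-4e8b-808a-1175604b879f"
)

# Idempotent registration: look the service principal up by appId and create it only if absent.
# (Function name is this example's own, not an SDK cmdlet.)
function Register-GdapServicePrincipal {
    param([Parameter(Mandatory)][string]$AppId)

    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'" -ErrorAction Stop
    if ($null -eq $sp) {
        $sp = New-MgServicePrincipal -AppId $AppId -ErrorAction Stop
        Write-Host "Created  : $($sp.DisplayName) ($AppId)"
    } else {
        Write-Host "Existing : $($sp.DisplayName) ($AppId)"
    }
    return $sp
}

$registered = foreach ($id in $GdapAppIds) { Register-GdapServicePrincipal -AppId $id }

# Final check before the consent step: both must be present and not disabled.
$missing = $GdapAppIds | Where-Object { $_ -notin @($registered.AppId) }
if ($missing) { throw "GDAP service principal(s) still missing: $($missing -join ', ')" }

$disabled = @($registered | Where-Object { -not $_.AccountEnabled })
if ($disabled.Count -gt 0) {
    Write-Warning "Disabled service principal(s): $($disabled.AppId -join ', ')"
} else {
    Write-Host "Both GDAP service principals are registered and enabled."
}
```

Running the script twice is safe: the second run reports both service principals as existing and still performs the enabled check, which is the state the consent step in the next paragraph depends on.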

The global admin user from the partner's organization must accept consent for the following applications:

NOTE! It is recommended to have a special service account established for integration with the Microsoft Partner Center.

With the service principals registered and the consents granted, AppXite can provide the real-time monitoring and management dashboard that shows the GDAP relationship status of each of the partner's customers.

Step 2 - Configuration

Once the consents are signed, partners can request access to their GDAP dashboard. In the dashboard the partner selects specific customers and generates relationship templates that define the desired roles and an expiration term of up to 2 years for those customers. Templates streamline relationship creation and keep the assigned roles consistent across customer relationships.

Standard GDAP Roles Assigned to the Reseller for the New Customer Created From the Platform

The following GDAP roles are assigned to the reseller for a new customer created from the Platform:

  • Application administrator
  • Cloud application administrator
  • Directory readers
  • Directory writers
  • Global reader
  • Helpdesk administrator
  • License administrator
  • Privileged authentication administrator
  • Privileged role administrator
  • Service support administrator
  • User administrator

Step 3 - GDAP Service Continuity

The dashboard keeps a live feed of new relationships and a customer list that reflects customer organizations added to or removed from Partner Center. The contact email on each customer account can be used to send newly generated relationship links based on the previously configured templates.

The system automatically updates to reflect changes in the partner's customer base, ensuring that relationship management remains current and accurate. This continuous monitoring helps partners maintain visibility into their customer relationship portfolio.

Service Continuity Management

Relationship Management

GDAP relationships require active management to ensure service continuity. A relationship request expires after 90 days if the customer does not accept it, and an active relationship cannot be extended once it reaches its term limit; the customer must accept a new relationship request when the existing one expires.

Partners can create multiple GDAP relationships with different customers simultaneously using AppXite's tools, though this functionality isn't available through the standard Partner Center experience. Each relationship link can only be used with a single customer, ensuring proper security boundaries.
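Two things in this article make a periodic audit of GDAP relationships worthwhile. First, the standard role set listed under Step 2 includes Privileged Role Administrator, which can assign any Microsoft Entra role in the customer tenant including Global Administrator, and Privileged Authentication Administrator, which can reset credentials and authentication methods for any user including Global Administrators; both deserve the same scrutiny as Global Administrator itself. Second, requests lapse after 90 days and active relationships cannot be extended, so expiry dates need tracking. The script below is an added example, not code from the AppXite article or platform: it reports each relationship's status, days to expiry and any high-privilege roles it grants. It assumes relationship objects shaped like the output of Get-MgTenantRelationshipDelegatedAdminRelationship (Microsoft.Graph.Identity.Partner module, scope DelegatedAdminRelationship.Read.All); the sample relationships are constructed inline so it runs offline, and the role template IDs are the well-known Microsoft Entra template IDs written from memory, so confirm them with Get-MgDirectoryRoleTemplate before relying on the report.

```powershell
# Added example, not part of the AppXite article: audit a partner tenant's GDAP
# relationships for (a) expiry within a warning window and (b) high-privilege roles.
# The role template IDs below are the well-known Microsoft Entra role template IDs as
# recalled by the author of this example; confirm them with Get-MgDirectoryRoleTemplate.
$HighPrivilegeRoles = @{
    "62e90394-69f5-4237-9190-012177145e10" = "Global Administrator"
    "e8611ab8-c189-46e8-94e1-60213ab1f814" = "Privileged Role Administrator"
    "7be44c8a-adaf-4e2a-84d6-ab2649e08a13" = "Privileged Authentication Administrator"
}

function Get-GdapRelationshipFindings {
    param(
        # Objects shaped like Get-MgTenantRelationshipDelegatedAdminRelationship output
        [Parameter(Mandatory)][object[]]$Relationships,
        [int]$WarnDays = 30,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    foreach ($rel in $Relationships) {
        $roleIds = @($rel.AccessDetails.UnifiedRoles | ForEach-Object { $_.RoleDefinitionId })
        $risky   = @($roleIds | Where-Object { $HighPrivilegeRoles.ContainsKey($_) } |
                    ForEach-Object { $HighPrivilegeRoles[$_] })
        # Pending requests have no end date yet; only active relationships get an expiry countdown.
        $daysLeft = if ($rel.EndDateTime) {
            [math]::Floor(($rel.EndDateTime.ToUniversalTime() - $Now).TotalDays)
        } else { $null }

        [pscustomobject]@{
            Customer           = $rel.Customer.DisplayName
            Relationship       = $rel.DisplayName
            Status             = $rel.Status
            DaysToExpiry       = $daysLeft
            ExpiringSoon       = ($rel.Status -eq "active" -and $null -ne $daysLeft -and $daysLeft -le $WarnDays)
            HighPrivilegeRoles = ($risky -join ", ")
        }
    }
}

# Live path (requires Microsoft.Graph.Identity.Partner and DelegatedAdminRelationship.Read.All):
#   Connect-MgGraph -Scopes "DelegatedAdminRelationship.Read.All"
#   $rels = Get-MgTenantRelationshipDelegatedAdminRelationship -All
# Constructed sample standing in for that output so the audit runs offline:
$rels = @(
    [pscustomobject]@{
        DisplayName   = "Contoso M365 support"; Status = "active"
        EndDateTime   = (Get-Date).AddDays(12)
        Customer      = [pscustomobject]@{ TenantId = "00000000-0000-0000-0000-000000000001"; DisplayName = "Contoso" }
        AccessDetails = [pscustomobject]@{ UnifiedRoles = @(
            [pscustomobject]@{ RoleDefinitionId = "729827e3-9c14-49f7-bb1b-9608f156bbb8" }   # Helpdesk Administrator
            [pscustomobject]@{ RoleDefinitionId = "e8611ab8-c189-46e8-94e1-60213ab1f814" }   # Privileged Role Administrator
        ) }
    },
    [pscustomobject]@{
        DisplayName   = "Fabrikam read-only"; Status = "approvalPending"
        EndDateTime   = $null
        Customer      = [pscustomobject]@{ TenantId = "00000000-0000-0000-0000-000000000002"; DisplayName = "Fabrikam" }
        AccessDetails = [pscustomobject]@{ UnifiedRoles = @(
            [pscustomobject]@{ RoleDefinitionId = "f2ef992c-3afb-46b9-b7cf-a126ee74c451" }   # Global Reader
        ) }
    }
)

Get-GdapRelationshipFindings -Relationships $rels -WarnDays 30 | Format-Table -AutoSize
```

In the constructed sample, the Contoso relationship is flagged both as expiring soon (12 days left against a 30-day window) and for granting Privileged Role Administrator, while the pending Fabrikam request has no countdown and no high-privilege roles. For a real tenant, replace the sample with the live call shown in the comment and pipe the output to Export-Csv to keep a record alongside the dashboard.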

Azure Subscription Access

Managing Azure subscriptions requires specific GDAP role configuration. The Admin Agent role (the AdminAgents security group in the partner tenant) is needed to manage customer Azure subscriptions through the Azure portal. Security groups can be nested under the AdminAgents security group to give more granular control over who inherits that access.

For example, a partner can create a security group called "Azure Managers" and add it as a member of the AdminAgents group; that group can then be used for assignments to regular users managed outside Partner Center.


WARNING! If customers have Azure subscriptions without DAP and partners move them to GDAP for Microsoft 365 only, access to Azure subscriptions may be lost. Customers must be moved to Azure GDAP simultaneously with M365 GDAP to maintain access.

Frequently Asked Questions

See this article: FAQ – AppXite GDAP and CSP Microsoft Cloud Solutions

Limitations

Partners using AppXite's GDAP migration solution must complete custom setup steps, including additional consents that the acting Global Administrator signs. The migration tools need these consent URLs to support the full scope of GDAP workflows and to scale the process across the tenant.

GDAP relationships cannot be permanent like DAP relationships could be. All GDAP relationships must have defined expiration terms of up to 2 years, after which new relationships must be established.

The transition process requires careful timing, particularly for customers with Azure subscriptions. Partners must ensure simultaneous transition to both Azure GDAP and M365 GDAP to maintain access to all customer services.

Summary

The transition from DAP to GDAP represents a significant security enhancement for Microsoft Partner relationships while maintaining service delivery capabilities. AppXite's migration solution provides partners with self-service tools to dynamically migrate existing customers from DAP to GDAP setup seamlessly. Partners must complete this transition to continue receiving Partner Earned Credits and Incentives while providing CSP Support services. The implementation requires careful planning, proper consent management, and ongoing relationship maintenance to ensure service continuity and compliance with Microsoft Partner Program requirements.
