Introduction to AppXite GDAP and CSP Microsoft Cloud Solutions

Introduction

This article guides Microsoft Partners through the transition from Delegated Admin Privileges (DAP) to Granular Delegated Admin Privileges (GDAP) using AppXite's migration solution. It covers the setup process, configuration steps, and addresses common questions about maintaining service continuity while enhancing security compliance. Partners must complete this transition to continue receiving Partner Earned Credits (PEC) and Incentives while providing CSP Support.


Microsoft is tightening customer access control by introducing GDAP as the successor to DAP. GDAP lets partners keep servicing customers while reducing risk: access is granted through specific Azure AD roles rather than blanket admin rights, and every relationship has a fixed expiry.

NOTE! Partners must enable GDAP on customer tenants by September 30th, 2022 to continue receiving PEC, Incentives, and CSP Support capabilities.

Understanding GDAP Transition

GDAP is a significant improvement over the traditional DAP model because it gives granular control over partner access rights. DAP granted the partner Global Administrator-level access to the whole customer tenant; GDAP lets partners apply the least privilege principle, requesting only the roles their support scope needs and tailoring them to each customer's security and compliance requirements.

Key Benefits of GDAP

GDAP provides several advantages over the traditional DAP model. Partners can now utilize minimum access rights that correspond with their scope of support, ensuring customers receive appropriate service levels without compromising security. The system includes extended visibility and granular activity logs that illustrate when GDAP permissions are being used along with the complete lifecycle of relationships.

Customers no longer need to grant broad admin permissions to partners. Instead, partners can tailor relationship access rights based on customer security compliance requirements, such as operating exclusively as CSP support and Teams or Dynamics Service Administrator roles.

GDAP vs DAP Comparison

The transition from DAP to GDAP changes how partner relationships function in several ways. At the time of writing (2022), DAP continues to co-exist with GDAP but with a reduced scope, limited to Partner Center processes for ordering licenses and creating customer profiles. DAP also retains the federated Owner access to customer Azure subscriptions that is used to assign the Owner role on newly provisioned subscriptions.

GDAP relationships can be configured for a term of up to 2 years, unlike DAP, which could be permanent. When this article was written, a GDAP relationship could not be renewed or extended: the customer had to accept a new relationship request when the term expired.

Step-by-Step Implementation

Step 1 - Initial Setup

The implementation process begins with creating the service principal for Microsoft's Granular Delegated Admin Privilege enterprise application in the partner tenant using PowerShell. Partners must use the 64-bit PowerShell host, not the (x86) version, because the AzureAD module does not support the 32-bit runtime. Caveat: the AzureAD module used below has since been deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK; the commands are kept here as the article originally published them.

Execute the following PowerShell commands in sequence:

# Install the AzureAD module for the current user only (no elevation required)
Install-Module AzureAD -Scope CurrentUser
Import-Module AzureAD
# Sign in to the partner tenant as a global admin (or the dedicated service account)
Connect-AzureAD
# Create the service principal for Microsoft's "Partner Customer Delegated Administration" app
New-AzureADServicePrincipal -AppId 2832473f-ec63-45fb-976f-5d45a7d4bb91

The global admin user from the partner's organization must accept consent for the following applications:

NOTE! Use a dedicated service account for the Microsoft Partner Center integration rather than an individual administrator's account.

Once the service principal exists and consent has been granted, AppXite can read the partner's GDAP data and populate the real-time monitoring and management dashboard that shows the GDAP relationship status of each customer.
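The same Step 1 setup with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original article or AppXite's tooling. It assumes the Microsoft.Graph module is installed and that the signed-in account can create service principals in the partner tenant; unlike the AzureAD commands above, it also verifies the result instead of assuming the creation succeeded.

```powershell
# Added example (not from the original article): provision and verify the
# Partner Customer Delegated Administration service principal with the
# Microsoft Graph PowerShell SDK instead of the deprecated AzureAD module.
# Assumes the Microsoft.Graph module is installed and the signed-in user
# holds a role that can create service principals in the partner tenant.

# App ID of Microsoft's first-party GDAP application, as given in the article.
$gdapAppId = '2832473f-ec63-45fb-976f-5d45a7d4bb91'

# Application.ReadWrite.All is needed to create the service principal;
# the sign-in prompts for consent on first use.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# Idempotent: only create the service principal if it is not already present.
$sp = Get-MgServicePrincipal -Filter "appId eq '$gdapAppId'"
if (-not $sp) {
    $sp = New-MgServicePrincipal -AppId $gdapAppId
    Write-Host "Created service principal $($sp.DisplayName) ($($sp.Id))"
} else {
    Write-Host "Service principal already present: $($sp.DisplayName) ($($sp.Id))"
}

# Post-condition check: the principal exists in this tenant and is enabled.
$check = Get-MgServicePrincipal -Filter "appId eq '$gdapAppId'"
if (-not $check -or -not $check.AccountEnabled) {
    throw "GDAP service principal missing or disabled in tenant $((Get-MgContext).TenantId)"
}

Disconnect-MgGraph | Out-Null
```

Run it in the partner tenant, not in a customer tenant; the Graph SDK works in both 64-bit Windows PowerShell 5.1 and PowerShell 7, so the (x86) restriction above does not apply to this variant.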

Step 2 - Configuration

Once consents are signed, partners can request access to their GDAP dashboard. The dashboard allows selection of specific customers and generation of templates with desired access role definitions across selected customers with expiration terms of up to 2 years.

A template captures a set of Azure AD roles and an expiry term once and is then applied to every selected customer, so relationships are created consistently and the roles requested stay within the partner's support scope.

Step 3 - GDAP Service Continuity

The dashboard maintains a live data stream of new relationships and provides a comprehensive customer list reflecting both newly added and removed customer organizations from the partner center. Customer contact emails associated with accounts can be used to dispatch newly generated relationship links based on previously configured templates.

The system automatically updates to reflect changes in the partner's customer base, ensuring that relationship management remains current and accurate. This continuous monitoring helps partners maintain visibility into their customer relationship portfolio.

Service Continuity Management

Relationship Management

GDAP relationships require active management to ensure service continuity. A relationship request expires after 90 days if the customer does not accept it, and an active relationship cannot be extended once it reaches its term limit. When an existing relationship expires, the customer must accept a new relationship request before the partner's access is restored.

Partners can create multiple GDAP relationships with different customers simultaneously using AppXite's tools, though this functionality isn't available through the standard Partner Center experience. Each relationship link can only be used with a single customer, ensuring proper security boundaries.
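The following report covers both rules from this section (the 90-day acceptance window and the fixed term), as an added example that is not part of the original article or AppXite's dashboard. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Partner module) and assumes the signed-in partner user holds the DelegatedAdminRelationship.Read.All permission; the 60-day renewal lead time is an assumed value, and the status strings are those exposed by the Graph delegatedAdminRelationship resource.

```powershell
# Added example (not from the original article): list GDAP relationships that
# need partner action, using the Microsoft Graph PowerShell SDK.
# Assumes DelegatedAdminRelationship.Read.All on the signed-in partner user.
Connect-MgGraph -Scopes 'DelegatedAdminRelationship.Read.All'

$renewWindowDays    = 60   # assumed lead time to get a replacement request accepted
$approvalWindowDays = 90   # article: unanswered requests lapse after 90 days
$now = (Get-Date).ToUniversalTime()

# All relationships the partner tenant has created, in every status.
$relationships = Get-MgTenantRelationshipDelegatedAdminRelationship -All

$report = foreach ($r in $relationships) {
    $customer = if ($r.Customer.DisplayName) { $r.Customer.DisplayName } else { $r.Customer.TenantId }
    switch ($r.Status) {
        'active' {
            # Active terms cannot be extended: flag those ending inside the lead time.
            $daysLeft = [int]($r.EndDateTime.ToUniversalTime() - $now).TotalDays
            if ($daysLeft -le $renewWindowDays) {
                [pscustomobject]@{ Customer = $customer; Relationship = $r.DisplayName
                                   Action = "Send new request; term ends in $daysLeft days" }
            }
        }
        'approvalPending' {
            # Unaccepted requests lapse 90 days after creation.
            $daysOpen = [int]($now - $r.CreatedDateTime.ToUniversalTime()).TotalDays
            [pscustomobject]@{ Customer = $customer; Relationship = $r.DisplayName
                               Action = "Chase customer; request lapses in $($approvalWindowDays - $daysOpen) days" }
        }
        'expired' {
            [pscustomobject]@{ Customer = $customer; Relationship = $r.DisplayName
                               Action = 'Access already lost; send a new request' }
        }
    }
}

$report | Sort-Object Customer | Format-Table -AutoSize
Disconnect-MgGraph | Out-Null
```

Relationships with a role set that still matches the template can simply be re-requested; if the customer's requirements have changed, adjust the template first so the replacement request does not carry roles the partner no longer needs.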

Azure Subscription Access

Managing customer Azure subscriptions requires specific GDAP role configurations. Partner users must be members of the Admin Agent security group (AdminAgents) to manage customer Azure subscriptions through the Azure portal. To avoid giving every Azure operator full Admin Agent membership, security groups can be nested under the AdminAgents group so that the Admin Agent role is delegated more granularly.

For example, a partner can create a security group called "Azure Managers" and add it as a member of the AdminAgents group. Azure role assignments can then target "Azure Managers", whose membership is managed by the partner's own identity processes rather than through the Partner Center.
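Creating and nesting the "Azure Managers" group described above, as an added example that is not part of the original article or AppXite's tooling. It uses the Microsoft Graph PowerShell SDK and assumes the signed-in partner user can manage groups in the partner tenant; the mail nickname is an assumed value.

```powershell
# Added example (not from the original article): create the "Azure Managers"
# group and nest it under the Partner Center AdminAgents group using the
# Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module is
# installed and the signed-in partner user can manage groups.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'GroupMember.ReadWrite.All'

$nestedName = 'Azure Managers'   # group name used in the article's example

# AdminAgents is created by Partner Center: look it up, never create it.
$adminAgents = Get-MgGroup -Filter "displayName eq 'AdminAgents'"
if (-not $adminAgents) { throw 'AdminAgents group not found; is this the partner tenant?' }

# Security-only group (not mail-enabled), created once.
$nested = Get-MgGroup -Filter "displayName eq '$nestedName'"
if (-not $nested) {
    $nested = New-MgGroup -DisplayName $nestedName `
        -MailEnabled:$false -MailNickname 'azuremanagers' -SecurityEnabled
}

# Nest the group; the member is referenced by its directory object id.
$members = Get-MgGroupMember -GroupId $adminAgents.Id -All
if ($members.Id -notcontains $nested.Id) {
    New-MgGroupMember -GroupId $adminAgents.Id -DirectoryObjectId $nested.Id
}

# Verify the nesting before pointing Azure RBAC assignments at the new group.
$verify = Get-MgGroupMember -GroupId $adminAgents.Id -All
if ($verify.Id -notcontains $nested.Id) { throw "Nesting of '$nestedName' under AdminAgents failed" }
Write-Host "'$nestedName' ($($nested.Id)) is a member of AdminAgents ($($adminAgents.Id))"

Disconnect-MgGraph | Out-Null
```

Keep membership of "Azure Managers" as small as the Azure support scope requires; every member inherits the AdminAgents group's access to customer subscriptions through the nesting.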


WARNING! If a customer has Azure subscriptions that were provisioned without DAP and the partner moves that customer to a GDAP relationship covering Microsoft 365 only, access to the Azure subscriptions may be lost. Include the Azure GDAP roles in the same transition as the M365 GDAP roles to maintain access.

Frequently Asked Questions

General GDAP Questions

Will DAP be completely removed from Microsoft Partner Center? DAP will continue to co-exist with GDAP but with limited functionality. DAP privileges will be scoped to Partner Center processes only for ordering licenses and creating customer profiles without Service Access management features.

Which Microsoft Partners are eligible for GDAP workflows? GDAP is available to all partners having Tier 1 – Direct Reseller and Tier 2 - Indirect Provider status.

When will GDAP take precedence over DAP for Microsoft 365 Service and Azure AD Administration? The transition deadline was September 30th, 2022, with AppXite's migration solution becoming available September 1st, 2022.

Relationship Management Questions

Do GDAP relationship links expire if customers don't take action? Yes, relationship requests expire after 90 days if customers don't respond.

What is the maximum term for a GDAP relationship? Relationships can be configured for up to 2 years, unlike DAP which could be permanent.

Can active relationships be extended? No, once the relationship term expires, customers must accept new relationship requests.

Is auto-renewal available for GDAP relationships? At the time this article was written, GDAP had no auto-renewal: customers had to accept a new relationship link when a term expired. Microsoft has since added an opt-in auto-extend option (a 180-day extension of an active relationship), so check the current Partner Center guidance before relying on manual renewal alone.

Technical Implementation Questions

Can partners create multiple GDAP relationships with different customers simultaneously? Yes, though this functionality requires AppXite's tools rather than the standard Partner Center experience.

Can a single relationship link be used with multiple customers? No, relationship links can only be associated with a single customer.

Do partners need multiple security groups for multiple customers? Partners can tailor their setup for GDAP access role distribution within their tenant using various approaches, including multiple security groups per access role or single security groups across all relationships.

Impact and Compliance Questions

Are competencies affected when transitioning from DAP to GDAP? Yes, competencies with prerequisites for partner associations may be impacted if proper access levels aren't maintained through GDAP. Competencies with customer monthly active usage (MAU) metrics may experience degradation if access isn't properly configured.

What happens to customer subscriptions if GDAP relationships expire? Customer subscriptions remain unaffected. Only the designated GDAP Service access roles scoped in the relationship will cease to work.

Who receives GDAP relationship termination notifications? Within partner organizations, users with the Admin Agent role receive notifications. Within customer organizations, Global admin users receive the notifications.

Limitations

Partners using AppXite's GDAP migration solution must complete custom setup requirements including additional consents signed by the acting global admin. The migration tools require specific consent URLs to support the full scope of GDAP workflows and properly scale processes on the tenant.

GDAP relationships cannot be permanent like DAP relationships could be. All GDAP relationships must have defined expiration terms of up to 2 years, after which new relationships must be established.

The transition process requires careful timing, particularly for customers with Azure subscriptions. Partners must ensure simultaneous transition to both Azure GDAP and M365 GDAP to maintain access to all customer services.

Summary

The transition from DAP to GDAP represents a significant security enhancement for Microsoft Partner relationships while maintaining service delivery capabilities. AppXite's migration solution provides partners with self-service tools to dynamically migrate existing customers from DAP to GDAP setup seamlessly. Partners must complete this transition to continue receiving Partner Earned Credits and Incentives while providing CSP Support services. The implementation requires careful planning, proper consent management, and ongoing relationship maintenance to ensure service continuity and compliance with Microsoft Partner Program requirements.
