FAQ – AppXite GDAP and CSP Microsoft Cloud Solutions

Appxite

Introduction

This article answers the most frequently asked questions about AppXite's Granular Delegated Admin Privileges (GDAP) migration solution for Microsoft Cloud Solution Provider partners. It covers application consents, relationship management, roles, security groups, Azure subscription access, compliance, and account setup. For step-by-step instructions, refer to the related articles listed at the end of this article.

Application consent questions

What is the Graph application consent used for?

The Graph application consent grants AppXite access to the Microsoft Graph API. This is used to read and manage directory objects — such as Platform users, groups, and security group memberships — within your Microsoft Partner Center tenant. It is required for security group provisioning and role assignment during the GDAP transition flow.


What is the Azure Management application consent used for?

The Azure Management application consent enables AppXite to interact with Azure Resource Manager on behalf of your organization. This is necessary to manage Customer Azure subscriptions, assign Owner access roles to newly provisioned subscriptions, and support the Admin Agent role functionality within GDAP relationships.


What is the Billing application consent used for?

The Billing application consent allows AppXite to retrieve billing and Reconciliation data from Microsoft Partner Center. This supports accurate Invoice generation and Billing cycle management within the Platform.


What is the NCE Price Sheets application consent used for?

The NCE Price Sheets application consent gives AppXite access to the latest New Commerce Experience pricing data from Microsoft Partner Center. This ensures that current Suggested retail price information is available when creating or managing Offers and Subscriptions for your Customers.


What is the Partner Center application consent used for?

The Partner Center application consent allows AppXite to perform key operations in Microsoft Partner Center on your behalf — including ordering Licenses, creating Customer profiles, and managing partner relationships. It is the foundational consent required for most Microsoft Cloud Solution Provider workflows.


What is the GDAP application consent used for?

The GDAP application consent specifically enables AppXite to create, manage, and monitor GDAP relationships with your Customers. Without this consent, the GDAP dashboard, relationship generation, and Customer transition flows cannot function.


Why is it recommended to use a dedicated service account for Microsoft Partner Center integration?

Using a dedicated service account ensures the integration remains stable and is not tied to an individual Platform user's credentials. If a personal account is modified, disabled, or the Platform user leaves the organization, the integration may break. A service account reduces this risk and is a security best practice.

 

General GDAP questions

What is GDAP and why is it being introduced?

GDAP (Granular Delegated Admin Privileges) is Microsoft's replacement for the traditional DAP (Delegated Admin Privileges) model. It allows Partners to service Customers with minimum required access rights, applying the least privilege principle. Unlike DAP, which grants broad and indiscriminate access, GDAP enables Partners to tailor access rights based on specific Customer security compliance requirements. It also includes granular activity logs with full relationship lifecycle visibility.


Will DAP be completely removed from Microsoft Partner Center?

No. DAP will continue to co-exist with GDAP but with limited scope. DAP privileges will be restricted to Microsoft Partner Center processes only — such as ordering Licenses and creating Customer profiles — and will no longer include Service Access management features.


Which Microsoft Partners are eligible for GDAP workflows?

GDAP is available to all Partners with Tier 1 – Direct model and Tier 2 – Indirect model status.


When did GDAP take precedence over DAP?

The transition deadline was September 30th, 2022. AppXite's migration solution became available on September 1st, 2022.


What happens if partners do not complete the GDAP transition?

Partners who do not enable GDAP on Customer Tenants will no longer receive Partner Earned Credits (PEC), Incentives, or Microsoft Cloud Solution Provider Support capabilities.

 

Relationship management questions

Do GDAP relationship links expire if customers do not take action?

Yes. Relationship requests expire after 90 days if Customers do not respond. A new relationship request must be sent after expiry.


What is the maximum term for a GDAP relationship?

GDAP relationships can be configured for a maximum Term duration of 2 years, unlike DAP, which could be set as permanent.


Can an active GDAP relationship be extended before it expires?

No. Once a GDAP relationship reaches its Term limit, it cannot be extended. Customers must accept a new relationship request to re-establish access.


Is auto-renewal available for GDAP relationships?

No. GDAP does not support Auto-renewal. Customers must actively accept new relationship links when the existing Term expires.


Can partners create multiple GDAP relationships with different customers at the same time?

Yes, though this functionality requires AppXite's tools. The standard Microsoft Partner Center experience does not support creating multiple GDAP relationships simultaneously.


Can a single GDAP relationship link be used with multiple customers?

No. Each relationship link can only be associated with a single Customer, ensuring proper security boundaries between Customer organizations.


Who receives notifications when a GDAP relationship is terminated?

Within the Partner organization, Platform users with the Admin Agent role receive the notification. Within the Customer organization, Global administrator Platform users are notified.


What happens to customer subscriptions when a GDAP relationship expires?

Customer Subscriptions remain fully active and unaffected. Only the GDAP service access roles scoped within the expired relationship will cease to function.

 

Roles and security group questions

Which GDAP roles are assigned by default when a new customer is created from the platform?

The following roles are assigned to the Seller by default for new Customers created from the Platform: Application administrator, Cloud application administrator, Directory readers, Directory writers, Global reader, Helpdesk administrator, License administrator, Privileged authentication administrator, Privileged role administrator, Service support administrator, and User administrator.


Which roles are mandatory to ensure GDAP takes precedence over DAP?

Certain roles are critical for proper GDAP precedence and Microsoft Cloud Solution Provider compliance. These are highlighted in the CSP template and must always be present. Refer to the full role list with IDs in the related article GDAP – Read before transition!


Can partners use a single security group across multiple GDAP relationships?

Yes. Partners can structure their setup to use a single security group across all relationships, or create multiple security groups per access role — depending on their access control requirements. AppXite's tooling supports both approaches.


What happens if the security groups created through the AppXite GDAP flow are deleted?

Deleting security groups provisioned through the AppXite GDAP flow will break relationship data mapping for any new GDAP relationships created afterward. It is strongly recommended not to delete these groups. If they have already been deleted, they must be re-provisioned before initiating further Customer transitions.


Can Service Principal IDs be used as the owner when creating security groups?

No. Microsoft requires that security groups have a designated Platform user account as the owner. Service Principal IDs are not accepted in this field. A valid Platform user account ID that will administer Microsoft Cloud Solution Provider Agent permissions must be provided.


What duration format must be used when creating a GDAP template?

The duration field must follow a strict ISO 8601 period format. For example, "P2Y" sets a 2-year Term and "P15D" sets a 15-day Term.
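The duration format above and the lifecycle rules from the relationship management section (2-year maximum Term, 90-day request expiry, no extension or auto-renewal) can be checked before a template is submitted. The following Python is an added example, not AppXite or Microsoft code; the function names, the 60-day lead time, and the sample customers are assumptions, as is the restriction to year, month, and day designators.

```python
import calendar
import re
from datetime import date, timedelta

# Assumption: only date designators (Y, M, D) are accepted, as in "P2Y" and "P15D".
_PERIOD = re.compile(r"P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?")
MAX_TERM = (2, 0, 0)       # 2-year maximum Term stated in this FAQ
REQUEST_VALID_DAYS = 90    # unanswered relationship requests expire after 90 days

def parse_period(text):
    """Return (years, months, days) or raise ValueError for a malformed period."""
    m = _PERIOD.fullmatch(text)
    if not m or not any(m.groups()):
        raise ValueError(f"not an ISO 8601 period: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def add_period(start, period):
    """Calendar-aware addition; clamps the day of month (29 Feb + 2Y -> 28 Feb)."""
    years, months, days = period
    total = start.month - 1 + months
    year, month = start.year + years + total // 12, total % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day) + timedelta(days=days)

def relationship_end(accepted_on, duration):
    """End date of a relationship, rejecting zero-length or over-long Terms."""
    end = add_period(accepted_on, parse_period(duration))
    if end <= accepted_on:
        raise ValueError(f"zero-length Term: {duration!r}")
    if end > add_period(accepted_on, MAX_TERM):
        raise ValueError(f"Term exceeds the 2-year maximum: {duration!r}")
    return end

def request_expiry(sent_on):
    """Date after which an unanswered relationship request must be re-sent."""
    return sent_on + timedelta(days=REQUEST_VALID_DAYS)

def due_for_new_request(relationships, today, lead_days=60):
    """Customers whose Term ends within lead_days, soonest first."""
    due = sorted((relationship_end(acc, dur), name) for name, acc, dur in relationships)
    horizon = today + timedelta(days=lead_days)
    return [name for end, name in due if today <= end <= horizon]

# Constructed sample data (customer names are placeholders).
SAMPLE = [
    ("customer-a", date(2024, 3, 1), "P2Y"),
    ("customer-b", date(2025, 12, 20), "P15D"),
    ("customer-c", date(2025, 6, 1), "P1Y6M"),
]
```

Because a relationship cannot be extended, the output of `due_for_new_request` is the list of Customers who need a fresh relationship request sent and accepted before the current Term ends.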

 

Azure subscription questions

What happens to customer Azure subscriptions during the GDAP transition?

If a Customer has Azure subscriptions and is transitioned to GDAP for Microsoft 365 only — without simultaneously migrating Azure access — access to those Azure subscriptions may be lost. Customers must be moved to Azure GDAP and M365 GDAP at the same time to maintain uninterrupted access.


Which role is required to manage customer Azure subscriptions through GDAP?

The Admin Agent role is required to manage Customer Azure subscriptions through the Azure Management Portal. Partners can also nest additional security groups — such as an "Azure Managers" group — under the Admin Agent security group to enable more granular access control for specific Platform users.

 

Compliance and impact questions

Will Microsoft competencies be affected by transitioning from DAP to GDAP?

Yes. Competencies with prerequisites tied to Partner associations may be affected if the correct access levels are not maintained through GDAP. In particular, competencies based on Customer monthly active usage (MAU) metrics may experience degradation if GDAP access is not properly configured.


Are there any specific limitations partners should be aware of when using AppXite's GDAP migration solution?

Yes. Partners must complete custom setup steps, including obtaining all required application consents signed by the acting global administrator. GDAP relationships also cannot be permanent — all relationships must have a defined expiration Term of up to 2 years, after which new relationships must be established. For Customers with Azure subscriptions, the timing of the transition must be carefully managed to avoid losing access.

 

Account and access questions

Who is eligible to register for the AppXite GDAP solution?

The Platform must be connected to a Microsoft Partner Center tenant (Tier 1 or Tier 2). For Tier 2 access, only Tier 2 Distributor administrators are eligible for registration. Seller admins under Indirect model Sellers are not eligible.


What are the prerequisites for registering a user account in the GDAP solution?

The following conditions must be met: the Platform must be connected to a Microsoft Partner Center tenant (Tier 1 or Tier 2), the account must be in an Active state on the Platform, the account must use Azure Active Directory authentication, and the account must have email receiving capability through Exchange.


How does account activation and credential recovery work?

Account activation is a two-step process. First, submit your email address without entering a security code — this triggers a one-time security code sent to your email. Then, submit your email and the received security code to obtain new credentials. Process details are also available in the Logs tab of the application.


What operating system is required to install the GDAP software client?

The GDAP software client supports Windows 10 and Windows 11. The device must also have access to the Microsoft Store for installation.


Where can I download the GDAP software client?

The application is available in the Microsoft Store under the name "AppXite – Partner Management Solution," published by Sia AppXite. It can be found by searching in the Microsoft Store or using the direct link provided in the related article GDAP software client setup.

 

Summary

This article consolidates the most frequently asked questions across AppXite's GDAP documentation. It covers the purpose of each required application consent, the mechanics of GDAP relationship management, mandatory role and security group requirements, Azure Subscription transition risks, compliance impact, and account registration prerequisites. For detailed step-by-step instructions, refer to the related content below.

 

Related content
