Introduction to AppXite - GDAP and CSP Microsoft Cloud Solutions
Responding to the growing security & compliance concerns Microsoft is reinforcing the customer access control capabilities by introducing the Granular Delegated Admin Privileges (GDAP).
GDAP is a natural transformation of Delegated Admin Privileges (DAP) which allows partners to service customers, at the same time reducing security risks by enabling custom roles and access time limit constraints - as a result, the GDAP process will override the current DAP (DAP model has indiscriminate access, which cannot be controlled on a more granular level).
As a result, customers will no longer be required to grant admin permissions to partners, instead, acting partners will be able to tailor relationship access rights towards their customers based on their customer security compliance requirements in terms of access controls (e.g. Least privilege principle, which would only require a partner to operate as CSP support and Teams or Dynamics Service Administrator exclusively).
These changes will allow partners to utilize the minimum access rights needed that correspond with the scope of support that customers expect to receive.
In addition, GDAP comes with extended visibility and granular activity logs that illustrate when GDAP permissions are being used along with the lifecycle of that relationship.
What do I have to do to leverage AppXite's transitioning solution?
Step 1 - Initial Setup:
Install Granular Delegated Admin Privilege - Enterprise Application:
You can run the commands from the appropriate options below.
Do not use (x86), as the AzureAD module does not support 32-bit runtime.
Install-Module AzureAD -scope CurrentUser;
New-AzureADServicePrincipal -AppId 2832473f-ec63-45fb-976f-5d45a7d4bb91;
The global admin user from the partner's side has to accept the following links:
Partner Center: https://appxiteplatformconsent.azurewebsites.net
Azure Management: https://partnerconsentmanagement.azurewebsites.net
NCE Price Sheets: https://partnerconsentpartner.azurewebsites.net
This step is required in order to enable a real-time monitoring and management dashboard in order to illustrate partners' customers' GDAP relationship status.
Step 2 - Configuration:
Once the consents are signed, you will be able to request access to your GDAP dashboard.
When selecting customer(s), you will be able to generate a template with desired access role definitions across your selected customer(s) with an expiration term of up to 2 years.
Step 3 - GDAP Service Continuity:
Dashboard at all times will contain a live data stream of new relationships and a full customer list that will reflect both newly added or removed customer organizations in your partner center. The dashboard will provide customer contact email associated with their account, that can be used to dispatch newly generated relationship links based on the previously configured template.
Step 4 (Optional) - Partner Center Alerts:
In order to apply custom alerts targeting GDAP relationships, partners are able to configure these for their Microsoft Provider tenants at their own discretion.
Article Link: https://docs.microsoft.com/en-us/partner-center/develop/partner-center-webhooks
GDAP Endpoint: GET https://api.partnercenter.microsoft.com/webhooks/v1/registration/events
Frequently Asked Questions
- Will the DAP (Delegated Admin Privilege) model be fully removed from Microsoft Partner Center?
No, DAP will continue to co-exist with GDAP. However, if GDAP is not enabled on customer's tenant by 30th September partner will cease to receive PEC (Partner Earned Credits), and Incentives, and will not be able to provide CSP Support within the scope of the requirements from the Microsoft Partner Program.
- What functions will DAP maintain towards the customers?
DAP privileges will be scoped to Partner Center processes only for ordering licenses, and creating/managing customer profiles without Service Access management features. DAP will also be assigned with federated Owner access to the customer's Azure subscriptions - which is needed to assign customers with Owner access roles to recently provisioned Azure Subscriptions.
- When will GDAP take precedence over DAP Microsoft 365 Service and Azure AD Administration?
September 30th, 2022.
- Which Microsoft Partners are eligible for GDAP workflows?
GDAP is available to all partners having Tier 1 – Direct Reseller and Tier 2 - Indirect Provider status.
- How will AppXite help me to transition to GDAP?
AppXite is offering you as a partner, self-service tools which will allow you to dynamically migrate existing customers from DAP to GDAP setup in a seamless way.
- When will the AppXite GDAP migration solution be made available?
September 1st, 2022
- Will the GDAP migration tools require a custom setup?
Yes. In order to support the full scope of the GDAP workflows and properly scale the process on the tenant, the tools will require additional consents to be signed by your acting global admin:
- Do the GDAP relationship links expire if the customer doesn't take any action?
Yes, the relationship requests expire after 90 days.
- What is the maximum term for a relationship?
Can be configured for up to 2 years, unlike in the DAP model, the GDAP relationship cannot be permanent.
- Can the active relationship be extended?
No, once the relationship term is due, a new relationship request has to be accepted by the customer.
- Is it possible to auto-renew the GDAP relationship with the customer?
No, GDAP does not support auto-renewal features. Customers will have to accept new relationship links.
- If the GDAP relationship expires, will the customer’s existing subscriptions be affected?
There will be no change to the customer’s existing subscriptions if the GDAP relationship expires. Only the designated GDAP Service access roles will cease to work that are scoped in the relationship.
- How can I continue to administer services for my customers if DAP for inactive customers is removed?
No. Once the DAP access is no longer present on customer(s) tenant(s), service administration must be transitioned to GDAP model prior to 30th September.
- Who will receive the GDAP relationship termination notification email?
Within the Partner organization, users with the Admin Agent role will receive a notification.
Within the customer organization, the Global admin user(s) will receive the notification.
- Is it possible to see when the customer removes GDAP in activity logs?
Yes, partners can see when a customer terminates GDAP in the Partner Center activity logs.
If I have multiple customers, do I need to have multiple security groups for those customers?
Partners will be able to tailor their own setup for the GDAP access role distribution within their partner's tenant.
e.g. Scenarios -
A: Partner creates multiple Security Groups per every designated access role
B: Partners can assign all access roles for a single security group across all active relationships.
C: There are no restrictions that would keep partners from creating a designated Security group for each customer.
- Can I create multiple GDAP relationships with different customers at once?
Yes, however, this functionality isn't available through the Partner Center experience. It can be created using tools provided by AppXite, allowing partners to scale this process.
- Can a single relationship link be used with multiple customers?
No. Relationship links can only be locked on a single customer.
- Which GDAP roles are needed to access an Azure subscription?
Admin agent role is needed in order to manage customer's Azure subscriptions through Azure Management Portal.
Subsequent groups can be nested under the Admin Agent security group in order to enable more granular control over the Admin Agent role (e.g. Create a security group: Azure Managers - this group can be a member of the Admin Agent group and can be used for assignments on regular users that are managed outside the Partner Center).
- To read more about GDAP roles and least privileged access scenarios, please visit the following link:
- Are competencies affected when transitioning from DAP to GDAP?
Yes. Competencies that have prerequisites for partner associations, may be impacted if the proper level of access between customer and partner is not maintained through GDAP. (e.g. Competencies that have metrics towards customer monthly active usage (MAU), may experience degradation on the currently attained competence level).
- When do I need to remove DAP relationship when using AppXite bulk migration solution?
AppXite's bulk migration solution will include a template configuration where DAP setup will be created together with GDAP AzureAD and GDAP M365 roles, in order to maintain Azure Subscription access to customer(s) tenant(s).
- If I have customer(s) with Azure subscriptions without DAP and I move them to GDAP for Microsoft 365, will I lose access to the Azure Subscription?
Having Azure Subscriptions without DAP, by adding GDAP for M365 to the customer, you may lose access to the Azure subscriptions. In order to avoid that, the customer must be moved to Azure GDAP at the same time that you move the customer to M365 GDAP.