GDAP - CSP Roles / Template Management / Security Group Provisioning


This article will cover instructions on how to operate with templates and will include details on what has to be prepared before Security groups are provisioned and where to get the necessary information from. There will be different case scenarios presented and what should be the structure of the template and which roles must be present at all times in order to maintain or/and renew your CSP access to customers that will comply with CSP Support requirements from Microsoft.




NB! In order to complete some of the steps for the template flow, the acting partner's user will require read access to Azure Active Directory - Users.

  • Read Access to Azure Active Directory - Users Section


Template Creation


  1. The field that is used to name your template for identifying it during the process of creating security groups or/and transitioning customers.
  2. The duration field must follow a strict pattern. e.g. "P2Y" 2 Year duration, "P15D" 15 Day duration
  3. This is a grid view for the roles that you have selected in the current template - Avoid duplicates.
  4. This is a list view of all currently available roles that can be used for GDAP relationships within the CSP - selecting an item here, will move the data to the grid view (3.) 
  5. Before you publish the template, make sure you have selected the correct Tenant. This is your partner's Microsoft Tenant id and will be used to identify the template tenant ownership (different tenants can have different templates)
  6. Once you are satisfied with the accuracy of the roles/duration and naming convention for your template, click "Publish Template"

Security Group Provisioning


  1. Click on - "Get Templates" - this will return you to a view where you will get a list of the template(s), that you have configured for the currently selected tenant - check the right top corner.

  2. Click on the desired template and the data from the API will populate the UI elements with the role definitions that were published under this template.

  3. The user Id field is mandatory- Microsoft mandates that security groups must be created with a designated owner. You can supply here a user account id that is going to administer CSP Agent permissions in the future for your company. Service Principal IDs cannot be used here.


  4. Verify that the data is accurate and click on "Create Security Groups". What will happen next, the service will attempt to create security groups for every role definition within the Template. If you have created security groups prior to this through this tool, it will have references for these groups and skip creating security groups that have been created from a different template on the same tenant. The result should look like this. Note that the security group description is also matched with the role description it is going to use for the GDAP flows.


    Security Group Detail view from AAD:


    Important Note: 
    If you happen to have deleted the security groups that have been created through this flow, the relationship data mapping will not work when new GDAP relationships will be created. 



Was this article helpful?

1 out of 1 found this helpful

Add comment

Please sign in to leave a comment.