Managing Role Assignment for GDAP Relationship Requests
Understanding Permissions and Roles
In Microsoft’s GDAP (Granular Delegated Admin Privileges) model, the most basic unit of access control is a permission. Since users often need multiple permissions to perform their duties, Microsoft allows assigning multiple permissions to a single user.
Given the vast number of available permissions, it can be difficult for administrators to determine which ones are necessary for specific roles or users. Applying these permissions consistently across users can also be error-prone.
To address this, Microsoft introduced roles—predefined collections of related permissions grouped by function (e.g., Customer Care, Billing, Invoicing, Operations, Security). Assigning roles instead of individual permissions simplifies administration and ensures users receive all the access they need to perform their jobs effectively.
Since users may need to operate across different functional areas, Microsoft allows assigning multiple roles to a single user.
GDAP Relationship Types
Provider-to-Customer GDAP Relationship
When a Microsoft direct provider partner (Tier 1 or Tier 2) initiates a GDAP relationship with a customer, the request must include the specific roles the provider is requesting. Once the customer accepts the relationship, these roles—and the permissions they contain—are approved for the provider’s use.
Reseller-to-Customer GDAP Relationship
An indirect (Tier 2) reseller must establish a separate GDAP relationship with the customer, independent of any provider relationship. Importantly, resellers do not inherit permissions from the provider’s GDAP relationship. Each relationship is managed and approved independently.
CloudBlue Context
User Journey
When a provider uses the Microsoft Management Extension to initiate a GDAP relationship with a customer, they must select the desired roles and include them in the request, since the customer approves exactly the roles listed there.
In automated marketplaces like CloudBlue, provider associates typically do not manually configure roles for each transaction. Instead, providers define default roles once, which are stored in Connect. For each subsequent transaction, Connect automatically applies these default roles to the GDAP request, streamlining the process and reducing the risk of error.
Roadmap
Because Microsoft uses a Multi-Partner model, a customer may hold multiple independent GDAP relationships at once, with competing providers and with competing resellers. Each relationship carries its own set of approved roles and permissions, and approval of one relationship grants nothing to another.