Requesting a Granular Admin Relationship with Customers (GDAP)
Granular Delegated Admin Privileges (GDAP) is a Microsoft security feature that enables partners to access customer environments with least-privileged, time-bound permissions, in line with the Zero Trust cybersecurity model. GDAP replaces the older Delegated Admin Privileges (DAP) model, offering more control and transparency.
Key Benefits
- Granular access: Assign only the necessary Azure AD roles.
- Time-bound permissions: Admin relationships expire after a set period (maximum 730 days).
- Improved security: Aligns with Microsoft’s Zero Trust principles.
How to Request a GDAP Relationship
- Make sure that the Microsoft Management Settings extension is installed.
- Define the roles to include in the GDAP request using the Microsoft Management Settings extension.
- Create GDAP Email Templates for GDAP Requests.
- Create and configure email notification rules.
How Can a Customer Approve the GDAP Relationship Request?
- When a new Azure NCE order is approved in Connect, the customer receives a GDAP request via email.
- The customer must click the link in the email to approve the request.
  Note: This link is for customers only. If a provider clicks it, an error will appear—this is expected behavior.
- Alternative Approval Method: After subscription provisioning, customers can also approve roles via the UX1 control panel by clicking Approve Partner Roles. If roles are pending, they will be redirected to the Microsoft Admin Portal to complete the approval. This may be necessary if new roles have been added by the provider or if the admin relationship has expired, for example.
Important:
- The GDAP request is sent only once, during the first purchase by a new customer.
- The admin relationship duration is set to the maximum allowed (730 days). After expiration, a new request must be submitted. You can configure GDAP relationships to be auto-extended. For additional details, see Extending the Custom GDAP Relationships with Customers.
- Ensure the Security Contact in Partner Center is up to date. Microsoft uses this contact for any security-related communication. Using an email distribution list is recommended.
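A partner-side audit of the expiry and least-privilege points above, as an added example that is not part of the original page or of the Connect product. It assumes records shaped like Microsoft Graph's `delegatedAdminRelationship` resource; the `audit` and `rel` names, the 60-day warning threshold, the placeholder role ID and all sample data are constructed for illustration.

```python
from datetime import datetime, timezone

# Well-known Entra ID (Azure AD) role template ID for Global Administrator.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
ROLE_X = "00000000-0000-0000-0000-000000000001"  # constructed placeholder role ID

def rel(name, status, end, auto, roles):
    """Build a record shaped like Graph's delegatedAdminRelationship (assumed shape)."""
    return {"displayName": name, "status": status, "endDateTime": end,
            "autoExtendDuration": auto,
            "accessDetails": {"unifiedRoles": [{"roleDefinitionId": r} for r in roles]}}

# Constructed sample data; tenant names and dates are made up.
SAMPLE = [
    rel("contoso-helpdesk", "active", "2025-07-01T00:00:00Z", "PT0S", [ROLE_X]),
    rel("fabrikam-full", "active", "2026-12-01T00:00:00Z", "PT0S", [GLOBAL_ADMIN]),
    rel("adatum-old", "expired", "2025-01-01T00:00:00Z", "PT0S", [ROLE_X]),
    rel("woodgrove-ok", "active", "2025-06-20T00:00:00Z", "P180D", [ROLE_X]),
]

def audit(relationships, now, warn_days=60):
    """Return (name, finding) pairs for relationships that need attention."""
    findings = []
    for r in relationships:
        name = r["displayName"]
        if r["status"] == "expired":
            findings.append((name, "expired"))  # a new request must be submitted
            continue
        if r["status"] != "active":
            continue  # pending, terminated, etc. are out of scope here
        # "Z" suffix is rewritten so fromisoformat works on older Python versions.
        end = datetime.fromisoformat(r["endDateTime"].replace("Z", "+00:00"))
        auto = r.get("autoExtendDuration") or "PT0S"  # PT0S means no auto-extend
        if (end - now).days <= warn_days and auto == "PT0S":
            findings.append((name, "expiring_no_auto_extend"))
        roles = {u["roleDefinitionId"] for u in r["accessDetails"]["unifiedRoles"]}
        if GLOBAL_ADMIN in roles:
            findings.append((name, "global_admin_role"))  # broader than least privilege
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, datetime(2025, 6, 1, tzinfo=timezone.utc)):
        print(f"{name}: {finding}")
```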