Requesting a Granular Admin Relationship with Customers (GDAP)

Granular Delegated Admin Privileges (GDAP) is a Microsoft security feature that enables partners to access customer workloads with least-privileged, time-bound permissions—aligned with the Zero Trust cybersecurity model. GDAP replaces the older Delegated Admin Privileges (DAP) model, offering more precise control over administrative access.

With NCE Microsoft 365 and Software, providers can request a granular admin relationship with both new customers and existing customers who do not yet have an established admin relationship. As a provider, you can select specific Azure AD roles to include in the request, which the customer must approve.

Process Overview

  1. Install the Microsoft Management Settings Extension.

    This extension must be installed in the Connect Distributor portal to:

    • Configure the GDAP request email template.

    • View GDAP request history.

    • Resend GDAP rquests.

    Note: Refer to the User Guide for setup and usage details.

  2. Configure Azure AD Roles.

    Define the Azure AD roles to be included in the GDAP request using the Microsoft Management Settings extension. For detailed instructions, refer to the Microsoft Management Settings User Guide.

  3. Customer Approval Process.

    • When a new customer places an order for an NCE Microsoft 365 or Software product, they will receive a GDAP request via email once the purchase is approved in Connect.

    • The customer must accept the request using the link provided in the email.

    Note: This link is intended for customers only. If a provider clicks the link, an error will appear—this is expected behavior.

  4. Ongoing Role Approval. After the subscription is provisioned, customers can also approve pending roles by clicking the Approve Partner Roles button in their control panel. If roles are pending, they will be redirected to the Microsoft Admin Portal to complete the approval. This may be necessary if:

    • New roles have been added by the provider.

    • The previous admin relationship has expired.

Important:
- The GDAP request is sent only once, during the first purchase made by a new customer.
- The admin relationship duration is set to the maximum allowed by Microsoft: 730 days. After this period, a new GDAP request must be initiated. You can also configure GDAP relationships to be extended when they expire.
- MEnsure the Security Contact is up to date in Partner Center. Microsoft will use this contact in case of security concerns.Using an email distribution list is recommended.

© 2025 CloudBlue, Inc. All Rights Reserved. Privacy Policy, Terms of Use and Legal

CloudBlue uses cookies to improve the usability of our site. By continuing to use this site and/or logging in you are accepting the use of these cookies. For more information, visit our Privacy Policy.
I accept