A few months ago, Microsoft announced they're replacing Delegated Admin Permissions (DAP) with Granular Delegated Admin Permissions (GDAP), impacting all Microsoft 365 and Azure partners - you can view their full announcement here.
As a reminder, Microsoft are replacing DAP with GDAP to give you more specific access to your customers' services, reducing the potential attack surface. This change is enforced by Microsoft and requires you to assign GDAP to your customers in Partner Center, and we strongly advise you do so ASAP.
DAP to GDAP FAQs
We have created a video to provide an overview of the changes, the steps that you have to take, and the resources that are available to you.
Click here to download the slides (PDF 1.5Mb)
What is GDAP?
Granular Delegated Admin Permissions (GDAP) gives you more granular access to your customers' Microsoft 365/Azure workloads.
Why are Microsoft introducing GDAP?
GDAP enables you to provide more granular services to customers who may be uncomfortable with the high levels of access you currently have, giving them increased security and peace of mind. GDAP also helps customers who have regulatory requirements to give you only selected access.
Do I have to move to GDAP?
Yes, this is something that is being enforced by Microsoft.
Key Milestones/Deadlines
22nd May 2023: Microsoft will begin to transition DAP roles to GDAP. See FAQs related to this milestone.
25th September 2023: Microsoft will no longer automatically grant DAP to Giacom for new customer creations. To avoid delays, it's important that you agree to the GDAP request, enabling Giacom to support you and your customers from this date.
Microsoft have a GDAP Bulk Migration Tool, which is available until November 2023. Partners who do not use the GDAP Bulk Migration Tool will need to use the standard GDAP processes (detailed in the 'Introduction to GDAP' resource below). However, this method requires consent from all your customers, so we strongly advise taking advantage of Microsoft's GDAP Bulk Migration Tool while it's available.
There are two ways you can move end customers from DAP to GDAP: Bulk migration or Manual 1-1.
Bulk Migration
- Click here to review Microsoft FAQs, instructions and to access this tool
Manually 1-1
Alternatively you can add GDAP to customer tenants manually by following the steps below:
- Add a GDAP template (click here for more info)
- Confirm it meets your requirements
- Cancel DAP (click here for more info)
What do I need to do now?
We advise you move all your customer subscriptions from DAP to GDAP as soon as possible using Microsoft's GDAP Bulk Migration Tool, which is available until November 2023. Once the tool is no longer available, you'll need to have permission from all your customers before you can implement GDAP. We've included links to several helpful resources below.
DAP to GDAP resources
Here's a selection of the most useful GDAP Microsoft resources to help you.
Article explaining what GDAP is, with links to additional guidance and resources
Microsoft's FAQ page covering the most frequently asked questions about GDAP
Guidance around which least-privileged Azure AD built-in roles can be used for each GDAP capability
Assigning roles & user permissions
View Microsoft's step-by-step guide to assigning GDAP roles and user permissions to your customers
Details on creating user accounts for employees needing access to Partner Center
List of Azure AD built-in roles you can assign to allow management of Azure AD resources
DAP to GDAP bulk migration tool
Details and information about Microsoft's GDAP bulk migration tool
As always, if you'd like more info, our team are on hand on 0333 305 4847.