As a Microsoft Partner who wants to operate safely in your customers' workloads, it is imperative that you understand Granular Delegated Admin Privileges (GDAP). Whether you are new to GDAP or want to deepen your understanding, this article walks you through how it works and how to apply it.
GDAP is a security feature that gives partners least-privileged access to customer tenants, following Zero Trust principles. It lets partners request granular, time-bound access to their customers' workloads in production and sandbox environments. This access must be explicitly granted to the partner by the customer; nothing is delegated by default.
Users with the Admin agent role at a partner organization can create a GDAP relationship request. The possible relationship roles are listed below:
Managed Service Providers (MSPs) enrolled in the Cloud Solution Provider (CSP) program as indirect resellers or direct bill partners can use Microsoft 365 Lighthouse to set up GDAP for any customer tenant. It also lets partners adopt security measures such as just-in-time (JIT) access.
Partners define the duration of a GDAP relationship. The default duration is two years (730 days), which is also the maximum; a partner can shorten it to as little as one day. Pick the shortest duration that matches the engagement, since the relationship expires automatically and must be requested and approved again afterwards.
Who receives a GDAP relationship termination notification email?
Within a partner organization, people with the Admin agent role receive a termination notification. Within a customer organization, people with the Global admin role receive a termination notification.
To manage Azure with per-customer access partitioning (the recommended practice), create a security group (for example, Azure Managers) and nest it under the Admin agents group.
To access a customer's Azure subscription as an owner, assign any Azure Active Directory (Azure AD) built-in role (such as Directory readers, the least-privileged one) to the Azure Managers security group within the GDAP relationship; that assignment is what makes the group usable in the customer's tenant. The Owner permission on the subscription itself is then granted with an Azure role-based access control (RBAC) assignment on that subscription, not by the Azure AD role, so the directory role can stay at Directory readers.
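The following PowerShell is an added example and is not code from the original article or from Microsoft. It shows the per-customer partitioning described above end to end: nesting the Azure Managers group under Admin agents, requesting a GDAP relationship with only Directory readers and a bounded duration, scoping that role to the group once the customer has approved, and finally granting Owner on the subscription through Azure RBAC. The tenant and subscription IDs are placeholders, the group names ("Azure Managers", "AdminAgents") are assumed to already exist in the partner tenant, and it assumes the signed-in admin agent already holds Owner or User Access Administrator on the customer subscription (as is the case for CSP-provisioned Azure plan subscriptions). It uses the Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Az.Accounts and Az.Resources modules.

```powershell
# Added example, not part of the original article. Placeholder values throughout.
# Phase 1 runs in the partner tenant; phase 2 only after the customer approves.

# Well-known Azure AD built-in role template ID for Directory readers.
$DirectoryReadersRoleId = '88d8e3e3-8f55-4a1e-953a-9b9898b8876b'
$GraphBase = 'https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships'

function New-GdapAzureRequest {
    param(
        [Parameter(Mandatory)][string]$CustomerTenantId,   # placeholder GUID from the customer
        [int]$DurationDays = 365                           # GDAP allows 1..730 days
    )
    if ($DurationDays -lt 1 -or $DurationDays -gt 730) {
        throw "GDAP duration must be between 1 and 730 days (got $DurationDays)."
    }

    Connect-MgGraph -Scopes 'DelegatedAdminRelationship.ReadWrite.All', 'Group.ReadWrite.All'

    # Group names are assumptions: "AdminAgents" is the Partner Center group,
    # "Azure Managers" is the per-customer group created beforehand.
    $azureManagers = Get-MgGroup -Filter "displayName eq 'Azure Managers'"
    $adminAgents   = Get-MgGroup -Filter "displayName eq 'AdminAgents'"

    # Nest Azure Managers under Admin agents; skip if already nested.
    $nested = Get-MgGroupMember -GroupId $adminAgents.Id -All | Where-Object { $_.Id -eq $azureManagers.Id }
    if (-not $nested) {
        New-MgGroupMember -GroupId $adminAgents.Id -DirectoryObjectId $azureManagers.Id
    }

    # Request the relationship with Directory readers only and an ISO 8601 duration (e.g. P365D).
    $relationship = Invoke-MgGraphRequest -Method POST -Uri $GraphBase -Body @{
        displayName   = "Azure mgmt - $CustomerTenantId"
        duration      = "P${DurationDays}D"
        customer      = @{ tenantId = $CustomerTenantId }
        accessDetails = @{ unifiedRoles = @(@{ roleDefinitionId = $DirectoryReadersRoleId }) }
    }

    # Lock the request for approval; after this it can no longer be edited.
    Invoke-MgGraphRequest -Method POST -Uri "$GraphBase/$($relationship.id)/requests" `
        -Body @{ action = 'lockForApproval' } | Out-Null

    Write-Host "Relationship $($relationship.id) created; a Global admin at the customer must approve it."
    return $relationship.id
}

function Grant-GdapAzureOwner {
    param(
        [Parameter(Mandatory)][string]$RelationshipId,
        [Parameter(Mandatory)][string]$CustomerTenantId,
        [Parameter(Mandatory)][string]$SubscriptionId     # placeholder customer subscription
    )
    Connect-MgGraph -Scopes 'DelegatedAdminRelationship.ReadWrite.All', 'Group.Read.All'

    # Refuse to continue until the customer has approved; otherwise the assignment call fails.
    $current = Invoke-MgGraphRequest -Method GET -Uri "$GraphBase/$RelationshipId"
    if ($current.status -ne 'active') {
        throw "Relationship is '$($current.status)', not active yet; wait for customer approval."
    }

    $azureManagers = Get-MgGroup -Filter "displayName eq 'Azure Managers'"

    # Scope Directory readers to the Azure Managers group only (not to all Admin agents).
    Invoke-MgGraphRequest -Method POST -Uri "$GraphBase/$RelationshipId/accessAssignments" -Body @{
        accessContainer = @{ accessContainerId = $azureManagers.Id; accessContainerType = 'securityGroup' }
        accessDetails   = @{ unifiedRoles = @(@{ roleDefinitionId = $DirectoryReadersRoleId }) }
    } | Out-Null

    # Owner on the subscription comes from Azure RBAC, not from the GDAP directory role.
    # Assumes the signed-in admin agent already has Owner/User Access Administrator here.
    Connect-AzAccount -Tenant $CustomerTenantId -Subscription $SubscriptionId | Out-Null
    New-AzRoleAssignment -ObjectId $azureManagers.Id -RoleDefinitionName 'Owner' `
        -Scope "/subscriptions/$SubscriptionId"
}

# Usage (placeholder IDs):
# $id = New-GdapAzureRequest -CustomerTenantId '00000000-0000-0000-0000-000000000000' -DurationDays 90
# ... customer approves in the Microsoft 365 admin center ...
# Grant-GdapAzureOwner -RelationshipId $id -CustomerTenantId '00000000-0000-0000-0000-000000000000' `
#     -SubscriptionId '11111111-1111-1111-1111-111111111111'
```

Keeping the directory role at Directory readers while granting Owner through RBAC is the point of the partitioning: members of Azure Managers get full control of that one customer's subscription, but no write access to the customer's directory, and the relationship lapses on its own after the chosen duration.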
In conclusion, GDAP empowers partners with enhanced security and access control capabilities. By understanding GDAP's features and roles, partners can better address customer concerns and compliance requirements.