Mastering GDAP Relationships

Securely Managing Customer Workloads

As a Microsoft Partner who wants to operate safely on your customers' workloads, it is imperative that you know all about Granular Delegated Admin Privileges (GDAP). Whether you're new to GDAP or seeking to enhance your understanding, this article is your compass to navigate the ever-evolving landscape of security and access control.


What is GDAP in Partner Center?

GDAP is a security feature that provides partners with least-privileged access following the Zero Trust cybersecurity protocol. It lets partners configure granular and time-bound access to their customers' workloads in production and sandbox environments. This least-privileged access needs to be explicitly granted to partners by their customers.


What Azure AD roles does Microsoft allow you to assign when establishing a GDAP relationship?

Users with the Admin agent role at a partner organization can create a GDAP relationship request. The roles that can be included in a relationship are listed below:

  • Directory readers: Can read basic directory information. Commonly used to grant directory read access to applications and guests.
  • Directory writers: Can read and write basic directory information. Commonly used to grant access to applications. This role isn't intended for users.
  • Global Reader: Can read everything that a Global Administrator can, but not update anything.
  • License administrator: Can manage product licenses on users and groups.
  • Service support administrator: Can read service health information and manage support tickets.
  • User administrator: Can manage all aspects of users and groups, including resetting passwords for limited admins.
  • Privileged role administrator: Can manage role assignments in Azure AD and all aspects of Privileged Identity Management (PIM).
  • Helpdesk administrator: Can reset passwords for non-administrators and helpdesk administrators.
  • Privileged authentication administrator: Can access, view, set, and reset authentication method information for any user (admin or non-admin).


How does GDAP work with Microsoft 365 Lighthouse?

Managed Service Providers (MSPs) enrolled in the Cloud Solution Provider (CSP) program as indirect resellers or direct bill partners can use Microsoft 365 Lighthouse to set up GDAP for any customer tenant. It also lets Microsoft Partners adopt security measures like just-in-time (JIT) access.


How long does a GDAP relationship last?

Partners define the duration of a GDAP relationship. The default duration is two years, which is also the maximum. However, a partner can update the duration and reduce it to as little as one day.
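
The role list and the duration limits above can be turned into a periodic review of existing relationships. The following is an added example, not part of the original article or of any Microsoft or Cloudcockpit tooling: it audits a constructed inventory of relationships for long durations, high-impact roles and upcoming expiry. The record layout, the `HIGH_IMPACT` set, the 180-day policy, the 30-day warning window and the 730-day reading of "two years" are assumptions of this example.

```python
from datetime import date

# Assumption of this example: roles treated as high-impact, judged from the
# descriptions in the role list above (they can change roles or credentials).
HIGH_IMPACT = {
    "Privileged role administrator",
    "Privileged authentication administrator",
    "User administrator",
    "Directory writers",
}
MAX_DAYS = 730  # the two-year maximum stated above, taken here as 730 days


def audit(relationships, today, policy_days=180, warn_days=30):
    """Return {relationship name: [findings]} for relationships needing review."""
    report = {}
    for rel in relationships:
        findings = []
        days = (rel["end"] - rel["start"]).days
        if days > MAX_DAYS:
            findings.append(f"duration {days}d exceeds the {MAX_DAYS}d maximum")
        elif days > policy_days:
            findings.append(f"duration {days}d exceeds policy of {policy_days}d")
        risky = sorted(HIGH_IMPACT & set(rel["roles"]))
        if risky:
            findings.append("high-impact roles: " + ", ".join(risky))
        left = (rel["end"] - today).days
        if left < 0:
            findings.append("expired")
        elif left <= warn_days:
            findings.append(f"expires in {left}d")
        if findings:
            report[rel["name"]] = findings
    return report


# Constructed sample inventory (hypothetical customers and dates).
SAMPLE = [
    {"name": "contoso-helpdesk", "start": date(2024, 1, 1), "end": date(2024, 3, 31),
     "roles": ["Helpdesk administrator", "Service support administrator"]},
    {"name": "fabrikam-full", "start": date(2023, 1, 1), "end": date(2024, 12, 31),
     "roles": ["Global Reader", "Privileged role administrator"]},
    {"name": "adatum-licenses", "start": date(2023, 12, 1), "end": date(2024, 2, 10),
     "roles": ["License administrator"]},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE, today=date(2024, 2, 1)).items():
        print(name, "->", "; ".join(findings))
```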

Who receives a GDAP relationship termination notification email?

Within a partner organization, people with the Admin agent role receive a termination notification. Within a customer organization, people with the Global admin role receive a termination notification.


Which GDAP roles are needed to access an Azure subscription?

To manage Azure with per-customer access partitioning (which is the recommended best practice), create a security group (such as Azure Managers) and nest it under Admin agents.
To access an Azure subscription as an owner for a customer, you can assign any Azure Active Directory (Azure AD) built-in role (such as Directory readers, the least privileged role) to the Azure Managers security group.



In conclusion, GDAP empowers partners with enhanced security and access control capabilities. By understanding GDAP's features and roles, partners can better address customer concerns and compliance requirements.


How can Cloudcockpit help you? 

  1. Effortless Onboarding: When it comes to onboarding new customers and establishing GDAP relationships, Cloudcockpit simplifies the process. We automate email generation, complete with the necessary links, making it a breeze for your customers to accept GDAP relationships effortlessly.
  2. GDAP Management Made Easy: For each customer, Cloudcockpit provides a dedicated GDAP manager section. Here, you can efficiently oversee GDAP relationships, ensuring they are up-to-date and valid. Past information is readily accessible, offering a comprehensive view of your GDAP history.
  3. Streamlined Role Allocation: Cloudcockpit allows you to easily determine the most suitable roles for each customer. With our platform, you can directly access and consult role information, ensuring that your customers have the perfect roles tailored to their needs.