GDAP

What is GDAP and what does it mean for you?

Written by CloudCockpit Team

 

This article explains what GDAP (Granular Delegated Admin Privileges) is and what it means for Microsoft CSP partners. 

  • A complete guide to Granular Delegated Admin Privileges for Microsoft CSP partners, covering how GDAP replaced DAP, how GDAP relationships work in Partner Center, which Microsoft Entra roles are used, and how to manage relationship expiry and auto-extend at scale. Intended for Direct Bill partners, Indirect Resellers, and Indirect Providers managing customer tenants.

 


 

What Is GDAP and What Does It Mean for You?

By CloudCockpit Team | Published: December 15, 2022 | Last updated: May 12, 2026

GDAP (Granular Delegated Admin Privileges) is the security model Microsoft now requires for all CSP partner access to customer tenants. It replaced DAP (Delegated Admin Privileges) starting in 2023, and understanding how it works is not optional: every customer relationship you manage today runs on GDAP.


 

What Is GDAP?

GDAP stands for Granular Delegated Admin Privileges. It is a security feature in Microsoft Partner Center that gives CSP partners granular, time-bound access control to their customers' workloads by granting permissions through specific Microsoft Entra roles.

Customers must explicitly approve each GDAP relationship request through the Microsoft 365 admin center. There is no implied consent and no automatic access when you onboard a new customer: access must be requested, scoped to specific roles, and approved before you can administer any service on a customer's behalf.

The design follows Microsoft's Zero Trust security model: verify explicitly, use least privilege, and assume breach. Under GDAP, partners receive only the administrator roles they need, for the specific duration required, rather than broad administrative access by default.


 

DAP vs GDAP: What Changed and Why

Under DAP (Delegated Admin Privileges), creating a new customer relationship in Partner Center automatically granted the partner's Admin Agents the Global Administrator role on the customer's tenant (and Helpdesk Agents the Helpdesk Administrator role). That access had no expiry date and no role scoping: any Admin Agent could do anything a global admin could do, for as long as the reseller relationship existed.

That model created a significant security exposure. In 2021, the NOBELIUM nation-state threat actor exploited DAP relationships to move laterally through CSP-managed tenants, compromising end-customer environments through partner access. Microsoft's response was to design GDAP as a replacement.

The transition happened in stages. On September 25, 2023, Microsoft stopped granting DAP for any new customer relationship. New customers now receive a Default GDAP with a defined set of Microsoft Entra roles instead of a Global Administrator connection. Existing DAP relationships were migrated to GDAP through a Microsoft-led transition, after which DAP was removed.

 

Feature           | DAP                                          | GDAP
------------------|----------------------------------------------|-------------------------------------------------------------------
Access type       | Global Administrator (all permissions)       | Specific Microsoft Entra roles, selected per task
Duration          | No expiry                                    | 1 day to 2 years (730 days) maximum
Customer approval | Implicit, at reseller relationship creation  | Explicit, per relationship request
Auto-extend       | Not applicable                               | Yes, by 6 months (not available if Global Administrator is included)
Access scope      | All services, all customers                  | Per relationship, per customer, per role

 

CloudCockpit note: The NOBELIUM attack demonstrated that broad, permanent admin access across hundreds of customer tenants creates a systemic risk: compromise one partner account and you have access to every customer that partner manages. That is the operational reality DAP created at scale. GDAP closes the exposure by scoping access per customer and per task, but it creates a different operational challenge: partners now have dozens or hundreds of individual GDAP relationships to track, each with its own expiry date, role set, and approval state. 


 

How GDAP Works: Relationships, Security Groups, and Role Assignment

A GDAP relationship connects three components:

  • the partner's Microsoft Entra tenant,
  • one or more security groups in that partner tenant, and
  • a set of Microsoft Entra roles scoped to the customer's tenant.

When you create a GDAP relationship, you select the Microsoft Entra roles the relationship covers and the duration in days (from 1 day up to a maximum of 730). The customer receives an email with a personalized link and approves the request in the Microsoft 365 admin center. Once approved, you assign the granted roles to one or more security groups in your own tenant. Members of those security groups can then sign in to administer the customer's services.

Partners can hold multiple GDAP relationships with the same customer, each covering different roles and durations. A partner managing Azure, Microsoft 365, and Dynamics 365 for a customer would typically set up separate relationships for each workload, aligned to the teams responsible for each service.

One constraint to plan for: Microsoft limits partners to 100 security groups per customer. Partners with complex access partitioning across many workloads should audit their group structure before approaching that limit.


 

Setting Up a GDAP Relationship in Partner Center

Setting up a GDAP relationship requires the Admin Agent role in Partner Center. Here is the exact sequence:

  1. Sign in to Partner Center and open the Customers workspace.
  2. Select the customer account, then go to Admin relationships > Request for new relationship.
  3. Enter a relationship name. It must be unique and is visible to the customer in the Microsoft 365 admin center.
  4. Set the duration in days (between 1 and 730).
  5. Select the Microsoft Entra roles to include. Use Microsoft's least-privileged roles by task reference to request only what the task requires.
  6. Set Auto Extend to Yes if you want the relationship to renew automatically.
  7. Select Finalize request. Partner Center generates a personalized approval link and sends it to the customer.
  8. The customer approves the request in the Microsoft 365 admin center. Once approved, assign the granted roles to the appropriate security groups in your tenant.

A GDAP request in "Approval Pending" status expires automatically after 90 days if the customer takes no action. Partners cannot terminate a request while it is in that state.
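The same eight steps can be driven through Microsoft Graph instead of the Partner Center UI, which is how partners script onboarding at scale. The block below is an added example written for this article, not CloudCockpit's or Microsoft's code. The Graph endpoints (`/tenantRelationships/delegatedAdminRelationships`, the `lockForApproval` request action, and `accessAssignments`) and the `P<n>D` / `PT0S` / `P180D` duration encodings are the documented ones; the HTTP transport is injected and replaced by an in-memory fake, the tenant and group IDs are constructed placeholders, and the role template IDs should be confirmed against `GET /directoryRoleTemplates` in your own tenant. A real run needs an identity in the partner tenant holding `DelegatedAdminRelationship.ReadWrite.All`; the fake skips the wait for the customer to click approve.

```python
"""GDAP request flow via Microsoft Graph: create, lock for approval, assign roles.

Added example for this article (not CloudCockpit's or Microsoft's code).
The transport is injected, so the module runs offline against fake_sender().
"""
from __future__ import annotations

from typing import Callable, Iterable, Optional

GRAPH = "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships"

# Entra built-in role template IDs (well-known values; verify with GET /directoryRoleTemplates).
ROLE_TEMPLATES = {
    "Global Administrator": "62e90394-69f5-4237-9190-012177145e10",
    "Global Reader": "f2ef992c-3afb-46b9-b7cf-a126ee74c451",
    "User Administrator": "fe930be7-5e62-47db-91af-98c3a49a38b1",
    "Helpdesk Administrator": "729827e3-9c14-49f7-bb1b-9608f156bbb8",
    "License Administrator": "4d6ac14f-3453-41d0-bef9-a3e0c569773a",
    "Service Support Administrator": "f023fd81-a637-4b56-95fd-791ac0226033",
    "Password Administrator": "966707d0-3269-4727-9be2-8c3a10f19b9d",
}
GLOBAL_ADMIN_ID = ROLE_TEMPLATES["Global Administrator"]

# send(method, url, json_body) -> parsed JSON response; an authenticated Graph client in production.
Sender = Callable[[str, str, Optional[dict]], dict]


def relationship_body(name: str, customer_tenant_id: str, roles: Iterable[str],
                      days: int, auto_extend: bool) -> dict:
    """Payload for POST .../delegatedAdminRelationships (steps 3-6 above)."""
    if not 1 <= days <= 730:
        raise ValueError("GDAP duration must be between 1 and 730 days")
    role_ids = [ROLE_TEMPLATES[r] for r in roles]
    if auto_extend and GLOBAL_ADMIN_ID in role_ids:
        # Partner Center does not flag this at setup; fail loudly here instead.
        raise ValueError("auto-extend is not available when Global Administrator is included")
    return {
        "displayName": name,
        "duration": f"P{days}D",                          # ISO 8601 duration
        "customer": {"tenantId": customer_tenant_id},
        "accessDetails": {"unifiedRoles": [{"roleDefinitionId": r} for r in role_ids]},
        "autoExtendDuration": "P180D" if auto_extend else "PT0S",
    }


def access_assignment_body(group_id: str, roles: Iterable[str], granted: dict) -> dict:
    """Payload for POST .../{id}/accessAssignments (step 8): only approved roles may be bound."""
    granted_ids = {u["roleDefinitionId"] for u in granted["accessDetails"]["unifiedRoles"]}
    role_ids = [ROLE_TEMPLATES[r] for r in roles]
    missing = [r for r in role_ids if r not in granted_ids]
    if missing:
        raise ValueError(f"roles not granted by the relationship: {missing}")
    return {
        "accessContainer": {"accessContainerId": group_id, "accessContainerType": "securityGroup"},
        "accessDetails": {"unifiedRoles": [{"roleDefinitionId": r} for r in role_ids]},
    }


def request_relationship(send: Sender, name: str, customer_tenant_id: str,
                         roles: list[str], days: int, auto_extend: bool) -> dict:
    """Steps 3-7: create the relationship, then lock it so the customer can approve it."""
    created = send("POST", GRAPH, relationship_body(name, customer_tenant_id, roles, days, auto_extend))
    send("POST", f"{GRAPH}/{created['id']}/requests", {"action": "lockForApproval"})
    return created


def assign_after_approval(send: Sender, relationship: dict, group_id: str, roles: list[str]) -> dict:
    """Step 8: once the customer has approved (status 'active'), bind roles to a partner security group."""
    current = send("GET", f"{GRAPH}/{relationship['id']}", None)
    if current["status"] != "active":
        raise RuntimeError(f"relationship is '{current['status']}', not active: customer has not approved")
    return send("POST", f"{GRAPH}/{relationship['id']}/accessAssignments",
                access_assignment_body(group_id, roles, current))


def fake_sender(customer_approves: bool = True) -> tuple[Sender, list]:
    """Offline stand-in for an authenticated Graph client; records every call it receives."""
    calls: list = []
    state: dict = {}

    def send(method: str, url: str, body: Optional[dict]) -> dict:
        calls.append((method, url, body))
        if method == "POST" and url == GRAPH:
            state.update(body, id="rel-0001", status="created")
        elif url.endswith("/requests"):
            # A real tenant stays 'approvalPending' until the customer approves in the M365 admin center.
            state["status"] = "active" if customer_approves else "approvalPending"
        elif method == "GET":
            return dict(state)
        return {"id": state["id"], "status": state["status"]}

    return send, calls


if __name__ == "__main__":
    send, calls = fake_sender()
    rel = request_relationship(send, "Contoso - support desk", "00000000-0000-0000-0000-000000000001",
                               ["Service Support Administrator", "License Administrator"], 365, True)
    assign_after_approval(send, rel, "sg-contoso-helpdesk", ["Service Support Administrator"])
    for method, url, _ in calls:
        print(method, url)
```

The two `ValueError` paths are the checks worth keeping in any automation: refusing auto-extend on a Global Administrator relationship, and refusing to bind a group to a role the customer never approved.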


 

GDAP Relationship Lifecycle: Duration, Expiry, and Auto-Extend

GDAP relationships have a defined end date from the moment they are approved. The maximum duration is 2 years (730 days). When a relationship expires, users in the associated security groups immediately lose access to administer the customer's services. Expired relationships cannot be restored: you must request a new relationship and get fresh customer approval.

Partner Center surfaces expiry warnings at 30 days, 7 days, and 1 day before the end date. Both partners and customers receive email notifications at each threshold.

Auto-Extend removes most of the manual renewal work. When enabled on an active GDAP relationship, it extends the relationship by 6 months automatically. Customer approval is not required to enable Auto-Extend on an existing active relationship. Partners can enable or disable Auto-Extend on up to 25 relationships at a time from the Expiring Granular Relationships page in Partner Center.

There is one critical exception:

GDAP relationships that include the Global Administrator role cannot be auto-extended. Microsoft designed this deliberately to prevent permanent high-privilege access from persisting indefinitely. Partners relying on Global Administrator for specific customer relationships must manage those renewals manually, every cycle.

CloudCockpit note: The Auto-Extend exception for Global Administrator relationships is easy to overlook during GDAP setup. A partner who enables Auto-Extend across their entire customer base will find, at some point, that a subset of relationships failed to renew because they include Global Administrator. Partner Center does not flag this proactively at setup: it becomes apparent when the relationship expires and access is lost. The operational fix is to audit which GDAP relationships include Global Administrator, decide whether that level of access is genuinely required or whether a lower-privilege role covers the task, and set a manual renewal calendar for the ones you keep. 
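The audit described in that note is mechanical enough to script. The block below is an added example for this article, not CloudCockpit's or Microsoft's code. It consumes relationships in the shape Graph returns from `GET /tenantRelationships/delegatedAdminRelationships` (only `id`, `displayName`, `status`, `createdDateTime`, `endDateTime`, `autoExtendDuration` and `accessDetails.unifiedRoles` are used) and applies the rules from this section: Global Administrator relationships go on a manual renewal calendar regardless of any auto-extend setting, active relationships without auto-extend are flagged, the 30/7/1-day notice tier is computed, and pending requests approaching the 90-day cut-off are surfaced. The five relationships at the bottom are constructed sample data, not real tenants.

```python
"""GDAP expiry and auto-extend audit over Graph-shaped relationship records.

Added example for this article (not CloudCockpit's or Microsoft's code).
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Optional

GLOBAL_ADMIN_ID = "62e90394-69f5-4237-9190-012177145e10"   # Entra role template ID
NOTICE_DAYS = (1, 7, 30)         # Partner Center warning thresholds, ascending
PENDING_TTL_DAYS = 90            # approval-pending requests expire after 90 days
NO_AUTO_EXTEND = "PT0S"          # Graph encodes "auto-extend off" as a zero ISO 8601 duration


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _notice_tier(days_left: int) -> Optional[int]:
    """Which of the 1/7/30-day warnings applies: the smallest threshold not yet passed."""
    return next((d for d in NOTICE_DAYS if days_left <= d), None)


def audit(relationships: list[dict], now: datetime) -> list[dict]:
    """Turn delegatedAdminRelationship records into a renewal work list, most urgent first."""
    findings = []
    for rel in relationships:
        roles = {u["roleDefinitionId"] for u in rel["accessDetails"]["unifiedRoles"]}
        has_ga = GLOBAL_ADMIN_ID in roles
        status = rel["status"]
        entry = {"id": rel["id"], "name": rel["displayName"], "status": status,
                 "global_admin": has_ga, "days_left": None}
        if status == "approvalPending":
            age = (now - _parse(rel["createdDateTime"])).days
            entry["days_left"] = PENDING_TTL_DAYS - age
            entry["action"] = ("chase customer approval: request expires soon"
                               if entry["days_left"] <= 14 else "waiting for customer approval")
        elif status == "active":
            days_left = (_parse(rel["endDateTime"]) - now).days
            # Auto-extend never applies when Global Administrator is in the role set.
            auto = (not has_ga) and rel.get("autoExtendDuration", NO_AUTO_EXTEND) != NO_AUTO_EXTEND
            entry.update(days_left=days_left, auto_extend=auto, notice=_notice_tier(days_left))
            if has_ga:
                entry["action"] = ("manual renewal: request a new relationship before the end date"
                                   if days_left <= 30
                                   else "manual renewal calendar: Global Administrator blocks auto-extend")
            elif not auto:
                entry["action"] = "enable auto-extend (no customer approval needed on an active relationship)"
            else:
                entry["action"] = "ok: auto-extend adds 6 months at expiry"
        else:
            # expired / terminated: cannot be restored, only re-requested
            if "endDateTime" in rel:
                entry["days_left"] = (_parse(rel["endDateTime"]) - now).days
            entry["action"] = "request a new relationship and fresh customer approval"
        findings.append(entry)
    findings.sort(key=lambda e: e["days_left"] if e["days_left"] is not None else 10**6)
    return findings


def sample_relationships(now: datetime) -> list[dict]:
    """Constructed sample data in Graph's shape; tenants and IDs are fictitious."""
    def iso(dt: datetime) -> str:
        return dt.isoformat().replace("+00:00", "Z")

    def rel(id_, name, status, roles, end_days=None, auto=NO_AUTO_EXTEND, created_days=0):
        r = {"id": id_, "displayName": name, "status": status,
             "createdDateTime": iso(now - timedelta(days=created_days)),
             "accessDetails": {"unifiedRoles": [{"roleDefinitionId": x} for x in roles]},
             "autoExtendDuration": auto}
        if end_days is not None:
            r["endDateTime"] = iso(now + timedelta(days=end_days))
        return r

    SSA = "f023fd81-a637-4b56-95fd-791ac0226033"   # Service Support Administrator
    LIC = "4d6ac14f-3453-41d0-bef9-a3e0c569773a"   # License Administrator
    return [
        rel("r1", "Contoso - M365 ops", "active", [SSA, LIC], end_days=10, auto="P180D"),
        rel("r2", "Fabrikam - GA migration", "active", [GLOBAL_ADMIN_ID, SSA], end_days=5),
        rel("r3", "Northwind - licensing", "active", [LIC], end_days=200),
        rel("r4", "Tailspin - onboarding", "approvalPending", [SSA], created_days=85),
        rel("r5", "Woodgrove - legacy", "expired", [SSA], end_days=-3),
    ]


if __name__ == "__main__":
    now = datetime(2026, 5, 12, tzinfo=timezone.utc)
    for f in audit(sample_relationships(now), now):
        print(f"{f['days_left']!s:>5}d  {f['name']:<26} {f['action']}")
```

Run against real data, the `global_admin` column is the list to take to the customer: each entry is either a candidate for a lower-privilege role or a dated manual renewal.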


 

The Microsoft Entra Roles Available Under GDAP

Since September 25, 2023, every new customer relationship in Partner Center creates a Default GDAP with a specific set of Microsoft Entra roles assigned automatically. The default set for Direct Bill partners and Indirect Providers includes 11 roles: Directory Readers, Directory Writers, Global Reader, License Administrator, Service Support Administrator, User Administrator, Privileged Role Administrator, Helpdesk Administrator, Privileged Authentication Administrator, Cloud Application Administrator, and Application Administrator.

Indirect Resellers receive the same set minus Cloud Application Administrator and Application Administrator (9 roles total).

For custom GDAP relationships, partners can select any Microsoft Entra built-in role. Microsoft's guidance is to request the lowest-privilege role that covers the task. The full least-privileged roles by task reference maps each common administrative action to its minimum required role: submitting a support ticket requires Service Support Administrator; assigning a license requires License Administrator; resetting a non-admin password requires Password Administrator.

As of December 2024, Microsoft added 17 additional Microsoft Entra roles to the Partner Center UI, expanding what partners can configure without requiring API access.

CloudCockpit note: Selecting the correct Microsoft Entra roles for each GDAP relationship is manageable at onboarding. It becomes a real operational challenge at scale, across 50 or 200 customers with different service configurations and different support scope. The practical pattern at scale is that partners request the full default role set for every customer and never revisit it: over-provisioning is operationally easier than maintaining granular configurations per customer. That works until a customer's compliance or security team audits their partner access. A customer running only Microsoft 365 Business Basic who discovers their partner holds Privileged Role Administrator access will have legitimate concerns. 
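The gap between "full default role set" and "what the support scope actually needs" can be measured rather than argued. The block below is an added example for this article, not CloudCockpit's or Microsoft's code. It encodes, for a handful of tasks, the chain of roles that can perform each one from least to most privileged (the three task-to-role pairs the article cites, plus Directory Readers for read-only directory access and User Administrator for user management, all from Microsoft's least-privileged roles by task guidance), then reviews a relationship's role set against the tasks a partner performs for that customer. Roles that can grant or take over other administrators' access are reported separately, because those are the first ones a customer's security team will ask about. The Business Basic scenario at the bottom is the constructed case from the note above.

```python
"""Least-privilege gap review for a GDAP relationship's role set.

Added example for this article (not CloudCockpit's or Microsoft's code).
"""
from __future__ import annotations

from typing import Iterable

# task -> roles that can perform it, least privileged first (per Microsoft's task guidance)
TASK_ROLES = {
    "open support ticket": ["Service Support Administrator", "Helpdesk Administrator",
                            "Global Administrator"],
    "assign license": ["License Administrator", "User Administrator", "Global Administrator"],
    "reset non-admin password": ["Password Administrator", "Helpdesk Administrator",
                                 "Authentication Administrator", "User Administrator",
                                 "Privileged Authentication Administrator", "Global Administrator"],
    "read directory objects": ["Directory Readers", "Global Reader", "Global Administrator"],
    "create and manage users": ["User Administrator", "Global Administrator"],
}

# Roles that can hand out, or take over, other administrators' access.
ELEVATION_CAPABLE = {
    "Global Administrator",
    "Privileged Role Administrator",            # can assign any Entra role, including Global Administrator
    "Privileged Authentication Administrator",  # can reset authentication methods for any user, including GAs
}

# Default GDAP role sets as described in this article.
DEFAULT_GDAP_DIRECT_BILL = {
    "Directory Readers", "Directory Writers", "Global Reader", "License Administrator",
    "Service Support Administrator", "User Administrator", "Privileged Role Administrator",
    "Helpdesk Administrator", "Privileged Authentication Administrator",
    "Cloud Application Administrator", "Application Administrator",
}
DEFAULT_GDAP_INDIRECT_RESELLER = DEFAULT_GDAP_DIRECT_BILL - {
    "Cloud Application Administrator", "Application Administrator"}


def review(held_roles: Iterable[str], tasks: Iterable[str]) -> dict:
    """Compare the roles a relationship holds with the roles its tasks actually need."""
    held = set(held_roles)
    tasks = list(tasks)
    unknown = [t for t in tasks if t not in TASK_ROLES]
    if unknown:
        raise ValueError(f"no role mapping for tasks: {unknown}")

    used: set[str] = set()        # roles that cover at least one task
    downgrades: dict = {}          # task -> (role used today, least-privileged alternative)
    uncovered: list[str] = []      # tasks no held role can perform
    for task in tasks:
        chain = TASK_ROLES[task]
        covering = next((r for r in chain if r in held), None)
        if covering is None:
            uncovered.append(task)
            continue
        used.add(covering)
        if covering != chain[0]:
            downgrades[task] = (covering, chain[0])

    excess = held - used
    elevation_excess = excess & ELEVATION_CAPABLE
    if elevation_excess:
        verdict = "over-provisioned: elevation-capable roles held with no task that needs them"
    elif excess or downgrades:
        verdict = "over-provisioned"
    else:
        verdict = "least privilege"
    return {
        "minimum": {TASK_ROLES[t][0] for t in tasks},
        "used": used,
        "excess": excess,
        "elevation_capable_excess": elevation_excess,
        "downgrades": downgrades,
        "uncovered": uncovered,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed scenario: a Microsoft 365 Business Basic customer whose support scope is three tasks.
    scope = ["open support ticket", "assign license", "reset non-admin password"]
    result = review(DEFAULT_GDAP_DIRECT_BILL, scope)
    print("verdict:", result["verdict"])
    print("request instead:", sorted(result["minimum"]))
    print("remove:", sorted(result["excess"]))
    for task, (now_role, better) in result["downgrades"].items():
        print(f"{task}: using {now_role}, {better} is enough")
```

The `minimum` set is what the custom relationship request should contain; `excess` is the list to remove at the next renewal, with `elevation_capable_excess` handled first.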


 

The Bottom Line

GDAP is now the standard for every customer relationship a CSP partner manages. DAP is no longer available for new customers, and existing DAP connections have been replaced. The access model has fundamentally changed: instead of a single, open-ended admin connection per customer, each relationship is scoped to specific Microsoft Entra roles and a defined time window, with a maximum duration of 2 years.

The security case for GDAP is clear. The operational challenge is managing that complexity at scale: dozens or hundreds of relationships, each with its own expiry date, role set, and approval state. Partners who rely on the Global Administrator role will find they cannot use Auto-Extend on those relationships and must plan manual renewals each cycle.

Partners who set up GDAP correctly from the start, use least-privileged roles per Microsoft's task guidance, and have a consolidated view of relationship status across their customer base will not feel that complexity. The ones who will feel it are the ones managing GDAP through email notifications and Partner Center's per-relationship dashboard, at scale.


 

Frequently Asked Questions

What is GDAP (Granular Delegated Admin Privileges)?

GDAP is a Microsoft security feature in Partner Center that gives CSP partners least-privileged, time-bound access to customer tenants. Instead of the broad Global Administrator access that DAP provided, GDAP lets partners request specific Microsoft Entra roles for a defined period of up to 2 years. Customers must explicitly approve each relationship request through the Microsoft 365 admin center. GDAP follows Zero Trust principles: partners receive only the roles they need, for as long as they need them, rather than broad administrative access by default.

What is the difference between GDAP and DAP?

DAP (Delegated Admin Privileges) granted CSP partners automatic Global Administrator access to customer tenants when a reseller relationship was created, with no expiry date. GDAP replaced that model: partners request specific Microsoft Entra roles and set an access duration of up to 2 years. Customers must approve each relationship explicitly. Since September 25, 2023, Microsoft no longer grants DAP for new customer relationships. All new customers now receive a Default GDAP with a defined set of Microsoft Entra roles.

How does a CSP partner set up a GDAP relationship in Partner Center?

An Admin Agent signs in to Partner Center, selects the customer account, and goes to Admin relationships > Request for new relationship. The partner sets the duration in days (maximum 730), selects the required Microsoft Entra roles, and optionally enables Auto Extend. Partner Center sends the customer an invitation email with a personalized approval link. The customer approves in the Microsoft 365 admin center. Once approved, the partner assigns the granted roles to security groups in their own tenant, and members of those groups can administer the customer's services.

What Microsoft Entra roles are included in a Default GDAP relationship?

Since September 25, 2023, new customer relationships receive a Default GDAP with roles assigned automatically. Direct Bill partners and Indirect Providers receive 11 roles: Directory Readers, Directory Writers, Global Reader, License Administrator, Service Support Administrator, User Administrator, Privileged Role Administrator, Helpdesk Administrator, Privileged Authentication Administrator, Cloud Application Administrator, and Application Administrator. Indirect Resellers receive 9 of those roles (the same set minus Cloud Application Administrator and Application Administrator). Partners can request additional Microsoft Entra roles for custom GDAP relationships, following Microsoft's least-privileged roles by task reference.

What happens when a GDAP relationship expires?

When a GDAP relationship reaches its end date, members of the associated security groups immediately lose access to administer the customer's services. Expired GDAP relationships cannot be restored. A new relationship request must be submitted and approved by the customer. To avoid disruption, enable Auto-Extend on active relationships: it extends them by 6 months automatically without requiring customer approval. One exception: relationships that include the Global Administrator role cannot use Auto-Extend and must be renewed manually each cycle.