Deadlines Loom For Microsoft Security Partners’ Granular Delegated Administrator Priveleges Transition

Starting Jan. 17, Microsoft will no longer create DAP when a new customer or reseller relationship is created, according to a post by the tech giant. To manage customers, partners will need to request GDAP roles from customers.


As Microsoft partners enter the new year, two important dates are on the horizon for the vendor’s rollout of granular delegated administrator privileges, which are billed as a more secure model for administering customer tenants in products including Microsoft 365, Dynamics 365 and Azure. 

Starting Jan. 17, Microsoft will no longer create delegated administrative privileges (DAP) when a new customer or reseller relationship is created, according to a post by the tech giant. 

To manage customers, partners will need to request granular delegated admin privileges (GDAP) roles from customers. Starting Jan. 17, Microsoft will also remove inactive DAP relationships unused for at least 90 days. 

Microsoft GDAP Update

CRN has reached out to Microsoft for comment. 

Zac Paulson, CEO of Fargo, N.D.-based Microsoft partner TrueIT—a member of CRN’s 2022 Managed Service Provider 500—told CRN that security enhancements such as GDAP might mean more work for partners, but “they are the right thing to do” for customers and designating responsibility for information security. 

“Customers may need this level of security to meet regulatory compliance, but they also should just be cautious in general about who has access to their systems,” Paulson said. 

Microsoft also reminds partners to remove DAP relationships once a GDAP transition is completed. 

On March 1, Microsoft’s bulk migration tool for upgrading DAP connections to GDAP will go away, according to the vendor. Microsoft will also start moving active DAP relationships to GDAP with limited Azure Active Directory (AD) roles. 

Those limited roles—including directory reader, global reader, user administrator, license administrator, service support administrator and help desk administrator—will only allow least-privileged customer management activities. 

All other access permissions including Exchange workloads access will be lost unless customers grant additional GDAP roles. 

Although GDAP relationships are two years long by default—the maximum length—partners can reduce the period to as little as one day, according to Microsoft. Permanent relationships and automatic renewals aren’t possible for security. 

Indirect resellers, including distributors (or indirect providers, as Microsoft calls them), and direct-bill partners can also create GDAP relationships. 

Azure users can implement privileged identity management on GDAP security groups to elevate high-privilege users’ access.

Leave a Reply

Your email address will not be published.