The Shift from DAP to GDAP

Last Updated on March 4, 2024 by Arnav Sharma

Microsoft is committed to providing enhanced security practices across its platforms. As part of this effort, the company is moving partners from Delegated Admin Privileges (DAP) to Granular Delegated Admin Privileges (GDAP) for the management of Azure, Microsoft 365, and other cloud resources, changing how delegated permissions are assigned and managed. The change benefits everyone involved, Microsoft, its partners, and their customers, by creating a more secure and manageable environment.

DAP and GDAP: An Overview

  • DAP (Delegated Admin Privileges): Traditionally, Cloud Solution Providers (CSPs), indirect resellers, and other Microsoft partners used DAP to manage their customers’ services. DAP gave the partner’s Admin Agents group Global Administrator access across a customer’s entire tenant, with no expiry.
  • GDAP (Granular Delegated Admin Privileges): GDAP is a more refined permissions model. Instead of broad administrative access, GDAP lets partners request specific Microsoft Entra roles, for a fixed duration, scoped to the tasks actually required to manage the customer environment.

Why is Microsoft Transitioning from DAP to GDAP?

The move from DAP to GDAP is fundamentally about security. DAP’s standing, tenant-wide permissions posed unnecessary risk: a compromised partner account was a Global Administrator in every customer tenant. With GDAP, monitoring is enhanced, including default GDAP reporting in Partner Center, and partners and Microsoft work together to establish a “least privilege” model, minimizing the attack surface a partner relationship exposes.

Key Points:

  • Transition to GDAP as Soon as Possible: It’s imperative for partners to proactively transition their existing DAP relationships to GDAP. Microsoft is phasing out support for DAP.
  • Create GDAP Relationships: Microsoft Partners should prioritize using GDAP for all new customer relationships. The process is straightforward via the Microsoft Partner Center.
  • Use Microsoft 365 Lighthouse: For multi-tenant management, use Microsoft 365 Lighthouse to leverage GDAP relationships effectively.
  • GDAP Security: GDAP is inherently more secure because its granular, time-bound permissions replace the standing tenant-wide privileges of DAP.

The DAP to GDAP Transition Process

  • Create a GDAP Relationship: Partners initiate the process in the Partner Center by requesting specific roles for a set duration. The customer receives the GDAP relationship request and must approve it.
  • GDAP Takes Precedence Over DAP: While a customer has both a DAP and a GDAP relationship with the same partner, the GDAP permissions take precedence, so the granular controls apply even before DAP is removed.
  • Remove DAP: Microsoft recommends that partners remove DAP relationships after moving customers from DAP to GDAP. This can be done in the Partner Center or with the GDAP bulk migration tool.
    • Microsoft will remove the DAP relationship if no additional activity takes place within 30 days after the partner has established a new GDAP relationship.
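The steps above describe the transition in the portal; a practitioner also wants a way to check, across all customers, that the resulting GDAP relationships really are least-privilege and that nothing has been left pending or about to expire. The following is an added example and not code from the original post or from Microsoft. It audits records in the shape returned by Microsoft Graph v1.0 at `GET /tenantRelationships/delegatedAdminRelationships` (the `id`, `status`, `duration`, `customer`, `accessDetails.unifiedRoles` and `endDateTime` fields). The sample response is constructed for the example, the tenant IDs in it are placeholders, and the policy thresholds (`MAX_DURATION_DAYS`, `EXPIRY_WARNING_DAYS`) are assumed partner policy, not Microsoft limits. The role template IDs are the documented Microsoft Entra built-in role IDs, which are the same in every tenant.

```python
"""Audit GDAP relationships for least privilege (added example, not Microsoft's code)."""
import json
import re
from datetime import datetime, timezone

# Microsoft Entra built-in role template IDs (identical across tenants).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
PRIV_ROLE_ADMIN = "e8611ab8-c189-46e8-94e1-60213ab1f814"
HELPDESK_ADMIN = "729827e3-9c14-49f7-bb1b-9608f156bbb8"
SECURITY_READER = "5d6b6bb7-de71-4623-b4af-96380a352509"
GLOBAL_READER = "f2ef992c-3afb-46b9-b7cf-a126ee74c451"

ROLE_NAMES = {
    GLOBAL_ADMIN: "Global Administrator",
    PRIV_ROLE_ADMIN: "Privileged Role Administrator",
    HELPDESK_ADMIN: "Helpdesk Administrator",
    SECURITY_READER: "Security Reader",
    GLOBAL_READER: "Global Reader",
}
# Roles that reproduce DAP's tenant-wide reach and do not belong in a standing GDAP grant.
DAP_EQUIVALENT_ROLES = {GLOBAL_ADMIN, PRIV_ROLE_ADMIN}
MAX_DURATION_DAYS = 365    # assumed partner policy (Graph itself allows up to P730D)
EXPIRY_WARNING_DAYS = 30   # assumed partner policy

# Constructed sample in the shape of the Graph v1.0 delegatedAdminRelationships response.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "gdap-contoso-helpdesk", "displayName": "Contoso helpdesk", "status": "active",
     "duration": "P180D", "endDateTime": "2024-09-01T00:00:00Z",
     "customer": {"tenantId": "00000000-0000-0000-0000-000000000001", "displayName": "Contoso"},
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": HELPDESK_ADMIN},
                                        {"roleDefinitionId": SECURITY_READER}]}},
    {"id": "gdap-fabrikam-full", "displayName": "Fabrikam full admin", "status": "active",
     "duration": "P730D", "endDateTime": "2026-03-01T00:00:00Z",
     "customer": {"tenantId": "00000000-0000-0000-0000-000000000002", "displayName": "Fabrikam"},
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": GLOBAL_ADMIN}]}},
    {"id": "gdap-northwind-pending", "displayName": "Northwind reader", "status": "approvalPending",
     "duration": "P90D", "endDateTime": None,
     "customer": {"tenantId": "00000000-0000-0000-0000-000000000003", "displayName": "Northwind"},
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": GLOBAL_READER}]}},
]})


def parse_duration_days(duration):
    """Graph reports GDAP duration as an ISO 8601 day count such as 'P180D'."""
    m = re.fullmatch(r"P(\d+)D", duration or "")
    return int(m.group(1)) if m else None


def audit_relationship(rel, now):
    """Return a list of findings for one relationship; an empty list means it passes."""
    findings = []
    roles = [r["roleDefinitionId"] for r in rel.get("accessDetails", {}).get("unifiedRoles", [])]
    if not roles:
        findings.append("no roles requested; relationship is unusable or misconfigured")
    for rid in roles:
        if rid in DAP_EQUIVALENT_ROLES:
            findings.append(f"grants {ROLE_NAMES.get(rid, rid)}; equivalent to DAP-era tenant-wide access")
    status = rel.get("status")
    if status != "active":
        findings.append(f"status is '{status}', not active")
    days = parse_duration_days(rel.get("duration"))
    if days is None:
        findings.append(f"duration '{rel.get('duration')}' is not in PnD form")
    elif days > MAX_DURATION_DAYS:
        findings.append(f"duration {days}d exceeds policy maximum {MAX_DURATION_DAYS}d")
    end = rel.get("endDateTime")
    if end:  # unset until the customer approves and the relationship activates
        remaining = (datetime.fromisoformat(end.replace("Z", "+00:00")) - now).days
        if remaining < 0:
            findings.append("expired")
        elif remaining <= EXPIRY_WARNING_DAYS:
            findings.append(f"expires in {remaining} days")
    return findings


def audit(response_json, now_iso=None):
    """Map relationship id -> findings for every record in a Graph response body."""
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00")) if now_iso
           else datetime.now(timezone.utc))
    return {rel["id"]: audit_relationship(rel, now) for rel in json.loads(response_json)["value"]}


def relationships_needing_action(report):
    """Ids with at least one finding, sorted for a stable ticket list."""
    return sorted(rid for rid, findings in report.items() if findings)


if __name__ == "__main__":
    for rid, findings in audit(SAMPLE_RESPONSE, now_iso="2024-03-04T00:00:00Z").items():
        print(rid, "OK" if not findings else "; ".join(findings))
```

With the constructed sample, the Contoso helpdesk relationship passes, the Fabrikam relationship is flagged twice (it grants Global Administrator and runs for 730 days, which is DAP under a new name), and the Northwind request is flagged because the customer has not yet approved it. Against a real tenant the same function can be fed the body of a paged Graph call; the Global Administrator finding is the one that most often survives a DAP migration, because it is the easiest role to request and the one the customer is least likely to question.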

GDAP’s Advantages

  • Enhanced Security: Limits potential cyber-attack surfaces while still providing partners with the necessary level of access.
  • Improved Role Assignment: GDAP simplifies role management, using the principle of least privilege to prevent inadvertent security compromises.
  • Customer Trust: GDAP assures customers that partners hold only the permissions required for the tasks they are authorized to perform, because each GDAP relationship names the roles and duration the customer explicitly approved.

Important Considerations

  • Microsoft will stop granting DAP for new customer environments. Existing DAP relationships may be subject to additional Microsoft service restrictions.
  • Microsoft’s transition from DAP to GDAP includes Azure, Microsoft 365, Dynamics 365, and Microsoft Power Platform.

The Shift from DAP to GDAP: Conclusion

The move to GDAP aligns with Microsoft’s commitment to securing its cloud solutions. While requiring adjustment for partners, GDAP provides significantly improved security compared to DAP. Here’s what Microsoft partners need to do:

  • Create GDAP relationships whenever possible and migrate from DAP
  • Use GDAP as the default administration model for customer tenants.
  • Enable a ‘least privilege’ security model to better protect customer resources.

FAQ: Granular Delegated Admin Privileges

Q: What is the relationship between CSP and GDAP in Microsoft’s partner ecosystem?

In Microsoft’s partner ecosystem, CSP (Cloud Solution Provider) and GDAP (Granular Delegated Admin Privileges) are closely related. CSP is the program that allows Microsoft partners to sell and manage Microsoft products and services; GDAP is the security model through which those partners obtain administrative access to customer tenants. GDAP allows partners to manage role assignments in Microsoft services, specifically in Microsoft Entra, where roles are assigned with more precision than under DAP (Delegated Admin Privileges). This enhances security in customer environments, as GDAP provides more granular control than DAP.

Q: How does the migration from DAP to GDAP enhance security for Microsoft partners and customers?

The migration from DAP (Delegated Admin Privileges) to GDAP (Granular Delegated Admin Privileges) enhances security for Microsoft partners and customers by offering more specific and limited permissions. While DAP grants broad access rights across customer tenants, GDAP offers controlled, granular, time-bound access. Partner users can manage role assignments in Microsoft environments with better precision, reducing the risk of unauthorized access. Partner Center reporting also shows which DAP relationships are active and which are inactive, so partners can move the inactive ones to GDAP first and remove DAP where it is no longer needed.

Q: How does a Microsoft partner create a new GDAP relationship in the Partner Center?

A Microsoft partner can create a new GDAP (Granular Delegated Admin Privileges) relationship in the Partner Center by establishing GDAP connections with customer tenants. This involves selecting the specific roles in a GDAP relationship that the partner needs to manage the customer’s Microsoft services. The process begins by submitting a new GDAP request through the Partner Center. Once the customer approves, the partner can manage their Microsoft applications and cloud services with the granular permissions granted through GDAP.

Q: What are the steps involved to move from DAP to GDAP for Microsoft partners?

Migrating from DAP (Delegated Admin Privileges) to GDAP (Granular Delegated Admin Privileges) involves several key steps for Microsoft partners. First, they must assess their current DAP relationships and identify which ones are active or inactive. Then, they initiate the GDAP migration by establishing new GDAP relationships with their customers, which typically involves sending requests through the Partner Center, and remove DAP systematically once each GDAP relationship is in place. After GDAP is established, the corresponding DAP relationship is phased out, typically within 30 days. This process ensures that partners transition to the more secure and granular access model of GDAP.

Q: What happens to existing DAP relationships when a new GDAP relationship is created?

When a new GDAP (Granular Delegated Admin Privileges) relationship is created, the existing DAP (Delegated Admin Privileges) relationship with that customer is affected in several ways. GDAP takes precedence immediately, and Microsoft removes the DAP relationship 30 days after the GDAP relationship is established if it sees no further DAP activity. Microsoft encourages partners to migrate to GDAP, as it no longer grants DAP for new customer creations. This transition ensures enhanced security and better management of Microsoft cloud services.

Q: Can a partner use both GDAP and DAP simultaneously in Microsoft’s Azure environment?

In Microsoft’s cloud environment, it’s possible for a partner to use both GDAP (Granular Delegated Admin Privileges) and DAP (Delegated Admin Privileges) simultaneously, but only for a transitional period. As Microsoft moves towards a more secure and granular access model with GDAP, DAP will eventually be phased out. Initially, partners may have both active and inactive DAP relationships alongside their new GDAP connections. However, Microsoft’s long-term goal is to fully transition to GDAP, emphasizing the need for partners to adapt to this new system for managing customer environments.

Q: What are the security benefits of using Microsoft GDAP compared to DAP in cloud services?

GDAP (Granular Delegated Admin Privileges) offers enhanced security benefits compared to DAP (Delegated Admin Privileges) in Microsoft’s cloud services. GDAP allows for more precise control over permissions, enabling partner users to establish relationships with limited Microsoft Entra ID (formerly Azure Active Directory) rights. This targeted access reduces the blast radius of a compromised partner account. Additionally, GDAP includes a monitoring report for both active and inactive DAP connections, so remaining broad access is quickly identified and removed.

Q: What is the process for removing DAP and creating a new GDAP in Microsoft 365 environments?

To remove DAP (Delegated Admin Privileges) and create a new GDAP (Granular Delegated Admin Privileges) in Microsoft 365 environments, partners must first initiate the GDAP migration. This involves disabling inactive DAP connections and establishing a GDAP relationship with the customer tenant. The process includes choosing default roles and setting up the necessary security groups in the Partner Center. After creating the new GDAP relationship, Microsoft will no longer grant DAP for new customer environments, making GDAP the default method for delegated administration in Microsoft 365.

Q: How does Microsoft ensure the smooth transition from DAP to GDAP for partners?

Microsoft ensures a smooth transition from DAP (Delegated Admin Privileges) to GDAP (Granular Delegated Admin Privileges) for partners by providing comprehensive support and resources for the migration process. This includes detailed guidelines on how to establish a GDAP relationship, manage role assignments in Microsoft Entra, and work with GDAP’s limited Microsoft Entra ID (formerly Azure Active Directory) rights. Microsoft also allows a transitional period in which both GDAP and DAP can be part of the partner’s access model, removing DAP 30 days after GDAP is established. This approach helps partners adapt to the new system without disrupting their operations.

Q: What are the differences between Microsoft’s GDAP and DAP in terms of access to customer environments?

The primary difference between Microsoft’s GDAP (Granular Delegated Admin Privileges) and DAP (Delegated Admin Privileges) lies in the level of access granted to customer environments. GDAP provides more granular and controlled access, allowing partners to assign specific roles and permissions for managing customer tenants. This contrasts with DAP, which grants broader and less specific access. GDAP’s approach enhances security by minimizing unnecessary access rights, thereby reducing the potential for unauthorized or accidental changes in customer environments.

Q: What implications does the introduction of GDAP have for new Microsoft partners?

The introduction of GDAP (Granular Delegated Admin Privileges) has significant implications for new Microsoft partners. These partners must now use GDAP instead of DAP (Delegated Admin Privileges) for delegated administration in customer environments. This change requires them to familiarize themselves with the GDAP process, including establishing GDAP relationships, choosing appropriate roles, and managing access through Microsoft Entra. The shift to GDAP underscores Microsoft’s commitment to enhanced security and more precise administrative control in its cloud services.
