
Microsoft Security and Compliance: GDAP vs. DAP.

Microsoft is ending delegated admin privileges (DAP) in favor of the more secure granular delegated admin privileges (GDAP) by August 2023.
Aug 23, 2023
Written by: Mike Jones

As the Zero Trust security model is implemented across all Microsoft products, services, and partner ecosystems, Microsoft is ending delegated admin privileges (DAP) in favor of the more secure granular delegated admin privileges (GDAP).

This impacts all Microsoft partners globally but is a change that benefits all Microsoft customers universally.

What Are Granular Delegated Admin Privileges?

First and most importantly, keeping with the Zero Trust principle of verification and using least privileged access, GDAP offers more explicit roles and time-sensitive parameters for partner access to customer environments than DAP.

Access is restricted to customer tenants on a deeper level, reducing security risk between Microsoft partners and their clients. More specifically, GDAP details access at the customer, partner tenant, partner user, and workload levels for different Microsoft services.

GDAP is intended as a protective measure around access to customer data while also helping partners accommodate clients with regulatory requirements to allow only least privileged access to providers.

DAP to GDAP Transition Timeline

At the end of May 2023, Microsoft transitioned both active and inactive DAP relationships to GDAP relationships with limited Azure Active Directory (AAD) roles.

Over the next 60 days, corresponding DAP relationships were removed. Any relationships transitioned from DAP to GDAP before May were not affected, but Microsoft disabled all remaining DAP access at the end of July.

How Does GDAP Operate?

Microsoft partners can assign their users to different security groups and associated roles.

These security groups are given access to customer workloads for a fixed duration, up to two years maximum. Once the duration is up, access is terminated automatically.

While DAP connections never expired, GDAP connections expire automatically to create a more secure environment. When a GDAP relationship is about to expire, both the partner and customer will receive an email notification 30 days, seven days, and one day prior to termination. Without a renewal, partner users who were assigned to a security group for that customer will no longer have access or be able to administer services. To renew the duration of access permission, a new GDAP request will have to be sent to the customer.

A Deeper Dive into GDAP Relationships

Since GDAP is intended to significantly reduce risk for Microsoft enterprise clients, it offers more granulated security solutions than DAP.

These include:

Level of Access/Roles
DAP relationships provide the Global Admin and Helpdesk Admin roles by default, and you can’t change them. GDAP allows a deeper level of permission customization that can even be made unique per customer. This is important if you currently work with a provider and want to limit third-party risk.

Relationship Timeline
DAP relationships last forever. The customer accepts the delegated admin link, and that relationship is permanent unless you go into the settings and remove the relationship manually. GDAP allows the creation of custom timelines for relationship length, with a maximum timeframe of two years.

Invitation Link
DAP relationship links are universal per region. This means you use the same DAP link for every customer that is onboarded into the Partner Center. GDAP offers differing levels of access per customer, meaning each invitation is unique to each customer.

Security Group Assignment
In DAP relationships, there are no layers of assignment. The same level of access is given to every member of a Partner Center environment who has access to customers. GDAP allows nested security groups within separate roles, offering a greater degree of diversified permissions.

Activity Logs
With DAP, there are no granular activity logs that show when delegated access permissions are being leveraged from the Partner Center. The logs also don’t include any information about the lifecycle of a delegated admin relationship, such as when it was accepted or removed. GDAP provides greater visibility in the AAD activity logs on both a provider and customer level.

Access to the S&C Center
DAP doesn’t allow you to enter certain admin portals on behalf of customers through the Partner Center. GDAP offers greater flexibility and is more intuitive than its predecessor.

PIM Support
Privileged Identity Management (PIM) is a Microsoft service that allows for “just in time” levels of access. It allows you to elevate your role temporarily to perform certain admin tasks. PIM is coupled with GDAP to allow providers to elevate into security groups that hold certain roles in customer environments, improving security further by allowing rapid response for specific issues.
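
An added example, not from the original article or from Microsoft: a Python check over exported GDAP relationship records that flags the Global Administrator role (the Level of Access/Roles point above) and relationships inside the 30-, 7- and 1-day expiry notice windows described earlier. The record layout is assumed to follow the Microsoft Graph delegatedAdminRelationship resource, and the sample relationships and `NOW` are constructed.

```python
from datetime import datetime, timezone

# Built-in directory role template IDs (Azure AD / Entra ID).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
HELPDESK_ADMIN = "729827e3-9c14-49f7-bb1b-9608f156bbb8"
NOTICE_DAYS = (30, 7, 1)  # notification points named in the article

def _rel(name, status, end, *roles):
    # Helper that builds a constructed record in the assumed Graph layout.
    return {"displayName": name, "status": status, "endDateTime": end,
            "accessDetails": {"unifiedRoles": [{"roleDefinitionId": r} for r in roles]}}

# Constructed sample data, not real tenants.
SAMPLE = [
    _rel("contoso-helpdesk", "active", "2025-05-31T00:00:00Z", HELPDESK_ADMIN),
    _rel("fabrikam-legacy", "active", "2025-06-20T00:00:00Z", GLOBAL_ADMIN, HELPDESK_ADMIN),
    _rel("tailspin-m365", "active", "2026-11-01T00:00:00Z", HELPDESK_ADMIN),
    _rel("northwind-old", "expired", "2024-12-01T00:00:00Z", GLOBAL_ADMIN),
]
NOW = datetime(2025, 5, 25, tzinfo=timezone.utc)  # fixed clock for a repeatable run

def _ts(value):
    # Graph timestamps end in "Z"; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit(relationships, now):
    """Return (relationship name, finding) pairs for active relationships."""
    findings = []
    for rel in relationships:
        if rel["status"] != "active":
            continue  # expired or terminated relationships grant no access
        name = rel["displayName"]
        roles = {r["roleDefinitionId"] for r in rel["accessDetails"]["unifiedRoles"]}
        if GLOBAL_ADMIN in roles:
            findings.append((name, "global-admin-role"))
        days_left = (_ts(rel["endDateTime"]) - now).days
        if days_left < 0:
            findings.append((name, "past-end-date"))
            continue
        # Smallest notice window the relationship has already entered.
        window = min((d for d in NOTICE_DAYS if days_left <= d), default=None)
        if window is not None:
            findings.append((name, f"expires-within-{window}d"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, NOW):
        print(f"{name}: {finding}")
```
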

GDAP for All

GDAP is available to all Microsoft partners including CSPs and MSPs.

These changes, as stated previously, have been in effect since May of 2023, with all users still using DAP fully transitioned to a GDAP relationship and the DAP relationship terminated by the end of July.

Previously, both distributors such as CSP Tier 1s and MSPs such as Indirect Resellers had established DAP with all downstream customers. This allowed distributors to license customer tenants and provide support while also allowing MSPs and Partners the ability to provide support and management through the Partner Center.

Now, Providers have greater control over granular and time-bound access for customer workloads, so they can address customers’ security concerns more easily. CSPs, MSPs, and Partners now have greater help in addressing concerns about data security, reducing the chance of security incidents in the future. These entities can also report on how Provider teams are accessing Enterprise tenants.

Providers can restrict the access of their employees who manage customers’ services and environments, and they can also turn off or reduce unused GDAP or DAP connections to mitigate liability and improve security.

Mike Jones stands out as a leading authority on Microsoft enterprise solutions and has been recognized by Gartner as one of the world’s top subject matter experts on Microsoft Enterprise Agreements (EA) and Unified (formerly Premier) Support contracts. Mike's extensive experience across the private, partner, and government sectors empowers him to expertly identify and address the unique needs of Fortune 500 Microsoft environments. His unparalleled insight into Microsoft offerings makes him an invaluable asset to any organization looking to optimize their technology landscape.