Microsoft’s Granular Delegated Admin Privileges (GDAP) greatly reduces risk for enterprises and CSP/Partners. Compare the new GDAP security standard to legacy DAP and use GDAP to strengthen your enterprise security and compliance.
Initiatives: Microsoft DART/Incident Response | Information Security, Cybersecurity, Compliance
Audience: CCO, CISO, CTO, CIO | IT Executives, Security Executives, Compliance Executives
Microsoft’s Granular Delegated Admin Privileges (GDAP) is designed to greatly reduce risk for Microsoft enterprise clients.
GDAP allows you to control the access level you give to your employees or providers (MSP, CSP, Partner) for your MSFT cloud services.
Enterprise Microsoft Access Controls |
Legacy DAP |
*New* GDAP |
---|---|---|
Level of Access/Roles | Global Admin + Helpdesk Agent | Custom |
Relationship Timeline | Indefinite | Custom (Max of 2 years) |
Invitation Link | Same for every customer | Custom for every customer |
Security Group Assignment | √ | |
Activity Logs | √ | |
Access to Security & Compliance Center | √ | |
Privileged Identity Management (PIM) Support | √ |
Level of Access/Roles: DAP relationships provide you the roles of Global Admin and Helpdesk admin by default without any ability to change. GDAP will allow you to select more granular level permissions and make that unique per customer. This is extremely important if you work with a provider today and do not want that 3rd party risk.
Relationship Timeline: DAP relationships last indefinitely. The customer accepts the delegated admin link and that relationship is permanent unless you go under Settings>Partner Relationships and remove the relationship. GDAP allows you to create custom timelines for how long the relationship will be in place and there is also a maximum timeframe of 2 years.
Invitation Link: DAP relationship links are universal per region. This means you use the same DAP link for every customer you onboard into Partner Center. GDAP changes that because you will most likely have different levels of access per customer. This means that each invitation will be unique to a specific customer.
Security Group Assignment: There are no layers of assignment when it comes to DAP relationships. The same level of access is given to all members within a Partner Center environment who have access to customers. GDAP allows you to have nested security groups with separate roles, in order to stratify permissions even further. Here is an example of that functionality:
Enterprises can create a Provider tier 1 support group and grant it service support admin and global reader roles, which means the Provider group can create tickets on behalf of the enterprise but cannot make any changes. Enterprises can create a Provider tier 2 support group and grant it high-privilege roles such as Intune admin, Exchange admin, and Dynamics 365 admin.
Activity Logs: With DAP, there are no granular activity logs that show you when delegated access permission are being leveraged from Partner Center and they also do not include any information around the lifecycle of a delegated admin relationship (when it was accepted, when it was removed, etc.). GDAP changes this by providing that visibility in the Azure AD Activity logs on both a Provider level and a customer level.
Access to the S&C Center: This has been a pain point for Providers for years in the fact that DAP does not allow you to enter certain admin portals on behalf of customers through partner centers. The Security and Compliance center (now splitting to two admin centers) has been a good example of this lack of access. GDAP is opening up more flexibly here.
PIM Support: Privilege Identity Management (PIM) is a Microsoft service that allows for “just in time” levels of access. Essentially it allows you to elevate your role for a temporary period of time to perform certain admin tasks. PIM will be coupled with GDAP to allow Providers to elevate privileges into certain security groups that have certain grants/roles into customer environments. This improves security even further.
All Microsoft Cloud services which support DAP will support GDAP and for new Microsoft Cloud workloads only GDAP will be supported.
Once GDAP is in place, enterprises should remove all DAP permissions to secure their tenants. Removing DAP doesn’t remove the Provider relationship, so it doesn’t affect any licensing contracts you may have. This does, however, remove all Provider access via PowerShell and APIs, including Microsoft 365 Lighthouse.
GDAP is the primary mechanism for enterprises to enforce the Principle of Least Privilege (POLP) in their Microsoft cloud environments.
POLP is a concept in computer security that limits users’ access rights to only what are strictly required to do their jobs.
Microsoft GDAP Least Privilege BenefitsUsers are granted permission to read, write or execute only the files or resources necessary to do their jobs. This principle is also known as the access control principle or the principle of minimal privilege.
POLP is one of the three guiding principles of Microsoft’s security strategy known as Zero Trust.
Verify Explicitly – Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
Use Least Privileged Access – Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive polices, and data protection to help secure both data and productivity.
Assume Breach – Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.
Microsoft Granular Delegated Admin – Zero Trust
Fundamental to Microsoft’s approach for Zero Trust is not to disrupt end users, but work behind the scenes to keep users secure and in their flow as they work.
GDAP’s least privileged access gives enterprises the policy enforcement tool they need for compliant Microsoft cloud deployments.
GDAP makes it easier to achieve compliance and faster to prove during a compliance audit for:
HIPAA, GDPR, FDDC, FISMA, Government Connect, Federal EO 14028, SOX, ISO, SOC and others.
GDAP least privileged access is strongly recommended by CISA for 2022 and beyond.
Benefits of Least Privilege GDAP
According to the Microsoft Vulnerabilities Report 2021 by BeyondTrust, from the 5 year period of 2016 – 2020, 78% of Critical vulnerabilities on Windows systems could have been mitigated by removing admin rights. In fact, in 2020, 98% of Critical vulnerabilities in Internet Explorer & Edge would have been mitigated by removing admin rights! A similarly powerful risk-reducing power of least-privilege has also been demonstrated across third-party applications, such as for Oracle, Adobe, Google, Cisco, VMware, etc.
Unfettered privileged rights and access essentially equates to uncapped potential for damage. The more privileges a user, account, or process amasses, the greater the potential for abuse, exploit, or error. Implementing least privilege not only reduces the likelihood of a breach occurring in the first place, but it helps limit the scope of a breach should one happen.
Microsoft GDAP least privilege benefits include:
PCI DSS states that organizations that process or store credit card data must restrict access to cardholder data by business need to know, and specifically invokes the use of least privilege user accounts [ 7.1.1 Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities; 7.2.2 Assignment of privileges to individuals based on job classification and function].
Granular delegated admin privileges, or GDAP, is available to Providers such as Microsoft CSPs, MSPs, and Partners in early 2022. These changes address supply chain attacks (like Nobelium) and shore up the least privilege pillar of Microsoft’s Zero Trust security model.
Formerly, both distributors (Microsoft Indirect Providers/CSP Tier 1s) and MSPs (Indirect Resellers) had established Delegated Admin Privileges (DAP) with all downstream customers. This allowed distributors to license customer tenants and provide support. It allowed MSPs and Partners the ability to provide support and perform day to day management tasks via Partner Center.
With granular delegated access:
Enterprise Provider Considerations for GDAP