GDAP STATUS
Granular Delegated Admin Privileges (GDAP) is a security feature that allows Cloud Solution Provider (CSP) partners to gain least-privileged access to a customer's Microsoft environment. It is based on the Zero Trust security model, ensuring that access is limited only to necessary permissions.
In MSP Hub, GDAP enhances security by allowing CSP partners to request only the necessary administrative roles instead of full access to a customer's Microsoft environment. This ensures compliance with role-based access control, reducing security risks and aligning with modern cybersecurity principles. By implementing GDAP, MSP Hub enables more secure and controlled management of customer environments, protecting sensitive data while maintaining operational efficiency.
GDAP Status Overview
The Status field tracks the GDAP status for all customers associated with a partner.
- The system captures tenants whose GDAP is expiring within 30 days based on regional settings.
- Admin relationships can be defined and included in the request. Once finalized, the request is sent to the customer for approval.
Approval Process
- The customer receives the request and approves it through the Microsoft 365 Admin Center using the provided link.
- Only customers with Global Administrator permissions can approve the request.
- Once approved, access is granted, enabling actions such as user management, license assignment, admin relationship management, and password resets.
- If the request is not approved, access is restricted, and an error message appears.
- Multiple requests can be created if access is denied or expires, allowing partners to reinitiate the process as needed.
Expiry and Auto-Extension
Expiring in 30 Days: Displays tenants whose GDAP will expire soon.
Inactive Status: Lists expired GDAP records.
730-Day Expiry:
- If a Global Administrator role is assigned, it does not auto-extend and expires after 730 days. A new request must be created.
- Other roles may have the option for auto-extension.
Once expired, the role becomes invalid, and a new GDAP request must be made to regain access.
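The expiry rules above, applied to a list of relationships, as an added example that is not part of MSP Hub or its documentation. The record fields (including "roles" and "auto_extend") and the sample rows are constructed assumptions, and the review action for long-lived Global Administrator grants is an added least-privilege check.

```python
from datetime import date

GLOBAL_ADMIN = "Global Administrator"

# Constructed sample rows. Keys mirror the GDAP Status grid columns; "roles" and
# "auto_extend" are assumed fields, not a documented MSP Hub export format.
SAMPLE = [
    {"name": "helpdesk-ops", "status": "Active", "end_date": "2025-06-20",
     "roles": ["Helpdesk Administrator"], "auto_extend": True},
    {"name": "full-admin", "status": "Active", "end_date": "2025-06-25",
     "roles": [GLOBAL_ADMIN, "Security Administrator"], "auto_extend": False},
    {"name": "sec-ops", "status": "Active", "end_date": "2025-07-20",
     "roles": ["Security Administrator"], "auto_extend": False},
    {"name": "legacy", "status": "Inactive", "end_date": "2025-05-01",
     "roles": ["Helpdesk Administrator"], "auto_extend": False},
    {"name": "onboarding", "status": "Approval Pending", "end_date": None,
     "roles": ["Helpdesk Administrator"], "auto_extend": False},
]


def triage(rows, today):
    """Map each relationship name to (bucket, action) using the rules above."""
    result = {}
    for row in rows:
        if row["status"] == "Approval Pending":
            result[row["name"]] = ("pending", "awaiting customer approval")
            continue
        days_left = (date.fromisoformat(row["end_date"]) - today).days
        has_ga = GLOBAL_ADMIN in row["roles"]
        # A relationship that includes Global Administrator never auto-extends.
        extends = row["auto_extend"] and not has_ga
        if days_left < 0:
            bucket, action = "inactive", "new request required"
        elif days_left <= 60:
            bucket = "expiring-30" if days_left <= 30 else "expiring-60"
            action = "auto-extends" if extends else "create new request"
        else:
            bucket = "active"
            action = "review Global Administrator grant" if has_ga else "none"
        result[row["name"]] = (bucket, action)
    return result


if __name__ == "__main__":
    for name, (bucket, action) in triage(SAMPLE, date(2025, 6, 1)).items():
        print(f"{name:14} {bucket:12} {action}")
```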
Navigate to GDAP Status:
Log in to Partner Tenant → Customer → GDAP Status
GDAP Status Grid Page
GDAP Status Overview
- Active: Displays the number of customers with an active GDAP setup.
- Pending: Indicates the number of customers whose GDAP requests are pending approval.
- Expiring (Next 30 Days): Highlights GDAP accounts that will expire within the next 30 days.
- Expiring (Next 60 Days): Lists GDAP accounts that will expire within the next 60 days.
Action Buttons
- New Request: Allows users to initiate a new GDAP request.
- Refresh: Updates the displayed data with the latest status.
- Export: Enables exporting the GDAP data for record-keeping.
- Search Bar: Helps users search for a specific customer name.
Filters & Dropdowns
- Country Dropdown: Filters GDAP accounts by country.
- Expiring in Dropdown: Allows users to filter accounts expiring within a selected timeframe.
- Active/Inactive Toggle: Filters GDAP accounts based on their current status.
GDAP Status Grid:
- Customer: Displays the name of the customer associated with GDAP.
- CSP Domain: Lists the Microsoft CSP domain of the customer.
- Name: Shows the GDAP request name or identifier.
- Start Date: The date when the GDAP request was approved and became active.
- End Date: The expiration date of the GDAP access.
- Status: Indicates whether the GDAP request is active, pending, or expired.
- Duration: Displays the duration for which GDAP access has been granted.
Click the New Request Button.
CSP Account: Select the Cloud Solution Provider (CSP) account for which you are requesting GDAP access.
Admin Relationship Name: Enter a name to identify the GDAP relationship. This helps distinguish multiple relationships within the system, making it easier to manage and track access permissions.
Duration in Days: Specify the number of days for which the access will be valid (default: 730 days).
Requested Azure AD Roles: Select the specific admin roles needed for this GDAP relationship.
- Select individual or all roles as required.
- Roles include Global Administrator, Security Administrator, Helpdesk Administrator, and more.
Action Buttons
- Cancel: Discards the request and closes the form.
- Finalize Request: Submits the GDAP request for approval.
Click New Request to open the Request for new relationship form. Here, enter the required details, select the necessary Azure AD roles, and click Finalize Request to submit.
You will then get a preview of the roles, which you can either "Copy to Clipboard" or "Open in Email" to send the request to the associated user.
The submitted request appears in the grid page with its details, and its status is set to Active once approved. Until then, it remains Approval Pending.
Getting Approval of Your GDAP Request
After you invite your customer to grant granular delegated admin privileges (GDAP), they can approve your request by following these steps:
Open the link from your GDAP invitation email.
Click Accept on the Approve Partner Roles page that opens in the Microsoft 365 Admin Center.
You will receive a confirmation email notification after your customer approves your GDAP request. Your customer will also receive a confirmation.
Note
GDAP Status Information:
The GDAP Status Information section provides updates on the GDAP (Granular Delegated Admin Privileges) setup of CSP (Cloud Solution Provider) accounts. It includes actionable links for setting up new GDAP accounts, lists accounts not yet configured for GDAP, and notifies users of accounts with imminent GDAP expirations.
1. CSP Accounts Not Set Up for GDAP:
The section lists CSP accounts that have not been configured for GDAP. For example, the account "srktest002" with the domain "srktest002.onmicrosoft.com" is currently not set up for GDAP. Users can click on the account name to initiate the GDAP setup process.
2. CSP Accounts with Imminent GDAP Expiration:
This section notifies users of any CSP accounts for which GDAP will expire within the next 30 days. For instance, the account "Microsoft" with the domain "monthlypricetest.onmicrosoft.com" has a GDAP setup that is about to expire. Users should click on the account name to set up a new GDAP account to avoid any service interruptions.