Transition from delegated administrator privileges (DAP) to granular delegated administrator (GDAP) privileges.

October 4, 2022

Microsoft strengthens the security of its partner community by deploying Microsoft GDAP, which replaces the current delegated administrative privileges (DAP).

If you are part of the CSP program as an indirect reseller, you need to know what Microsoft GDAP is and how to switch from DAP to GDAP.

What is DAP (Delegated Administrator Privileges)?

Delegated administrative (DAP) privileges are used to manage a customer’s service or subscription on their behalf. With DAP, you can have one of two access roles: Global Admin and Helpdesk Agent and the duration of the relationship is indefinite. We immediately see that there is a significant security risk: if your account is compromised (hacked), your customers’ data can also be affected.

What is GDAP (Granular Delegated Administrator Privileges)?

Microsoft’s Granular Delegated Administrator Privileges or GDAP are the new feature that reduces security risks and vulnerabilities for Microsoft customers. It brings new security capabilities, enabling partners to implement granular, time-limited access to their customers’ workloads. With GDAP, customers can now choose to limit access to their data and workloads by granting specific permissions instead of allowing global administrator access.

What should you do?

Microsoft will replace DAP with GDAP. The transition period has begun, and all partners will have to move their clients from DAP to GDAP. As a Microsoft CSP, it is therefore crucial for you to remain compliant and meet new requirements. Microsoft will allow all partners to transition until January 2023.

Steps to make the transition:

Audit existing DAP connections.

In Microsoft Partner Center, you have access to a reporting tool that identifies and displays all active connections with delegated administrative privileges and helps you discover inactive DAP connections.

Remove inactive DAP connections.

Identify inactive DAP connections and delete them as soon as possible.

Start planning for the transition.

Identify what activities your users perform in the customer portal to determine which GDAP roles will be most applicable.

Run the transition to GDAP.

Start your GDAP transition by referring to the step-by-step guide provided by Microsoft.

Disable the DAP.

Once your customer has granted you GDAP and confirmed that you can perform all necessary administrative activities on behalf of your customer, you must disable your existing DAP connection.

Partners who need to move a large number of customers from DAP to GDAP can use the bulk transition tool developed by Microsoft.