In order to provide greater security control for customers, Microsoft introduced GDAP to replace DAP. We detail what is involved in this change.
What is DAP?
Delegated Administration Privileges (DAP) were a feature provided by Microsoft to allow partners to manage their customers’ Microsoft services on their behalf. When a customer grants delegated administration privileges to a partner, it means that the partner can perform administrative tasks and manage various aspects of the customer’s Microsoft services without needing to have the customer’s account credentials.
What are the downsides of DAP?
Although DAP has helped Microsoft Partners to support their clients for a number of years, there are two main drawbacks:
- Granting a Partner DAP access gives them Global Administrator access to a tenant, giving them full access to virtually everything.
- A DAP relationship never expires, meaning that if a client’s relationship with a partner ends, this access needs to be manually revoked and this step can be easily overlooked.
To counter these drawbacks, Microsoft decided to retire DAP and introduce GDAP.
What is GDAP?
Granular Delegated Admin Privileges (GDAP) give partners access to their customers’ services in a way that is more granular and time-bound, helping to address any customer security concerns. As permissions are granted on an individual role basis, GDAP helps with customers who have regulatory requirements to provide only least-privileged access to partners.
Unlike DAP, a GDAP relationship is for a fixed time period of up to two years, after which, access needs to be regranted.
How do I move from DAP to GDAP within my organisation?
The first step for an administrator to take would be to look at their existing partner DAP relationships in the Microsoft 365 Admin Portal, which can be accessed here. It’s worth checking to see if any legacy DAP relationships exist that are no longer required. If you have DAP partner relationships still in place and not GDAP, then you will need to contact each partner and agree new roles for the partner and have them request access. Once the GDAP permissions are in place, then the old DAP permissions can be removed.
As DAP is being retired, Microsoft Partners will be getting in touch with their customers to ensure they are all migrated over to ensure continued service, but if your partner has not yet been in touch, it is worth reaching out to them to clarify the migration with them.
Summary
The introduction of GDAP is a big positive for security-conscious organisations who may have extra regulatory pressures upon them to ensure data security and want to ensure they are doing all they can to prevent unnecessary risks. For Strategy 365 clients, this process is already well underway, but if you have any questions about the process, get in touch with one of our experts who can help guide you through the process.
