Support for opting in/out of GDAP default roles is now in EA

note

Features in EA status are only available in production to a limited number of customers based on fit with specific use cases. For more information about EA status, see Product lifecycle phases. If you would like to use the product capabilities described here during the EA phase, contact your AppDirect technical representative.

Microsoft is deprecating the use of Delegated Admin Privileges (DAP) for all partners on October 31, 2023, in favor of Granular Delegated Admin Privileges (GDAP) because of a security risk. With GDAP, Microsoft has implemented a zero-trust model whereby admin privileges are granted explicitly through a relationship request for specific roles given to partners. From November 1, partners will no longer be able to use Partner Centre APIs or the Partner Centre to manage DAP.

What should partners know about GDAP?

All Microsoft partners must use GDAP roles to manage their customers by requesting them or granting Default Roles when creating customers. Default Roles are a set of pre-defined roles that are implicitly granted to a partner to manage a customer for most scenarios.

Refer to Microsoft documentation for more information on GDAP and GDAP default roles.

What's new in this release?

There has been feedback from various partners that by removing DAP, some friction is introduced into creating new customers, as it is no longer possible to grant admin privileges to manage customers with GDAP automatically. There is also the risk of new customers not responding to GDAP relationship request emails.

To address these issues, Microsoft has launched support for GDAP Default Roles and the ability to opt in/out of default roles when creating new customers. In this release, we are introducing changes for AppDirect marketplaces to support these capabilities.

To opt for GDAP default roles:

1. Go to Manage > Marketplace > Settings > Settings | Marketplace Functionality. Scroll to the Company Details section.
2. Select the Opt in to GDAP default roles check box.
   

If partners do not enable this setting, they will not be provided with GDAP Default Roles when creating new customers. Also, unless partners explicitly request a GDAP relationship with the customer and it is accepted, a partner will not have any GDAP roles assigned and will be severely limited in how they can manage a new customer.

note

We recommend that, as a minimum, partners enable the marketplace feature for sending explicit GDAP relationship requests from the Marketplace.

Limitations:

The following capabilities are not supported in this release:

• Ability to opt in/out on a per-new-customer basis (coming soon)
• Support for assigning GDAP Default Roles when onboarding existing customers
• Assigning security groups to GDAP default roles
• Auto-renew and extend GDAP (coming soon)
• Indirect reseller support for GDAP default roles

Feature enablement

The feature is not enabled by default. Contact your AppDirect technical representative to request it.

Setting enablement

Setting enablement is required. Contact your AppDirect technical representative for more information.

Documentation

Refer to Opting in/out of GDAP default roles.