
Granular Delegated Admin Privileges (GDAP)

📝 Note: This feature is not enabled by default. Contact your AppDirect technical representative to request it.

Granular Delegated Admin Privileges (GDAP) is a mandatory feature for partners that purchase and sell Microsoft products on their marketplaces.

GDAP is a Microsoft security feature that gives partners least-privileged access to customer tenants, following the Zero Trust security model. It lets partners request granular, time-bound access to their customers' workloads in production and sandbox environments. Customers must explicitly grant this access; a partner does not receive it by default.

We updated our platform so that all Microsoft customers can complete all transactions on the marketplace in compliance with GDAP.

AppDirect partners must configure a number of settings in their Microsoft Partner Center account before they contact us and request that we configure GDAP on their marketplaces.

Then the Marketplace Manager can manage GDAP relationships in their marketplace. They do this on the Companies page located at Manage > Marketplace > Dashboard > Home | Companies.

The Marketplace Manager configures GDAP email notifications.

Prerequisites for AppDirect partners

Regrant admin consent for AppDirect to access the GDAP APIs

You must grant admin consent to the AppDirect marketplace application so that the AppDirect platform can call the GDAP APIs on your behalf. Consent grants the application the granular permissions listed below; if these permissions are not assigned, every GDAP API call fails.

To regrant admin consent to AppDirect:

  1. Log in to your Microsoft Azure Active Directory (Azure AD) reseller account.
  2. Click Azure Active Directory, and then click Enterprise applications.
  3. Select the application to which you want to grant admin consent, and then click Permissions.
  4. Click Grant admin consent for AppDirect.
  5. Consent grants AppDirect the following permissions:
    1. PartnerCustomerDelegatedAdministration.Read.All
    2. PartnerCustomerDelegatedAdministration.ReadWrite.All

Convert DAP relationships to GDAP relationships

If you already have Delegated Admin Privileges (DAP) enabled on your marketplace, you need to create new GDAP relationships. AppDirect recommends that you use the Microsoft GDAP bulk migration tool to create them. See GDAP bulk migration tool.

This tool lets the migration happen without consent from the customer. Microsoft plans to withdraw the tool from partner use on March 1, 2023. After the tool is withdrawn, every GDAP request requires consent from the customer.

If you do not perform the transition yourself with this tool, Microsoft intends to start transitioning customers automatically from DAP to GDAP in the coming months. If you wait for the automatic transition, make sure you understand its impact: you may find that you lack certain privileges required to manage your customers until you request the GDAP roles you need.

You are responsible for testing and completing the prerequisites for GDAP activity.

Roles on your Microsoft Partner Center account

To ensure that your marketplace processes all GDAP information correctly, you must regrant admin consent for AppDirect to access the GDAP APIs (see the prerequisite above). We then request the following default roles on your behalf. These are standard built-in Azure AD template roles, identified by the template IDs in the table below.

Role | Description | Template ID
Cloud application administrator | Can create and manage all aspects of marketplace setup and configuration such as application registrations and enterprise applications, except App Proxy. | 158c047a-c907-4556-b7ef-446551a6b5f7
License administrator | Can assign, remove and update license assignments for customers. | 4d6ac14f-3453-41d0-bef9-a3e0c569773a
User administrator | Can manage all aspects of users and groups, including resetting passwords for limited admins. | fe930be7-5e62-47db-91af-98c3a49a38b1
Directory readers | Can read basic directory information. Commonly used to grant directory read access to applications and guests. Required for User Sync and Company Sync in the AppDirect platform. | 88d8e3e3-8f55-4a1e-953a-9b9898b8876b
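The following Python module is an added example written for this page; it is not AppDirect's or Microsoft's code. It ties together the two prerequisites above: it checks whether an access token actually carries the PartnerCustomerDelegatedAdministration permissions before a GDAP API call is attempted (a missing consent is the most common reason those calls fail), and it builds a least-privilege, time-bound GDAP relationship request body from the four default role template IDs in the table, flagging any role beyond that baseline. The Microsoft Graph field names (displayName, duration, customer.tenantId, accessDetails.unifiedRoles[].roleDefinitionId), the 50-character display-name limit and the 730-day duration limit are assumptions taken from the public delegatedAdminRelationship schema, and the sample token is constructed, unsigned test data.

```python
"""Preflight checks for a GDAP relationship request against Microsoft Graph.

Added example, not AppDirect's or Microsoft's code. Role template IDs and permission
names come from the page above; Graph field names and limits are assumptions.
"""
import base64
import json
import uuid
from typing import Dict, Iterable, List, Set

# Built-in Azure AD role template IDs from the roles table.
DEFAULT_GDAP_ROLES: Dict[str, str] = {
    "Cloud application administrator": "158c047a-c907-4556-b7ef-446551a6b5f7",
    "License administrator": "4d6ac14f-3453-41d0-bef9-a3e0c569773a",
    "User administrator": "fe930be7-5e62-47db-91af-98c3a49a38b1",
    "Directory readers": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b",
}

# Permissions granted by the admin-consent prerequisite.
READ_SCOPE = "PartnerCustomerDelegatedAdministration.Read.All"
WRITE_SCOPE = "PartnerCustomerDelegatedAdministration.ReadWrite.All"

MAX_DURATION_DAYS = 730   # assumption: Graph accepts durations from P1D to P730D
MAX_DISPLAY_NAME = 50     # assumption: Graph caps displayName at 50 characters


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_sample_token(claims: dict) -> str:
    """Constructed test input: an alg=none JWT. Real Azure AD tokens are signed."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_permissions(access_token: str) -> Set[str]:
    """Permissions in a JWT's scp (delegated) or roles (application) claim.

    Parses the payload only; the signature is NOT verified. Use this to diagnose a
    missing admin consent before a call, never to make an authorization decision.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    perms = set(claims.get("scp", "").split())      # delegated: space-separated string
    perms.update(claims.get("roles", []))            # application: list of app roles
    return perms


def missing_permissions(access_token: str, required: Iterable[str]) -> List[str]:
    """Required permissions the token lacks; a non-empty result means the GDAP call will fail."""
    have = token_permissions(access_token)
    return [p for p in required if p not in have]


def excess_roles(role_ids: Iterable[str],
                 baseline: Iterable[str] = DEFAULT_GDAP_ROLES.values()) -> List[str]:
    """Role template IDs beyond the documented default set; review each before requesting it."""
    allowed = set(baseline)
    return [r for r in role_ids if r not in allowed]


def build_gdap_request(customer_tenant_id: str, display_name: str,
                       duration_days: int, role_ids: Iterable[str]) -> dict:
    """Body for POST /v1.0/tenantRelationships/delegatedAdminRelationships (assumed schema)."""
    if not 1 <= duration_days <= MAX_DURATION_DAYS:
        raise ValueError(f"duration must be 1..{MAX_DURATION_DAYS} days, got {duration_days}")
    if not 1 <= len(display_name) <= MAX_DISPLAY_NAME:
        raise ValueError(f"displayName must be 1..{MAX_DISPLAY_NAME} characters")
    uuid.UUID(customer_tenant_id)             # raises ValueError on a malformed tenant ID
    unique: List[str] = []
    for rid in role_ids:
        uuid.UUID(rid)                         # every role must be a template GUID
        if rid not in unique:                  # drop repeated roles, keep order
            unique.append(rid)
    if not unique:
        raise ValueError("at least one role is required")
    return {
        "displayName": display_name,
        "duration": f"P{duration_days}D",     # ISO 8601 duration: time-bound by construction
        "customer": {"tenantId": customer_tenant_id},
        "accessDetails": {"unifiedRoles": [{"roleDefinitionId": r} for r in unique]},
    }


if __name__ == "__main__":
    # Constructed token carrying only the Read permission: the write call would fail.
    token = make_unsigned_sample_token({"scp": f"{READ_SCOPE} User.Read"})
    print("missing for write:", missing_permissions(token, [WRITE_SCOPE]))
    body = build_gdap_request(str(uuid.UUID(int=1)), "AppDirect default GDAP", 730,
                              DEFAULT_GDAP_ROLES.values())
    print(json.dumps(body, indent=2))
```

Run the permission check against a real token only as a diagnostic: the `scp` or `roles` claim tells you whether consent was granted, but only Graph's own signature validation decides whether the call is authorized. Keep the duration as short as the engagement needs; 730 days is the ceiling, not a recommendation.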
Contact your AppDirect technical representative and request that we enable GDAP on your marketplace

Configure an email notification on your marketplace

To configure notification content, go to Manage > Marketplace > Settings > Custom UI | Notifications and select Granular Delegated Admin Permission approval. In Email Options, select Enable Email Notifications and click Save. For more information, see Work with notification templates and Notification template content.

GDAP is enabled on a marketplace

After GDAP is enabled on a marketplace, Marketplace Managers can add custom Azure Active Directory (Azure AD) roles and groups to their marketplace. See Custom Azure Active Directory (Azure AD) roles and groups.
