Opting in/out of GDAP default roles
Microsoft is deprecating the use of Delegated Admin Privileges (DAP) for all partners on October 31, 2023, in favor of Granular Delegated Admin Privileges (GDAP) because of a security risk. With GDAP, Microsoft has implemented a zero-trust model whereby admin privileges are granted explicitly through a relationship request for specific roles given to partners. From November 1, 2023, partners will no longer be able to use Partner Center APIs or the Partner Center to manage DAP.
What should partners know about GDAP and this transition?
All Microsoft partners must use GDAP roles to manage their customers by requesting them or granting default roles when creating customers. Default roles are a set of pre-defined roles that are implicitly granted to a partner to manage a customer for most scenarios.
For more information on GDAP and default roles, see related Microsoft documentation.
Opting in/out of GDAP default roles
There has been feedback from various partners that by removing DAP, some friction is introduced into creating new customers, as it is no longer possible to grant admin privileges to manage customers with GDAP automatically. There is also the risk of new customers not responding to GDAP relationship request emails.
To address these issues, Microsoft has launched support for GDAP Default Roles and the ability to opt in/out of default roles when creating new customers.
To opt in to GDAP default roles in an AppDirect Marketplace:
- Go to Manage > Marketplace > Settings > Settings | Marketplace Functionality. Scroll to the Company Details section.
- Ensure that the Opt in to GDAP default roles check box is selected.
This capability is controlled by a setting. Contact your AppDirect technical representative for information on how to enable it. If partners do not enable this setting, they will not be provided with GDAP Default Roles when creating new customers. Also, unless a partner explicitly requests a GDAP relationship with the customer and the customer accepts it, the partner will not have any GDAP roles assigned and will be severely limited in how they can manage a new customer.
📝 Note: It is recommended that partners enable the feature for sending explicit GDAP relationship requests from a marketplace.
FAQs
Let’s look at some of the scenarios that could potentially arise from this change:
- What happens if a customer doesn't have DAP and has yet to approve the GDAP request?
  The associated partner will not have admin privileges and therefore will not be able to manage services for the customer. However, the partner will still be able to purchase products, manage Microsoft Azure budget, and perform other related tasks, as GDAP is not required for these.
- What happens if a customer has DAP but still needs to approve GDAP?
  This situation may vary depending on the Microsoft-led DAP to GDAP transitions. Many customers will already have transitioned to GDAP default roles. It is up to the partner to check whether they have been granted GDAP Default Roles by Microsoft and whether their existing DAP relationship has been removed.
- What happens if a customer doesn't have DAP but has approved GDAP?
  The partner is able to manage customers within the scope of GDAP roles they have been granted by the customer.
- What happens if a customer has DAP and approved GDAP?
  DAP relationships will be removed for customers and partners as part of the Microsoft-led DAP to GDAP transitions. GDAP should provide adequate roles as part of the GDAP relationship requested from the customer.