Addressing GDAP rights: How to manage your customers' tenants and apps
What is GDAP and why do you need it?
We have taken note of the frustration around GDAP and the errors in Microsoft Partner Center that appear when the GDAP association is not fully set up in a partner’s Partner Center portal, which delays assistance to end customers. The delay comes from the error itself: it says you do not have the admin rights to enter the customer's Microsoft portal.
GDAP stands for Granular Delegated Admin Privilege, and it is a feature of Microsoft that allows partners to access and manage their customers' Microsoft 365 tenants and applications without requiring global admin rights. GDAP enables partners to perform tasks such as creating users, resetting passwords, assigning licenses, configuring policies, and troubleshooting issues while respecting the customers' privacy and security.
GDAP is necessary because global admin rights are not always available or appropriate for partners who need to service multiple customers. Global admin rights give full access to all the data and settings in a tenant, which can pose a risk of data leakage, unauthorized changes, or compliance violations. Moreover, global admin rights are often limited by the customers, who may not want to share them with external parties or may have already reached the maximum number of global admins allowed by Microsoft.
With GDAP, partners can have granular and flexible access to the customers' tenants and apps, without compromising the customers' control and ownership. GDAP also simplifies the process of switching between different customers and apps, as partners can use a single login and a single portal to access them all. The error that has been causing frustration arises when partners pick the GDAP roles but skip the step of assigning the security groups.
How to use GDAP rights to access and manage your customers' tenants and apps
The process of using GDAP rights consists of two steps: selecting the roles and assigning the security groups. Both steps are done through the Partner Center portal, and they require the partner to have a Partner Center account and the appropriate Partner Center roles to manage customers.
- Selecting the roles: The roles are the sets of permissions that define what actions a partner can perform on a customer's tenant or app. For example, a partner can select the User Management role to create and manage users, or the Exchange Online role to configure and troubleshoot email settings. The roles are based on the Microsoft 365 admin roles, and they are specific to each tenant and app. To select the roles, the partner needs to go to the Partner Center portal, click on the Customers tab, and then click on the customer’s name. The partner will see a menu on the left-hand side, and one of its options is “Admin Relationships”. Under this tab, you may request a new GDAP relationship or find a Default GDAP relationship that your CSP Provider has set up for all customer associations. Take the necessary action (create a new relationship or open the default GDAP relationship already in place). If you are creating a new GDAP relationship, you can select multiple roles, but select only the ones you need, not all of them at once. Selecting unnecessary roles can cause confusion, errors, or security issues.
- Assigning the security groups: The security groups are the groups of users that the partner can access and manage within a customer's tenant or app. For example, a partner can assign the Helpdesk Admin group to access and manage customers. The partner can assign multiple security groups for each tenant and app, but they should only assign the ones they need, and not all of them at once. Assigning unnecessary security groups can cause privacy, security, or compliance issues.
Once the partner has selected the GDAP roles and assigned the security groups, they can access and manage the customers' tenants and apps through their Microsoft Partner Center. The partner will only see and access the rights and settings that correspond to the roles and security groups they have selected and assigned to each customer tenant, and they will not need to enter any credentials or switch accounts.
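The gap described above (roles selected, security groups never assigned) can be checked offline against exported relationship data. The following is an added example, not code from this blog or from Microsoft; it assumes the data uses the field names of Microsoft Graph's delegatedAdminRelationship and delegatedAdminAccessAssignment resources, which the post itself does not mention, and all sample records and the placeholder role and group IDs are constructed.

```python
# Added example: audit GDAP relationships for roles that never reached a security group.
# Field names are assumed to follow Microsoft Graph's delegatedAdminRelationship and
# delegatedAdminAccessAssignment resources; every sample record below is constructed.

GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template ID

def role_ids(access_details):
    """Return the set of role definition IDs inside an accessDetails object."""
    return {r["roleDefinitionId"] for r in (access_details or {}).get("unifiedRoles", [])}

def audit_relationship(rel, assignments):
    """Return a list of findings for one relationship and its access assignments."""
    if rel.get("status") != "active":
        return [f"relationship is '{rel.get('status')}', not active"]
    findings = []
    approved = role_ids(rel.get("accessDetails"))
    # Only active assignments to a security group actually grant access.
    live = [a for a in assignments
            if a.get("status") == "active"
            and a.get("accessContainer", {}).get("accessContainerType") == "securityGroup"]
    if not live:
        findings.append("roles selected but no security group assigned")
    else:
        assigned = set().union(*(role_ids(a.get("accessDetails")) for a in live))
        for rid in sorted(approved - assigned):
            findings.append(f"role {rid} approved but not assigned to any group")
    if GLOBAL_ADMIN in approved:
        findings.append("Global Administrator role requested; prefer narrower roles")
    return findings

def audit_all(pairs):
    """Map each relationship's displayName to its findings."""
    return {rel["displayName"]: audit_relationship(rel, asg) for rel, asg in pairs}

# Constructed sample data; ROLE_A, ROLE_B and the group ID are placeholders, not real IDs.
ROLE_A, ROLE_B = "role-a-placeholder", "role-b-placeholder"
ROLES = {"unifiedRoles": [{"roleDefinitionId": ROLE_A}, {"roleDefinitionId": ROLE_B}]}
SAMPLE = [
    # Roles picked, security group step skipped: the error case from the post.
    ({"displayName": "Contoso default", "status": "active", "accessDetails": ROLES}, []),
    # One group assigned, but it carries only one of the two approved roles.
    ({"displayName": "Fabrikam helpdesk", "status": "active", "accessDetails": ROLES},
     [{"status": "active",
       "accessContainer": {"accessContainerId": "group-1-placeholder",
                           "accessContainerType": "securityGroup"},
       "accessDetails": {"unifiedRoles": [{"roleDefinitionId": ROLE_A}]}}]),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, "->", findings or "ok")
```
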
How to get help and support for GDAP rights
If you have any questions or issues regarding GDAP rights, you can reach out to our support team. We will be happy to assist you and provide you with the best guidance and solutions for your needs.