
Maximizing Efficiency With Granular Delegated Admin Privileges (GDAP) 

Granular Delegated Admin Privileges (GDAP) is a Microsoft security feature that enables managed service providers (MSPs) to manage customer environments following the principle of least privilege access. 

Think of GDAP like giving someone a spare key to your house but only for certain rooms and only for a limited time. 

In this blog, we’ll outline the prerequisites for full GDAP adoption, explain why it matters for security and compliance, and provide a step-by-step guide to proper configuration and best practices. 

Why GDAP Matters in Modern Partner-Customer Relationships 

Under the previous model of Delegated Admin Privileges (DAP), partners often had broad and indefinite administrative rights to customer tenants. While convenient, this exposed customers to serious risks, including over-privilege, audit blind spots, and supply chain vulnerabilities. 

Beyond security, the old model created gaps in trust, transparency, and operational clarity. Broad access increased the attack surface and left many organizations non-compliant with modern security and regulatory frameworks. Customers lacked visibility into who had access to their environment, and for MSPs, defining clear scopes, roles, and durations was overly complex. 

Partners who failed to transition to GDAP often faced challenges when dealing with security-conscious customers, particularly large enterprises in regulated industries such as finance and healthcare. 

As the demand for stronger security, regulatory compliance and supply-chain protection grows, GDAP has become a clear differentiator in securing partner relationships. 

For partners, GDAP provides a structured way to request and manage customer access without overreaching. For enterprises, it ensures that access is controlled, time-limited and auditable — reducing exposure while maintaining operational efficiency. 

Regardless of an organization’s size, GDAP improves security, visibility, and compliance through: 

  • Granular role assignment: Partners receive only the permissions required for specific workloads such as Exchange, Microsoft Teams, or SharePoint. 
  • Time-bound access: Relationships are temporary and expire automatically unless renewed. 
  • Customer approval: Administrators explicitly approve MSP access, increasing transparency and trust. 
  • Alignment with Zero Trust: GDAP enforces least-privilege principles, helping both partners and enterprises meet today’s security and compliance standards. 

How to Set up a GDAP Relationship: Step-by-Step Guide 

Before setting up a GDAP relationship, a few foundational steps must be in place. 

Your Microsoft partner must have an active Partner Center account with the correct administrative rights. Create dedicated security groups for the partner staff who manage customer tenants, so that their access is isolated and the principle of least privilege can be applied. Using an Admin Agents security group helps organize the partner users responsible for managing customer environments. 

Only authorized users, typically those with Global Administrator or GDAP-specific roles, should initiate relationships. Enforce multifactor authentication (MFA) and anti-phishing policies to verify that the partner tenant complies with Microsoft security requirements. For additional protection, consider implementing Privileged Identity Management (PIM) to control and monitor administrative access. 

As the customer, your responsibilities in establishing a secure GDAP relationship include: 

  • Global Admin requirement: A Global Administrator in your tenant must review and approve GDAP requests to ensure oversight and security. 
  • Role verification: Confirm that the roles and scopes requested by the partner align with your operational and security policies. 
  • Access control: Approve access only for essential workloads included in the request. 
  • Consent awareness: Inform internal teams that GDAP access is time-limited and must be renewed explicitly, unlike the indefinite access model under DAP. 

Once both parties are ready, follow these steps to establish the relationship: 

Step 1: Sign in to Microsoft Partner Center and navigate to Customer → Relationships → GDAP.
Step 2: Select Microsoft’s predefined least-privileged roles relevant to the service your partner will manage, such as Helpdesk Administrator or Intune Administrator.
Step 3: Set the duration of the relationship, typically between 30 and 730 days. Microsoft recommends shorter durations for high-privilege roles.
Step 4: Share the GDAP invitation link with the customer’s Global Administrator.
Step 5: Wait for the customer to approve. The relationship becomes active only after consent is granted. 

After approval, continuous monitoring ensures the relationship remains secure and compliant. Review expiry dates, renew or auto-extend access as necessary, and maintain regular audits. Automated notifications help partners and customers stay ahead of upcoming expirations. 

Each relationship automatically expires at the end of its defined period. To avoid service disruptions, renew before expiry or configure auto-extension if applicable. When a relationship ends, or if staff roles change, revoke access immediately to maintain least-privilege principles. 

Roles and Permissions in GDAP 

The strength of GDAP lies in its ability to assign specific, task-based permissions that reduce the risk of over-provisioned access. Your service provider should always align access requests with the principle of least privilege, selecting roles that reflect operational requirements rather than convenience. 

Below is a summary of common partner activities and their recommended built-in roles: 

| Task/Activity | Recommended Role | Scope |
|---|---|---|
| User and license management | User Administrator | Manage user accounts, assign licenses |
| Email and mailbox support | Exchange Administrator | Manage mailboxes and policies in Exchange Online |
| Device and endpoint management | Intune Administrator | Configure and manage devices via Intune |
| Collaboration site issues | SharePoint Administrator | Manage SharePoint sites, sharing settings |
| Teams provisioning and policies | Teams Administrator | Configure Teams settings and policies |
| Directory tasks and security group changes | Directory Reader / Security Administrator | Read basic directory information, manage security groups |
| Service health monitoring | Service Support Administrator | View service health information and manage support tickets |
| Conditional Access or MFA policy checks | Conditional Access Administrator | Review and manage conditional access policies under supervision |

At all times, opt for workload-specific roles and not the Global Administrator or Privileged Role Administrator. Grant temporary elevation only when required for specific tasks. 
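The step-by-step setup above (choose least-privileged roles, set a 30 to 730 day duration, shorter for high-privilege roles) and the role guidance in this section can be enforced before a request ever reaches the customer. The following Python script is an added example written for this post, not CrucialLogics' or Microsoft's code: it validates a proposed relationship against a least-privilege policy built from the tiered group layout described later on this page and emits a request body in the shape of the Microsoft Graph `delegatedAdminRelationship` resource. The role template IDs, the 90-day ceiling for high-privilege roles and the tier allow-lists are this example's assumptions; verify the IDs against Microsoft's published built-in role list before using them.

```python
"""Validate and build a least-privilege GDAP relationship request (added example)."""
from __future__ import annotations

# Entra built-in role template IDs (assumed to match Microsoft's published list; verify before use).
ROLE_IDS = {
    "Helpdesk Administrator": "729827e3-9c14-49f7-bb1b-9608f156bbb8",
    "Service Support Administrator": "f023fd81-a637-4b56-95fd-791ac0226033",
    "User Administrator": "fe930be7-5e62-47db-91af-98c3a49a38b1",
    "Exchange Administrator": "29232cdf-9323-42fd-ade2-1d097af3e4de",
    "SharePoint Administrator": "f28a1f50-f6e7-4571-818b-6a12f2af6b6c",
    "Intune Administrator": "3a2c62db-5318-420d-8d74-23affee5d9d5",
    "Teams Administrator": "69091246-20e8-4a56-aa4d-066075b2a7a8",
    "Security Reader": "5d6b6bb7-de71-4623-b4af-96380a352509",
    "Security Administrator": "194ae4cb-b126-40b2-bd5b-6091b380977d",
    "Conditional Access Administrator": "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9",
    "Global Administrator": "62e90394-69f5-4237-9190-012177145e10",
    "Privileged Role Administrator": "e8611ab8-c189-46e8-94e1-60213ab1f814",
}

# Roles that must never be requested as standing GDAP access.
FORBIDDEN_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Higher-impact roles get a shorter ceiling; the 90-day number is this example's policy choice.
HIGH_PRIVILEGE_ROLES = {"Security Administrator", "Conditional Access Administrator",
                        "User Administrator", "Exchange Administrator"}
MAX_DAYS_HIGH_PRIVILEGE = 90
MIN_DAYS, MAX_DAYS = 30, 730  # the duration range a GDAP relationship allows

# Tiered partner groups, each with the roles it is allowed to hold (assumed layout).
TIER_ROLES = {
    "Tier 1 support": {"Helpdesk Administrator", "Service Support Administrator"},
    "Tier 2 technical": {"Exchange Administrator", "SharePoint Administrator", "Intune Administrator"},
    "Security operations": {"Security Reader", "Conditional Access Administrator"},
}


class GdapPolicyError(ValueError):
    """Raised when a requested relationship violates the least-privilege policy."""


def validate_request(tier: str, roles: set[str], days: int) -> list[str]:
    """Return the list of policy violations; an empty list means the request is acceptable."""
    problems = []
    unknown = roles - set(ROLE_IDS)
    if unknown:
        problems.append(f"unknown roles: {sorted(unknown)}")
    forbidden = roles & FORBIDDEN_ROLES
    if forbidden:
        problems.append(f"forbidden standing roles: {sorted(forbidden)}")
    if tier not in TIER_ROLES:
        problems.append(f"unknown partner group: {tier}")
    else:
        outside = roles - TIER_ROLES[tier]
        if outside:
            problems.append(f"roles outside {tier} allow-list: {sorted(outside)}")
    if not MIN_DAYS <= days <= MAX_DAYS:
        problems.append(f"duration {days}d outside {MIN_DAYS}-{MAX_DAYS}d")
    elif roles & HIGH_PRIVILEGE_ROLES and days > MAX_DAYS_HIGH_PRIVILEGE:
        problems.append(f"high-privilege roles limited to {MAX_DAYS_HIGH_PRIVILEGE}d, got {days}d")
    return problems


def build_request(display_name: str, customer_tenant_id: str, tier: str,
                  roles: set[str], days: int, auto_extend_days: int | None = None) -> dict:
    """Build a Graph-shaped delegatedAdminRelationship body, refusing any policy violation."""
    problems = validate_request(tier, roles, days)
    if problems:
        raise GdapPolicyError("; ".join(problems))
    body = {
        "displayName": display_name,
        "duration": f"P{days}D",  # ISO 8601 duration, the format the Graph resource uses
        "customer": {"tenantId": customer_tenant_id},
        "accessDetails": {
            "unifiedRoles": [{"roleDefinitionId": ROLE_IDS[r]} for r in sorted(roles)]
        },
    }
    if auto_extend_days is not None:
        body["autoExtendDuration"] = f"P{auto_extend_days}D"
    return body


if __name__ == "__main__":
    # Constructed tenant ID; the real value comes from the customer's tenant.
    req = build_request("Contoso Tier 2 support", "00000000-0000-0000-0000-000000000001",
                        "Tier 2 technical", {"Exchange Administrator", "Intune Administrator"}, 90)
    print(req)
    print(validate_request("Tier 1 support", {"Global Administrator"}, 730))
```

The request body is what the partner would submit when creating the relationship; the customer's Global Administrator still has to approve it, so the script only guarantees that nothing over-privileged is asked for in the first place.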


Supported Workloads and Limitations 

GDAP supports multiple workloads across Microsoft 365 and the Microsoft Azure ecosystem. 

Supported workloads include: 

  • Microsoft 365 services: Exchange Online, SharePoint Online, Teams, and Intune 
  • Azure Active Directory (Microsoft Entra ID): Directory and identity management 
  • Security and compliance workloads: Microsoft Defender, Purview, and Compliance Center 
  • Licensing and billing administration: Through Partner Center 

However, certain Azure resource-level activities, such as resource group management, may still require delegated Azure RBAC permissions configured outside GDAP. In addition, GDAP access typically does not extend to all third-party or legacy services integrated into the tenant. 

Effective GDAP implementation depends on strong role governance and structured access grouping. Managed service providers should define clear security groups and administrative relationships from the start. 

Best practices include: 

  • Segment partner roles by function. 
  • Document every role assignment and admin relationship. 
  • Use dynamic security groups and Admin Agents group configurations. 
  • Schedule quarterly audits to review partner access and remove unused roles. 
  • Enforce MFA and monitor sign-ins regularly. 

A well-structured setup that enforces least-privilege access while maintaining operational agility might look like this: 

  • Tier 1 support group: Helpdesk Administrator, Service Support Administrator 
  • Tier 2 technical group: Exchange Administrator, SharePoint Administrator, Intune Administrator 
  • Security operations group: Security Reader, Conditional Access Administrator 

This layered approach ensures each role has a clear scope, improves visibility across relationships, and reduces the likelihood of privilege misuse. 

Migration from DAP to GDAP and Governance Checklist 

To help existing customers transition from Delegated Admin Privileges (DAP) to GDAP, Microsoft provides automation tools that simplify large-scale migrations. The GDAP Migration Tool, a PowerShell-based utility, automates the creation of GDAP relationship requests for multiple customer tenants. This is especially useful for managed service providers supporting many clients or enterprises with several tenants. 

Once GDAP relationships are established, it is essential to remove all legacy DAP connections to eliminate security gaps and maintain compliance with Microsoft’s partner security requirements. This includes reviewing and removing outdated Admin Agents security group assignments that were configured under the old DAP model. 

To stay compliant, implement a monitoring framework that ensures strong governance and keeps GDAP relationships secure, transparent, and aligned with organizational policies. Regularly reviewing security groups and administrative configurations helps detect and address potential risks early. 

A structured governance process minimizes risk and improves auditability. The following checklist provides a foundation for effective GDAP governance: 

Governance Checklist: 

  • Monitor partner access on a regular basis. 
  • Track GDAP renewals and expiration dates. 
  • Log all administrative actions for accountability. 
  • Automate reporting to simplify audits and compliance tracking. 
  • Conduct periodic security reviews to validate configurations and permissions. 

A disciplined governance model ensures your GDAP environment remains compliant, reduces the risk of over-privilege, and upholds transparency between partners and customers. 


Best Practices and Pitfalls to Avoid 

The success of GDAP depends on how well all parties understand and align with access expectations. Overprivileged access or unplanned expirations can lead to operational misalignment and potential compliance issues. 

Before configuring GDAP relationships, partners and customers should agree on the required roles, access duration, and scope of workloads. Document these agreements to maintain a shared record of roles, durations, and renewal dependencies. For high-privilege roles, use shorter access durations, while lower-privilege support roles can be assigned longer periods. Ensure that security groups are configured correctly to reflect your organization’s business and compliance needs. 

Drawing from the experiences of our past engagements, below are common pitfalls and recommendations to avoid them: 

Common Pitfalls and How to Fix Them 

1. Not Assigning the Right People 

Sometimes, customers forget to link the right people to the right roles. This means your partner might not be able to help you when needed. 

Fix: Ensure your partner organization has access to the necessary tools, but only the ones they truly need for specific resources. 

2. Letting Access Expire 

GDAP access doesn’t last forever. If it expires and isn’t renewed, your partner might suddenly lose access and you’ll be waiting for help. 

Fix: Ask your partner to turn on “Auto Extend” so access doesn’t suddenly disappear. 

3. Using Guest Accounts 

GDAP doesn’t work with guest accounts (like someone using a different company’s login). This can lead to errors and delays. 

Fix: Ensure your partner is using their official company account when assisting you. 

4. Giving Too Much Access 

Some customers still grant full access to everything to make things easier. But this can be risky if something goes wrong. 

Fix: Only grant access to what is needed. It’s safer and smarter to follow granular permissions. 

5. Not Checking the Setup 

Sometimes, customers assume GDAP is set up correctly, but it’s not. If you see something like “MLT_” in your system, it means Microsoft has configured it automatically, and your partner may not have full access. 

Fix: Double-check your GDAP settings with your partner to confirm that everything is configured correctly during initial setup. 
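The governance checklist earlier on this page (monitor partner access, track renewals and expiration dates, automate reporting) and pitfalls 2, 3 and 5 above can all be checked from one export of your GDAP relationships. The Python script below is an added example written for this post, not CrucialLogics' or Microsoft's code. It assumes a relationship export in the shape of the Microsoft Graph `delegatedAdminRelationship` resource (`displayName`, `status`, `endDateTime`, `autoExtendDuration`, `accessDetails.unifiedRoles`) and a membership list of the partner's Admin Agents group; both inputs here are constructed samples, the role template IDs are assumed to match Microsoft's published list, and the 30-day renewal warning is this example's own threshold.

```python
"""Audit a GDAP relationship export for expiry, auto-extend, MLT_ and privilege issues (added example)."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Role template IDs (assumed to match Microsoft's published built-in role IDs; verify before use).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
PRIV_ROLE_ADMIN = "e8611ab8-c189-46e8-94e1-60213ab1f814"
HELPDESK_ADMIN = "729827e3-9c14-49f7-bb1b-9608f156bbb8"
EXCHANGE_ADMIN = "29232cdf-9323-42fd-ade2-1d097af3e4de"
HIGH_PRIVILEGE = {GLOBAL_ADMIN, PRIV_ROLE_ADMIN}  # never acceptable as standing GDAP roles

RENEWAL_WARNING_DAYS = 30  # this example's renewal-tracking threshold

# Constructed sample export in the shape of the Graph delegatedAdminRelationship resource.
RELATIONSHIPS = [
    {"id": "rel-1", "displayName": "Contoso Tier 2 support", "status": "active",
     "endDateTime": "2025-02-10T00:00:00Z", "autoExtendDuration": "PT0S",
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": EXCHANGE_ADMIN}]}},
    {"id": "rel-2", "displayName": "MLT_00000000-0000-0000-0000-000000000002", "status": "active",
     "endDateTime": "2026-12-31T00:00:00Z", "autoExtendDuration": "P180D",
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": HELPDESK_ADMIN}]}},
    {"id": "rel-3", "displayName": "Fabrikam legacy admin", "status": "active",
     "endDateTime": "2026-06-01T00:00:00Z", "autoExtendDuration": "P180D",
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": GLOBAL_ADMIN}]}},
    {"id": "rel-4", "displayName": "Northwind helpdesk", "status": "expired",
     "endDateTime": "2024-11-01T00:00:00Z", "autoExtendDuration": "PT0S",
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": HELPDESK_ADMIN}]}},
]
# Constructed membership list of the partner's Admin Agents group (user principal names).
ADMIN_AGENTS_MEMBERS = [
    "alice@partner.example",
    "bob_othercorp.example#EXT#@partner.example",  # guest (B2B) user: not usable for GDAP
]
# Fixed "now" so the sample audit is reproducible; a real run would use datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2025, 1, 20, tzinfo=timezone.utc)


def parse_utc(ts: str) -> datetime:
    """Parse a Graph ISO 8601 timestamp such as 2025-02-10T00:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_relationships(relationships: list[dict], now: datetime,
                        warn_days: int = RENEWAL_WARNING_DAYS) -> list[dict]:
    """Return one finding per failed check: expired, expiring, no-auto-extend, microsoft-led, high-privilege."""
    findings = []
    for rel in relationships:
        rid, name, end = rel["id"], rel["displayName"], parse_utc(rel["endDateTime"])
        roles = {r["roleDefinitionId"] for r in rel["accessDetails"]["unifiedRoles"]}
        active = rel["status"] == "active" and end > now
        if not active:
            findings.append({"id": rid, "check": "expired", "detail": f"{name} ended {end.date()}"})
        elif end - now <= timedelta(days=warn_days):
            findings.append({"id": rid, "check": "expiring",
                             "detail": f"{name} ends in {(end - now).days} days"})
        if active and rel.get("autoExtendDuration", "PT0S") == "PT0S":
            findings.append({"id": rid, "check": "no-auto-extend", "detail": f"{name}: renew manually"})
        if name.startswith("MLT_"):
            findings.append({"id": rid, "check": "microsoft-led",
                             "detail": f"{name}: created by Microsoft, confirm the roles cover the partner's work"})
        if roles & HIGH_PRIVILEGE:
            findings.append({"id": rid, "check": "high-privilege",
                             "detail": f"{name}: standing Global/Privileged Role Administrator access"})
    return findings


def audit_admin_agents(members: list[str]) -> list[str]:
    """Return members that are guest (B2B) accounts; their UPNs carry the #EXT# marker."""
    return [m for m in members if "#EXT#" in m]


def checks_by_relationship(findings: list[dict]) -> dict[str, set[str]]:
    """Group findings so each relationship maps to the set of checks it failed (report input)."""
    grouped: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        grouped[f["id"]].add(f["check"])
    return dict(grouped)


def run_sample_audit() -> dict[str, set[str]]:
    """Run the audit over the constructed sample at the fixed sample time."""
    return checks_by_relationship(audit_relationships(RELATIONSHIPS, SAMPLE_NOW))


if __name__ == "__main__":
    for f in audit_relationships(RELATIONSHIPS, SAMPLE_NOW):
        print(f"[{f['check']}] {f['id']}: {f['detail']}")
    print("guest accounts in Admin Agents:", audit_admin_agents(ADMIN_AGENTS_MEMBERS))
```

Run on a schedule, the findings list is the automated report the checklist asks for: `expiring` and `no-auto-extend` feed the renewal workflow, `microsoft-led` flags relationships to re-verify with the partner, `high-privilege` flags relationships to replace with workload-specific roles, and the guest-account list shows Admin Agents members who cannot use GDAP at all.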

Conclusion 

GDAP is a great tool to help you stay in control of your Microsoft environment. It’s all about giving the right access to the right people, at the right time. 

To ensure full compliance and maintain customer trust, it is advisable to implement a structured GDAP adoption plan by auditing existing access, mapping roles, enforcing MFA, using automation tools and establishing renewal workflows. 

At CrucialLogics, we help you position yourself ahead of compliance mandates and audit requirements for secure collaboration in the Microsoft ecosystem. If you need help auditing your current DAP setup or planning your GDAP migration, our principal consultants can guide you through every step. Contact us today to get started. 

Frequently Asked Questions 

Can I make GDAP access permanent? 

GDAP access is designed to be temporary for security reasons. The maximum duration of a relationship is 2 years (730 days); after that it must be renewed if still needed. 

Do I need to approve access every time? 

Not always. If you’ve already approved it once, your partner can renew it without needing to bother you again. 

Why can’t my partner access my system? 

It could be because: 

  • Their access expired 
  • They’re using the wrong account 
  • They weren’t assigned the right role 

What happens when GDAP access ends? 

Your partner won’t be able to help until you approve access again. It’s therefore advisable to keep an eye on expiration dates. 


Amol Joshi

Amol is a senior security executive with over 20 years of experience in leading and executing complex IT transformations and security programs. He’s a firm believer in achieving security through standardization, avoiding complexity, and that security is achieved using native, easy-to-use technologies.

Amol approaches business challenges in a detail-oriented way and demonstrates quantifiable results throughout highly technical and complex engagements. Creative, innovative, and enthusiastic, Amol uses the Consulting with a Conscience™ approach to advise clients about IT solutions.

Amol has a BSc. in Computer Science, is a certified Project Manager by PMI (PMP), and is a Certified Information Systems Security Professional (CISSP).
