DAP to GDAP Transitioning

Introduction to GDAP

GDAP stands for Granular Delegated Admin Privileges. It is a security feature that provides partners with least-privileged access following the Zero Trust cybersecurity protocol. It lets partners configure granular and time-bound access to their customers' environments. This least-privileged access needs to be explicitly granted to partners by their customers.

GDAP capabilities allow Microsoft partners to control access to their customers' workloads to better address their security concerns. Customers may be uncomfortable with the current levels of partner access or have regulatory needs that require least-privileged access for partners.

DAP to GDAP Transitioning Plan

Logicom will gradually migrate all existing DAP relationships to GDAP by 21 May 2023, before Microsoft's transition enforcement date of 22 May 2023. The transition will be seamless and will have no impact on Logicom Cloud Marketplace (LCMP) operations.

GDAP Transitioning for Indirect Resellers

Indirect Resellers with existing DAP relationships with their end-customers will be automatically transitioned to GDAP by Microsoft after 22 May 2023.

For new customers created after 22 May 2023, Indirect Resellers must use Partner Center to request and obtain GDAP permissions to manage their services.

Default roles will be automatically assigned to corresponding predefined CSP security groups, which could fall under either admin agents or help desk agents.

New Experience in Logicom Cloud Marketplace
New customer tenant creation

After a new customer tenant has been created, the GDAP URL will be available in the created tenant service. The field is named GDAP invitation, and it contains relevant information about the GDAP status, as shown below:

  • Before Invitation Approval

  • After Invitation Approval

Once the customer has approved the GDAP URL, the status in LCMP will change. It may take ~15 minutes from the moment the customer approves the GDAP invitation until the status is updated in LCMP.

Existing O365 customer invited to CSP

Going forward, existing customers will still need to accept the commerce relationship with the CSP provider. Additionally, customers may accept the GDAP invitation to grant permissions to the CSP provider. In the UI, the experience will look like below:

Changes in new Azure Plan and additional Azure Subscriptions creation

During the creation of a new Azure Plan and/or an additional Azure Subscription, one of the steps involves granting permissions to the newly created Azure Plans.

To grant those permissions, the CSP provider needs to be able to list the customer's users. If the customer has removed the permission to list users, the message below will be shown to ensure that the needed access is granted to the CSP provider. The message includes the GDAP URL.

Changes in License analytics for tenant

When attempting to view the license analytics within the tenant service, a message like the one below is shown if no permissions were granted to load the report.