Introduction to granular delegated admin privileges (GDAP)

Appropriate roles: All partners interested in Partner Center

GDAP capabilities help partners control access to their customers' workloads in order to better address those customers' security concerns. Partners can offer more services to customers who might be uncomfortable with the current levels of partner access. They can also offer services to customers with regulatory requirements that mandate least-privileged access for partners.

What is GDAP in Partner Center?

GDAP is a security feature that gives partners least-privileged access following Zero Trust security principles. It lets partners configure granular and time-bound access to their customers' workloads in production and sandbox environments. Customers must explicitly grant that least-privileged access to their partners.

You can partition partners' access per customer. With GDAP, partners no longer have access to all customer tenants across Azure subscriptions through Admin agents by default. Instead, partners who manage Azure are part of a separate security group, which is a member of the Admin agent group. This group grants owner role-based access control (RBAC) access on all Azure subscriptions for that customer.

Figure: GDAP diagram.

Partners who manage Azure no longer receive the Global Admin role on their customer's tenant. Instead, by default, they receive lower permissions that allow them to read the customer directory.

Partners can transition from DAP to GDAP and eventually remove DAP (Global Admin) on customers' tenants without any effect on partner earned credit (PEC).