Expire granular relationships and extend granular delegated admin privileges (GDAP)
Appropriate roles: Admin agent
Partners can identify granular delegated admin privileges (GDAP) relationships that are expired or are close to expiring and take action to automatically extend the privileges.
Prerequisites
To manage GDAP Autoextend, you must:
- Have the role: Admin agent
Expiring granular relationships and filters
Use filters to choose a timeframe and find GDAP relationships that are expiring within it, as well as ones that have already expired.
- Partner Admin agents can view active GDAPs expiring within 30 days, seven days, one day, and after 30 days. They can also view GDAPs that expired within the last year.
- The GDAP relationships going to expire tiles (the first four) represent the count and percentage of active GDAPs, and the GDAP relationships expired tile (the last tile) represents the count and percentage of overall GDAPs.
- Each tile represents a count and percentage of the overall GDAPs.
- Each tile acts as a filter that displays only the respective GDAPs.
- Use Search to search by Customer Name or Admin Relationship Name.
- Use the Download option to download GDAPs.
Note
You can't restore expired GDAPs or make them active.
Manage GDAP Autoextend
Partners can now select one or more GDAPs (up to 25) to enable or disable Autoextend. When you enable Autoextend against a GDAP, the Autoextended duration is set to Yes (six months). A GDAP with autoextend doesn't expire on the last day of the GDAP. It rolls forward by six months, so the Partner doesn't need to request a new GDAP, get customer consent, or perform access assignments. When Autoextend is disabled against a GDAP, the partner is notified 30 days, seven days, and one day before expiry.
- A partner can select a GDAP and choose Enable auto-extend to turn on autoextend.
- A partner can select a GDAP and choose Disable auto-extend to turn off autoextend.
- A partner can select multiple GDAPs at a time to enable or disable autoextend.
GDAP with Global Administrator can't be autoextended
In alignment with Zero Trust and least-privilege access, a GDAP that has the Microsoft Entra role of Global Administrator can't be marked for autoextend.
- A GDAP with the Global Administrator role displays NA under the auto-extend duration column.
Removing Global Administrator role
Partners can use the new filter Having Global Administrator to display GDAPs that have the Global Administrator role.
To remove the Global Administrator role from a GDAP:
1. Select one or more GDAP roles. The Remove Global Administrator Role button becomes active.
2. Select Remove Global Administrator Role.
Once the Global Administrator role is removed, the respective Admin Relationship becomes eligible for autoextend.
Access assignments associated with the Global Administrator role are removed.
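
The triage rules described on this page (expiry windows, autoextend state, and the Global Administrator restriction), as an added example that is not Partner Center's own code. It assumes records shaped like the Microsoft Graph delegatedAdminRelationship resource (displayName, endDateTime, autoExtendDuration, accessDetails.unifiedRoles); the sample relationships, the placeholder role ID, the non-overlapping bucket names, and the suggested actions are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"  # Entra Global Administrator role template ID
OTHER_ROLE = "00000000-0000-0000-0000-000000000001"    # constructed placeholder role ID

def make_rel(name, end, roles, auto_extend):
    """Build a constructed record shaped like a Graph delegatedAdminRelationship (assumed shape)."""
    return {"displayName": name, "endDateTime": end, "autoExtendDuration": auto_extend,
            "accessDetails": {"unifiedRoles": [{"roleDefinitionId": r} for r in roles]}}

# Constructed sample data; NOW is fixed so the results are reproducible.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    make_rel("Contoso-helpdesk", "2025-01-05T00:00:00Z", [OTHER_ROLE], "PT0S"),
    make_rel("Fabrikam-admin", "2025-01-20T00:00:00Z", [GLOBAL_ADMIN, OTHER_ROLE], "PT0S"),
    make_rel("Tailwind-ops", "2025-06-01T00:00:00Z", [OTHER_ROLE], "P180D"),
    make_rel("Northwind-old", "2024-11-15T00:00:00Z", [OTHER_ROLE], "PT0S"),
]

def expiry_bucket(end, now):
    """Tightest matching window: expired, within 1/7/30 days, or after 30 days."""
    if end <= now:
        return "expired"
    for days in (1, 7, 30):
        if end - now <= timedelta(days=days):
            return f"within {days}d"
    return "after 30d"

def triage(relationships, now=NOW):
    """Return {name: (bucket, has_global_admin, action)} for each relationship."""
    out = {}
    for rel in relationships:
        end = datetime.fromisoformat(rel["endDateTime"].replace("Z", "+00:00"))
        roles = {r["roleDefinitionId"] for r in rel["accessDetails"]["unifiedRoles"]}
        has_ga = GLOBAL_ADMIN in roles
        # PT0S / P0D mean "no autoextend"; P180D is the six-month extension.
        auto = rel.get("autoExtendDuration", "PT0S") not in ("PT0S", "P0D")
        bucket = expiry_bucket(end, now)
        if bucket == "expired":
            action = "expired: cannot be restored"
        elif has_ga:
            action = "remove Global Administrator before autoextend can be enabled"
        elif not auto and bucket != "after 30d":
            action = "enable auto-extend"
        else:
            action = "none"
        out[rel["displayName"]] = (bucket, has_ga, action)
    return out

if __name__ == "__main__":
    for name, finding in triage(SAMPLE).items():
        print(name, finding)
```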