แชร์ผ่าน


GDAP role guidance

Appropriate roles: Admin agent

This article gives guidance about which least-privileged Microsoft Entra built-in role can be used for each granular delegated admin privileges (GDAP) capability. For example, to submit support requests on behalf of a customer requires the Service support administrator role, which is the least-privileged Microsoft Entra built-in role on your customer's tenant.

Creating support requests

Indirect resellers can't create support requests for Azure. Instead, they must work with their indirect providers.

To create a support request for: Direct-bill partners and indirect providers must have the following least privileged role:
Microsoft 365 in the Microsoft 365 admin center GDAP role assignment to a role that has Microsoft.office365.supportTickets/allEntities/allTasks permissions, such as Service support administrator
Dynamics 365 in Power Platform Admin Center GDAP role assignment to a role that has Microsoft.office365.supportTickets/allEntities/allTasks permissions, such as Service support administrator
Azure subscription resource in the Azure portal Prerequisite: To create requests on behalf of customers using a customer's Azure subscription, partners must have a reseller relationship with the customer as explained in CSP regional authorization. For more information, see Steps to setup Azure GDAP.

Any GDAP assignment to a Microsoft Entra role, such as Directory readers,

- AND -

Azure role-based access control (RBAC) role assignment to a role with Microsoft.Support/supportTickets/write permissions, such as Support request contributor
Microsoft Entra ID in the Azure portal Alternative 1: If a customer doesn't have Microsoft Entra ID P1 or P2

Prerequisite: To create requests on behalf of customers using a customer's Azure subscription, partners must have a reseller relationship with the customer per CSP regional authorization. For more information, see Steps to setup Azure GDAP.

Any GDAP assignment to a Microsoft Entra role, such as Directory readers,

- AND -

Azure RBAC role assignment to a role with Microsoft.Support/supportTickets/write permissions, such as Support request contributor

Alternative 2: If customer has Microsoft Entra ID P1 or P2 Any GDAP assignment to a Microsoft Entra role that has: microsoft.azure.supportTickets/allEntities/allTasks permissions, such as Service support administrator

GDAP roles by partner types

Indirect providers

The following roles are recommended for indirect providers to transact and manage:

  • New customer tenant creation
  • Reseller relationship setup
  • Purchase
  • Subscription management
  • Upgrades
  • Conversions
  • Customer user creation and license assignment
  • Customer service requests (requests creation on behalf of customer)
Role Description
Reader roles:
Directory readers Can read basic directory information. Commonly used to grant directory read access to applications and guests
Directory writers Can read and write basic directory information. For granting access to applications, not intended for users.
Global reader Can read everything that a Global administrator can, but can't update anything
User management and license management:
User administrator Can manage all aspects of users and groups, including resetting passwords for limited admins
License administrator Can manage product licenses on users and groups
Service support administrator Can read service health information and manage support requests
Help Desk:
Help Desk administrator Can reset passwords for non-administrators and Help Desk administrators

Direct-bill partners, indirect resellers, and advisors

The following roles are recommended for indirect resellers, advisors, and direct-bill partners who also play the role of MSPs. They're all categorized as specialized managed service providers (MSPs) who completely manage customer's environment as outsourced IT department. This section is categorized roles required by tasks and functions.

Typical tasks of a tier-1 technician in managed services

Role Task Function
Service support administrator Submit support requests on behalf of the customer. Help Desk creates and manages support requests.
Security reader View security-related policies across Microsoft 365 services. Help Desk collects discovery on customer tenant to troubleshoot or update security and compliance portal policies, such as data loss prevention policies.
Intune administrator Can manage all aspects of the Intune product. Help Desk handles customer device enrollment and troubleshooting.
SharePoint administrator Can manage all aspects of the SharePoint service. Help Desk manages SharePoint site permissions.
Teams communications support specialist Can manage the Microsoft Teams service. Help Desk troubleshoots call quality issues.
Help Desk administrator Can reset passwords for non-administrators and these admins: Directory Readers Guest Inviter Help Desk administrator Message Center Reader Password administrator Reports Reader. Help Desk resets passwords.
Desktop analytics administrator Can access and manage desktop management tools and services. Help Desk can manage the desktop analytics service by viewing asset inventory and reading standard properties of authorization policies.
Authentication administrator Has access to view, set, and reset authentication method information for any non-admin user. Help Desk can access to view, set, and reset authentication method information for any non-admin user (for example, MFA and conditional access).
Exchange administrator Users with this role have global permissions within Microsoft Exchange Online when the service is present. Also has the ability to create and manage all Microsoft 365 groups, manage support requests, and monitor service health; can send OBO and manage inboxes. Help Desk manages shared mailboxes, helps solve mailbox quota issues, and creates and manages transport rules.
License administrator Can assign, remove, and update license assignments. During troubleshooting, Help Desk assesses and remediates if there's a licensing issue with the support request.
User administrator Can manage all aspects of users and groups, including resetting passwords for limited admins; can block user sign-in. Help Desk manages all aspects of users and groups, including resetting passwords for limited admins and blocking a former customer employee's access to Microsoft 365 services.
Groups administrator Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports. Help Desk adds owners to groups and adds members to groups.
Directory reader Users in this role can read basic directory information. Help Desk can read basic directory information as part of troubleshooting.
Message center reader Can read messages and updates for their organization in Office 365 Message Center only. Help Desk reads Message Center to troubleshoot support issues.
Printer administration Users with this role can register printers and manage all aspects of all printer configurations in the Microsoft Universal Print solution, including the Universal Print Connector settings. They can consent to all delegated print permission requests. Printer administrators also have access to print reports. Help Desk would manage printer configurations and troubleshoot printer issues.
Guest inviter Users in this role can manage Microsoft Entra B2B guest user invitations. Help Desk can invite guest users independent of the Members can invite guests setting.

Least-privileged role by task

The following table displays tasks within each GDAP capability, along with the least-privileged role required to perform each task.

GDAP capability Task Least-privileged role
Support Submit support ticket Service support administrator
Users Add user to directory role Privileged role administrator
Add user to group User administrator
Assign license License administrator
Create guest user Guest inviter
Reset guest user invitation User administrator
Create user User administrator
Delete user User administrator
Invalidate refresh tokens of limited admin User administrator
Invalidate refresh tokens of nonadmin Password administrator
Invalidate refresh tokens of privileged admin Privileged authentication administrator
Read basic configuration Default user role
Reset password for limited admin User administrator
Reset password for nonadmin Password administrator
Reset password for privileged admin Privileged authentication administrator
Revoke license License administrator
Update all properties except user principal name User administrator
Update user principal name for limited admin User administrator
Update user principal name for privileged admin Global administrator
Update user settings Global administrator
Update authentication methods Authentication administrator
Groups Assign license User administrator
Create group Groups administrator
Create, update, or delete access review of a group or app User administrator
Manage group expiration User administrator
Manage group settings Groups administrator
Read all configuration (except hidden membership) Directory readers
Read hidden membership Group member
Read membership of groups with hidden membership Help Desk administrator
Revoke license License administrator
Update group membership Group owner
Update group owners Group owner
Update group properties Group owner
Delete group Groups administrator
Licenses Assign license License administrator
Read all configuration Directory readers
Revoke license License administrator

Roles by complexity

Role Simple Medium Complex
Application administrator x
Application developer x
Attack payload author x
Attack Simulation administrator x
Authentication administrator x
Microsoft Entra joined device Local administrator x
Azure DevOps administrator x
Azure information protection administrator x
Billing administrator x
Cloud Application administrator x x
Cloud device administrator x
Compliance administrator x
Conditional access administrator x
Desktop analytics administrator x
Directory readers x x x
Directory synchronization accounts x
Domain name administrator x
Dynamics 365 administrator x x
Exchange administrator x x
Exchange recipient administrator x
External identity provider administrator x
Global reader x x x
Groups administrator x
Guest inviter x
Helpdesk administrator x x x
Hybrid identify administrator x
Insights administrator x
Intune administrator x x
License administrator x x x
Message Center privacy Reader x
Message Center reader x
Network administrator x
Office apps administrator x
Password administrator x
Power BI administrator x x
Power Platform administrator x x
Printer administrator x
Printer Technician x
Privileged authentication administrator x
Privileged role administrator x
Reports reader x x
Search administrator x
Search editor x
Security administrator x x
Security reader x x
Service support administrator x x x
SharePoint administrator x x
Skype for Business administrator x
Teams administrator x x
Teams communications administrator x
Teams communications support engineer x
Teams communications support specialist x
Teams devices administrator x
User administrator x x x
Windows 365 administrator x x