MSPs: Enable GDAP or lose access to your O365 customers
Microsoft has released a new, more secure method for Managed Service Providers to perform administrative tasks against their clients' tenants, called Granular Delegated Admin Privileges, or GDAP for short.
Introduction
GDAP provides a much better least privilege access model. Least privilege is a core component of many cyber security frameworks, including the Australian Signals Directorate Essential Eight and the Zero Trust architecture model, to name just two.
GDAP makes it possible for MSPs and partners to have just the right level of access to their client tenants, so clients can be confident that their service providers do not have access where they shouldn't.
Instead of holding administrative access across every tenant it manages, a partner can now be delegated only the roles that are necessary to perform a given task.
Better still, GDAP relationships expire: after a maximum of two years a client will need to re-approve their partner's access. This feature alone helps in the situation where a client has insourced their technology and forgotten to remove the existing Delegated Admin Privileges (DAP, GDAP's predecessor, which never expired).
GDAP recommendations
Configure GDAP as soon as practical. As the partner you will need to request that the client approve your access to their tenant, so let them know in advance.
Next you will need to set up security groups in your own tenant and grant GDAP roles to those groups. Remember the least privilege model: always work with the lowest level of access needed to perform a task. For day-to-day work this will typically be a reader role in Azure Active Directory (for example Global Reader), with Just in Time (JIT) elevation used only when a staff member needs a privileged role to perform an admin task.
GDAP can be configured in several ways, but the easiest is below, using Microsoft's GDAP Migration Tool (catchy name).
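The steps above (create a security group, request a least-privilege relationship, map the group to it) can also be scripted against Microsoft Graph. The following is an added example written for this page, not code from the original post or from Microsoft's migration tool. It assumes the Microsoft Graph PowerShell SDK is installed, that it runs in the partner tenant as an account allowed to create delegated admin relationships, and that the customer tenant ID, relationship name and group name are placeholders you replace.

```powershell
# Added example (not from the original post): create a GDAP relationship limited to
# the Global Reader role with a 730-day lifetime, then bind a partner security group to it.
# Assumptions: Microsoft.Graph SDK installed; run from the partner tenant.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Identity.Partner

Connect-MgGraph -Scopes "DelegatedAdminRelationship.ReadWrite.All", `
                        "Group.ReadWrite.All", `
                        "RoleManagement.Read.Directory"

$customerTenantId = "00000000-0000-0000-0000-000000000000"   # placeholder: customer's tenant ID
$relationshipName = "Contoso GDAP - read only"               # placeholder
$groupName        = "GDAP-Contoso-Readers"                   # placeholder: group in the partner tenant

# 1. Resolve the role ID from the directory role templates instead of hard-coding a GUID.
$readerRole = Get-MgDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq "Global Reader" }
if (-not $readerRole) { throw "Global Reader role template not found" }

# 2. Create (or reuse) the partner-side security group for the reader tier.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName -MailNickname $groupName `
                         -MailEnabled:$false -SecurityEnabled:$true
}

# 3. Create the relationship. Only the reader role is requested, and the ISO 8601
#    duration P730D is the two-year maximum after which the customer must re-approve.
$relationship = Get-MgTenantRelationshipDelegatedAdminRelationship `
    -Filter "displayName eq '$relationshipName'" | Select-Object -First 1
if (-not $relationship) {
    $relationship = New-MgTenantRelationshipDelegatedAdminRelationship -BodyParameter @{
        displayName   = $relationshipName
        duration      = "P730D"
        customer      = @{ tenantId = $customerTenantId }
        accessDetails = @{ unifiedRoles = @(@{ roleDefinitionId = $readerRole.Id }) }
    }
    # Lock the request for approval; after this the customer's admin approves it.
    $lockUri = "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships/" +
               "$($relationship.Id)/lockForApproval"
    Invoke-MgGraphRequest -Method POST -Uri $lockUri
    Write-Host "Relationship $($relationship.Id) created and locked; send the approval request to the customer."
}

# 4. Once the customer has approved (status 'active'), bind the group to the reader role.
$relationship = Get-MgTenantRelationshipDelegatedAdminRelationship -DelegatedAdminRelationshipId $relationship.Id
if ($relationship.Status -eq "active") {
    New-MgTenantRelationshipDelegatedAdminRelationshipAccessAssignment `
        -DelegatedAdminRelationshipId $relationship.Id -BodyParameter @{
            accessContainer = @{ accessContainerId = $group.Id; accessContainerType = "securityGroup" }
            accessDetails   = @{ unifiedRoles = @(@{ roleDefinitionId = $readerRole.Id }) }
        }
    Write-Host "Group '$groupName' now holds Global Reader in tenant $customerTenantId via GDAP."
} else {
    Write-Host "Relationship status is '$($relationship.Status)'; re-run after the customer approves."
}
```

The script is written to be re-run: the first run creates and locks the request, and a later run (after the customer approves) adds the group assignment. Keep the roles in `accessDetails` to the minimum; a separate relationship or group with an administrator role, granted JIT, is the place for elevation rather than widening this one.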
Summary
Granular Delegated Admin Privileges, or GDAP, is the next stage in Microsoft's move towards a Zero Trust end goal. Everything Microsoft publishes is now aligning to Zero Trust; it is just a matter of time.
Using GDAP now gives your clients another reason to trust that you, as their partner, have just the access that you need at just the right time.
That provides additional assurance, and lets you go after new clients who may previously have been wary of a third party having access to their data.
If you would like assistance on this or anything else related to Microsoft Security then please reach out to me here.