Azure GDAP (Granular Delegated Admin Privileges) allows Microsoft partners to manage customers’ Azure or Microsoft 365 environments with finely tuned permissions. In MSPControl, the Azure GDAP page provides an overview of these admin relationships, letting you check compliance, view assigned roles, and terminate outdated or non-compliant privileges.
The main Azure GDAP (or Admin Relationships) page lists all active and expired GDAP links between your partner account and customer tenants. Common columns include:
Admin Relationship Name – A descriptive label (e.g., Contoso-GDAP-relationship) for the GDAP relationship.
Customer – The tenant or customer name (e.g., Contoso) linked to the GDAP relationship.
Status – Indicates whether the relationship is Active, Expired, or Pending.
Start Date – The date when the GDAP relationship began.
End Date – When the relationship is set to expire (if any).
Compliance Status – Shows if the relationship meets your organization’s policy requirements (e.g., Policy Compliant or Non-Compliant).
Terminate – A button or icon (e.g., “Terminate Admin Relationship”) to end the GDAP privileges for that customer.
Filters like Only Active, Only Created in Crom Portal, or Only Not Compliant help you narrow the list and find specific relationships quickly.
Clicking the Admin Relationship Name opens a panel showing in-depth info:
Status – Reiterates whether it’s Active or Expired.
Start / End Dates – The official date range for the GDAP privileges.
Roles & Permissions – A list of Azure or M365 admin roles granted (e.g., Azure Information Protection Administrator, Billing Administrator, Global Administrator).
Security Groups – Any groups or security-based memberships tied to the relationship.
This panel helps confirm which privileges are assigned and when they expire, ensuring you have a clear record of delegated access.
If a relationship is no longer needed or is found to be non-compliant, click Terminate Admin Relationship in the table. MSPControl prompts you to confirm the action. Once terminated, the partner account loses the associated privileges for that customer tenant.
Review Regularly – Periodically check End Dates and Compliance Status to ensure privileges aren’t overextended or misaligned with policy.
Use Filters – Focus on Only Not Compliant or Only Active to quickly address relationships needing attention.
Maintain Documentation – Note reasons for each relationship, especially for high-privilege roles like Global Administrator.
Terminate Unused Access – End relationships that are no longer necessary to reduce your security footprint.
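The four review steps above can be run as a script against an export of the Admin Relationships table. The following Python is an added example, not MSPControl's or Microsoft's own code: it applies the end-date, compliance and high-privilege-role checks to a constructed list of relationships shaped like the table columns described on this page. The field names, the sample records, the 30-day expiry warning window and the set of roles treated as high-privilege are all assumptions made for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Roles the review treats as high-privilege. "Global Administrator" is the one
# named on the page; the second entry is an assumed addition for illustration.
HIGH_PRIVILEGE_ROLES = {"Global Administrator", "Privileged Role Administrator"}


@dataclass
class AdminRelationship:
    """One row of the Admin Relationships table (field names are assumed)."""
    name: str
    customer: str
    status: str                 # "Active", "Expired" or "Pending"
    start_date: date
    end_date: date | None       # None: no expiry recorded for the relationship
    roles: list[str] = field(default_factory=list)
    compliance: str = "Policy Compliant"   # or "Non-Compliant"


@dataclass
class Finding:
    relationship: str
    customer: str
    reason: str


def review(relationships: list[AdminRelationship], today: date,
           expiry_warning_days: int = 30) -> list[Finding]:
    """Return one Finding per condition a periodic review should act on."""
    findings: list[Finding] = []
    for r in relationships:
        if r.compliance != "Policy Compliant":
            findings.append(Finding(r.name, r.customer, "flagged Non-Compliant"))
        # End-date checks: expired, open-ended, or about to expire.
        if r.status == "Expired" or (r.end_date is not None and r.end_date < today):
            findings.append(Finding(r.name, r.customer, "expired; terminate or renew"))
        elif r.end_date is None:
            findings.append(Finding(r.name, r.customer,
                                    "no end date; delegated access is not time-bound"))
        elif (r.end_date - today).days <= expiry_warning_days:
            days = (r.end_date - today).days
            findings.append(Finding(r.name, r.customer, f"expires in {days} days"))
        # High-privilege roles deserve a documented justification.
        high = sorted(HIGH_PRIVILEGE_ROLES & set(r.roles))
        if high:
            findings.append(Finding(r.name, r.customer,
                                    "grants high-privilege role(s): " + ", ".join(high)))
    return findings


def termination_candidates(relationships: list[AdminRelationship],
                           today: date) -> list[str]:
    """Names of relationships that are expired or non-compliant, i.e. the ones
    to end with Terminate Admin Relationship."""
    names = []
    for r in relationships:
        expired = r.status == "Expired" or (r.end_date is not None and r.end_date < today)
        if expired or r.compliance != "Policy Compliant":
            names.append(r.name)
    return sorted(names)


# Constructed sample rows; customer names follow the page's Contoso example.
SAMPLE_RELATIONSHIPS = [
    AdminRelationship("Contoso-GDAP-relationship", "Contoso", "Active",
                      date(2024, 1, 15), date(2025, 6, 30),
                      ["Billing Administrator", "Global Administrator"]),
    AdminRelationship("Fabrikam-GDAP", "Fabrikam", "Expired",
                      date(2023, 3, 1), date(2024, 3, 1),
                      ["Azure Information Protection Administrator"]),
    AdminRelationship("Northwind-GDAP", "Northwind", "Active",
                      date(2024, 5, 1), None,
                      ["Billing Administrator"], compliance="Non-Compliant"),
]
REVIEW_DATE = date(2025, 6, 10)   # assumed date of the review run

if __name__ == "__main__":
    for f in review(SAMPLE_RELATIONSHIPS, REVIEW_DATE):
        print(f"{f.customer:10} {f.relationship:28} {f.reason}")
    print("terminate:", termination_candidates(SAMPLE_RELATIONSHIPS, REVIEW_DATE))
```

With the sample data the run reports five findings (Contoso expiring in 20 days and holding Global Administrator, Fabrikam expired, Northwind non-compliant and open-ended) and lists Fabrikam and Northwind as termination candidates. The same checks apply unchanged to rows exported from the MSPControl table or, if the field names are mapped, to relationship records retrieved from another source.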
By using Azure GDAP in MSPControl, partners gain a clear overview of delegated admin privileges, ensuring each customer’s environment remains secure, compliant, and properly governed.
GDAP is a security feature that gives partners least-privileged access in line with the Zero Trust security model. It lets partners configure granular and time-bound access to their customers’ workloads in production and sandbox environments. Customers must explicitly grant that least-privileged access to their partners.
Partner access can be partitioned per customer. With GDAP, the Admin Agents group no longer has access to every customer tenant’s Azure subscriptions by default. Instead, the partner users who manage Azure are placed in a separate security group, which is a member of the Admin Agents group; that security group is granted the Owner role (Azure role-based access control, RBAC) on all Azure subscriptions of that customer.
Partners who manage Azure no longer receive the Global Administrator role on their customer’s tenant; by default they instead receive lower permissions that allow reading the customer directory.
Partners can transition from DAP to GDAP and eventually remove DAP (Global Administrator) on customers’ tenants without any effect on partner earned credit (PEC).