Revised Microsoft GDAP Deadline Comes Soon

‘It’s definitely not as big of a deal as NCE, but still not the easiest task,’ Michael Goldstein, CEO of Microsoft partner LAN Infotech, tells CRN.


On Monday, Microsoft will begin the transition from delegated administration privileges (DAP) to granular delegated admin privileges (GDAP) in an effort to address customer security concerns, with a blackout period in June – the end of Microsoft’s fiscal year – and the transition resuming in July.

While not as drastic an overhaul as Redmond, Wash.-based Microsoft’s new commerce experience (NCE), the GDAP transition still takes time, partners who spoke with CRN warn.

“It’s definitely not as big of a deal as NCE, but still not the easiest task,” Michael Goldstein, CEO of Fort Lauderdale, Fla.-based Microsoft partner LAN Infotech, told CRN in an interview. “Clients get the link and they ask 50 questions. It’s still very time consuming.”

Sponsored post

[RELATED: Deadlines Loom For Microsoft Security Partners’ Granular Delegated Administrator Privileges Transition]

Microsoft GDAP Update

CRN has reached out to Microsoft for comment.

Not switching to GDAP and getting a handle on GDAP can result in some vendor integrations and automations breaking, according to Nick Ross, vice president of product development at Microsoft partner Sourcepass and a partner blogger at T-Minus 365.

Goldstein – whose company is a member of CRN’s 2023 Managed Service Provider 500 – estimates that he’s about halfway to moving all his clients over to the new system, which promises more specific and time-bound access for partners to customer workloads.

The goal of GDAP is to deal with customer security concerns if they are uncomfortable with high levels of partner access. GDAP also promises to help customers with regulatory requirements that mandate partners receive least-privileged access, according to Microsoft.

Zac Paulson, CEO of Fargo, N.D.-based Microsoft partner TrueIT – another CRN MSP 500 member – told CRN in an interview that the shift to GDAP is less of a lift than NCE and he’s glad to see Microsoft taking security seriously.

“Anything to increase security resilience is a good thing, especially as we see things like account takeovers becoming more and more prevalent,” Paulson said.

Bobby Guerra, CEO of Jacksonville, Fla.-based Microsoft partner Axiom, told CRN in an interview that GDAP is still missing features that he wants, including some license and billing changes.

“We will let it switch from DAP to GDAP and just leave it at the most restrictive setting,” he said. “Our plan is to explore alternative options.”

The transition to GDAP is “nowhere close” to as heavy a lift as NCE, Guerra said. This year, he had to dedicate an employee to handling NCE renewals. .

GDAP Transition

The partner and the person within the partner organization who is the administrative agent should request a GDAP relationship with Azure Active Directory (Azure AD) roles if a customer tenant needs admin access, according to Microsoft. Once GDAP is complete, the partner should disable DAP.

If admin access isn’t required, then the partner should review the DAP monitoring report and disable DAP relationships immediately.

On Monday, Microsoft will start moving DAP relationships to GDAP. Corresponding predefined Cloud Solution Provider (CSP) security groups will have default roles automatically assigned.

Microsoft will remove DAP relationships 30 days after a GDAP relationship was established by the vendor.

Tools such as Microsoft 365 Lighthouse, the CyberDrain Improved Partner Portal (CIPP) and the Pax8 GDAP Tool can help partners with the migration.

Revised Timeline

In March, Microsoft revised the GDAP timeline, which had been set for January 2023.

Microsoft delayed the GDAP timeline due to an issue with customer tenant names where a double-byte character prevented GDAP from working. The vendor also worked to design a feature to give partners default Azure Active Directory (Azure AD) roles when creating a new customer tenant.

Microsoft wants partners and customers to move to GDAP because DAP’s longevity and high-privileged access makes it susceptible to security attacks from groups such as Nobelium.