GDAP relationships don’t scale themselves. What works fine for five customer tenants becomes an operational bottleneck at fifty, and a genuine risk at two hundred when expiring relationships start slipping through the cracks.
Microsoft’s Partner Center handles GDAP setup well enough for individual relationships, but it wasn’t built for MSPs managing sprawling multi-tenant environments. This guide covers the mechanics of GDAP relationships, the challenges that compound at scale, and the practices that turn GDAP from administrative overhead into a repeatable, secure foundation for your managed services.
What is GDAP and why MSPs need it
Managing Granular Delegated Admin Privileges (GDAP) across multiple CSP environments comes down to three things: creating standardized role-based access templates, mapping those templates to security groups in your partner tenant, and using Partner Center to handle customer approvals. Instead of granting blanket admin access, you assign only the specific Microsoft Entra roles each technician actually uses—and those assignments expire after a set period.
GDAP replaced Delegated Admin Privileges (DAP), which Microsoft fully deprecated in 2023. The old model gave CSP partners standing Global Administrator access to every customer tenant, indefinitely. GDAP flips that approach entirely.
- GDAP: Time-bound, role-specific access where partners request only the Entra roles they need, with relationships that expire and require renewal
- DAP (deprecated): The legacy model that automatically granted Global Administrator rights to CSP partners with no expiration
- Zero Trust alignment: GDAP enforces least privilege, meaning partners receive the minimum access required for their work—nothing more
How GDAP relationships work in Microsoft Partner Center
A GDAP relationship is essentially a formal agreement between your CSP partner tenant and a customer’s Microsoft 365 tenant. It spells out which roles your team can use, how long the access lasts, and which security groups can exercise those permissions.
GDAP roles and security group assignments
Here’s where GDAP differs from what you might expect: it assigns Microsoft Entra roles to security groups, not individual users. You create groups in your partner tenant—something like “Helpdesk Tier 1” or “Security Admins”—and then assign those groups to the GDAP relationship.
The roles MSPs typically request include Exchange Administrator for mailbox work, Intune Administrator for device policies, User Administrator for account provisioning, and Security Reader for monitoring. Global Administrator? Rarely necessary when you scope roles properly.
Least privilege access and role scoping
Least privilege means requesting only the roles your technicians actually use day-to-day. A helpdesk tech resetting passwords doesn’t need Exchange Administrator rights. A security analyst reviewing sign-in logs doesn’t need User Administrator access.
The practical benefit is straightforward: if a technician’s credentials get compromised, the attacker only gains access to that user’s limited role assignments—not full administrative control over customer tenants.
Cross-tenant access settings for CSP partners
Cross-tenant access settings control how external organizations, including CSP partners, interact with a customer’s tenant. When a customer approves a GDAP relationship, they’re trusting your partner tenant to authenticate users who will access their environment.
Customers can configure inbound access policies to require specific authentication methods from partner users. This explains why enforcing MFA on your partner tenant matters—some customers configure their tenants to reject access from partners without strong authentication.
How to set up a GDAP relationship step by step
The GDAP setup workflow stays consistent, though you’ll repeat it for each customer tenant. Once you understand the process, you can spot where automation and standardization save the most time.
1. Request a GDAP relationship in Partner Center
In Partner Center, go to Customers, select the customer, and choose “Request admin relationship.” You’ll pick the specific Entra roles you want and set a duration—up to 730 days, or roughly two years. Each customer tenant requires its own separate request.
2. Customer approval and admin consent
Partner Center generates a unique approval link that you send to your customer. A Global Administrator in the customer’s tenant clicks the link and approves the relationship. If nobody approves within 90 days, the link expires.
3. Assign Microsoft Entra roles to security groups
After approval, you map the granted roles to your internal security groups. This step determines which technicians can actually use the access. You might assign User Administrator to your “Helpdesk” group and Security Reader to your “SOC Analysts” group.
4. Configure GDAP expiration and auto-extension
GDAP relationships expire based on the duration you set during the request. Auto-extend, when enabled, automatically renews the relationship before expiration with the same role assignments—no customer re-approval required. Without auto-extend, you’ll request a new relationship and get customer approval all over again.
5. Audit GDAP activity logs
Partner Center logs GDAP relationship changes, and customer tenants log administrative actions taken by partner users. Reviewing these logs helps verify that technicians are using appropriate access and surfaces any unusual activity.
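The five steps above are the same for every tenant, which is exactly why they are worth generating from a template instead of clicking through. The following Python is an added example written for this guide, not Partner Center's, Microsoft's or Augmentt's code. It builds the request bodies for step 1 (the relationship request, with the 730-day cap) and step 3 (mapping a partner security group to a subset of the approved roles), modelled on the Microsoft Graph delegatedAdminRelationship and delegatedAdminAccessAssignment resources; check the field names against the current Graph reference before sending them, and treat the P180D auto-extend period and the tenant and group IDs in the demo as assumed placeholders.

```python
"""Request bodies for steps 1 and 3 of the GDAP workflow, generated from a role template.

Added example; this is not Partner Center's, Microsoft's or Augmentt's code. The body
shapes are modelled on the Microsoft Graph delegatedAdminRelationship and
delegatedAdminAccessAssignment resources (POST /tenantRelationships/delegatedAdminRelationships
and POST .../delegatedAdminRelationships/{id}/accessAssignments); confirm field names
against the current Graph reference before wiring this to a real request. Tenant and
group IDs in the demo at the bottom are constructed placeholders.
"""

MAX_DURATION_DAYS = 730          # Partner Center cap quoted in the article
AUTO_EXTEND_OFF = "PT0S"         # ISO 8601 zero duration: no auto-extend
AUTO_EXTEND_PERIOD = "P180D"     # assumed auto-extend period for this example

# Microsoft Entra built-in role template IDs (the same in every tenant).
ROLE_IDS = {
    "User Administrator": "fe930be7-5e62-47db-91af-98c3a49a38b1",
    "Exchange Administrator": "29232cdf-9323-42fd-ade2-1d097af3e4de",
    "Intune Administrator": "3a2c62db-5318-420d-8d74-23affee5d9d5",
    "Security Reader": "5d6b6bb7-de71-4623-b4af-96380a352509",
    "Global Administrator": "62e90394-69f5-4237-9190-012177145e10",
}


def request_problems(role_names, duration_days, allow_global_admin=False):
    """Policy checks to run before a request leaves your tooling. Empty list means OK."""
    problems = []
    if not 1 <= duration_days <= MAX_DURATION_DAYS:
        problems.append(f"duration {duration_days}d outside 1..{MAX_DURATION_DAYS}")
    for name in role_names:
        if name not in ROLE_IDS:
            problems.append(f"unknown role {name!r}")
    if "Global Administrator" in role_names and not allow_global_admin:
        problems.append("Global Administrator requested; scope roles instead")
    if len(set(role_names)) != len(role_names):
        problems.append("duplicate roles in template")
    return problems


def relationship_request(customer_tenant_id, display_name, role_names,
                         duration_days=MAX_DURATION_DAYS, auto_extend=True):
    """Step 1: body for creating the relationship request (customer approval comes later)."""
    problems = request_problems(role_names, duration_days)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "displayName": display_name,
        "duration": f"P{duration_days}D",                  # ISO 8601, e.g. P730D
        "customer": {"tenantId": customer_tenant_id},
        "accessDetails": {
            "unifiedRoles": [{"roleDefinitionId": ROLE_IDS[n]} for n in role_names]
        },
        "autoExtendDuration": AUTO_EXTEND_PERIOD if auto_extend else AUTO_EXTEND_OFF,
    }


def unapproved_roles(relationship, role_names):
    """Roles a group assignment would need that the relationship does not carry."""
    granted = {r["roleDefinitionId"] for r in relationship["accessDetails"]["unifiedRoles"]}
    return sorted(n for n in role_names if ROLE_IDS.get(n) not in granted)


def access_assignment(relationship, group_object_id, role_names):
    """Step 3: map one partner-tenant security group to a subset of the approved roles.

    A group can never receive more than the customer approved; checking locally
    gives a clearer error than a rejected API call would.
    """
    missing = unapproved_roles(relationship, role_names)
    if missing:
        raise ValueError(f"not approved in this relationship: {missing}")
    return {
        "accessContainer": {
            "accessContainerId": group_object_id,
            "accessContainerType": "securityGroup",
        },
        "accessDetails": {
            "unifiedRoles": [{"roleDefinitionId": ROLE_IDS[n]} for n in role_names]
        },
    }


STANDARD_MANAGED_SERVICES = ["User Administrator", "Exchange Administrator",
                             "Intune Administrator", "Security Reader"]

if __name__ == "__main__":
    import json
    # Constructed placeholder IDs, not real tenants or groups.
    rel = relationship_request("00000000-0000-0000-0000-00000000c057",
                               "Standard Managed Services", STANDARD_MANAGED_SERVICES, 730)
    helpdesk = access_assignment(rel, "00000000-0000-0000-0000-0000000000a1", ["User Administrator"])
    soc = access_assignment(rel, "00000000-0000-0000-0000-0000000000a2", ["Security Reader"])
    print(json.dumps({"request": rel, "assignments": [helpdesk, soc]}, indent=2))
```

The two validation helpers are the point: `request_problems` rejects durations past the cap and an ad-hoc Global Administrator request before it reaches a customer, and `unapproved_roles` catches the step 3 mistake of assigning a group a role the customer never approved. Running the demo prints the request and the two "Helpdesk" and "SOC Analysts" assignments from step 3.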
GDAP challenges MSPs face in multi-CSP environments
The GDAP model works fine for individual relationships. But MSPs managing dozens or hundreds of customer tenants run into operational friction that compounds quickly.
Manual and repetitive setup across tenants
Each GDAP relationship requires individual configuration. Partner Center doesn’t offer native bulk setup, so onboarding 50 new customers means repeating the same workflow 50 times. The manual process introduces inconsistency and eats up technician hours.
No bulk role assignment in Partner Center
After customers approve relationships, you still assign security groups to roles one relationship at a time. For MSPs with large customer bases, this step alone can take hours during onboarding or when adjusting role assignments across your portfolio.
Tracking expirations across hundreds of relationships
GDAP relationships expire. Without centralized tracking, you risk losing access to customer tenants unexpectedly—often discovering the problem only when a technician can’t complete a support ticket. Microsoft doesn’t send proactive expiration warnings to partners.
Inconsistent role scoping between CSP partners
When customers work with multiple CSPs—perhaps one for licensing and another for managed services—each partner has independent GDAP relationships with potentially overlapping or conflicting role assignments. This creates confusion about who has what access and complicates security audits.
| Challenge | Under DAP | Under GDAP |
|---|---|---|
| Access scope | All-or-nothing Global Admin | Granular role selection |
| Duration | Indefinite | Time-limited (requires renewal) |
| Multi-CSP visibility | Limited | Per-relationship tracking required |
| Bulk management | Not applicable | Not natively supported |
GDAP security best practices for multi-tenant MSPs
Standardizing your GDAP approach across all customer tenants reduces risk and makes your security posture auditable. The following practices work whether you manage 20 tenants or 200.
Use a third-party multi-tenant tool
Native Partner Center workflows weren’t designed for MSP-scale operations. Multi-tenant management platforms centralize GDAP visibility, automate repetitive tasks, and provide the single-pane-of-glass view that Partner Center lacks. Augmentt’s Secure Autopilot, for example, surfaces GDAP status alongside security configurations across all your customer tenants from one dashboard.
Tiered security groups for L1, L2, and L3 technicians
Create separate security groups mapped to different GDAP role sets based on technician tier. Your L1 helpdesk team might get Password Administrator and Helpdesk Administrator, while L3 engineers get broader roles like Exchange Administrator or Security Administrator.
This structure lets junior technicians handle routine tasks without accessing sensitive configurations. It also simplifies onboarding—add a new hire to the appropriate group, and they inherit the correct GDAP access across all customers automatically.
Standardized least privilege role templates
Build reusable role templates for common MSP scenarios rather than selecting roles ad-hoc for each customer. A “Standard Managed Services” template might include User Administrator, Exchange Administrator, and Intune Administrator. A “Security Monitoring Only” template might include just Security Reader and Reports Reader.
MFA enforcement and authentication strength policies
Requiring phishing-resistant MFA for all technicians accessing customer tenants via GDAP is increasingly standard practice. You can configure authentication strength conditional access policies in your partner tenant to enforce this requirement. Customers increasingly audit their CSP partners’ authentication practices, so this protects both sides.
Regular access reviews and attestation workflows
Scheduling quarterly reviews of which security groups have access to which customer tenants helps catch stale assignments. Technicians leave or change roles, and role assignments drift from operational needs over time. Regular reviews support compliance requirements and reduce standing access risk.
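A quarterly review is only as good as the comparison it makes, so here is the check in code: take the relationship list, compare each active one against the template the customer is contracted for, and report drift, Global Administrator grants, relationships to tenants you no longer manage, and managed customers with no active relationship at all. This Python is an added example for this guide, not Augmentt's or Microsoft's code. The records follow the shape of the Microsoft Graph delegatedAdminRelationship resource (in practice they come from GET /tenantRelationships/delegatedAdminRelationships); the tenant IDs, customer list and relationships are constructed, and the two templates are the ones named in the "Standardized least privilege role templates" section above.

```python
"""Quarterly access-review helper: compare live GDAP relationships against the
standard role templates and list what drifted.

Added example; not Augmentt's or Microsoft's code. The relationship records are
constructed to follow the shape of the Microsoft Graph delegatedAdminRelationship
resource (id, status, customer.tenantId, accessDetails.unifiedRoles[].roleDefinitionId).
Tenant IDs and the customer list are made up.
"""
from collections import defaultdict

# Microsoft Entra built-in role template IDs (the same in every tenant).
ROLE_NAMES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "29232cdf-9323-42fd-ade2-1d097af3e4de": "Exchange Administrator",
    "3a2c62db-5318-420d-8d74-23affee5d9d5": "Intune Administrator",
    "fe930be7-5e62-47db-91af-98c3a49a38b1": "User Administrator",
    "5d6b6bb7-de71-4623-b4af-96380a352509": "Security Reader",
    "4a5d8f65-41da-4de4-8968-e035b65339cf": "Reports Reader",
}
ROLE_IDS = {name: rid for rid, name in ROLE_NAMES.items()}
GLOBAL_ADMIN = ROLE_IDS["Global Administrator"]

# The article's two templates, expressed as the maximum role set allowed.
TEMPLATES = {
    "Standard Managed Services": {ROLE_IDS[n] for n in
        ("User Administrator", "Exchange Administrator", "Intune Administrator")},
    "Security Monitoring Only": {ROLE_IDS[n] for n in ("Security Reader", "Reports Reader")},
}

# Constructed: the customers you manage and the template each one is contracted for.
T_CONTOSO, T_FABRIKAM, T_NORTHWIND, T_OFFBOARDED = (
    "11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222",
    "33333333-3333-3333-3333-333333333333", "44444444-4444-4444-4444-444444444444")
MANAGED_CUSTOMERS = {
    T_CONTOSO: "Standard Managed Services",
    T_FABRIKAM: "Security Monitoring Only",
    T_NORTHWIND: "Standard Managed Services",
}


def make_relationship(rel_id, tenant_id, status, *role_names):
    """Build a Graph-shaped record from role names (constructed sample data)."""
    return {
        "id": rel_id, "status": status,
        "customer": {"tenantId": tenant_id},
        "accessDetails": {"unifiedRoles": [{"roleDefinitionId": ROLE_IDS[n]} for n in role_names]},
    }


RELATIONSHIPS = [
    make_relationship("rel-001", T_CONTOSO, "active",
                      "User Administrator", "Exchange Administrator", "Intune Administrator"),
    make_relationship("rel-002", T_FABRIKAM, "active",       # ad-hoc Global Admin crept in
                      "Security Reader", "Reports Reader", "Global Administrator"),
    make_relationship("rel-003", T_NORTHWIND, "expired", "User Administrator"),
    make_relationship("rel-004", T_OFFBOARDED, "active", "Exchange Administrator"),
]


def names(role_ids):
    """Readable, sorted role names for a set of role definition IDs."""
    return sorted(ROLE_NAMES.get(rid, rid) for rid in role_ids)


def review(relationships, managed_customers, templates):
    """Return {tenantId: [(finding, relationship_id, role_names), ...]}.

    Findings:
      excess_roles           roles granted beyond the customer's template
      global_admin           relationship carries Global Administrator
      unmanaged_customer     active relationship to a tenant you no longer manage
      no_active_relationship managed customer with no active relationship at all
    Only 'active' relationships are assessed; Graph reports other states
    (approvalPending, expired, terminated, ...) that grant no access.
    """
    findings = defaultdict(list)
    covered = set()
    for rel in relationships:
        if rel["status"] != "active":
            continue
        tenant = rel["customer"]["tenantId"]
        covered.add(tenant)
        granted = {r["roleDefinitionId"] for r in rel["accessDetails"]["unifiedRoles"]}
        if GLOBAL_ADMIN in granted:
            findings[tenant].append(("global_admin", rel["id"], ["Global Administrator"]))
        template_name = managed_customers.get(tenant)
        if template_name is None:
            findings[tenant].append(("unmanaged_customer", rel["id"], names(granted)))
            continue
        excess = granted - templates[template_name]
        if excess:
            findings[tenant].append(("excess_roles", rel["id"], names(excess)))
    for tenant in managed_customers:
        if tenant not in covered:
            findings[tenant].append(("no_active_relationship", None, []))
    return dict(findings)


if __name__ == "__main__":
    for tenant, items in review(RELATIONSHIPS, MANAGED_CUSTOMERS, TEMPLATES).items():
        for finding, rel_id, roles in items:
            print(f"{tenant}  {finding:<24} {rel_id or '-':<8} {', '.join(roles)}")
```

On the sample data the review is silent for Contoso (exactly on template), flags rel-002 twice for Fabrikam (a Global Administrator grant, which is also the excess over the monitoring template), reports Northwind as having no active relationship because its only one has expired, and flags rel-004 as a leftover relationship to an offboarded tenant that should be terminated. Templates are modelled as a ceiling rather than an exact match, so a customer granted fewer roles than the template is not a finding.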
How to track GDAP expiration and renewals at scale
Expired GDAP relationships mean lost access at the worst possible time—usually when a customer has an urgent issue. Proactive tracking prevents these disruptions before they happen.
- Partner Center reports: You can export relationship data manually, but this requires regular attention and doesn’t provide alerts
- PowerShell scripts: The Partner Center API supports automated queries, though scripts require maintenance as Microsoft updates the API
- Third-party multi-tenant platforms: Centralized dashboards with automated expiration alerts and PSA integration work well here. Augmentt surfaces expiring relationships alongside other tenant health indicators, creating tickets before access lapses.
How to centralize GDAP visibility across all customer tenants
A unified view of GDAP status across your entire customer base transforms GDAP from an administrative burden into operational intelligence. Instead of checking relationships one by one, you see everything in context.
Unified dashboards for GDAP relationship status
An effective GDAP dashboard shows relationship status, expiration dates, assigned roles, and customer tenant mapping in one view. You can quickly identify which customers have relationships expiring soon, which have non-standard role assignments, and which lack relationships entirely.
Automated alerts for expiring GDAP relationships
Automated alerting prevents access loss by notifying your team before relationships expire. Effective alerts include the customer name, expiration date, and assigned roles so technicians can take action without researching the relationship details first.
PSA integration for GDAP renewal tickets
Integrating GDAP expiration alerts with your PSA creates actionable tickets that fit your existing workflow. A ticket created 30 days before expiration gives your team time to coordinate with the customer if re-approval is needed—rather than scrambling after access disappears.
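The tracking, alerting and ticketing described in the last few sections reduce to one classification step per relationship. The Python below is an added example for this guide, not Augmentt's or Microsoft's code; it reads the fields a Graph delegatedAdminRelationship carries (status, endDateTime, autoExtendDuration, customer.displayName), classifies each relationship, and emits PSA-style tickets 30 days ahead with the customer, expiry date and roles attached. It distinguishes relationships with auto-extend enabled (a low-priority "confirm it renewed" ticket) from those that need fresh customer approval, and treats an expired relationship as the top priority because access is already gone. Customers, dates, role IDs and the ticket layout are constructed, and the clock is fixed so the sample output is reproducible.

```python
"""Expiration tracking for GDAP relationships: classify each one and emit PSA-style
renewal tickets 30 days ahead.

Added example; not Augmentt's or Microsoft's code. Records are constructed to follow
the Microsoft Graph delegatedAdminRelationship fields used here (id, displayName,
status, endDateTime, autoExtendDuration, customer.displayName); customers, dates and
role IDs are made up. The ticket dictionary is a hypothetical PSA payload.
"""
from datetime import datetime, timezone

TICKET_LEAD_DAYS = 30      # open the renewal ticket this many days before expiry
AUTO_EXTEND_OFF = "PT0S"   # Graph's zero duration: the relationship will not self-renew

# Priority order when several relationships compete for attention.
PRIORITY = {"expired": "P1", "renew_now": "P2", "auto_extend": "P3"}


def parse_graph_time(value):
    """Graph returns UTC timestamps such as 2025-06-20T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(rel, now):
    """Return (category, days_left).

      expired      access is already gone (status 'expired', or end date passed)
      renew_now    active, inside the lead window, auto-extend off: needs re-approval
      auto_extend  active, inside the lead window, auto-extend on: confirm it renews
      ok           active with more than TICKET_LEAD_DAYS remaining
      inactive     anything else (approvalPending without an end date, terminated, ...)
    """
    if not rel.get("endDateTime"):
        return "inactive", None
    days_left = (parse_graph_time(rel["endDateTime"]) - now).days
    if rel["status"] == "expired" or days_left < 0:
        return "expired", days_left
    if rel["status"] != "active":
        return "inactive", days_left
    if days_left > TICKET_LEAD_DAYS:
        return "ok", days_left
    if rel.get("autoExtendDuration", AUTO_EXTEND_OFF) != AUTO_EXTEND_OFF:
        return "auto_extend", days_left
    return "renew_now", days_left


def build_tickets(relationships, now=None):
    """Tickets for everything that needs a human, most urgent first.

    Each ticket carries customer, expiry and roles so the technician can act
    without opening Partner Center to research the relationship first.
    """
    now = now or datetime.now(timezone.utc)
    tickets = []
    for rel in relationships:
        category, days_left = classify(rel, now)
        if category not in PRIORITY:
            continue
        roles = [r["roleDefinitionId"] for r in rel["accessDetails"]["unifiedRoles"]]
        customer = rel["customer"]["displayName"]
        tickets.append({
            "priority": PRIORITY[category],
            "customer": customer,
            "relationship_id": rel["id"],
            "relationship": rel["displayName"],
            "expires": rel["endDateTime"],
            "days_left": days_left,
            "title": f"GDAP {category.replace('_', ' ')}: {customer}"
                     f" ({rel['displayName']}), {len(roles)} role(s)",
            # Resolve to names from your tenant's roleDefinitions if the PSA needs them.
            "role_ids": roles,
        })
    tickets.sort(key=lambda t: (t["priority"], t["days_left"]))
    return tickets


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed clock for the sample


def sample(rel_id, customer, name, status, end, auto_extend=AUTO_EXTEND_OFF, n_roles=3):
    """Constructed Graph-shaped record; role IDs are placeholders."""
    return {
        "id": rel_id, "displayName": name, "status": status, "endDateTime": end,
        "autoExtendDuration": auto_extend,
        "customer": {"displayName": customer},
        "accessDetails": {"unifiedRoles": [{"roleDefinitionId": f"role-{i}"} for i in range(n_roles)]},
    }


RELATIONSHIPS = [
    sample("rel-a", "Contoso (sample)", "Standard Managed Services", "active", "2025-06-20T00:00:00Z"),
    sample("rel-b", "Fabrikam (sample)", "Standard Managed Services", "active", "2025-06-25T00:00:00Z", "P180D"),
    sample("rel-c", "Northwind (sample)", "Security Monitoring Only", "expired", "2025-05-28T00:00:00Z", n_roles=2),
    sample("rel-d", "Litware (sample)", "Standard Managed Services", "active", "2026-01-01T00:00:00Z"),
    sample("rel-e", "Adatum (sample)", "Standard Managed Services", "approvalPending", None),
]

if __name__ == "__main__":
    for t in build_tickets(RELATIONSHIPS, NOW):
        print(f"{t['priority']}  {t['days_left']:>4}d  {t['title']}")
```

With the fixed clock the sample yields three tickets in order: Northwind (P1, already expired four days ago), Contoso (P2, 19 days left and no auto-extend, so customer re-approval has to be coordinated now), and Fabrikam (P3, auto-extend set, so the ticket is only a check that the renewal actually happened). Litware is fine and Adatum's pending request has no end date yet, so neither produces a ticket. Feed the function the full relationship list on a daily schedule and deduplicate against open tickets in your PSA.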
Turning GDAP into a scalable MSP advantage
MSPs who standardize and automate GDAP management deliver better security outcomes while reducing operational overhead. The discipline GDAP requires—least privilege roles, time-limited access, documented relationships—aligns with the security practices customers increasingly expect from their partners.
Rather than treating GDAP as a compliance checkbox, consider it infrastructure for your managed services. Consistent role templates, tiered technician access, and centralized visibility become competitive differentiators when customers evaluate their CSP partners’ security maturity.
Ready to simplify GDAP management across all your tenants? Augmentt provides centralized GDAP visibility, automated expiration tracking, and one-click security actions—so your team spends less time in Partner Center and more time delivering value to customers.
FAQs about managing GDAP across multiple CSP environments
Can a customer have GDAP relationships with multiple CSP partners at the same time?
Yes, a customer tenant can maintain active GDAP relationships with multiple CSP partners simultaneously. Each relationship has independently scoped roles and expiration dates, so one partner might have Exchange Administrator access while another has only Security Reader permissions.
What happens to GDAP access when a customer switches CSP providers?
GDAP relationships are tied to the specific CSP partner tenant, so switching providers requires the new CSP to request a fresh GDAP relationship and the customer to approve it. The old partner’s relationship remains active until it expires or the customer explicitly removes it.
How do I handle GDAP when working with both direct and indirect CSP models?
Each CSP relationship—whether direct or through a distributor—requires its own GDAP configuration. MSPs operating in both models manage separate relationships per customer, which can mean duplicate setup work for the same tenant.
What is the difference between GDAP auto-extend and creating a new GDAP relationship?
Auto-extend automatically renews an existing GDAP relationship before expiration, preserving the same role assignments without requiring customer re-approval. Creating a new relationship starts fresh, requiring customer approval and manual security group assignment.
Which Microsoft Entra roles are required for common MSP tasks under GDAP?
Common MSP tasks map to specific roles: Exchange Administrator for mailbox management, Intune Administrator for device policies, User Administrator for account provisioning, and Security Reader for monitoring. Global Administrator is rarely necessary when you follow least privilege principles.