
Important changes to Microsoft partner administrator privileges


Historically, when an organisation chose a Microsoft Partner to resell a product or subscription or to help implement a solution, that partner was given Delegated Administrator Privileges (DAP). This meant that the partner had full admin access to the organisation’s entire Azure Active Directory.

For partners and customers alike, this raised many concerns. In situations where an organisation has several partners (typically providing different subscriptions and services), each partner has complete control over all Microsoft cloud services, creating opportunities for confusion and increased risk for the customer.

To mitigate this, Microsoft introduced Granular Delegated Admin Privileges (GDAP) to replace DAP. GDAP allows the customer to delegate only the roles and permissions that the partner actually needs in order to provide its specific services and subscriptions. It follows the principle of least privilege, i.e., each partner is granted the minimum set of authorisations needed to perform its role.

As far as our customers are concerned, Tecman has been preparing for this more secure way of working for some time. Every new customer-partner relationship has been set up with GDAP. However, if you are a longer-standing customer you will originally have been set up with DAP, meaning we currently hold full admin privileges. This now needs to change before Microsoft starts rolling out the changes automatically over the coming months.

We will shortly begin to remove our DAP roles based on the following criteria:

  • If we have DAP and we do not resell any subscriptions to you, or the relationship has been inactive for 90 days or more, DAP will be removed. This means Tecman will no longer be a delegated admin in any capacity.
  • If we have DAP and we do resell Microsoft 365 (formerly Office) subscriptions to you, we will still remove our DAP access but will create a new GDAP relationship with the least privileges needed to, as a minimum, continue to resell the licence and log support tickets with Microsoft on your behalf. If you wish Tecman to continue as a Microsoft 365 admin and offer any level of helpdesk support, create users, or assign licences, please contact your Customer Engagement Manager as soon as possible to discuss this further.
  • If you have an active Dynamics 365 Business Central or Dynamics 365 CRM SaaS subscription under the legacy DAP, we will migrate it to GDAP with only the roles necessary to support Business Central and/or CRM.

What happens next and what do you need to do?

Setting up the new GDAP relationship does not require any action from you as a customer. Your partner can migrate the relationship to GDAP using their current DAP access.

HOWEVER, you must make sure that you have access to a Global Admin account or, at the very least, that your preferred Microsoft support partner has that access. When migrating from DAP to GDAP, your partner will lose the ability to carry out Global Admin tasks in your Azure Active Directory tenant. If they later determine that they do need such access, they can create a time-limited GDAP invitation that includes the Global Admin role, but someone at your end would have to approve it, and that person must themselves be a Global Admin.

Finally, on an additional point of systems security, we also strongly recommend that you work with your Azure Tenant Admin to enforce multi-factor authentication (MFA) for all your Azure Active Directory user accounts. Without MFA, all your key business systems are at a significantly higher risk of cyber-attack.
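The two checks above (does the tenant still have its own Global Admin once the partner's DAP is gone, and is MFA actually enforced?) can be verified rather than assumed. The following PowerShell script is an added example, not code from Tecman or Microsoft. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can read directory roles, users and Conditional Access policies; the three cmdlet groups it uses (Get-MgDirectoryRole/Get-MgDirectoryRoleMember, Get-MgUser, Get-MgIdentityConditionalAccessPolicy and Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy) are part of that SDK.

```powershell
# Added example: pre-migration sanity checks for a customer tenant.
# Assumes: Microsoft.Graph PowerShell SDK installed; signed-in account may read
# roles, users and policies. Nothing here changes the tenant.

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All", "Policy.Read.All" -NoWelcome

# --- Check 1: a Global Admin that belongs to *this* tenant ---------------------
# Partner DAP access arrives via the partner's AdminAgents group; after migration
# that access disappears, so we want at least one member user (not a group, not
# a guest) holding the role ourselves.
$gaRole  = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

$ownGlobalAdmins = foreach ($m in $members) {
    # Role members are returned as generic directory objects; only users count.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
    $u = Get-MgUser -UserId $m.Id -Property UserType, UserPrincipalName, AccountEnabled
    if ($u.UserType -eq 'Member' -and $u.AccountEnabled) { $u.UserPrincipalName }
}

if ($ownGlobalAdmins.Count -eq 0) {
    Write-Warning "No enabled member user holds Global Administrator. Create one (ideally a break-glass account) before DAP is removed."
} else {
    Write-Host "Tenant-owned Global Admins:" -ForegroundColor Green
    $ownGlobalAdmins | ForEach-Object { "  $_" }
}

# --- Check 2: MFA enforced for all users --------------------------------------
# Either Security Defaults are on, or an enabled Conditional Access policy
# targets all users and requires MFA. Report-only policies do not count.
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy

$mfaForAll = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
}

if ($secDefaults.IsEnabled) {
    Write-Host "MFA: Security Defaults are enabled (MFA required for all users)." -ForegroundColor Green
} elseif ($mfaForAll) {
    Write-Host "MFA: enforced by Conditional Access policy:" -ForegroundColor Green
    $mfaForAll | ForEach-Object { "  $($_.DisplayName)" }
} else {
    Write-Warning "No tenant-wide MFA enforcement found. Enable Security Defaults or create a Conditional Access policy requiring MFA for all users."
}

Disconnect-MgGraph | Out-Null
```

The Conditional Access check is deliberately strict: a policy scoped to a subset of users, or one still in report-only mode, is not treated as enforcement. If your tenant enforces MFA through some other mechanism (for example a policy scoped to a group that happens to contain everyone), extend the filter rather than relaxing it, so the script keeps telling you when coverage silently shrinks.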

If you are a Tecman customer and have any additional questions or would like Tecman to continue as your preferred Microsoft 365/Azure Active Directory Tenant Administrator, please contact your Customer Engagement Manager.

If you aren’t a Tecman customer please contact your partner to see what their plans are for these important changes.
