Tminus365 Docs

Adding GDAP Relationships


Last updated 1 year ago

This month, Microsoft had a technical release of GDAP, or Granular Delegated Admin Privileges, for M365 workloads (Azure coming later this year). If you checked out my previous article, you know that GDAP is going to replace existing delegated admin (DAP) relationships with a true least-privilege model: instead of every partner technician holding Global Admin in every customer tenant, you grant only the specific Azure AD roles a customer engagement needs, for a fixed duration, to specific security groups. GDAP is ultimately going to improve security across the channel and reduce the blast radius of supply chain attacks like we saw last year with SolarWinds and Kaseya, where compromising one provider gave attackers standing admin access into many downstream tenants. In this article, I am going to show you how to establish these GDAP relationships in Partner Center.

Key Feature in GDAP

How GDAP Works

With GDAP, you can create one or more admin relationships with each customer. Whenever you set a relationship up, you set a duration (maximum of 2 years) and you add the granular Azure AD roles that relationship grants. In your own (partner) Azure AD tenant, you can establish new security groups or leverage the existing ones (like Admin Agent, Helpdesk Agent, etc.). These security groups are then assigned to some or all of the roles in each relationship, across customers, so the effective access a technician gets is the intersection of the roles the customer approved and the roles mapped to the groups the technician is in. As you can see in the diagram, you can get as granular as you want here.

Steps to Add a GDAP Relationship

  1. In Partner Center, Navigate to the Customers tab>Administer>Request Admin Relationship

Here you will need to fill out the name, duration, and Azure AD roles. For the name, I would recommend going with a standard naming convention that you use with all customers to keep things organized. In my example here I just have the format of MSA-<customerName>. You can choose whatever you like here, just know that the same name cannot be used more than once in your tenant.

The duration has a maximum of two years, but there is no reason to default to the maximum: you may want to establish short-term relationships for things like contract work, and a shorter duration limits how long a stale relationship keeps granting access if nobody revisits it.

I think selecting the Azure AD roles is where GDAP can start to get overwhelming, since you have likely never gone this granular in SMB. As an MSP, you do not want to set up a relationship only to find out you didn't add all the permissions necessary to support the customer, because adding roles later means a new request and another customer approval. Resist the temptation to solve that by requesting Global Administrator everywhere; that recreates the DAP problem GDAP is meant to fix. I will be doing a separate article with recommendations here as there is a lot to consider.

You can select the roles from the pop-out window.

When you are done selecting roles, you can select Save at the bottom of the pop-up and choose Finalize Request. A template email is generated with a custom invitation link and a description of the duration and roles. This link is what the customer has to accept. It requires a Global Admin in the customer tenant to approve the request.

When a customer uses the link as a Global Admin they will see the following:

In the Settings > Partner Relationships section of the customer tenant, you will see the following after refreshing the page.

Keep in mind! A GDAP relationship (and its invitation link) is tied to exactly one customer. If you try to reuse the link generated for one customer with another customer after the first has accepted, it will fail; each customer needs their own request.
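The same request can be made without clicking through Partner Center. The following is an added example, not code from the original article, that creates and finalizes a GDAP relationship through the Microsoft Graph delegatedAdminRelationships API using the Microsoft.Graph PowerShell SDK, run from the partner tenant. The customer name, the role set, and the 365-day duration are illustrative assumptions, and the invitation link format is an assumption based on the link Partner Center generates; Global Administrator is deliberately left out of the role set.

```powershell
# Added example: request a GDAP relationship via Microsoft Graph (not the article's code).
# Requires the Microsoft.Graph PowerShell SDK and a partner-tenant account that can manage
# delegated admin relationships. Customer name, roles and duration are assumptions.
Connect-MgGraph -Scopes "DelegatedAdminRelationship.ReadWrite.All"

$customerName = "Contoso"                 # assumed customer
$displayName  = "MSA-$customerName"       # same naming convention as the article
$durationDays = 365                       # deliberately shorter than the 730-day maximum

# GDAP caps relationships at 2 years; fail early rather than have Graph reject the request.
if ($durationDays -gt 730) { throw "GDAP relationships cannot exceed 730 days (2 years)." }

# Well-known Azure AD role template IDs. Global Administrator is intentionally absent.
$roles = @{
    "Helpdesk Administrator" = "729827e3-9c14-49f7-bb1b-9608f156bbb8"
    "User Administrator"     = "fe930be7-5e62-47db-91af-98c3a49a38b1"
    "Exchange Administrator" = "29232cdf-9323-42fd-ade2-1d097af3e4de"
    "Security Reader"        = "5d6b6bb7-de71-4623-b4af-96380a352509"
}

$base = "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships"

# Relationship names must be unique in the partner tenant, so check before creating.
# (Only the first page of results is inspected here; follow @odata.nextLink at scale.)
$existing = (Invoke-MgGraphRequest -Method GET -Uri $base).value |
    Where-Object { $_.displayName -eq $displayName }
if ($existing) { throw "A relationship named $displayName already exists." }

$body = @{
    displayName   = $displayName
    duration      = "P${durationDays}D"   # ISO 8601 duration, e.g. P365D
    accessDetails = @{
        unifiedRoles = @($roles.Values | ForEach-Object { @{ roleDefinitionId = $_ } })
    }
}

# 1. Create the relationship; it starts in the "created" state and is still editable.
$rel = Invoke-MgGraphRequest -Method POST -Uri $base -Body $body -ContentType "application/json"

# 2. Lock it for approval. This is the API equivalent of "Finalize Request" in Partner Center.
Invoke-MgGraphRequest -Method POST -Uri "$base/$($rel.id)/requests" `
    -Body @{ action = "lockForApproval" } -ContentType "application/json" | Out-Null

# 3. Send this link to a Global Admin in the customer tenant (link format is an assumption).
"Created $displayName ($($rel.id)), status: $($rel.status)"
"https://admin.microsoft.com/Adminportal/Home#/partners/invitation/granularAdminRelationships/$($rel.id)"
```

Locking the request is the step that makes it immutable; if you notice a missing role before locking, you can still PATCH the relationship, but after that the only fix is a new request and another customer approval, which is exactly why the role selection deserves thought up front.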

Add Security Groups to GDAP relationship

It's important to note that the customer accepting the GDAP link is not the end of the process. An accepted relationship with no security groups mapped to it grants nobody any access, so you will now need to go into Partner Center and assign security groups to that relationship.

You can go to the customer page for the customers that have accepted GDAP relationships and click on Admin relationships to view existing GDAP configurations.

Here you can click on + Add Security Group to bring up a popup of your existing security groups to choose from. If you need to create new security groups, you will need to do that in your partner tenant at aad.portal.azure.com first. After you have selected a security group, you can then add one or many of the Azure AD roles that were part of the relationship; you cannot grant a group a role the customer did not approve in that relationship.
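The same assignment can be made through Graph once the relationship shows as active. The following is an added example, not the article's code, that maps a partner-tenant security group to a subset of the approved roles using the accessAssignments endpoint and refuses up front to request a role the customer never approved. The relationship name "MSA-Contoso", the group name "GDAP-Helpdesk" and the chosen role are illustrative assumptions.

```powershell
# Added example: map a partner security group to roles in an accepted GDAP relationship
# (not the article's code). Relationship name, group name and role are assumptions.
Connect-MgGraph -Scopes "DelegatedAdminRelationship.ReadWrite.All", "Group.Read.All"

$displayName = "MSA-Contoso"      # assumed relationship name (article's MSA-<customerName> convention)
$groupName   = "GDAP-Helpdesk"    # assumed security group in the partner tenant
$wantedRoles = @("729827e3-9c14-49f7-bb1b-9608f156bbb8")   # Helpdesk Administrator only

$base = "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships"

# Only relationships the customer has accepted (status "active") can receive assignments.
# (First page only; follow @odata.nextLink if you have many relationships.)
$rel = (Invoke-MgGraphRequest -Method GET -Uri $base).value |
    Where-Object { $_.displayName -eq $displayName -and $_.status -eq "active" } |
    Select-Object -First 1
if (-not $rel) { throw "No active relationship named $displayName; has the customer accepted yet?" }

# The group must already exist in the partner tenant (create it in aad.portal.azure.com).
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) { throw "Security group $groupName not found in the partner tenant." }

# Graph rejects assignments that include roles outside the relationship; check first so the
# failure message names the offending role rather than a generic 400.
$approved = @($rel.accessDetails.unifiedRoles | ForEach-Object { $_.roleDefinitionId })
$outside  = @($wantedRoles | Where-Object { $_ -notin $approved })
if ($outside.Count -gt 0) { throw "Roles not approved in $displayName`: $($outside -join ', ')" }

$body = @{
    accessContainer = @{
        accessContainerId   = $group.Id
        accessContainerType = "securityGroup"
    }
    accessDetails = @{
        unifiedRoles = @($wantedRoles | ForEach-Object { @{ roleDefinitionId = $_ } })
    }
}

$assignment = Invoke-MgGraphRequest -Method POST -Uri "$base/$($rel.id)/accessAssignments" `
    -Body $body -ContentType "application/json"
"Assigned $groupName to $($wantedRoles.Count) role(s) in $displayName, status: $($assignment.status)"
```

Mapping a narrow group (helpdesk staff) to a narrow role set, while a separate group gets the broader roles, is the whole point of the exercise: membership in the partner-tenant group becomes the thing you govern, audit and, ideally, time-box with PIM.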

Final Thoughts

GDAP takes precedence over DAP

Once a customer has an active GDAP relationship, your access to that customer is evaluated against the GDAP roles and security groups, not the old DAP Admin Agent rights. If you create a test relationship with a narrow set of roles, or accept one without mapping any security groups, you can find yourself unable to reach admin centers you could previously manage. Don't make the mistake of locking yourself out of certain admin centers because you are testing GDAP: test against a non-production customer tenant, and map security groups to roles before relying on the relationship.

Transition from DAP to GDAP

Microsoft has a bulk migration tool available now until the end of November. The folks over at CIPP have also developed a migration tool. Check out this post to see more information.
