GDAP Migration with Microsoft 365 Lighthouse


Last updated 1 year ago

A few months ago, I showcased a comparison of the GDAP migration tools available. Since that time, the Microsoft 365 Lighthouse team has introduced a new migration tool for GDAP to help partners streamline the move, in bulk, across customers. If you watched my previous comparison video, you saw how clunky the old solution was, using a CLI and CSVs. The Lighthouse team has been working behind the scenes to create a tool that is much more user friendly and catered to the MSP space. In this article, I will cover the key highlights of the tool and give you an overall comparison of this tool, CIPP, and the previous bulk migration tool.

GDAP Timelines

A couple of key dates are coming up which increase the urgency of adopting a bulk migration tool for GDAP if you have not already.

Starting January 17, 2023

  • Microsoft will stop creating DAP relationships when a new customer or reseller relationship is created.

  • Microsoft will start removing inactive DAP relationships that haven’t been used in 90 days.

Starting March 1, 2023

  • The Bulk Migration Tool to upgrade existing DAP connections that were granted by customers to GDAP will no longer be available.

  • Microsoft will begin to transition remaining active DAP relationships to GDAP with limited Azure Active Directory (Azure AD) roles to perform least-privilege customer management activities. Partners will be required to perform more steps to continue to have access to Azure subscriptions after the limited roles are granted, as documented.

A key piece to note here is that the new Lighthouse migration tool will STILL be available after March 1st. The main difference is that you will not be able to automatically transition your active DAP relationships to GDAP. After the March 1st date, if you use the tool, you will get a GDAP relationship link per tenant that you will need to accept manually on a per-customer basis. You will want to avoid that to save some time on the initial move.

Prerequisites

  • To run the tool, you need to be a Global Admin.

  • There are no customer eligibility requirements. A tenant with any type of licensing will be available to select from in the tool.

  • AAD P2 licensing is required to use the JIT features and functionality.

  • Documentation for this tool can be found here:

Using the Tool

In the wizard, you get predefined tiers that are recommendations for partitioning the various Azure AD roles within your organization. I believe this is one of the best parts of the tool. You are able to rename the tiers to better match your organization and unselect any recommendation for an Azure AD role you are not going to use.

Next, you are able to create GDAP templates and assign one or more tiers to each template. For our MSP, we use two templates, License Only and Managed Services, to bucketize our permissions. Our license-only customers require far fewer permissions than our managed service customers.

Security Group creation is next. You will be creating a new security group for at least each tier you want to use in your environment. The wizard steps you through each of your templates so you can associate the proper security groups. In the example I show below, we also see some additional settings for the JIT tier. Just-in-time access is much like PIM, but it allows you to apply even tighter controls to more highly privileged roles like Global Admins, Application Admins, etc. I believe that a JIT/PIM solution is very important to combine with GDAP. Behind the scenes, Lighthouse will create an Access Package in your Azure AD environment with the settings you define in this wizard.

The final section is associating your templates with one or many customers.

Once you are done, you will get a summary to review and then a status page listing the customers for which a GDAP relationship was successfully added.

If you go into Partner Center and search for one of the companies you set up a relationship for, you will see the GDAP relationship listed under the Admin Relationships section.
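As a post-migration check to go with the Partner Center step above, the following PowerShell (an example added here, not code from the original page or from the Lighthouse tool) lists your GDAP relationships through Microsoft Graph and flags any that are not yet active, for instance relationships still waiting for the customer to accept the link. It assumes the Microsoft.Graph PowerShell module is installed and that the signed-in partner account can consent to the DelegatedAdminRelationship.Read.All scope.

```powershell
# Post-migration check: enumerate GDAP relationships via Microsoft Graph
# and report any that are not in the "active" state.
Connect-MgGraph -Scopes "DelegatedAdminRelationship.Read.All" | Out-Null

$uri = "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships"
$relationships = @()

# Graph pages large result sets; follow @odata.nextLink until exhausted.
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $relationships += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

foreach ($rel in $relationships) {
    # Each relationship carries the customer, its state, and the granted roles.
    $roleCount = @($rel.accessDetails.unifiedRoles).Count
    [pscustomobject]@{
        Customer     = $rel.customer.displayName
        Relationship = $rel.displayName
        Status       = $rel.status
        Roles        = $roleCount
        ExpiresOn    = $rel.endDateTime
    }
}

# Anything that is not "active" still needs attention (e.g. approvalPending
# means the customer has not yet accepted the relationship link).
$pending = $relationships | Where-Object { $_.status -ne 'active' }
if ($pending) {
    Write-Warning ("{0} relationship(s) are not active: {1}" -f `
        $pending.Count, (($pending | ForEach-Object { $_.displayName }) -join ', '))
}
```

Run it after the Lighthouse status page reports success; a relationship that shows as active here with the expected role count is the same one you will see under Admin Relationships in Partner Center.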

Comparison

This diagram is a bit biased towards Lighthouse but I do believe it offers the most comprehensive solution for a migration tool.

  • Templates can be created in the bulk migration tool, but it is a manual process with CSVs.

  • Group creation is done in both CIPP and Lighthouse, but in CIPP you are creating one group per Azure AD role. This can make things a little messy in your tenant because of the number of groups you are creating. Lighthouse allows you to consolidate those groups and reuse them across templates and roles.

  • Suggested roles is the #1 feature of Lighthouse in my opinion.

  • Native PIM/JIT support is only available in Lighthouse. You can do this with the bulk migration tool, but you would have to manually set up the JIT/PIM groups as a prerequisite.

  • CIPP and Lighthouse are both very easy to use.

Conclusion

If you haven’t started the move to GDAP yet, I would highly recommend leveraging the Lighthouse migration tool. I had the privilege of working with the Lighthouse team during earlier phases of the rollout and was very happy to see their level of attention to the MSP space. They are also working on functionality for the longer-term management of GDAP relationships, which I am very excited about.

Set up GDAP for your customers – Microsoft 365 Lighthouse | Microsoft Learn