How Can We Help?
< Back
You are here:

Granular Delegated Admin Permissions

This page contains information around how GDAP will change the way we can access tenants.

GDAP requirements for full functionality

  • Consent granted to the application by a user account that has Partner Center access to your customers and is in a GDAP group with the following permissions:
    • One of the following: Global Administrator, Privileged Role Administrator,Cloud Application Administrator, Application Administrator
      • NOTE: This is required to consent the application in customer tenants. This can be added temporarily and removed after the tenant has the application consented. The application is consented only with the “Directory.readall” permission.
      • Additionally we can also provide a manual process to authenticate the application in each customer tenant instead.
    • And “Global Reader” as minimum (not required if using global administrator)
    • Optional: Create an AzureAD app in your own tenant instead of using our azuread app

Grant Partner Center Consent

As you transition your customers from Delegated Admin Permissions (DAP) to Granular Delegated Admin Permissions (GDAP), as long as you have kept the user account that was used to grant consent, things will continue to work as normal.

If you created a new user account to assign to your customers, you will need to grant consent with that user account (if the domain name is the same it will update the existing account, if it is different i.e. your .onmicrosoft account, it will create an additional admin account. We can move your tenants in bulk to look at the new account if required.

Azure AD Application

There is a new option to connect up with Sync 365 by creating your own Azure AD Application in your azure tenant.This is our new method of partner consent. The only added benefit of this is the application that is consented sits in your tenant instead of ours as the “Control Panel Vendor”.

When changing to GDAP, we only require “Global Reader” and one of the following to be able to consent the app in the customer:

• Global Administrator
• Privileged Role Administrator
• Cloud Application Administrator
• Application Administrator

We recommend creating a dedicated Sync 365 License user account, ensuring MFA is setup (required for partner center access), giving it access to the partner center and adding it to the relevant GDAP group for all of your customers.

We have provided an easy powershell script for you to create the application and grant consent.

Table of Contents