Granular Delegated Admin Privileges (GDAP) - A Guide
Granular Delegated Administration Privileges, or GDAP, is the standard method for service providers and license resellers like SoftwareOne to provide support for Microsoft cloud products. When you buy licenses from SoftwareOne through the Cloud Solution Provider (CSP) program, you also get access to 24x7 technical support.
By granting SoftwareOne GDAP access, you are giving us the ability to resolve your technical incidents quickly as well as carry out service requests.
Microsoft publishes guidance and an FAQ about GDAP here. Access to your cloud workloads like Azure or Microsoft 365 is granular and time-bound. This means SoftwareOne's access is least privileged and you can control how long we have access for. You are free to revoke access at any time.
GDAP access is a requirement for us to resolve technical issues on your behalf or carry out service requests and administration changes.
Admin Controls
There are Standard Operating Procedures (SOPs) for access and clear rules about undertaking such access.
Tooling is in place to support this access.
Procedures and controls are in place to limit access to authorized consultants only.
Segregation of duty exists in the access approval and implementation across multiple teams.
Access to clients' environments is based on the lowest permission level mapped to the service catalogue for the service and consultant role.
Access is reviewed regularly.
GDAP Process
During onboarding, SoftwareOne will send one or more GDAP links to the Customer, requesting that you allow SoftwareOne the access required to provide the Services. Each link provides a segregated and least-privileged level of access to your cloud services. This ensures that SoftwareOne support engineers only have access to the services that they directly support.
Separate GDAP links are sent for:
· Microsoft 365
· Azure
· Dynamics 365 and Power Platform
The initial duration of the GDAP relationship will be mutually agreed between the Customer and SoftwareOne during onboarding; however, the maximum duration allowed by Microsoft is 730 days. The default duration SoftwareOne requests is the longer of the contract term or 730 days. The Customer may terminate the GDAP relationship at any time.
The following levels of access are available:
Azure
For Azure, the following standard access will be requested by SoftwareOne:
· Directory Readers
· Global Reader
· Service Support Administrator
· Billing Administrator
Microsoft 365
The following standard access will be requested by SoftwareOne:
· Attack Simulation Administrator
· Authentication Administrator
· Billing Administrator
· Compliance Administrator
· Conditional Access Administrator
· Directory Readers
· Domain Name Administrator
· Exchange Administrator
· Global Reader
· Groups Administrator
· Hybrid Identity Administrator
· Intune Administrator
· License Administrator
· Network Administrator
· Fabric Administrator (Power BI)
· Security Administrator
· Service Support Administrator
· SharePoint Administrator
· Skype for Business Administrator
· Teams Administrator
· User Administrator
· Cloud Application Administrator
Microsoft Dynamics 365
· Authentication Administrator
· Billing Administrator
· Directory Readers
· Dynamics 365 Administrator
· Global Reader
· Groups Administrator
· License Administrator
· Fabric Administrator (Power BI)
· Power Platform Administrator
· Service Support Administrator
· User Administrator
· Cloud Application Administrator
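
Before approving a GDAP link, a customer can compare what it requests against the role lists and the 730-day maximum given above. The following is an added example, not SoftwareOne or Microsoft code: the request record layout (`workload`, `roles`, `duration`) and the sample requests are constructed for illustration, and the duration is assumed to be in the day-only ISO 8601 form such as `P730D`.

```python
import re

MAX_DAYS = 730  # Microsoft's maximum GDAP duration, as stated on this page
COMMON = ("Billing Administrator;Directory Readers;Global Reader;"
          "Service Support Administrator")
SHARED = (";Authentication Administrator;Groups Administrator;License Administrator;"
          "Fabric Administrator;User Administrator;Cloud Application Administrator")
RAW = {  # role sets copied from this page's lists, one per GDAP link
    "Azure": COMMON,
    "Microsoft 365": COMMON + SHARED + (
        ";Attack Simulation Administrator;Compliance Administrator;"
        "Conditional Access Administrator;Domain Name Administrator;"
        "Exchange Administrator;Hybrid Identity Administrator;Intune Administrator;"
        "Network Administrator;Security Administrator;SharePoint Administrator;"
        "Skype for Business Administrator;Teams Administrator"),
    "Dynamics 365": COMMON + SHARED + (
        ";Dynamics 365 Administrator;Power Platform Administrator"),
}

def norm(role):
    """Case- and plural-insensitive key: 'Directory reader' matches 'Directory Readers'."""
    return " ".join(role.lower().split()).rstrip("s")

BASELINE = {w: {norm(r) for r in v.split(";")} for w, v in RAW.items()}

def duration_days(iso):
    """Parse the day-only ISO 8601 form (e.g. 'P730D'); reject anything else."""
    m = re.fullmatch(r"P(\d+)D", iso)
    if not m:
        raise ValueError(f"unsupported duration: {iso!r}")
    return int(m.group(1))

def review_request(req):
    """Return findings for one request; an empty list means it fits the baseline."""
    allowed = BASELINE.get(req["workload"])
    if allowed is None:
        return [f"unknown workload {req['workload']!r}"]
    findings = [f"role not in published list: {r}"
                for r in req["roles"] if norm(r) not in allowed]
    days = duration_days(req["duration"])
    if days > MAX_DAYS:
        findings.append(f"duration {days}d exceeds {MAX_DAYS}d maximum")
    return findings

# Constructed sample requests (hypothetical, not real data).
OK_REQ = {"workload": "Azure", "duration": "P365D",
          "roles": ["Directory Reader", "Global Reader", "Billing Administrator"]}
BAD_REQ = {"workload": "Azure", "duration": "P900D",
           "roles": ["Global Reader", "Global Administrator", "Exchange Administrator"]}
```

Calling `review_request(BAD_REQ)` returns one finding per role outside the Azure list plus a finding for the over-long duration; any finding is a reason to query the request before accepting the link.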