Forum Discussion
GDAP and not allowing global admin to auto renew
All the roles were added a few months ago and we were able to move away from requesting the global admin role and enable autorenew without any significant loss in access.
Hello LicensingConcierge1, thank you for the reply and posting the links, those are some excelent resources. I apologize for not being more clear, I wasn't able to find the feedback I'm looking for in those articles.
You can create multiple GDAP relationships with different customers at one time using APIs.
The challenge I am facing is not how to create the relationships, but the number of roles needed to have the same level of access as a global admin.
The customer experience of seeing a relationship with that many roles makes the relationship appear more complicated than it is. We sell our services by saying "we are your administrators", not "we are your administrator for these 43 roles in M365 and some other set of roles for another vendor."
The support professional then needs to decided which of the 43 roles they need to accomplish a requested task. It's easy to enable the global admin role and do the work and close a ticket. It's more difficult to determine which of the 43 roles that they need.
I would love for someone at Microsoft to show us how many users have the different roles in their tenant 
.
You do not need to create a GDAP relationship with all of your customers. GDAP is an optional capability for partners who want to manage their customer's services in a more granular and time-bound way. You can choose which customers you want to create a GDAP relationship with.
As a managed service provider, all our customers rely on us to make changes for them in all Microsoft portals. While I appreciate the information on how GDAP works, and the reminder that it is optional, it is not optional for us or our clients.
I’m not sure that you mean by “sign-in branding” but I can confirm that the Organizational Branding Administrator role is the minimum role required to customize company branding.
To confirm, are you familiar with a GDAP role other than global administrator that we can use?
Microsoft recommends that the limit of Global Admin's is no more than 5.
Are you saying that Microsoft and not the customer is behind this decision? Please elaborate, I'm not sure what you wanted me to take away.
This was answered in my previous reply where I provided you with a link that lists all of the roles so that you can decide the best option for your customer. Please review the link for Microsoft Entra built-in role in my previous reply. 
Your question asking how many Global Admin's are recommended was answered and the recommendation is a maximum of 5.
Microsoft is only making a recommendation (suggestion)...they are not setting a strict limit.
This is one of the topics being discussed on the Partner Community Q&A Call - CSP - AMER/APAC - English that's taking place right now....they've opened the floor for questions. If you miss the call, place your question(s) in the chat. To register for more Events, click HERE.
(JW) From my conversations with different people, I am under the impression that customers didn't want Microsoft to allow partners the option of letting the Global Admin role auto-renew. Since I have never met a customer that shared this view, I can't comment on the accuracy of that statement, but that what I've heard.
(LC1) Microsoft recommends that the limit of Global Admin's is no more than 5.
Next message
Your question asking how many Global Admin's are recommended was answered and the recommendation is a maximum of 5:
Microsoft is only making a recommendation (suggestion).
Gotcha, apologies for the misunderstanding. You're thinking the decision to not allow relationships with the global admin role in them may have been because of the recommendation to have less than 5 global administrators.
I agree, that would make more sense to me, but it's not what I've heard. I was looking to see if anyone else has heard the same thing, or know of customers who have expressed that sort of thing.
Thanks!
This is one of the topics being discussed on the Partner Community Q&A Call - CSP - AMER/APAC - English that's taking place right now....they've opened the floor for questions. If you miss the call, place your question(s) in the chat.
I planned to, but my sense was that wasn't the right audience. Maybe the CSP Technical Training or Security calls would be a better place for this topic.
For anyone that missed the call, we can remove the global admin role from an existing relationship to make it eligible for auto-renew. I expect this is targeted at partners who created a relationship with all available roles.
For reference, this is the list of built-in roles with access similar to global admin. 34 of the 43 roles are available through GDAP today.
I say similar because some of the granular roles have access to basic properties while the global admin role has access to all properties. Most likely properties that are not essential common tasks.
Organizational Branding Administrator Coming (no eta) Organizational Messages Approver Coming (no eta) Viva Goals Administrator Coming (no eta) Viva Pulse Administrator Coming (no eta) Permissions Management Administrator Coming (no eta) Edge Administrator Coming (no eta) Yammer Administrator Coming (no eta) Virtual Visits Administrator Coming (no eta) Lifecycle Workflows Administrator Coming (no eta) Application Administrator Yes Application Administrator Yes Authentication policy administrator Yes Azure Information Protection Administrator Yes Billing Administrator Yes Cloud app security administrator Yes cloud device administrator Yes Compliance Administrator Yes Compliance Data Administrator Yes Conditional Access Administrator Yes Customer LockBox Access Approver Yes Desktop Analytics Administrator Yes Directory Writers Yes Domain Name Administrator Yes Exchange Administrator Yes Fabric Administrator Yes Global Reader Yes Hybrid Identity Administrator Yes Identity Governance Administrator Yes Insights Administrator Yes Intune Administrator Yes Knowledge Administrator Yes Knowledge Manager Yes Office Apps Administrator Yes Power Platform Administrator Yes Privileged Authentication Administrator Yes Privileged Role Administrator Yes Search Administrator Yes Security Administrator Yes Security Operator Yes SharePoint Administrator Yes Teams Administrator Yes User Administrator Yes Windows Update Deployment Administrator Yes
All the roles were added a few months ago and we were able to move away from requesting the global admin role and enable autorenew without any significant loss in access.