Forum Discussion

ise-ms's avatar
ise-ms
Copper Contributor
Aug 21, 2023

GDAP: Roles required for conditional access?

Hi I've been evaluating the minimal roles required for GDAP relationships so we can help customers with issues regarding to locked tenants.   Based on this FAQ the role privileged authentication...
CSP
Partner question
LicensingConcierge1's avatar
LicensingConcierge1
Former Employee
Aug 22, 2023

Hi ise-ms 

 

Thank you for posting on the CSP community. 

 

I'm not sure what the question is, therefore, would you mind clarifying please?

 

Regards,

Microsoft CSP Licensing Concierge

  • ise-ms's avatar
    ise-ms
    Copper Contributor
    Aug 23, 2023

    LicensingConcierge1 

     

    I hope this helps: granular delegated admin privilege or GDAP has been introduced as a replacement for the broader DAP partner relationships between (at least) Microsoft CSPs and their customers.

     

    The idea of granular privileges is (as I understood id) to follow principles of least privilege. I've been able to identify the roles required for a user account within a customer-tenant to obtain just enough privileges to access and modify conditional access rules.

     

    However if I grant just the same roles to a technician that is allowed to access a customer tenant via GDAP relationship, they are unable to even see the conditional access rules.

     

    If I grant a technician wider permissions (global admin), they can access that part, so it's not that delegated CSP technicians are completely unable to see and modify conditional access rules - however with roles assigned that grant them much more access.

    See also the built-in Azure AD / Entra ID roles here: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#all-roles.

    • Gavin_Wickens's avatar
      Gavin_Wickens
      Copper Contributor
      Feb 22, 2024
      We too are experiencing the same. We have allocated Security Admin role to technicians via GDAP and they are unable to modify conditional access policies.
    • LicensingConcierge1's avatar
      LicensingConcierge1
      Former Employee
      Aug 23, 2023

      hmmm...I still not seeing a specific question and it looks like you have access to the applicable Microsoft Learn documentation.

      Since I certainly cannot provide technical support, I'm not sure how I can assist. 

       

      Let me know if you have a licensing question and I'm happy to help. :smile:

       

      Regards,

      Microsoft CSP Licensing Concierge

      • ise-ms's avatar
        ise-ms
        Copper Contributor
        Aug 28, 2023

        LicensingConcierge1 are you a bot?

         

        It seems unfortunately, that we will have to request more and more privileged GDAP roles from our customers. While it goes against the idea of GDAP and "just enough privileges", it seems like roles assigned to users within a tenant and partner delegated connections don't work out the same.

         

        Maybe this will change in the future? - We'll have to see.

Resources