Forum Discussion
GDAP: Roles required for conditional access?
Hi ise-ms
Thank you for posting on the CSP community.
I'm not sure what the question is, therefore, would you mind clarifying please?
Regards,
Microsoft CSP Licensing Concierge
- ise-ms, Aug 23, 2023, Copper Contributor
I hope this helps: granular delegated admin privilege or GDAP has been introduced as a replacement for the broader DAP partner relationships between (at least) Microsoft CSPs and their customers.
The idea of granular privileges is (as I understood it) to follow principles of least privilege. I've been able to identify the roles required for a user account within a customer tenant to obtain just enough privileges to access and modify conditional access rules.
However, if I grant just the same roles to a technician that is allowed to access a customer tenant via a GDAP relationship, they are unable to even see the conditional access rules.
If I grant a technician wider permissions (global admin), they can access that part, so it's not that delegated CSP technicians are completely unable to see and modify conditional access rules - however with roles assigned that grant them much more access.
See also the built-in Azure AD / Entra ID roles here: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#all-roles.
- Gavin_Wickens, Feb 22, 2024, Copper Contributor
We too are experiencing the same. We have allocated the Security Admin role to technicians via GDAP and they are unable to modify conditional access policies.
- LicensingConcierge1, Aug 23, 2023, Former Employee
Hmmm... I'm still not seeing a specific question, and it looks like you have access to the applicable Microsoft Learn documentation.
Since I certainly cannot provide technical support, I'm not sure how I can assist. Let me know if you have a licensing question and I'm happy to help.
Regards,
Microsoft CSP Licensing Concierge
- ise-ms, Aug 28, 2023, Copper Contributor
LicensingConcierge1, are you a bot?
It seems, unfortunately, that we will have to request more and more privileged GDAP roles from our customers. While it goes against the idea of GDAP and "just enough privileges", it seems like roles assigned to users within a tenant and partner delegated connections don't work out the same.
Maybe this will change in the future? - We'll have to see.