Forum Discussion
GDAP: Roles required for conditional access?
I hope this helps: granular delegated admin privilege or GDAP has been introduced as a replacement for the broader DAP partner relationships between (at least) Microsoft CSPs and their customers.
The idea of granular privileges is (as I understood it) to follow principles of least privilege. I've been able to identify the roles required for a user account within a customer tenant to obtain just enough privileges to access and modify conditional access rules.
However, if I grant just the same roles to a technician that is allowed to access a customer tenant via a GDAP relationship, they are unable to even see the conditional access rules.
If I grant a technician wider permissions (global admin), they can access that part, so it's not that delegated CSP technicians are completely unable to see and modify conditional access rules - however with roles assigned that grant them much more access.
See also the built-in Azure AD / Entra ID roles here: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#all-roles.
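The practical check behind the question above is whether a given technician's delegated role set actually lets Microsoft Graph return the customer's Conditional Access policies. The following PowerShell script is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, that the account running it signs in to the customer tenant through a GDAP relationship, and that `$CustomerTenantId` is a placeholder for the customer's tenant ID. Running it once as a narrowly scoped technician and once as a broader role lets an admin confirm, rather than assume, what the delegated roles expose.

```powershell
# Added example (not from the original post): verify, from the technician's own
# sign-in, whether Conditional Access policies in a customer tenant are readable.
# Assumes the Microsoft.Graph PowerShell SDK and a GDAP-delegated account.
# $CustomerTenantId is a placeholder to be replaced with the customer's tenant ID.

param(
    [Parameter(Mandatory = $true)]
    [string]$CustomerTenantId
)

# Policy.Read.All is the delegated Graph permission needed to enumerate
# Conditional Access policies; the directory role held in the customer tenant
# still decides whether Graph actually returns them.
Connect-MgGraph -TenantId $CustomerTenantId -Scopes "Policy.Read.All" -NoWelcome

$ctx = Get-MgContext
Write-Host "Signed in as $($ctx.Account) against tenant $($ctx.TenantId)"

try {
    $policies = Get-MgIdentityConditionalAccessPolicy -ErrorAction Stop
    if (-not $policies) {
        Write-Host "The call succeeded but returned no policies (none may exist in this tenant)."
    }
    else {
        # Summarise what the current role set can see.
        $policies | Select-Object DisplayName, State, CreatedDateTime | Format-Table -AutoSize
    }
}
catch {
    # An authorization error here means the roles granted through GDAP are not
    # sufficient for this endpoint, which is the symptom described in the post.
    Write-Host "Conditional Access policies are not readable with the current role set: $($_.Exception.Message)"
}

Disconnect-MgGraph | Out-Null
```

Because the script only reads policies, it is safe to run as part of onboarding a technician: a successful listing confirms the minimum delegated role set works, while an authorization error documents exactly which role combination still falls short before anyone is tempted to fall back to Global Administrator.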