GDAP and not allowing global admin to auto renew

Hi all,

The relationships we created two years ago are quickly approaching their expiration date, and I'm interested in how other people are handling the creation of new relationships.

 

With the introduction of relationships that auto renew, have you found this to be a viable path? We are a Managed Service Provider and our customers expect us to turn ALL the knobs for them in the Microsoft portals.

 

I want to have the flexibility of techs only enabling the roles they need, but there are a LOT of roles. Creating a relationship with 34 roles is a bit extreme. Plus, it looks like we need 43 built-in roles to have the same level of access as Global Admin, and some of those roles are not available via GDAP today.

 

The role that stands out the most is "Organizational Branding Administrator." Am I missing something, or is the only way to change sign-in branding to use the Global Administrator role (which prevents auto-renewal) or use a local tenant admin account?

 

What would partners think if Microsoft allowed the Global Admin role to auto-renew until Microsoft adds to GDAP all the built-in roles needed to replace Global Admin? Maybe put some sort of extra warning on the role acceptance side advising the client this is not recommended and let the client make that informed choice themselves?

 

What do you think customers' opinion of this move would be?

 

From my conversations with different people, I am under the impression that customers didn't want Microsoft to allow partners the option of letting the Global Admin role auto-renew. Since I have never met a customer that shared this view, I can't comment on the accuracy of that statement, but that's what I've heard.

8 Replies

I reposted over here. I'm not sure which community is the best one to put this topic.

Hi @jonwbstr24

 

I want to have the flexibility of techs only enabling the roles they need, but there are a LOT of roles. Creating a relationship with 34 roles is a bit extreme. Plus, it looks like we need 43 built-in roles to have the same level of access as Global Admin, and some of those roles are not available via GDAP today.

Granular delegated admin permissions (GDAP) give partners access to their customers' workloads in a way that is more granular and time-bound, which can help to address customer security concerns.

With GDAP, partners can provide more services to customers who might be uncomfortable with the high levels of partner access.

GDAP also helps with customers who have regulatory requirements to provide only least-privileged access to partners.

Someone with the Admin agent role at a partner organization can create a GDAP relationship request.

You do not need to create a GDAP relationship with all of your customers.  GDAP is an optional capability for partners who want to manage their customer's services in a more granular and time-bound way. You can choose which customers you want to create a GDAP relationship with.

 

You can create multiple GDAP relationships with different customers at one time using APIs.  For information about APIs and GDAP, see the Partner Center developer documentation.

 

Also, you may already have this link, but if you don't, for general information on GDAP, go here - Granular delegated admin privileges (GDAP) introduction - Partner Center | Microsoft Learn

 

The role that stands out the most is "Organizational Branding Administrator." Am I missing something, or is the only way to change sign-in branding to use the Global Administrator role (which prevents auto-renewal) or use a local tenant admin account?

I'm not sure what you mean by "sign-in branding," but I can confirm that the Organizational Branding Administrator role is the minimum role required to customize company branding.

Organizational Branding Administrator role manages all aspects of organizational branding in a tenant.  Assign the Organizational Branding Administrator role to users who need to do the following tasks:

  • Manage all aspects of organizational branding in a tenant
  • Read, create, update, and delete branding themes
  • Manage the default branding theme and all branding localization themes

The Global Administrator can manage all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities.  For more details about the Global Admin, please review the information on the following page under the Global Administrator section - Microsoft Entra built-in roles - Microsoft Entra ID | Microsoft Learn.

 

Learn about each Microsoft Entra built-in role - Microsoft Entra built-in roles - Microsoft Entra ID | Microsoft Learn

 

Learn about the least privileged roles - Least privileged roles by task - Microsoft Entra ID | Microsoft Learn

 

Also review Add company branding to your organization's sign-in page - Microsoft Entra | Microsoft Learn

From my conversations with different people, I am under the impression that customers didn't want Microsoft to allow partners the option of letting the Global Admin role auto-renew. Since I have never met a customer that shared this view, I can't comment on the accuracy of that statement, but that's what I've heard.

 

Microsoft recommends that the number of Global Admins is no more than 5.

What would partners think if Microsoft allowed the Global Admin role to auto-renew until Microsoft adds all the built in roles to GDAP roles needed to replace Global Admin? Maybe put some sort of extra warning on the role acceptance side advising the client this is not recommended and let the client make that informed choice themselves?

What do you think customers opinion of this move would be?

 

For auto renew, please review the following FAQ GDAP frequently asked questions - Partner Center | Microsoft Learn

If this reply answers your question, please Accept as the solution to help the other members find it more quickly. Otherwise, if after reviewing the information you have additional questions, please let me know.


Regards,

Microsoft CSP Licensing Concierge

@jonwbstr24

Thanks Jon! :smile:

 

I don't think it's recommended to post the same question on multiple communities.

 

I'm able to answer this type of question, however, someone on the Partner-led community may have additional information. 

Hello @LicensingConcierge1, thank you for the reply and posting the links, those are some excellent resources. I apologize for not being more clear, I wasn't able to find the feedback I'm looking for in those articles.

 

You can create multiple GDAP relationships with different customers at one time using APIs.

The challenge I am facing is not how to create the relationships, but the number of roles needed to have the same level of access as a global admin.

The customer experience of seeing a relationship with that many roles makes the relationship appear more complicated than it is. We sell our services by saying "we are your administrators", not "we are your administrator for these 43 roles in M365 and some other set of roles for another vendor."

 

The support professional then needs to decide which of the 43 roles they need to accomplish a requested task. It's easy to enable the global admin role and do the work and close a ticket. It's more difficult to determine which of the 43 roles they need.

 

I would love for someone at Microsoft to show us how many users have the different roles in their tenant :lol:.

 

You do not need to create a GDAP relationship with all of your customers.  GDAP is an optional capability for partners who want to manage their customer's services in a more granular and time-bound way. You can choose which customers you want to create a GDAP relationship with.

As a managed service provider, all our customers rely on us to make changes for them in all Microsoft portals. While I appreciate the information on how GDAP works, and the reminder that it is optional, it is not optional for us or our clients.

 

I’m not sure that you mean by “sign-in branding” but I can confirm that the Organizational Branding Administrator role is the minimum role required to customize company branding.

To confirm, are you familiar with a GDAP role other than global administrator that we can use?

Microsoft recommends that the number of Global Admins is no more than 5.

Are you saying that Microsoft and not the customer is behind this decision? Please elaborate, I'm not sure what you wanted me to take away.

Microsoft Verified Best Answer

@jonwbstr24

This was answered in my previous reply where I provided you with a link that lists all of the roles so that you can decide the best option for your customer. Please review the link for Microsoft Entra built-in roles in my previous reply. :smile:

Your question asking how many Global Admins are recommended was answered and the recommendation is a maximum of 5.


Microsoft is only making a recommendation (suggestion)...they are not setting a strict limit.

 

This is one of the topics being discussed on the Partner Community Q&A Call - CSP - AMER/APAC - English that's taking place right now....they've opened the floor for questions. If you miss the call, place your question(s) in the chat. To register for more Events, click HERE.

@LicensingConcierge1 

(JW) From my conversations with different people, I am under the impression that customers didn't want Microsoft to allow partners the option of letting the Global Admin role auto-renew. Since I have never met a customer that shared this view, I can't comment on the accuracy of that statement, but that's what I've heard.

 

(LC1) Microsoft recommends that the number of Global Admins is no more than 5.

Next message

Your question asking how many Global Admins are recommended was answered and the recommendation is a maximum of 5:

 


Microsoft is only making a recommendation (suggestion). 

Gotcha, apologies for the misunderstanding. You're thinking the decision to not allow relationships with the global admin role in them may have been because of the recommendation to have less than 5 global administrators.

 

I agree, that would make more sense to me, but it's not what I've heard. I was looking to see if anyone else has heard the same thing, or know of customers who have expressed that sort of thing.

 

Thanks!

 

This is one of the topics being discussed on the Partner Community Q&A Call - CSP - AMER/APAC - English that's taking place right now....they've opened the floor for questions. If you miss the call, place your question(s) in the chat.

I planned to, but my sense was that wasn't the right audience. Maybe the CSP Technical Training or Security calls would be a better place for this topic.

 

For anyone that missed the call, we can remove the global admin role from an existing relationship to make it eligible for auto-renew. I expect this is targeted at partners who created a relationship with all available roles.

For reference, this is the list of built-in roles with access similar to global admin. 34 of the 43 roles are available through GDAP today.

 

I say similar because some of the granular roles have access to basic properties while the global admin role has access to all properties. Most likely properties that are not essential common tasks.

 

Role                                        Available via GDAP
----                                        ------------------
Organizational Branding Administrator       Coming (no ETA)
Organizational Messages Approver            Coming (no ETA)
Viva Goals Administrator                    Coming (no ETA)
Viva Pulse Administrator                    Coming (no ETA)
Permissions Management Administrator        Coming (no ETA)
Edge Administrator                          Coming (no ETA)
Yammer Administrator                        Coming (no ETA)
Virtual Visits Administrator                Coming (no ETA)
Lifecycle Workflows Administrator           Coming (no ETA)
Application Administrator                   Yes
Application Administrator                   Yes
Authentication Policy Administrator         Yes
Azure Information Protection Administrator  Yes
Billing Administrator                       Yes
Cloud App Security Administrator            Yes
Cloud Device Administrator                  Yes
Compliance Administrator                    Yes
Compliance Data Administrator               Yes
Conditional Access Administrator            Yes
Customer Lockbox Access Approver            Yes
Desktop Analytics Administrator             Yes
Directory Writers                           Yes
Domain Name Administrator                   Yes
Exchange Administrator                      Yes
Fabric Administrator                        Yes
Global Reader                               Yes
Hybrid Identity Administrator               Yes
Identity Governance Administrator           Yes
Insights Administrator                      Yes
Intune Administrator                        Yes
Knowledge Administrator                     Yes
Knowledge Manager                           Yes
Office Apps Administrator                   Yes
Power Platform Administrator                Yes
Privileged Authentication Administrator     Yes
Privileged Role Administrator               Yes
Search Administrator                        Yes
Security Administrator                      Yes
Security Operator                           Yes
SharePoint Administrator                    Yes
Teams Administrator                         Yes
User Administrator                          Yes
Windows Update Deployment Administrator     Yes
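The two operational points in the post above (a relationship that carries Global Administrator cannot auto-extend, and a replacement relationship should be built from granular roles instead) can be checked and acted on from the Microsoft Graph delegated admin relationship API rather than by clicking through Partner Center. The script below is an added example written for this thread; it is not code from the original post or from Microsoft. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Authentication) is installed, that the signed-in partner account can be granted the DelegatedAdminRelationship.ReadWrite.All scope, and that the customer tenant ID and relationship name are placeholders you replace. The role IDs are Microsoft Entra role template IDs (Global Administrator is 62e90394-69f5-4237-9190-012177145e10; the others are a small sample of roles the post lists as available through GDAP); verify them against the Microsoft Entra built-in roles reference before use.

```powershell
# Added example for this thread; not part of the original post.
# Assumes Microsoft.Graph.Authentication is installed and the account holds
# the partner Admin agent role. Tenant IDs and names below are placeholders.

Connect-MgGraph -Scopes 'DelegatedAdminRelationship.ReadWrite.All' -NoWelcome

$Base = 'https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships'
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator

# Entra role template IDs for a few roles the post lists as available via GDAP.
$GranularRoles = @{
    'Exchange Administrator' = '29232cdf-9323-42fd-ade2-1d097af3e4de'
    'User Administrator'     = 'fe930be7-5e62-47db-91af-98c3a49a38b1'
    'Security Administrator' = '194ae4cb-b126-40b2-bd5b-6091b380977d'
    'Intune Administrator'   = '3a2c62db-5318-420d-8d74-23affee5d9d5'
    'Global Reader'          = 'f2ef992c-3afb-46b9-b7cf-a126ee74c451'
}

# 1. Audit: list every relationship, flag those that still carry Global Administrator
#    (which blocks auto-extend) or that have auto-extend switched off.
function Get-GdapRenewalRisk {
    $uri = $Base
    $all = @()
    while ($uri) {                                   # follow @odata.nextLink paging
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $all += $page.value
        $uri  = $page.'@odata.nextLink'
    }
    foreach ($rel in $all) {
        $roleIds = @($rel.accessDetails.unifiedRoles | ForEach-Object { $_.roleDefinitionId })
        [pscustomobject]@{
            DisplayName        = $rel.displayName
            CustomerTenantId   = $rel.customer.tenantId
            Status             = $rel.status
            EndDateTime        = $rel.endDateTime
            RoleCount          = $roleIds.Count
            HasGlobalAdmin     = ($roleIds -contains $GlobalAdminTemplateId)
            AutoExtendDuration = $rel.autoExtendDuration   # 'PT0S' = off, 'P180D' = on
        }
    }
}

Get-GdapRenewalRisk |
    Where-Object { $_.HasGlobalAdmin -or $_.AutoExtendDuration -eq 'PT0S' } |
    Sort-Object EndDateTime |
    Format-Table -AutoSize

# 2. Build a replacement relationship from granular roles only, with auto-extend on.
#    Refuses to proceed if Global Administrator slipped into the role set, since the
#    service will not auto-extend such a relationship anyway.
function New-GdapRelationshipRequest {
    param(
        [Parameter(Mandatory)][string]$CustomerTenantId,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string[]]$RoleTemplateIds
    )
    if ($RoleTemplateIds -contains $GlobalAdminTemplateId) {
        throw 'Global Administrator cannot be combined with auto-extend; remove it from the role set.'
    }
    $body = @{
        displayName        = $DisplayName
        duration           = 'P730D'    # two-year term, the GDAP maximum
        autoExtendDuration = 'P180D'    # auto-extend in 180-day increments after expiry
        customer           = @{ tenantId = $CustomerTenantId }
        accessDetails      = @{
            unifiedRoles = @($RoleTemplateIds | ForEach-Object { @{ roleDefinitionId = $_ } })
        }
    }
    $rel = Invoke-MgGraphRequest -Method POST -Uri $Base `
        -Body ($body | ConvertTo-Json -Depth 6) -ContentType 'application/json'

    # The relationship is created in the 'created' state; locking it for approval
    # freezes the role set and makes it sendable to the customer for acceptance.
    Invoke-MgGraphRequest -Method POST -Uri "$Base/$($rel.id)/requests" `
        -Body (@{ action = 'lockForApproval' } | ConvertTo-Json) -ContentType 'application/json' | Out-Null
    return $rel
}

# Placeholder customer tenant ID; replace before running.
$new = New-GdapRelationshipRequest -CustomerTenantId '00000000-0000-0000-0000-000000000000' `
    -DisplayName 'Contoso MSP - granular admin 2024' -RoleTemplateIds $GranularRoles.Values
"Created relationship $($new.id) in state $($new.status); send the approval link to the customer."
```

The audit output is the list to work from before the two-year expiries hit: anything flagged HasGlobalAdmin will not auto-extend no matter what autoExtendDuration says, so those are the relationships to either edit (removing Global Administrator, as the post notes is now possible) or replace with a request built by the second function.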

@jonwbstr24 

 

I see that you're actively engaging here in the community as well as directly with Microsoft on the Teams chat from the Partner Call, where you're discussing GDAP at this moment with Katherine.  

 

I also see that Microsoft is responding to you on the Partner Call chat. 

 

I'm happy to see that you were able to join the call yesterday and open this discussion.

 

I'll stop engaging here on the community.

 

Have a great day! :smile: