GDAP renewal time is approaching

Hi all,
 
The relationships we created two years ago are due for renewal soon, and I'm curious how other people are approaching the creation of new relationships.
 
With the introduction of relationships that auto renew, have you found this to be a beneficial alternative? We are a Managed Service Provider and our customers want us to turn ALL the knobs in the Microsoft portals for them.
 
I want to have the flexibility of techs only enabling the roles they need, but there are a LOT of roles. Creating a relationship with 34 roles is a bit extreme. Plus, it looks like we need 43 built-in roles to have the same level of access as Global Admin, and some of those roles are not available via GDAP today.
 
The role that stands out the most is "Organizational Branding Administrator." Can another role that is available through GDAP change sign-in branding? 
 
What would partners think if Microsoft allowed the Global Admin role to auto-renew until Microsoft adds all the built-in roles needed to replace Global Admin to the GDAP roles? Maybe put some sort of extra warning on the role acceptance side advising the client this is not recommended and let the client make that informed choice themselves?
 
What do you think customers' opinion of this move would be?
 
From my conversations with different people, I am under the impression that customers didn't want Microsoft to allow partners the option of letting the Global Admin role auto-renew. I am curious what the customers were looking to address with this approach and if there is another way. 
 
I look forward to reading your thoughts and experiences!
2 Replies

Hi @jonwbstr24 ,

 

We're looking into GDAP renewals, as they're coming up for us as well. We also selected a lot of Roles (you never know...) including Global Admin (just in case...) only to find out that Auto Renew doesn't work if GA is included 😞

 

I mostly do automation and development so I've not personally run into something I couldn't do with the Roles we have assigned (which is most, but not all -- and NOT Global Admin, that was strictly for "just in case" and I don't believe we've used it). But if you've found things that can't be done - or require many, many roles (which need to be configured for each customer's GDAP Relationship) that would be a drag.

 

If you can convince MS to allow auto-renew this time, until they tweak the Roles -- I'd support it. Like you, our Customers expect us to "entirely manage their infrastructure and services" so there's no real "what do the clients think?" for us; it's more "we need this to do as they ask: manage everything efficiently". However, I doubt MS will go for it, but you never know. I believe the reason is simply "fewer permissions is more security".

 

If you CAN live without the Global Admin Role, I just noticed this:

https://learn.microsoft.com/en-us/partner-center/expiring-gdap-relationships-and-auto-extend-gdap#re...

 

You can remove the GA Role from a GDAP Relationship. I've not tried it, but it should allow auto-renew to be enabled (which can be done via API I believe). If we automate creating the GDAP Relationships and Role/Group assignments, then perhaps having so many Roles to accomplish what you need (i.e. everything but GA) will be fairly painless, I think. We'll see...

 

   --Saul

Just a quick note to say: I noticed today that MS has included "Organizational Branding Administrator" in GDAP now. See:
https://learn.microsoft.com/en-us/partner-center/customers/gdap-faq#which-microsoft-entra-roles-were...