GDAP Overview: Sync 365 Consent Requirements

Granular Delegated Admin Permissions - GDAP Overview

This article explains how Granular Delegated Admin Permissions (GDAP) impact access to customer tenants and the requirements for full functionality in Sync 365.

Microsoft Resources for GDAP


GDAP requirements for full functionality

To ensure full functionality in Sync 365, the account used to grant consent must meet these requirements:

  1. Partner Center Access: The account must have access to your customers in the Partner Center.
  2. GDAP Group Membership: The account must belong to a GDAP security group with these permissions:
    1. Application Administrator or Cloud Application Administrator (required for consenting the application in customer tenants).
    2. Global Reader (minimum required role unless using Global Administrator).
    3. Alternatively, Global Administrator may be used to satisfy both requirements.

Note: If you cannot assign the Application Administrator role or similar, you must manually consent to the app in each customer tenant using their Global Administrator account.


Prerequisites

Before proceeding, ensure:

  • MFA is Enabled: The account must have Multi-Factor Authentication (MFA) enabled and enforced.
  • Correct GDAP Group Membership: The account is part of the GDAP security group with the appropriate permissions.
  • GDAP Relationships Are Established: Client tenants must have an established GDAP relationship with the security group assigned.
  • Minimum Permissions: The account being used must have both:
    • Global Reader
    • Application Administrator


If these conditions are met, you are ready to configure Sync 365!


===============================================================================



The steps below are generally not required; they are provided for information, or for anyone who specifically wants to use this method.


If you are unable or unwilling to assign one of the required roles (e.g., Application Administrator, Cloud Application Administrator, or Global Administrator), you can manually consent to the application in each customer tenant using a Global Administrator account of that tenant.


Sync 365 Grant Partner Consent

  1. Replace <tenant> in each of the following URLs with the customer tenant ID: 
    https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize?client_id=3efeacdc-560a-41a1-b337-e302923082ea&response_type=code&response_mode=form_post&scope=https://graph.microsoft.com/directory.read.all&redirect_uri=https%3A%2F%2Fsync.s365l.com&prompt=select_account
    https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize?client_id=3efeacdc-560a-41a1-b337-e302923082ea&response_type=code&response_mode=form_post&scope=https://outlook.office365.com/exchange.manage&redirect_uri=https%3A%2F%2Fsync.s365l.com&prompt=select_account
    https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize?client_id=3efeacdc-560a-41a1-b337-e302923082ea&response_type=code&response_mode=form_post&scope=https%3A%2F%2Fmanagement.azure.com%2Fuser_impersonation&redirect_uri=https%3A%2F%2Fsync.s365l.com&prompt=select_account
  2. Access the URL using the Global Administrator account of the customer tenant.
  3. Accept each of the permissions.
  4. Log in to grant directory read permissions, enabling advanced features such as filters, usernames, and contact synchronization.

Your own Azure AD application

To do this, replace <tenantID> in the following URL with the customer tenant ID and <clientID> with your Azure AD application client ID, then access the URL as the tenant Global Administrator: 

Log in with the tenant Global Administrator account to allow the directory read permissions needed for advanced functions, such as filters, usernames, and contact sync.
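The two consent procedures above (the Sync 365 application URLs, and the same URL with your own application's client ID substituted) can be scripted and, more importantly, checked before a Global Administrator opens a link. The following is an added example written for this article, not Sync 365's own PowerShell script or a Microsoft tool. It reuses the client_id, redirect_uri and three scopes shown in the URLs above; the tenant ID in the usage block is a constructed placeholder, and the "own application" variant assumes the same authorize-endpoint structure with your client_id and redirect_uri swapped in (both are parameters here, not values from the page). The checker flags the failure modes that matter in practice: an unreplaced <tenant> placeholder, a link that does not point at login.microsoftonline.com, a client_id or redirect_uri that differs from the expected one, a repeated query parameter, or a scope outside the three the article lists.

```python
"""Generate and sanity-check Sync 365 partner-consent URLs for a customer tenant.

Added example, not Sync 365's own script. The client_id, redirect_uri and the
three scopes are the values shown in this article; tenant IDs and any
"own application" values are constructed placeholders.
"""
import re
import uuid
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_HOST = "login.microsoftonline.com"
AUTHORIZE_PATH = "/{tenant}/oauth2/v2.0/authorize"

# Values taken from the consent URLs in this article.
SYNC365_CLIENT_ID = "3efeacdc-560a-41a1-b337-e302923082ea"
SYNC365_REDIRECT_URI = "https://sync.s365l.com"
SYNC365_SCOPES = (
    "https://graph.microsoft.com/directory.read.all",
    "https://outlook.office365.com/exchange.manage",
    "https://management.azure.com/user_impersonation",
)


def build_consent_urls(tenant_id, client_id=SYNC365_CLIENT_ID,
                       redirect_uri=SYNC365_REDIRECT_URI, scopes=SYNC365_SCOPES):
    """Return one authorize URL per scope, in the same layout as the article.

    Pass your own client_id and redirect_uri for the "own Azure AD application"
    variant (assumption: same URL structure with the application values swapped).
    The tenant ID must be a GUID; rejecting anything else stops a mistyped or
    unreplaced <tenant> placeholder from reaching a Global Administrator's browser.
    """
    uuid.UUID(tenant_id)  # raises ValueError if tenant_id is not a GUID
    urls = []
    for scope in scopes:
        # urlencode percent-encodes every value; the service decodes it to the
        # same scope string as the partly unencoded URLs shown in the article.
        query = urlencode({
            "client_id": client_id,
            "response_type": "code",
            "response_mode": "form_post",
            "scope": scope,
            "redirect_uri": redirect_uri,
            "prompt": "select_account",
        })
        path = AUTHORIZE_PATH.format(tenant=tenant_id)
        urls.append(f"https://{AUTHORIZE_HOST}{path}?{query}")
    return urls


def check_consent_url(url, client_id=SYNC365_CLIENT_ID,
                      redirect_uri=SYNC365_REDIRECT_URI, allowed_scopes=SYNC365_SCOPES):
    """Return the list of problems found in a consent URL (empty means it checks out).

    Run this before opening a link with a Global Administrator account: it must
    point at the Microsoft login endpoint for a real tenant GUID, name the
    expected application and redirect URI, and ask only for allowlisted scopes.
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc != AUTHORIZE_HOST:
        problems.append(f"unexpected endpoint: {parts.scheme}://{parts.netloc}")
    m = re.fullmatch(r"/([^/]+)/oauth2/v2\.0/authorize", parts.path)
    if not m:
        problems.append(f"unexpected path: {parts.path}")
    else:
        try:
            uuid.UUID(m.group(1))
        except ValueError:
            problems.append(f"tenant segment is not a GUID: {m.group(1)}")

    params = parse_qs(parts.query)

    def single(name):
        # A parameter given twice is suspicious in itself, so treat it as absent.
        values = params.get(name, [])
        return values[0] if len(values) == 1 else None

    if single("client_id") != client_id:
        problems.append(f"client_id mismatch: {single('client_id')}")
    if single("redirect_uri") != redirect_uri:
        problems.append(f"redirect_uri mismatch: {single('redirect_uri')}")
    if single("response_type") != "code":
        problems.append(f"unexpected response_type: {single('response_type')}")
    scope = single("scope")
    if scope is None:
        problems.append("scope missing or repeated")
    else:
        allowed = {s.lower() for s in allowed_scopes}
        for s in scope.split():
            if s.lower() not in allowed:
                problems.append(f"scope not in allowlist: {s}")
    return problems


if __name__ == "__main__":
    # Constructed sample tenant ID, not a real customer.
    for u in build_consent_urls("11111111-2222-3333-4444-555555555555"):
        print("OK" if not check_consent_url(u) else "CHECK", u)
```

Feeding one of the article's URLs to check_consent_url without replacing <tenant> reports exactly one problem, the non-GUID tenant segment; a link whose redirect_uri has been changed reports a redirect_uri mismatch. For your own application, call build_consent_urls with your client_id and the redirect URI registered on that application and pass the same two values to check_consent_url.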


Azure AD Application (Avoid using this method unless required)

Sync 365 offers an option to connect by creating your own Azure AD Application in your Azure tenant. The benefit of this method is that the application resides in your tenant rather than under Sync 365 as the Control Panel Vendor.

This does mean that you will need to ensure your app secret does not expire.


With GDAP, we only require “Global Reader” and one of the following to be able to consent the app in the customer tenant:


• Global Administrator

• Privileged Role Administrator

• Cloud Application Administrator

• Application Administrator


We recommend creating a dedicated Sync 365 License user account, ensuring MFA is set up (required for Partner Center access), giving it access to the Partner Center, and adding it to the relevant GDAP group for all of your customers.


We have provided an easy PowerShell script for you to create the application and grant consent.
