Using the Sync 365 GDAP Builder

Using the Sync 365 Free GDAP Builder

The Sync 365 GDAP Builder helps Microsoft partners create GDAP approval links and assign approved GDAP roles to partner security groups.

Use this tool when you need to create a GDAP relationship request, generate a customer approval URL, assign GDAP roles to partner security groups after approval, or reuse saved default roles and groups for future requests.

Important: Do not assign groups until the customer has approved the GDAP relationship. If you assign groups before approval, Microsoft Graph may reject the request.

Before you start

You need a Microsoft partner account with permission to create and manage GDAP relationships. You should also know which partner security groups you want to assign roles to.

Common group examples include:

  • adminAgents
  • HelpdeskAgents
  • A custom security group used by your MSP

The tool runs in your browser. No customer data is stored by Sync 365. Saved defaults are stored only in your browser.

  1. Sign in with a Partner Center account that has permission to create GDAP relationships.
  2. Create the GDAP approval URL.
  3. Send the URL to the customer tenant administrator, or open the URL in a separate/private browser session and sign in as the customer tenant Global Administrator.
  4. Approve the GDAP relationship in the customer tenant.
  5. Return to the GDAP Builder.
  6. Assign the approved roles to the required partner security groups.

If you manage the customer's tenant and have approval to complete the process on their behalf, the easiest option is often to open the approval URL in an incognito/private browser window and sign in using the customer tenant Global Administrator account.


Sign in

  1. Open the GDAP Builder site.
  2. Select Sign in.
  3. Sign in with your Microsoft partner account.
  4. If prompted, approve the requested Microsoft permissions.

After sign-in, the tool enables the GDAP creation and group selection options.

Option 1: Create a new GDAP relationship

Use this option when you need to create a new GDAP request for a customer.

  1. Enter a Relationship name.
  2. Choose the relationship Duration.
  3. Leave Auto renew 180 days selected unless you do not want auto-renewal.
  4. Review the selected roles.
  5. Select Create URL.

The tool will create the GDAP relationship, lock it for customer approval, and show the customer approval URL.

You can copy the approval URL, send it to the customer, or open it in another browser session to approve it using the customer tenant Global Administrator account.

Approving the GDAP relationship

After the approval URL is created, use one of these methods:

Option A: Send the URL to the customer

  1. Copy the approval URL.
  2. Send it to the customer tenant administrator.
  3. Ask them to open the link and approve the GDAP relationship.
  4. Wait until the approval is completed before assigning groups.

Option B: Approve using the customer tenant Global Administrator

  1. Copy the approval URL.
  2. Open it in an incognito/private browser window or a separate browser profile.
  3. Sign in as the customer tenant Global Administrator.
  4. Accept the GDAP relationship.
  5. Return to the GDAP Builder and assign groups.

Select roles for the GDAP request

The tool starts with a common Sync 365 default role set.

You can:

  • Keep the default selected roles.
  • Select More roles to show the full role list.
  • Search for a role by name or role ID.
  • Select additional roles.
  • Clear roles you do not want.
  • Select all visible roles.
  • Save your preferred role selection as a local default.

Only roles included in the approved GDAP relationship can later be assigned to partner security groups.

Save default roles

If you commonly use the same GDAP role set:

  1. Select the roles you want.
  2. Select Save defaults.

The selected roles are saved in your browser and loaded automatically next time. To return to the Sync 365 common role set, select the reset button beside Save defaults.

Option 2: Use an existing GDAP relationship

Use this option if a GDAP relationship already exists and you only need to assign or update groups.

  1. Find the existing GDAP relationship ID.
  2. Paste it into Use existing relationship ID.
  3. Select the check button.

The tool loads the roles approved for that relationship. After the approved roles are loaded, you can select groups and assign roles.

Assign groups

Only assign groups after the customer has approved the GDAP relationship.

Partner Center roles still matter: Some Microsoft Partner Center operations, such as granting application consent, may require the user to be assigned as an Admin Agent in Partner Center. Having the required GDAP roles alone may not be sufficient if the user is only assigned to Helpdesk Agents or another non-admin Partner Center role. If application consent fails with permission errors, verify the account is assigned to Assist your customers as Admin Agent in Partner Center.

Quick pick: adminAgents

Select adminAgents to search for the standard partner admin group. If multiple matches are returned, choose the correct security group from the picker.

Quick pick: HelpdeskAgents

Select HelpdeskAgents to search for the standard partner helpdesk group. If multiple matches are returned, choose the correct security group from the picker.

List groups

Select List groups to load available security groups. Choose the group you want from the list. This is useful if you are not sure of the exact group name or mail nickname.

Add group manually

Use Add group if you know the group name, mail nickname, or object ID.

You can enter one of the following:

  • Display name
  • Mail nickname
  • Object ID

Then select the plus button.

Select roles for a group

After adding a group, select the roles that should be assigned to that group.

The role selector is click-on, click-off:

  • Click a role once to select it.
  • Click it again to remove it.
  • Selecting one role will not clear the other selected roles.

Only roles approved in the GDAP relationship are available for group assignment.

Assign roles to a group

  1. Review the selected group and roles.
  2. Select the assign button for that group.

The tool creates the GDAP access assignment. If the group already has an assignment for that relationship, the tool updates the existing assignment instead.

Save default groups

If you commonly assign the same groups:

  1. Add the groups you want in the Assign groups section.
  2. Select the roles for each group.
  3. Select Save groups.

The saved group defaults include group object ID, group display name, mail nickname, and selected role IDs.

These defaults are stored only in your browser. Next time you open the tool, the saved groups will appear automatically. To clear saved group defaults, select the reset button beside Save groups.

Update existing group assignments

If you assign roles to a group that already has an assignment, Microsoft may return a conflict because the assignment already exists.

The tool handles this by updating the existing assignment.

Use this when:

  • You selected the wrong roles the first time.
  • You need to add more roles to a group.
  • You need to remove roles from a group.
  • You are using an existing GDAP relationship.
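The checks described in the sections above (approval before assignment, approved roles only, update instead of create when the group already has an assignment) can be expressed as one pre-flight decision. This is an added example, not Sync 365's own code: `planAssignment` is a hypothetical helper, the field names follow Microsoft Graph's `delegatedAdminRelationship` and `delegatedAdminAccessAssignment` resources, and all IDs are constructed.

```javascript
// Added example: offline pre-flight check before a GDAP group assignment.
// Field names follow Microsoft Graph's delegatedAdminRelationship and
// delegatedAdminAccessAssignment resources; every ID below is constructed.
const ROLE_A = "00000000-0000-0000-0000-0000000000a1"; // constructed role ID
const ROLE_B = "00000000-0000-0000-0000-0000000000b2"; // constructed role ID
const ROLE_C = "00000000-0000-0000-0000-0000000000c3"; // constructed, NOT approved
const GROUP_1 = "11111111-1111-1111-1111-111111111111"; // constructed group object ID

const sampleRelationship = {
  status: "active",
  accessDetails: { unifiedRoles: [{ roleDefinitionId: ROLE_A }, { roleDefinitionId: ROLE_B }] },
};
const sampleAssignments = [
  { id: "assignment-1", status: "active", accessContainer: { accessContainerId: GROUP_1 } },
];

// Hypothetical helper: decides whether to block, create or update an assignment.
function planAssignment(relationship, existingAssignments, group) {
  // 1. Approval gate: assign only once the relationship is active.
  if (relationship.status !== "active") {
    return { action: "blocked", reason: `relationship status is ${relationship.status}` };
  }
  // 2. Requested roles must be a non-empty subset of the approved roles.
  const approved = new Set(
    relationship.accessDetails.unifiedRoles.map((r) => r.roleDefinitionId.toLowerCase()));
  const requested = [...new Set(group.roleIds.map((id) => id.toLowerCase()))];
  const notApproved = requested.filter((id) => !approved.has(id));
  if (requested.length === 0 || notApproved.length > 0) {
    return { action: "blocked", reason: "roles missing or not approved", notApproved };
  }
  // 3. Update a live assignment for this group if there is one, else create.
  const accessDetails = { unifiedRoles: requested.map((roleDefinitionId) => ({ roleDefinitionId })) };
  const groupId = group.objectId.toLowerCase();
  const current = existingAssignments.find((a) =>
    a.accessContainer.accessContainerId.toLowerCase() === groupId &&
    !["deleting", "deleted"].includes(a.status));
  if (current) {
    return { action: "update", assignmentId: current.id, body: { accessDetails } };
  }
  return {
    action: "create",
    body: {
      accessContainer: { accessContainerId: group.objectId, accessContainerType: "securityGroup" },
      accessDetails,
    },
  };
}
```

The returned `body` is shaped like the request payload for creating or updating an access assignment, so a blocked result can be surfaced before any Graph call is made.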

Activity log

The Activity panel shows what the tool is doing.

It can show sign-in status, relationship creation status, approval URL creation, group lookup results, assignment success messages, and errors returned by Microsoft Graph.

Use this log when troubleshooting.


Common errors

Customer has not approved the relationship

If group assignment fails, confirm the customer has approved the GDAP relationship through the approval URL. Group assignment should only be done after approval.

Role was not approved

If you see an error about a non-approved role, the role was not included in the GDAP relationship approved by the customer.

To fix this:

  1. Confirm you are using the correct relationship ID.
  2. Reload the existing relationship in the tool.
  3. Select only roles shown in the group assignment section.

Group already exists

This means the group already has a GDAP access assignment.

The tool should update the existing assignment automatically. If it still fails, confirm your signed-in account has permission to update GDAP access assignments.

Group not found

If a group cannot be found:

  • Use List groups and pick from the returned list.
  • Check that the group is security-enabled.
  • Try the group object ID instead of the display name.

Quick steps: create a new GDAP relationship

  1. Sign in.
  2. Enter the relationship name.
  3. Review or adjust the roles.
  4. Create the approval URL.
  5. Send the URL to the customer, or open it in a private browser session and sign in as the customer tenant Global Administrator.
  6. Approve the GDAP relationship.
  7. Return to the tool.
  8. Select the required groups.
  9. Select the approved roles for each group.
  10. Assign the roles.

Quick steps: use an existing GDAP relationship

  1. Sign in.
  2. Paste the existing relationship ID.
  3. Load the relationship.
  4. Select or review the groups.
  5. Adjust role selections.
  6. Assign or update group roles.

Privacy notes

The tool does not use a backend database.

The following items may be saved in your browser only:

  • Last relationship ID
  • Approved role IDs for the current relationship
  • Saved default role selections
  • Saved default group selections

Clear browser storage or use the reset buttons in the tool to remove saved defaults.
