Granular Delegated Admin Permissions - GDAP Overview

Created by Leon, Modified on Fri, 27 Oct 2023 at 01:16 PM by Leon

This page contains information around how GDAP will impact access to tenants and what is required for full functionality

Microsofts overview: Granular delegated admin privileges (GDAP) introduction - Partner Center | Microsoft Learn 

Microsofts FAQ: GDAP frequently asked questions - Partner Center | Microsoft Learn 

GDAP requirements for full functionality

  • Consent granted to the Sync 365 application by a user account that has Partner Center access to your customers and is in a GDAP group with the following permissions:
    • One of the following: Global Administrator, Cloud Application Administrator, Application Administrator
      • NOTE: This is required to consent the application in customer tenants. This can be added temporarily and removed after the tenant has the application consented. The application is consented only with the “Directory.readall” permission in customer tenants.
      • Additionally we can also provide a manual process to authenticate the application in each customer tenant instead. (See below)
  • And “Global Reader” as minimum (not required if using global administrator)
  • Optional: Create an AzureAD app in your tenant and use that.

Grant Partner Center Consent (Recommended Method)

As you transition your customers from Delegated Admin Permissions (DAP) to Granular Delegated Admin Permissions (GDAP), as long as you have kept the user account that was used to grant consent and that user is in a GDAP group that has the right permissions, things will continue to work as normal.

If you created a new user account to assign to your customers, you will need to grant consent with that user account (if the domain name is the same it will update the existing account, if it is different i.e. your .onmicrosoft account, it will create an additional admin account. We can move your tenants in bulk to look at the new account if required.

Manually consent to the Azure AD Application in customer tenants.

If for some reason you are not able to add One of the following permissions: Global Administrator, Privileged Role Administrator,Cloud Application Administrator, Application Administrator, or you do not want to have this permission on the customer tenant you can manually consent to the application in each tenant with their global administrator.

Sync 365 Grant Partner Consent

To do this, simply replace the <tenantID> with the customer tenant id and access the following url:<tenantID>/oauth2/authorize?client_id=3efeacdc-560a-41a1-b337-e302923082ea&response_mode=form_post&response_type=code&scope=

Your own Azure AD application

To do this, simply replace the <tenantID> with the customer tenant id and <clientID> with your azure ad application client ID and access the following url:<tenantID>/oauth2/authorize?client_id=<clientID>&response_mode=form_post&response_type=code&scope= 

And log in with the tenant global administrator. This will allow the directory read permission with the app so you can use the advanced functions (like filters, usernames, contact sync etc)

Azure AD Application

There is a new option to connect up with Sync 365 by creating your own Azure AD Application in your azure tenant. This is our new method of partner consent. The only added benefit of this is the application that is consented sits in your tenant instead of ours as the “Control Panel Vendor”.

When changing to GDAP, we only require “Global Reader” and one of the following to be able to consent the app in the customer tenant:

• Global Administrator

• Privileged Role Administrator

• Cloud Application Administrator

• Application Administrator

We recommend creating a dedicated Sync 365 License user account, ensuring MFA is setup (required for partner center access), giving it access to the partner center and adding it to the relevant GDAP group for all of your customers.

We have provided an easy powershell script for you to create the application and grant consent.

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article