This page provides information on how Granular Delegated Admin Permissions (GDAP) impact access to customer tenants and the requirements for full functionality in Sync 365.
Microsoft Resources for GDAP
GDAP requirements for full functionality
To enable full Sync 365 functionality, you must grant consent to the Sync 365 application using a user account that:
Has Partner Center access to your customers.
Belongs to a GDAP security group that is assigned the following roles on the customer tenants:
Application Administrator, Cloud Application Administrator, Privileged Role Administrator or Global Administrator (required to consent to the application in customer tenants).
Global Reader (the minimum read role; not needed if the account already has Global Administrator).
Note: If you cannot add Application Administrator (or an equivalent role), you can instead manually consent to the app in each customer tenant, as described further down this page.
Grant Partner Center Consent (Recommended Method)
Requirements:
- Account has MFA enabled and enforced
- Account is in the security group used with GDAP to grant the correct permissions
- GDAP relationship established with client tenants and security group added to the relationship with the minimum permissions
- Global Reader and Application Administrator as a minimum
If you have the above then you are ready to get started with Sync 365!
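The requirements above can be verified from the partner tenant before attempting the Partner Center consent. The following script is an added example and is not the Sync 365 script mentioned on this page; it assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph.Groups and Microsoft.Graph.Identity.Partner modules) is installed, and takes the UPN of the dedicated account and the GDAP security group name as parameters. It reports, per active GDAP relationship, whether the group holds Global Reader plus one of the roles that can consent to an application. The role template IDs are the well-known built-in Azure AD role IDs.

```powershell
# Added example (not the Sync 365 script): checks the GDAP prerequisites from the partner tenant.
# Assumed inputs: the UPN of the dedicated Sync 365 account and the name of the GDAP security group.
param(
    [Parameter(Mandatory)] [string] $ServiceAccountUpn,
    [Parameter(Mandatory)] [string] $GdapGroupName
)

# Read-only Graph permissions are enough for this check.
Connect-MgGraph -Scopes 'DelegatedAdminRelationship.Read.All', 'GroupMember.Read.All', 'User.Read.All' -NoWelcome

# Built-in Azure AD role template IDs (identical in every tenant).
$GlobalReaderId        = 'f2ef992c-3afb-46b9-b7cf-a126ee74c451'
$GlobalAdministratorId = '62e90394-69f5-4237-9190-012177145e10'
$ConsentCapableRoles   = @{
    $GlobalAdministratorId                 = 'Global Administrator'
    'e8611ab8-c189-46e8-94e1-60213ab1f814' = 'Privileged Role Administrator'
    '158c047a-c907-4556-b7ef-446551a6b5f7' = 'Cloud Application Administrator'
    '9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3' = 'Application Administrator'
}

# 1. The service account must be a member of the GDAP security group.
$group = Get-MgGroup -Filter "displayName eq '$GdapGroupName'" | Select-Object -First 1
if (-not $group) { throw "Security group '$GdapGroupName' was not found in the partner tenant." }
$user     = Get-MgUser -UserId $ServiceAccountUpn
$isMember = [bool](Get-MgGroupMember -GroupId $group.Id -All | Where-Object { $_.Id -eq $user.Id })
Write-Host ("{0} is a member of '{1}': {2}" -f $ServiceAccountUpn, $GdapGroupName, $isMember)

# 2. For every active relationship, find the access assignment for this group and inspect its roles.
$relationships = Get-MgTenantRelationshipDelegatedAdminRelationship -All |
    Where-Object { $_.Status -eq 'active' }

foreach ($rel in $relationships) {
    $assignments = Get-MgTenantRelationshipDelegatedAdminRelationshipAccessAssignment `
        -DelegatedAdminRelationshipId $rel.Id -All |
        Where-Object { $_.AccessContainer.AccessContainerId -eq $group.Id -and $_.Status -eq 'active' }

    # Collect every role the group has been granted on this customer through this relationship.
    $roleIds = @($assignments | ForEach-Object { $_.AccessDetails.UnifiedRoles.RoleDefinitionId })

    $hasGlobalReader = $roleIds -contains $GlobalReaderId
    $consentRoles    = @($roleIds | Where-Object { $ConsentCapableRoles.ContainsKey($_) } |
                         ForEach-Object { $ConsentCapableRoles[$_] })

    # Global Administrator already covers everything Global Reader can read.
    $readOk = $hasGlobalReader -or ($roleIds -contains $GlobalAdministratorId)

    [pscustomobject]@{
        Customer     = $rel.Customer.DisplayName
        Relationship = $rel.DisplayName
        ExpiresUtc   = $rel.EndDateTime
        GlobalReader = $hasGlobalReader
        ConsentRole  = ($consentRoles -join ', ')
        MeetsSync365 = ($readOk -and $consentRoles.Count -gt 0)
    }
}
```

Run it as a signed-in partner admin, for example `.\Test-Sync365Gdap.ps1 -ServiceAccountUpn sync365@partner.example -GdapGroupName 'GDAP-Sync365'` (both values are placeholders). Any row with MeetsSync365 set to False identifies a customer where the Partner Center consent will fail and the relationship, or the group's role assignment, needs to be amended first.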
===============================================================================
The steps below are generally not required and are included for reference, or for partners who specifically want to use this method.
Manually consent to the Azure AD Application in customer tenants.
If for some reason you are not able to add one of the following roles: Global Administrator, Privileged Role Administrator, Cloud Application Administrator or Application Administrator, or you do not want to hold that role on the customer tenant, you can manually consent to the application in each tenant using that tenant's Global Administrator.
Sync 365 Grant Partner Consent
To do this, replace <tenantID> in the following URL with the customer tenant ID and open the URL while signed in as the tenant's Global Administrator:
https://login.microsoftonline.com/<tenantID>/oauth2/authorize?client_id=3efeacdc-560a-41a1-b337-e302923082ea&response_mode=form_post&response_type=code&scope=https://graph.microsoft.com/directory.read.all%20https://outlook.office365.com/exchange.manage&redirect_uri=https://sync.s365l.com&prompt=select_account
Your own Azure AD application
To do this, replace <tenantID> in the following URL with the customer tenant ID and <clientID> with the client ID of your Azure AD application, then open the URL while signed in as the tenant's Global Administrator. The redirect_uri must be one of the redirect URIs registered on your application, otherwise Azure AD rejects the request before showing the consent prompt:
https://login.microsoftonline.com/<tenantID>/oauth2/authorize?client_id=<clientID>&response_mode=form_post&response_type=code&scope=https://graph.microsoft.com/directory.read.all%20https://outlook.office365.com/exchange.manage&redirect_uri=https://sync.s365l.com&prompt=select_account
Sign in with the tenant Global Administrator account to grant the directory read permission needed for advanced functions such as filters, usernames and contact sync.
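Both consent URLs above (the Sync 365 application and your own application) have the same shape and differ only in the client ID, and hand-editing them is an easy way to break the percent-encoding of the two space-separated scopes. The function below is an added example, not code from Sync 365; it assembles the URL from the tenant ID, an optional client ID (defaulting to the Sync 365 client ID shown on this page) and the redirect URI, percent-encoding every value with the .NET URI encoder so the result is always well-formed.

```powershell
# Added example (not from the Sync 365 page or script): builds the manual consent URL for a customer tenant.
function New-Sync365ConsentUrl {
    param(
        # Customer tenant ID; the [guid] type forces a well-formed value before any URL is built.
        [Parameter(Mandatory)] [guid] $TenantId,
        # Defaults to the Sync 365 application; pass your own application's client ID to use that instead.
        [guid]   $ClientId    = '3efeacdc-560a-41a1-b337-e302923082ea',
        # Must match a redirect URI registered on the application identified by $ClientId.
        [string] $RedirectUri = 'https://sync.s365l.com'
    )

    # The two resource-scoped permissions the page asks the customer to consent to.
    $scopes = @(
        'https://graph.microsoft.com/directory.read.all',
        'https://outlook.office365.com/exchange.manage'
    )

    # Query parameters in the same order as the page's URL; scope values are space-separated.
    $query = [ordered]@{
        client_id     = $ClientId
        response_mode = 'form_post'
        response_type = 'code'
        scope         = ($scopes -join ' ')
        redirect_uri  = $RedirectUri
        prompt        = 'select_account'
    }

    # Percent-encode each value (spaces become %20, ':' and '/' are encoded too) and join the pairs.
    $pairs = foreach ($key in $query.Keys) {
        '{0}={1}' -f $key, [uri]::EscapeDataString([string]$query[$key])
    }

    return "https://login.microsoftonline.com/$TenantId/oauth2/authorize?" + ($pairs -join '&')
}

# Demo call: a random GUID stands in for the customer tenant ID (constructed placeholder).
New-Sync365ConsentUrl -TenantId ([guid]::NewGuid())

# Your own application: supply its client ID and a redirect URI registered on it (placeholder values).
New-Sync365ConsentUrl -TenantId ([guid]::NewGuid()) -ClientId ([guid]::NewGuid()) -RedirectUri 'https://sync.s365l.com'
```

Open the returned URL in a browser session signed in as the customer's Global Administrator; because the values are encoded rather than pasted raw, a tenant ID or client ID that is not a valid GUID is rejected by the function instead of producing a sign-in error at Azure AD.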
Azure AD Application
Sync 365 offers an option to connect by creating your own Azure AD Application in your Azure tenant. The benefit of this method is that the application resides in your tenant rather than under Sync 365 as the Control Panel Vendor.
This does mean that you are responsible for rotating the application's client secret before it expires, because an expired secret stops the sync for every customer.
With GDAP, we only require “Global Reader” and one of the following to be able to consent the app in the customer tenant:
• Global Administrator
• Privileged Role Administrator
• Cloud Application Administrator
• Application Administrator
We recommend creating a dedicated Sync 365 License user account, ensuring MFA is set up (required for Partner Center access), giving it access to Partner Center, and adding it to the relevant GDAP group for all of your customers.
We have provided an easy PowerShell script for you to create the application and grant consent.