Granular Delegated Admin Permissions - GDAP Overview

Created by Leon leon.b@sync365.app, Modified on Fri, 27 Oct 2023 at 01:16 PM by Leon leon.b@sync365.app

This page describes how GDAP affects Sync 365's access to your customer tenants and what is required for full functionality.

Microsoft's overview: Granular delegated admin privileges (GDAP) introduction - Partner Center | Microsoft Learn

Microsoft's FAQ: GDAP frequently asked questions - Partner Center | Microsoft Learn


GDAP requirements for full functionality

  • Consent granted to the Sync 365 application by a user account that has Partner Center access to your customers and is in a GDAP group with the following roles:
    • One of: Global Administrator, Privileged Role Administrator, Cloud Application Administrator, Application Administrator
      • NOTE: This role is only needed to consent the application in customer tenants. It can be assigned temporarily and removed once the application has been consented in every tenant. The application is consented in customer tenants only with the delegated “Directory.Read.All” permission (note that the consent URLs below also request the Exchange Online “Exchange.Manage” scope).
      • Alternatively, we can provide a manual process to consent the application in each customer tenant instead (see below).
  • And “Global Reader” as a minimum (not required if the account already holds Global Administrator)
  • Optional: create your own Azure AD application in your partner tenant and use that instead of the Sync 365 application (see below).

Grant Partner Center Consent (Recommended Method)

As you transition your customers from Delegated Admin Permissions (DAP) to Granular Delegated Admin Permissions (GDAP), things will continue to work as normal as long as you have kept the user account that was used to grant consent and that user is in a GDAP group with the required roles.


If you created a new user account to assign to your customers, you will need to grant consent again with that account. If the domain name is the same, this updates the existing admin account; if it is different (for example your .onmicrosoft.com account), it creates an additional admin account. We can move your tenants in bulk to the new account if required.


Manually consent to the Azure AD Application in customer tenants.

If for some reason you are not able to assign one of the following roles: Global Administrator, Privileged Role Administrator, Cloud Application Administrator, Application Administrator, or you do not want the Sync 365 account to hold such a role in the customer tenant, you can manually consent to the application in each tenant with that tenant's global administrator.


Sync 365 Grant Partner Consent

To do this, replace <tenantID> with the customer tenant ID and open the following URL: https://login.microsoftonline.com/<tenantID>/oauth2/authorize?client_id=3efeacdc-560a-41a1-b337-e302923082ea&response_mode=form_post&response_type=code&scope=https://graph.microsoft.com/directory.read.all%20https://outlook.office365.com/exchange.manage&redirect_uri=https://sync.s365l.com&prompt=select_account


Your own Azure AD application

To do this, replace <tenantID> with the customer tenant ID and <clientID> with your Azure AD application's client ID, then open the following URL: https://login.microsoftonline.com/<tenantID>/oauth2/authorize?client_id=<clientID>&response_mode=form_post&response_type=code&scope=https://graph.microsoft.com/directory.read.all%20https://outlook.office365.com/exchange.manage&redirect_uri=https://sync.s365l.com&prompt=select_account


Sign in with the customer tenant's global administrator and accept the consent prompt. This grants the application the directory read permission in that tenant, which enables the advanced functions (filters, usernames, contact sync, etc.).
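After a customer tenant has consented, it is worth checking what the application was actually granted there, and that the admin role used for consent left nothing broader behind. The following PowerShell is an added example, not part of the original article and not a Sync 365 script. It assumes the Microsoft Graph PowerShell SDK and a sign-in to the customer tenant with an account that can read directory objects (Global Reader is enough). The default application ID is the client_id from the consent URL above, and the expected scope list is taken from that URL's scope parameter; change both for your own app registration.

```powershell
# Added example (not from the original article): audit the delegated permissions a
# multi-tenant application holds in a customer tenant after the consent URL flow.
# Requires: Install-Module Microsoft.Graph (Authentication + Applications modules).
param(
    [Parameter(Mandatory)] [string] $CustomerTenantId,
    # client_id from the consent URL on this page; change it for your own app registration.
    [string] $AppId = '3efeacdc-560a-41a1-b337-e302923082ea',
    # Scopes named in the consent URL; anything else granted is flagged below.
    [string[]] $ExpectedScopes = @('Directory.Read.All', 'Exchange.Manage')
)

# Directory.Read.All is enough to list service principals and permission grants.
Connect-MgGraph -TenantId $CustomerTenantId -Scopes 'Directory.Read.All' -NoWelcome

# Consent creates a service principal for the app in the customer tenant; no SP = no consent.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) {
    Write-Warning "Application $AppId has not been consented in tenant $CustomerTenantId"
    return
}

# Delegated grants (oauth2PermissionGrant). consentType 'AllPrincipals' means an admin
# consented for the whole organisation, which is what the consent URL flow produces.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
$resourceNames = @{}
$granted = foreach ($g in $grants) {
    if (-not $resourceNames.ContainsKey($g.ResourceId)) {
        $resourceNames[$g.ResourceId] = (Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId).DisplayName
    }
    foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
        [pscustomobject]@{
            Resource    = $resourceNames[$g.ResourceId]
            Scope       = $scope
            ConsentType = $g.ConsentType
        }
    }
}
$granted | Sort-Object Resource, Scope | Format-Table -AutoSize

# A delegated-only integration should hold no application (app-only) roles at all.
$appRoles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
if ($appRoles) {
    Write-Warning "$($appRoles.Count) app-only role assignment(s) present; review them:"
    $appRoles | Select-Object ResourceDisplayName, AppRoleId | Format-Table -AutoSize
}

# Flag any delegated scope beyond what the consent URL asked for.
$unexpected = $granted | Where-Object { $_.Scope -notin $ExpectedScopes }
if ($unexpected) {
    Write-Warning 'Delegated scopes granted beyond the expected set:'
    $unexpected | Format-Table -AutoSize
} else {
    Write-Host "Only the expected scopes are granted to $($sp.DisplayName) in $CustomerTenantId"
}
```

Run it per customer tenant (`.\Audit-Consent.ps1 -CustomerTenantId <tenantID>`); a missing service principal means the consent never completed, and any app-only role assignment or extra delegated scope is something the consent URL on this page did not ask for and should be explained before it is left in place.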


Azure AD Application

There is a new option to connect to Sync 365 by creating your own Azure AD application in your Azure tenant. This is our new method of partner consent. The only added benefit is that the consented application sits in your tenant rather than in ours as the “Control Panel Vendor”.


When changing to GDAP, we only require “Global Reader” and one of the following roles to be able to consent the app in the customer tenant:


• Global Administrator

• Privileged Role Administrator

• Cloud Application Administrator

• Application Administrator


We recommend creating a dedicated, licensed user account for Sync 365, ensuring MFA is set up (required for Partner Center access), giving it access to Partner Center, and adding it to the relevant GDAP group for all of your customers.


We have provided an easy PowerShell script to create the application and grant consent.
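As an added example, not the Sync 365 script referred to above and not part of the original article, the following PowerShell registers your own multi-tenant Azure AD application with the same delegated scopes the consent URLs on this page request, and then prints a consent URL for each customer tenant in the same shape as those URLs. It assumes the Microsoft Graph PowerShell SDK, an account in your partner tenant that may create app registrations, the well-known resource application IDs for Microsoft Graph and Office 365 Exchange Online, and a display name of your choosing; the redirect URI defaults to the one used by the consent URLs on this page.

```powershell
# Added example (not the Sync 365 script mentioned above): register your own multi-tenant
# Azure AD application in the partner tenant with the delegated scopes the consent URLs on
# this page request, then print one consent URL per customer tenant in the same shape.
# Requires: Install-Module Microsoft.Graph; run by an account that may create app registrations.
param(
    [string]   $DisplayName       = 'Sync 365 Connector',       # assumed name, pick your own
    [string]   $RedirectUri       = 'https://sync.s365l.com',   # redirect_uri used by the consent URLs above
    [string[]] $CustomerTenantIds = @()                         # tenant IDs to generate consent URLs for
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

# Resolve delegated scope IDs by name from each resource's service principal rather than
# hardcoding GUIDs; fails loudly if a scope does not exist, so nothing broader is requested.
function Get-DelegatedResourceAccess {
    param([string] $ResourceAppId, [string[]] $ScopeNames)
    $resource = Get-MgServicePrincipal -Filter "appId eq '$ResourceAppId'"
    if (-not $resource) { throw "Resource $ResourceAppId has no service principal in this tenant" }
    $access = foreach ($name in $ScopeNames) {
        $scope = $resource.Oauth2PermissionScopes | Where-Object { $_.Value -eq $name }
        if (-not $scope) { throw "Scope '$name' is not published by $($resource.DisplayName)" }
        @{ Id = $scope.Id; Type = 'Scope' }   # Type 'Scope' = delegated; 'Role' would be app-only
    }
    @{ ResourceAppId = $ResourceAppId; ResourceAccess = @($access) }
}

# Well-known resource app IDs: Microsoft Graph and Office 365 Exchange Online.
$graphAppId    = '00000003-0000-0000-c000-000000000000'
$exchangeAppId = '00000002-0000-0ff1-ce00-000000000000'
$requiredAccess = @(
    (Get-DelegatedResourceAccess -ResourceAppId $graphAppId    -ScopeNames 'Directory.Read.All'),
    (Get-DelegatedResourceAccess -ResourceAppId $exchangeAppId -ScopeNames 'Exchange.Manage')
)

$appParams = @{
    DisplayName            = $DisplayName
    SignInAudience         = 'AzureADMultipleOrgs'          # multi-tenant so customer admins can consent
    Web                    = @{ RedirectUris = @($RedirectUri) }
    RequiredResourceAccess = $requiredAccess
}
$app = New-MgApplication @appParams
# The app needs a service principal in your own tenant before it can be used there.
$null = New-MgServicePrincipal -AppId $app.AppId

"Client ID for the consent URLs: $($app.AppId)"
$scopeParam = [uri]::EscapeDataString('https://graph.microsoft.com/Directory.Read.All https://outlook.office365.com/Exchange.Manage')
$redirParam = [uri]::EscapeDataString($RedirectUri)
foreach ($tenantId in $CustomerTenantIds) {
    "https://login.microsoftonline.com/$tenantId/oauth2/authorize?client_id=$($app.AppId)&response_mode=form_post&response_type=code&scope=$scopeParam&redirect_uri=$redirParam&prompt=select_account"
}
```

The redirect_uri in each generated URL must exactly match one registered on the application, or Azure AD rejects the request before any consent prompt appears, so if you do not use the default from this page, pass the URI your own application handles. Resolving scopes by name instead of pasting GUIDs keeps the registration limited to the two delegated permissions the article describes, which is the least-privilege outcome the GDAP transition is meant to preserve.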
