Microsoft Entra ID · Identity Governance

Customer Delegated Admin Relationship Administrator

Manage all aspects of Granular Delegated Admin Privileges (GDAP) relationships in a customer tenant. Used by Microsoft Cloud Solution Provider (CSP) partners and their delegated administrators to manage the lifecycle of customer access relationships.

Scope: GDAP relationship lifecycle administration within the customer tenant

Permissions

  • Create and manage GDAP customer relationships
  • Approve or terminate delegated admin relationships
  • Configure granular permission scopes within GDAP
  • Manage relationship requests from partners
  • Read directory and policy information needed for GDAP administration
  • Audit GDAP relationship changes

Common use cases

  • Onboarding a new Microsoft Cloud Solution Provider (CSP) partner
  • Granting time-bound, role-scoped access to partner administrators
  • Reviewing and renewing existing GDAP relationships
  • Terminating a partner relationship at end of contract
  • Migrating from legacy DAP (delegated admin privileges) to GDAP

Best practices

  • Apply principle of least privilege when approving GDAP role requests
  • Use time-bound relationships (max 2 years) rather than indefinite access
  • Require Conditional Access policies that scope partner access (e.g., MFA, named locations)
  • Review active GDAP relationships quarterly
  • Document the business justification for each partner relationship
  • Prefer GDAP over legacy DAP — Microsoft is deprecating DAP

Security considerations

  • Partners with GDAP can perform admin actions in your tenant — vet partners carefully
  • Compromised partner credentials can be used to access your tenant
  • Audit all partner activity through GDAP-specific audit logs
  • Conditional Access policies should treat partner accounts as untrusted by default
  • Use sign-in risk policies to detect anomalous partner sign-ins

Common questions

When should I assign the Customer Delegated Admin Relationship Administrator role?

Assign Customer Delegated Admin Relationship Administrator when you need to: Onboarding a new Microsoft Cloud Solution Provider (CSP) partner; Granting time-bound, role-scoped access to partner administrators; Reviewing and renewing existing GDAP relationships; Terminating a partner relationship at end of contract; and Migrating from legacy DAP (delegated admin privileges) to GDAP. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Customer Delegated Admin Relationship Administrator role do?

The Customer Delegated Admin Relationship Administrator role grants permissions including: Create and manage GDAP customer relationships; Approve or terminate delegated admin relationships; Configure granular permission scopes within GDAP; Manage relationship requests from partners; Read directory and policy information needed for GDAP administration; and Audit GDAP relationship changes. See the Permissions section above for the full list.

What are the security risks of the Customer Delegated Admin Relationship Administrator role?

Key considerations when assigning Customer Delegated Admin Relationship Administrator: Partners with GDAP can perform admin actions in your tenant — vet partners carefully; Compromised partner credentials can be used to access your tenant; Audit all partner activity through GDAP-specific audit logs; and Conditional Access policies should treat partner accounts as untrusted by default. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →