Microsoft Entra ID · Identity Governance
Customer Delegated Admin Relationship Administrator
Manage all aspects of Granular Delegated Admin Privileges (GDAP) relationships in a customer tenant. Used by Microsoft Cloud Solution Provider (CSP) partners and their delegated administrators to manage the lifecycle of customer access relationships.
Scope: GDAP relationship lifecycle administration within the customer tenant
Permissions
- Create and manage GDAP customer relationships
- Approve or terminate delegated admin relationships
- Configure granular permission scopes within GDAP
- Manage relationship requests from partners
- Read directory and policy information needed for GDAP administration
- Audit GDAP relationship changes
Common use cases
- Onboarding a new Microsoft Cloud Solution Provider (CSP) partner
- Granting time-bound, role-scoped access to partner administrators
- Reviewing and renewing existing GDAP relationships
- Terminating a partner relationship at end of contract
- Migrating from legacy DAP (delegated admin privileges) to GDAP
Best practices
- Apply principle of least privilege when approving GDAP role requests
- Use time-bound relationships (max 2 years) rather than indefinite access
- Require Conditional Access policies that scope partner access (e.g., MFA, named locations)
- Review active GDAP relationships quarterly
- Document the business justification for each partner relationship
- Prefer GDAP over legacy DAP — Microsoft is deprecating DAP
Security considerations
- Partners with GDAP can perform admin actions in your tenant — vet partners carefully
- Compromised partner credentials can be used to access your tenant
- Audit all partner activity through GDAP-specific audit logs
- Conditional Access policies should treat partner accounts as untrusted by default
- Use sign-in risk policies to detect anomalous partner sign-ins