
Understanding Microsoft GDAP Security

Kiri O’Dwyer, Customer Success Manager - PyraCloud

Managing security in cloud environments is more important than ever. For businesses leveraging Microsoft Cloud solutions like Azure, Microsoft 365, or Dynamics, ensuring control over access while enabling efficient support from your CSP provider like SoftwareOne can feel like a balancing act.

This is where Granular Delegated Admin Privileges, or GDAP, steps in. It is a significant improvement over the previous DAP permissions model for cloud security management: it builds on guiding principles such as least privilege and role-based access control (RBAC), so the way businesses work with trusted service providers like SoftwareOne is better safeguarded.

This blog will explore:

  • What GDAP is and why it’s a game-changer.
  • The importance of GDAP for securing your cloud environment.
  • Why SoftwareOne uses GDAP and how it benefits your organization.

By the end, you’ll understand how GDAP empowers your organization in affording a partner like SoftwareOne access to your environment whilst safeguarding your organization’s security standards within your cloud environment, whilst enjoying our premium support.


What Is GDAP?

GDAP, or Granular Delegated Admin Privileges, is a security feature that provides partners with least-privileged access, follows Zero Trust principles, and is designed to give your business full control over partner access to your cloud environment(s).

Unlike the previous system from Microsoft, Delegated Admin Privileges (DAP) or other traditional "all-or-nothing" access systems, GDAP empowers organizations like yours to grant highly specific, time-bound permissions to service providers, ensuring they access only what's necessary to provide support.

The evolution from DAP to GDAP

The Delegated Admin Privileges (DAP) program allowed Cloud Solution Providers (CSPs) to gain persistent, high-level access (typically Global Administrator or Helpdesk Administrator) to customer tenants once the customer accepted the reseller relationship. This access was broad and indefinite, and could only be revoked manually by either party.

Microsoft has since retired DAP because it posed significant security risks due to:

  1. Overprivileged access: Partners often had more access than necessary, violating the principle of least privilege.
  2. Persistent access: DAP relationships did not expire, increasing exposure to long-term threats.
  3. Attack surface: Threat actors exploited DAP relationships to launch broader attacks.
  4. Compliance concerns: Customers, especially in regulated industries, required time-bound and scoped access to meet internal and external compliance standards.

To improve the security posture, Granular Delegated Admin Privileges (GDAP) was introduced in August 2022 to address these shortcomings. GDAP aligns more closely with Zero Trust principles and offers role-based access control (RBAC), so partners like SoftwareOne can be assigned specific Microsoft Entra roles (e.g., Security Reader, License Administrator) instead of blanket Global Administrator permissions.

Furthermore, the customer is required to provide explicit consent for each GDAP relationship request. Each request specifies the privileged roles and the duration, because a GDAP relationship now carries an automatic expiry date ranging from 1 to 730 days, with the option of auto-extension.

Finally, GDAP uses Cross-Tenant Access Policies (XTAP) to enforce scoped access between SoftwareOne as your CSP and your Microsoft 365, Azure, or Dynamics tenant. XTAP leans on Microsoft Entra External ID to govern how organizations collaborate across tenant boundaries with technology built on the same guest access features you probably use daily in your own B2B Guest access scenarios.

So, when SoftwareOne requests access to your tenant, XTAP ensures that only the approved roles (e.g., Security Reader) are granted, and that the access is time-bound and revocable. You can also reduce access friction by enforcing MFA claims through the SoftwareOne tenant. All of this aligns with the Zero Trust principle of “never trust, always verify”.

Think of GDAP as a delegation framework. It enables role-based access control (RBAC), which limits each user or provider to the least privilege needed. So, whether you’re dealing with Microsoft 365, Azure, or Dynamics, GDAP ensures that service providers like SoftwareOne can offer efficient support without breaching your organization’s security boundaries.
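The consent decision described above can be checked mechanically before approval. The following is an added example (not SoftwareOne’s or Microsoft’s code) that reviews a constructed GDAP relationship request against the points the text makes: blanket roles such as Global Administrator, the 1 to 730 day expiry range, and auto-extension. The request shape is only modelled on the Graph delegatedAdminRelationship resource, and role names stand in for the role definition GUIDs a real payload carries.

```python
"""Customer-side review of a GDAP relationship request before consent.
Added example, not SoftwareOne's or Microsoft's code; the request shape is
constructed and only modelled on the Graph delegatedAdminRelationship resource."""
import re
from datetime import date, timedelta

# Blanket roles the text contrasts with scoped ones. Names are used here for
# readability; a real Graph payload carries Entra roleDefinitionId GUIDs instead.
HIGH_PRIVILEGE_ROLES = {"Global Administrator", "Helpdesk Administrator"}
MIN_DAYS, MAX_DAYS = 1, 730  # expiry range for a GDAP relationship stated above


def parse_days(iso_duration: str) -> int:
    """Parse a day-only ISO 8601 duration ('P180D'); 'PT0S'/'P0D' mean none."""
    if iso_duration in ("PT0S", "P0D"):
        return 0
    m = re.fullmatch(r"P(\d+)D", iso_duration)
    if not m:
        raise ValueError(f"unsupported duration: {iso_duration!r}")
    return int(m.group(1))


def review_request(request: dict, approved_roles: set, approved_on: str) -> dict:
    """Return least-privilege findings plus the expiry date the consent would set."""
    findings = []
    roles = {r["roleName"] for r in request["accessDetails"]["unifiedRoles"]}
    for role in sorted(roles & HIGH_PRIVILEGE_ROLES):
        findings.append(f"blanket role requested: {role}")
    for role in sorted(roles - approved_roles - HIGH_PRIVILEGE_ROLES):
        findings.append(f"role not on the approved list: {role}")
    days = parse_days(request["duration"])
    if not MIN_DAYS <= days <= MAX_DAYS:
        findings.append(f"duration {days} days is outside {MIN_DAYS}-{MAX_DAYS}")
    auto = request.get("autoExtendDuration", "PT0S")
    if parse_days(auto) > 0:
        findings.append(f"auto-extension {auto} set; relationship will not lapse on its own")
    expires = date.fromisoformat(approved_on) + timedelta(days=days)
    return {"expires": expires.isoformat(), "findings": findings, "approve": not findings}


# Constructed sample request (not a real partner request).
SAMPLE_REQUEST = {
    "displayName": "CSP support relationship (constructed)",
    "duration": "P180D",
    "autoExtendDuration": "PT0S",
    "accessDetails": {"unifiedRoles": [{"roleName": "Security Reader"},
                                       {"roleName": "License Administrator"}]},
}

if __name__ == "__main__":
    print(review_request(SAMPLE_REQUEST, {"Security Reader", "License Administrator"}, "2024-01-01"))
```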


Why is GDAP important?

Security threats continue to rise, and businesses no longer trust vague, all-encompassing admin privileges that leave systems vulnerable. Here’s why GDAP is crucial for modern organizations managing cloud environments:

  • Enhanced security practices
    SoftwareOne’s use of GDAP replaces outdated admin access models with a finely tuned approach. By limiting access to only essential resources, GDAP in itself also significantly reduces the likelihood of security breaches, ensuring you meet compliance and industry best practices.
  • Greater control
    With GDAP, you set the rules. You can define the scope of access, set time limits, and even revoke permissions at your discretion. This ensures absolute control over your Microsoft Cloud environment at all times.
  • Boost operational efficiency
    By implementing GDAP, service providers like SoftwareOne can streamline their own operations and offer faster support to you. Improved access management equals quicker resolutions and less downtime for your business.
  • Aligned with modern standards
    GDAP adheres more closely to the principle of least privilege, a key aspect of current cybersecurity protocols that limits access to only what’s necessary and nothing more.

Why does SoftwareOne use GDAP?

At SoftwareOne, we are committed to providing secure, efficient, and transparent support experiences for our clients. GDAP plays a vital role in enabling us to fulfil this promise. Here's why we advocate for GDAP in collaboration with our clients:

  • Faster support, tailored to you
    GDAP allows us to address technical issues in your cloud environment quickly and precisely. Because specific access is granted up front rather than waiting for manual approvals, we can minimize downtime and keep your business running smoothly.
  • Customized access
    Your cloud environment is unique, and with GDAP, you control exactly what we can access. This means we troubleshoot only what’s necessary whilst respecting your organization’s security policies.
  • Your data, your rules
    GDAP ensures you always have the final say. Want to revoke access after an issue is resolved? With GDAP, it’s as simple as clicking a button.

By using GDAP, we are able to support your operations without compromising security, maintaining the trust and transparency that form the foundation of our partnership.

Remember, you are always in control

A common concern among IT teams and cloud security professionals is whether working with service providers compromises their control over cloud environments. With GDAP, this worry is a thing of the past.

Here’s how GDAP ensures you stay in charge:

  • Time-bound access: Grant permissions that expire automatically after a set duration.
  • Customized scope: Specify which resources are accessible, down to the granular level.
  • Easy privilege revocation: Need to revoke access? GDAP makes it quick and effortless.

Whether you’re managing critical business data in Azure or Microsoft Dynamics, or collaborating across departments through Microsoft 365, GDAP puts you in the driver’s seat whenever you need our support.

The risks of not implementing GDAP

Without GDAP, organizations face several challenges that can hinder productivity and expose security vulnerabilities. These include:

  • Delayed support: Each support request requires manual access approval, leading to extended resolution times.
  • Higher security risks: Traditional all-or-nothing access models leave sensitive information and systems vulnerable to breaches.
  • Reduced efficiency: Time spent approving temporary access requests could be better spent solving operational issues.
  • Business continuity risks: Critical incidents may lead to extended downtimes if support teams can’t access what they need promptly.

GDAP solves these issues by creating an ecosystem where security and operational efficiency work hand in hand. 

GDAP is the foundation of a secure, collaborative, and efficient cloud support experience. By enabling GDAP with SoftwareOne, your organization can:

  • Securely streamline support processes
  • Minimize downtime with faster incident resolution
  • Align operations with modern security standards
  • Stay in full control of your cloud environment

Activating GDAP is simple but does require collaboration between your IT team and SoftwareOne. Once implemented, you’ll experience the peace of mind that comes with knowing your cloud resources are both highly secure and easily manageable. 

Don’t wait to enhance your security posture and support experience. Activate GDAP today and take control of your cloud environment with SoftwareOne. 

A guide to GDAP access for CSP

Discover how to secure your Microsoft cloud environment with Granular Delegated Administration Privileges (GDAP) and get the best technical support experience from SoftwareOne.
