rhipe Granular Delegated Admin Permissions (GDAP) Policy and Process

rhipe is committed to the new Granular Delegated Admin Permissions (GDAP) for partners being rolled out by Microsoft. Unfortunately, the implementation by Microsoft requires that each relationship is commenced from a unique and time-limited URL, and that links cannot be reused. The existing Delegated Admin Permissions (DAP) implementation has always allowed a static URL for the invitation, and as such we need to update our systems and processes to handle this change.

We have now released the GDAP functionality into PRISM Portal, which allows our indirect resellers to create these unique invitation URLs within PRISM Portal to help manage this task. rhipe will also be adding our 'Standard' permissions through a migration process provided by Microsoft, so that we can continue to assist and support you during this changeover to GDAP, as Microsoft will be removing DAP permissions from March 2023.

Under the CSP program, end customers and Indirect Resellers are not able to raise support requests to Microsoft directly. Such requests must be raised through the Indirect Provider, rhipe, through our Partner Support team. If the support team does not have any permissions to access the tenant and raise support cases, it is considered an unsupported tenant and no support or escalation is available until permissions are provided to enable us to raise such cases. 

Connect Tenant:

The existing Connect Tenant function in PRISM will remain, and the process will not change. We will adjust the requested permissions just prior to the required date by Microsoft to no longer request the Global Admin permissions as a part of that process. At that point, GDAP permissions will need to be added as an additional step so that rhipe can access and support the tenant. 

For the time being, customers who do not want to provide Global Admin permissions should accept the relationship regardless of their concerns, then remove the administrative access with their Global Admin account via the Microsoft Admin Center at https://portal.office.com/Adminportal/Home#/partners: click on the rhipe listing, then remove the access via the button on the fly-out menu on the right.

Create Tenant:

The Create Tenant process will remain the same; however, rhipe will have no access to the tenant created and will not be able to reset passwords for you if you are not able to sign in. It is therefore critical that you have strong processes to:
  1. Log in, set a new password for the initial Global Admin account, and document it;
  2. Add your own GDAP permissions to the tenant to provide normal administrative access for your team;
  3. Add GDAP permissions for rhipe to provide support on the tenant (either the Minimum or Standard Permissions as listed below, with invitation links created from PRISM Portal);
  4. Understand the forced MFA and Self-Service Password Reset (SSPR) being enforced on all tenants by Microsoft as of 30th September 2022, and what that means for shared Global Admin accounts on your customer tenants. Again, rhipe will not be able to reset these Global Admin accounts, since our Minimum and Standard GDAP roles do not include the level of access required to reset Global Admin passwords.

As your Indirect Provider, rhipe recommends that all Indirect Resellers immediately take the following actions:

  1. Ensure that all customers are added to your Partner Center with an Indirect Reseller role. 
  2. If you hold a Global Admin account for your customers, ensure that MFA and SSPR are registered to a secured mobile phone used for that purpose only. The phone should be locked away when not in use, and Microsoft Authenticator backups turned on.
  3. Add your own GDAP permissions to all of your customer tenants so you can manage them. This will allow members of your Admin Agents group to manage your customers with these permissions for 98% of required administrative support.
  4. If Global Admin accounts are required for certain tasks, create user-named accounts and have them register the MFA to their own devices. You will not be able to share a single Global Admin credential across multiple staff members easily due to MFA enforcement. These accounts should be extremely restricted in number and only provided to your most trusted staff. In the event of their resignation or termination, you will need to log in and block/delete each of these accounts to secure your customers' environments, so documentation of these accounts is also critical.

Adding rhipe GDAP permissions

GDAP permissions can be added to the tenant from PRISM Portal, which will generate a URL that needs to be opened with a Global Admin account of your tenant. There are four main options for GDAP permissions at this time:

No Permissions:

Requests for support on tenants with no DAP/GDAP permissions will be rejected. This may also cause issues with provisioning Azure subscriptions & Reserved Instances.

Minimum Permissions:

Allows rhipe to access the tenant as read-only, and create escalation support cases to Microsoft. May not provide all required functionality for all issues. Permission expiry is 730 days (2yrs) by default unless a different expiry is requested.  

Global reader:
Can read everything that a Global administrator can, but can't update anything.
Service support administrator:
Can read service health information and manage support requests.

Standard Permissions:

Allows rhipe to access the tenant as read-only, reset passwords except for Global Admins, manage and assign licenses applied to users, and create escalation support cases with Microsoft. Permission expiry is 730 days (2yrs) by default unless a different expiry is requested.  

Directory readers: 
Can read basic directory information. Commonly used to grant directory read access to applications and guests.
Global reader:
Can read everything that a Global administrator can, but can't update anything.
User administrator:
Can manage all aspects of users and groups, including resetting passwords for limited admins.
License administrator: 
Can manage product licenses on users and groups.
Service support administrator:
Can read service health information and manage support requests.
Help Desk administrator:
Can reset passwords for non-administrators and Help Desk administrators.

Customised Permissions:

Used only for specific cases or needs due to functionality requirements, with a specified expiry in days up to a maximum of 730 days (2 years).
Must be requested via the rhipe Partner Support team to generate the GDAP invitation.
Roles based on the access required can be found via https://docs.microsoft.com/en-us/partner-center/gdap-least-privileged-roles-by-task#gdap-roles-by-partner-types or can be discussed with the Partner Support team.
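The following is an added example, not rhipe's or Microsoft's code, that checks a proposed GDAP relationship against the profiles described above: it classifies the requested role set as Minimum, Standard, Customised or none, enforces the 730-day maximum expiry, and flags Global Administrator, which neither published profile includes. The relationship records are constructed for the example (display name, ISO 8601 day duration such as "P730D", and role display names); the role names are matched case-insensitively so that "Global reader" and "Global Reader" compare equal.

```python
"""Check GDAP relationship requests against rhipe's published Minimum and
Standard role sets and the 730-day expiry limit.

Added example, not rhipe's or Microsoft's code. The relationship records
below are constructed to mirror a GDAP relationship's shape and are not
real tenant data.
"""
import re
from dataclasses import dataclass, field

MAX_DURATION_DAYS = 730  # default and maximum expiry stated on the page


def norm(role: str) -> str:
    """Normalise a role display name so 'Global reader' == 'Global Reader'."""
    return " ".join(role.split()).casefold()


MINIMUM_ROLES = frozenset(map(norm, [
    "Global Reader", "Service Support Administrator",
]))
STANDARD_ROLES = frozenset(map(norm, [
    "Directory Readers", "Global Reader", "User Administrator",
    "License Administrator", "Service Support Administrator",
    "Help Desk Administrator",
]))
# Neither published profile includes Global Admin, and rhipe will stop
# requesting it, so its presence is always a finding.
HIGH_PRIVILEGE_ROLES = frozenset(map(norm, ["Global Administrator"]))


@dataclass
class GdapRelationship:
    display_name: str
    duration: str          # ISO 8601 day duration, e.g. "P730D"
    roles: list[str]


@dataclass
class CheckResult:
    profile: str           # "minimum", "standard", "customised" or "none"
    duration_days: int
    findings: list[str] = field(default_factory=list)


def parse_iso_days(duration: str) -> int:
    """Parse the day-only ISO 8601 durations used for GDAP expiry."""
    m = re.fullmatch(r"P(\d+)D", duration.strip())
    if m is None:
        raise ValueError(f"unsupported duration: {duration!r}")
    return int(m.group(1))


def check_relationship(rel: GdapRelationship) -> CheckResult:
    roles = frozenset(map(norm, rel.roles))
    days = parse_iso_days(rel.duration)
    findings: list[str] = []
    if not 1 <= days <= MAX_DURATION_DAYS:
        findings.append(f"expiry {days} days is outside 1..{MAX_DURATION_DAYS}")
    high = roles & HIGH_PRIVILEGE_ROLES
    if high:
        findings.append("high-privilege role requested: " + ", ".join(sorted(high)))
    if not roles:
        profile = "none"
        findings.append("no roles granted: tenant is unsupported")
    elif roles == MINIMUM_ROLES:
        profile = "minimum"
    elif roles == STANDARD_ROLES:
        profile = "standard"
    else:
        profile = "customised"
        extra = roles - STANDARD_ROLES
        if extra:
            findings.append("roles beyond Standard: " + ", ".join(sorted(extra)))
        findings.append("customised set: must be requested via Partner Support")
    return CheckResult(profile, days, findings)


# Constructed sample requests (not real tenants or relationships).
SAMPLE_REQUESTS = [
    GdapRelationship("rhipe-support-minimum", "P730D",
                     ["Global reader", "Service support administrator"]),
    GdapRelationship("rhipe-support-standard", "P730D",
                     ["Directory readers", "Global reader", "User administrator",
                      "License administrator", "Service support administrator",
                      "Help Desk administrator"]),
    GdapRelationship("rhipe-support-exchange", "P90D",
                     ["Global reader", "Service support administrator",
                      "Exchange administrator"]),
    GdapRelationship("legacy-dap-style", "P1000D",
                     ["Global administrator"]),
]


def audit(requests=SAMPLE_REQUESTS) -> dict[str, CheckResult]:
    """Run the check over every request, keyed by relationship display name."""
    return {r.display_name: check_relationship(r) for r in requests}


if __name__ == "__main__":
    for name, res in audit().items():
        print(f"{name}: {res.profile} ({res.duration_days} days)")
        for finding in res.findings:
            print("   -", finding)
```

Running the block prints one line per request with its profile and expiry, followed by any findings; the third request is reported as customised because of the extra Exchange role, and the last one is flagged both for Global Administrator and for an expiry beyond 730 days.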
