What is GDAP in Partner Center?

GDAP(Granular Delegated Admin Privileges) is a security feature that provides partners with least-privileged access following the Zero Trust cybersecurity protocol. It lets partners configure granular and time-bound access to their customers' workloads in production and sandbox environments. Customers must explicitly grant the least-privileged access to their partners.



Why Does Manage Protect need GDAP to your Microsoft tenants?

As an IT distributor and indirect Microsoft reseller, we work exclusively with Managed Service Providers(MSPs) and IT companies. In certain scenarios, we need to raise Microsoft support tickets on behalf of our MSP partners' clients. To do this effectively and securely, we require GDAP access to clients' Microsoft tenants.


GDAP enables us to perform specific administrative tasks, such as submitting and managing support requests, without requiring full administrative control. This ensures:

  • Security: Access is limited to only the permissions necessary for support-related tasks.
  • Efficiency: We can act quickly on behalf of our partners to resolve issues directly with Microsoft.
  • Compliance: GDAP aligns with Microsoft's security and compliance standards for partner access.



Why am I receiving GDAP relationship expiry emails?

Microsoft sends GDAP expiry notification emails to inform tenant administrators that a delegated access relationship is approaching its expiration date. Microsoft sends the notification to:

  • Global Administrators of the Microsoft 365 tenant
  • Additional roles with Admin privileges, depending on tenant configuration
  • Designated notification contacts listed in the tenant's profile or service settings


Microsoft sends GDAP expiry notification emails at the following intervals before the relationship expires:

  • 30 days prior
  • 7 days prior
  • 1 day prior



Why do GDAP relationships expire?

Permanent GDAP relationships with customers aren't possible for security reasons. The maximum duration of a GDAP relationship is two years. We can set Auto extend to Enabled to extend an admin relationship by six months. However the relationship will ultimately expire after this time.