
Microsoft Granular Delegated Administration


Granular Delegated Administration Privileges (GDAP) is a Microsoft security feature that provides partners with least-privileged access following the Zero Trust cybersecurity protocol. It allows a partner to configure granular and time-bound access to Customer workloads in both production and sandbox environments. This least-privileged access must be explicitly granted to the partner by the Customer.

Granular Delegated Administration Privileges are required to create the necessary linkage between a Customer’s Microsoft 365 tenant and the partner’s Microsoft support contract. GDAP is accepted via a reseller relationship link that SHI will provide. The Customer must accept the reseller relationship link using a Global Admin account. Once accepted, the partner has access to the Customer’s tenant via Microsoft Partner Center. The partner will have the ability to open Microsoft cloud cases on behalf of the Customer. Note that even though the partner has access to the Customer’s tenant, they do not have access to Customer information or data, including, but not limited to, email, Teams, OneDrive, and SharePoint data.

Granular Delegated Admin Privileges in Azure AD

To deliver SHI Expert Support for Microsoft, SHI will request two security roles through GDAP and an Azure Lighthouse delegation through an Azure Marketplace offer called SHI Azure Managed Services - Support Only. The “Service Support Administrator” and “Global Reader” roles are the least privileged roles that will allow your SHI Support Engineers and Technical Account Managers to support your environment, and to escalate tickets to Microsoft on your behalf, from within your tenant.
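One way to check that a GDAP relationship carries only the two roles named above and is time-bound, as an added example (not SHI's or Microsoft's code). It assumes relationship records shaped like the Microsoft Graph `delegatedAdminRelationship` resource; the sample records are constructed, and the role GUIDs are the Azure AD built-in role template IDs.

```python
from datetime import datetime, timezone

# Azure AD built-in role template IDs (identical in every tenant).
ALLOWED_ROLES = {
    "f023fd81-a637-4b56-95fd-791ac0226033": "Service Support Administrator",
    "f2ef992c-3afb-46b9-b7cf-a126ee74c451": "Global Reader",
}

def audit_relationship(rel, now):
    """Return a list of findings for one GDAP relationship record."""
    findings = []
    roles = rel.get("accessDetails", {}).get("unifiedRoles", [])
    granted = {r["roleDefinitionId"].lower() for r in roles}
    for role_id in sorted(granted - set(ALLOWED_ROLES)):
        findings.append(f"unexpected role: {role_id}")
    for role_id in sorted(set(ALLOWED_ROLES) - granted):
        findings.append(f"expected role missing: {ALLOWED_ROLES[role_id]}")
    end = rel.get("endDateTime")
    if not end:
        findings.append("no endDateTime: access is not time-bound")
    elif datetime.fromisoformat(end.replace("Z", "+00:00")) <= now:
        findings.append("relationship has expired")
    if rel.get("status") != "active":
        findings.append(f"status is {rel.get('status')!r}, not 'active'")
    return findings

# Constructed sample records (not real tenant data).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_OK = {
    "displayName": "Example support relationship",
    "status": "active",
    "endDateTime": "2026-01-01T00:00:00Z",
    "accessDetails": {"unifiedRoles": [
        {"roleDefinitionId": "f023fd81-a637-4b56-95fd-791ac0226033"},
        {"roleDefinitionId": "f2ef992c-3afb-46b9-b7cf-a126ee74c451"},
    ]},
}
# Same relationship with Global Administrator added and no end date.
SAMPLE_BAD = dict(SAMPLE_OK, endDateTime=None, accessDetails={"unifiedRoles": (
    SAMPLE_OK["accessDetails"]["unifiedRoles"]
    + [{"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10"}])})

if __name__ == "__main__":
    for name, rel in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit_relationship(rel, NOW) or "no findings")
```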

If Granular Delegated Administration Privileges and/or Lighthouse delegations are removed, Azure AD role assignments are also removed, and SHI will no longer be able to view your environment to provide asynchronous troubleshooting and/or manage Customer support requests.