GDAP setup

Granular Delegated Admin Privileges (GDAP) is Microsoft's replacement for the legacy DAP / “Partner Admin” model. Every customer tenant you manage through Manage365 connects via GDAP, and you grant only the roles each Manage365 module needs — never Global Admin.

Prerequisites

  • Active Microsoft Cloud Solution Provider (CSP) or MPN membership
  • The Microsoft partner multi-tenant app registration whose client ID / secret you set in GRAPH_CLIENT_ID / GRAPH_CLIENT_SECRET (see MSP onboarding)
  • Global Admin on the customer tenant (one-time, during invite acceptance)

Sending an invite

  1. In the MSP portal open Customer tenants → Add tenant → GDAP invite.
  2. Pick the role template. Manage365 ships an 8-group default that covers every module without over-granting. You can edit the group mapping in Settings → GDAP roles if you want tighter scopes.
  3. Set an invite duration (default 730 days). You can rotate early via Manage365's GDAP surface or the Microsoft Partner Center.
  4. Copy the invitation URL and send it to the customer's Global Admin.

The minimum-privilege role set

Per-module roles Manage365 requests during GDAP onboarding:

  Module               Role(s) requested
  User lifecycle       User Administrator
  Exchange / email     Exchange Administrator
  Intune / devices     Intune Administrator
  Conditional Access   Conditional Access Administrator + Security Reader
  Compliance scoring   Security Administrator + Compliance Administrator
  Licences             Licence Administrator
  Copilot readiness    Global Reader
  SharePoint           SharePoint Administrator
  Teams                Teams Administrator
  Service health       Service Support Administrator

Global Admin is never requested. If an Essential Eight or APRA scan reports not_assessed for a strategy, the usual cause is a missing GDAP role here — the scan result will name the role that needs granting.
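The check below is an added example, not Manage365 code: it encodes the per-module role table above and, given the roles actually granted through a tenant's GDAP relationship, reports which modules would come back not_assessed and which role each one is missing. It also flags a granted Global Administrator (the Entra display name of the Global Admin role) and any granted role no module needs, so the relationship can be tightened. The role strings are taken from the table; the module names and the shape of the report are this example's own.

```python
# Added example (not part of Manage365). Maps the documented per-module GDAP
# roles to a least-privilege check over the roles a tenant actually granted.

# Per-module roles exactly as listed in the role table above.
REQUIRED_ROLES = {
    "User lifecycle": {"User Administrator"},
    "Exchange / email": {"Exchange Administrator"},
    "Intune / devices": {"Intune Administrator"},
    "Conditional Access": {"Conditional Access Administrator", "Security Reader"},
    "Compliance scoring": {"Security Administrator", "Compliance Administrator"},
    "Licences": {"Licence Administrator"},
    "Copilot readiness": {"Global Reader"},
    "SharePoint": {"SharePoint Administrator"},
    "Teams": {"Teams Administrator"},
    "Service health": {"Service Support Administrator"},
}

# Roles that must never appear in a Manage365 GDAP relationship.
# "Global Administrator" is the Entra display name of the Global Admin role.
FORBIDDEN_ROLES = {"Global Administrator"}


def invite_role_set():
    """Union of every module's roles: the full set an invite should request."""
    roles = set()
    for needed in REQUIRED_ROLES.values():
        roles |= needed
    return sorted(roles)


def check_tenant_roles(granted):
    """Compare granted GDAP roles against the per-module requirements.

    Returns a dict with:
      modules          - per module: status ("ok" or "not_assessed") and the
                         sorted list of roles still missing for that module
      forbidden_granted - forbidden roles present in the relationship
      unused_roles      - granted roles no module needs (candidates to drop)
    """
    granted = set(granted)
    modules = {}
    for module, needed in REQUIRED_ROLES.items():
        missing = sorted(needed - granted)
        modules[module] = {
            "status": "ok" if not missing else "not_assessed",
            "missing": missing,
        }
    all_needed = set(invite_role_set())
    return {
        "modules": modules,
        "forbidden_granted": sorted(granted & FORBIDDEN_ROLES),
        "unused_roles": sorted(granted - all_needed - FORBIDDEN_ROLES),
    }


def roles_to_grant(granted):
    """Flat, de-duplicated list of roles that would clear every not_assessed module."""
    report = check_tenant_roles(granted)
    needed = set()
    for entry in report["modules"].values():
        needed.update(entry["missing"])
    return sorted(needed)


if __name__ == "__main__":
    # Constructed sample: a relationship that forgot Security Reader and
    # was over-granted Global Administrator.
    sample = invite_role_set()
    sample.remove("Security Reader")
    sample.append("Global Administrator")
    report = check_tenant_roles(sample)
    for module, entry in report["modules"].items():
        if entry["status"] != "ok":
            print(f"{module}: not_assessed, grant {', '.join(entry['missing'])}")
    print("forbidden:", report["forbidden_granted"])
    print("grant to fix:", roles_to_grant(sample))
```

Run against the roles shown for a tenant under Customer tenants → [tenant] → GDAP; any module reported as not_assessed names the role to add, and a non-empty forbidden_granted list means the relationship should be rotated to the default template.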

After acceptance

Once the customer Global Admin accepts the invite, the tenant appears in Customer tenants with status “active”. Manage365 runs its first data sync immediately: licences, users, security score, Conditional Access, standards drift. Expect 30–90 seconds for the first sync to complete.

Rotating or revoking

From Customer tenants → [tenant] → GDAP you can: extend the relationship, rotate the security-group membership, or revoke the relationship entirely. Revoke also clears the cached Graph tokens we hold in Redis.
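The following is an added example, not Manage365's own implementation, of the two lifecycle rules this section states: a relationship created with the default 730-day duration expires on a computable date (so rotation can be scheduled before it lapses), and a revoke must purge every cached Graph token for that tenant. The Redis store is replaced by an in-memory dict, and the key layout graph:token:<tenant>:<scope> is an assumption for the example.

```python
# Added example (not part of Manage365). Relationship expiry/rotation maths
# and the "revoke clears cached tokens" rule, using a dict in place of Redis.
from datetime import date, timedelta

DEFAULT_DURATION_DAYS = 730   # the invite default named in the docs
TOKEN_KEY_PREFIX = "graph:token:"   # assumed key layout: graph:token:<tenant>:<scope>


def relationship_expiry(accepted_on, duration_days=DEFAULT_DURATION_DAYS):
    """Date on which a GDAP relationship accepted on `accepted_on` lapses."""
    return accepted_on + timedelta(days=duration_days)


def rotation_due(accepted_on, today, lead_days=30, duration_days=DEFAULT_DURATION_DAYS):
    """True once `today` is within `lead_days` of expiry (or already past it)."""
    return today >= relationship_expiry(accepted_on, duration_days) - timedelta(days=lead_days)


def cached_token_keys(store, tenant_id):
    """All cached Graph token keys belonging to one tenant."""
    prefix = f"{TOKEN_KEY_PREFIX}{tenant_id}:"
    return sorted(k for k in store if k.startswith(prefix))


def revoke_relationship(relationships, store, tenant_id):
    """Mark the relationship revoked and purge its cached tokens.

    Returns the number of token keys removed. Other tenants' tokens are
    untouched, and revoking an unknown tenant removes nothing.
    """
    if tenant_id not in relationships:
        return 0
    relationships[tenant_id]["status"] = "revoked"
    removed = 0
    for key in cached_token_keys(store, tenant_id):
        del store[key]
        removed += 1
    return removed


if __name__ == "__main__":
    # Constructed sample state: two tenants, tokens cached for both.
    rels = {
        "tenant-a": {"status": "active", "accepted_on": date(2024, 1, 1)},
        "tenant-b": {"status": "active", "accepted_on": date(2025, 6, 1)},
    }
    cache = {
        "graph:token:tenant-a:https://graph.microsoft.com/.default": "tok1",
        "graph:token:tenant-a:https://manage.office.com/.default": "tok2",
        "graph:token:tenant-b:https://graph.microsoft.com/.default": "tok3",
    }
    for tid, rel in rels.items():
        print(tid, "expires", relationship_expiry(rel["accepted_on"]),
              "rotation due:", rotation_due(rel["accepted_on"], date(2025, 12, 15)))
    print("revoked tenant-a, purged", revoke_relationship(rels, cache, "tenant-a"), "tokens")
    print("remaining cache keys:", sorted(cache))
```

The point to keep when adapting this to a real Redis client is the last function: revoking at Partner Center without deleting the cached tokens leaves a window in which the MSP platform can still call Graph for a tenant that believes access has ended.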