GDAP: Roles required for conditional access?

Question

HiI've been evaluating the minimal roles required for GDAP relationships so we can help customers with issues regarding to locked tenants.&nbsp;Based on this FAQ the role privileged authentication administrator is required to unlock accounts, however if a customer has messed up conditional access at the tenant level, this role isn't sufficient. A tenant-internal account needs at least the role conditional access administrator to gain access to that part and have the possibility of fixing or disabling erroneously configured rules (I've tested that). However the same privileges are given to a partner technician, they can't access that part of Entra Admin, nor the AAD Admin UI.&nbsp;I've tested this a couple of times with different users from the CSP / partner side, however no luck yet. Any Ideas where I could poke further?(I'd like to avoid simply requesting global admin to all our customers, that's the main point)&nbsp;Looking forward to some inputs or ideas

licensingconcierge1 · Answer

ise-ms&nbsp;
&nbsp;
&nbsp;
The MPC communities are designed for partners to ask questions, and/or share their thoughts &amp; suggestions, so I'm not sure if you're sharing your opinion about GDAP.&nbsp;
&nbsp;
If you'd like to submit a suggestion to improve the GDAP access process, you might consider joining the next Partner Hour and bringing up that topic.
&nbsp;
If you have a specific question, please let me know. Otherwise, I'm sure others will reply to your post if they have input.&nbsp;
&nbsp;
Regards,
Microsoft CSP Licensing Concierge

licensingconcierge1 · Answer

Hi&nbsp;ise-ms&nbsp;
&nbsp;
Thank you for posting on the CSP community.&nbsp;
&nbsp;
I'm not sure what the question is, therefore, would you mind clarifying please?
&nbsp;
Regards,
Microsoft CSP Licensing Concierge

ise-ms · Answer

LicensingConcierge1&nbsp;&nbsp;I hope this helps: granular delegated admin privilege or GDAP has been introduced as a replacement for the broader DAP partner relationships between (at least) Microsoft CSPs and their customers.&nbsp;The idea of granular privileges is (as I understood id) to follow principles of least privilege. I've been able to identify the roles required for a user account within a customer-tenant to obtain just enough privileges to access and modify conditional access rules.&nbsp;However if I grant just the same roles to a technician that is allowed to access a customer tenant via GDAP relationship, they are unable to even see the conditional access rules.&nbsp;If I grant a technician wider permissions (global admin), they can access that part, so it's not that delegated CSP technicians are completely unable to see and modify conditional access rules - however with roles assigned that grant them much more access.See also the built-in Azure AD / Entra ID roles here: Azure AD built-in roles - Microsoft Entra | Microsoft Learn.

licensingconcierge1 · Answer

hmmm...I still not seeing a specific question and it looks like you have access to the applicable Microsoft Learn documentation. Since I certainly cannot provide technical support, I'm not sure how I can assist.&nbsp; 
&nbsp;
Let me know if you have a licensing question and I'm happy to help.&nbsp;
&nbsp;
Regards,
Microsoft CSP Licensing Concierge

ise-ms · Answer

LicensingConcierge1&nbsp;are you a bot?&nbsp;It seems unfortunately, that we will have to request more and more privileged GDAP roles from our customers. While it goes against the idea of GDAP and "just enough privileges", it seems like roles assigned to users within a tenant and partner delegated connections don't work out the same.&nbsp;Maybe this will change in the future? - We'll have to see.

Forum Discussion

GDAP: Roles required for conditional access?

Share

Resources