Describe Microsoft Granular Delegated Admin Privileges (GDAP) Principles
Zero trust principles such as least privilege don’t just apply to your organization. In the context of service providers, it’s important to make sure that they are also following secure administration practices.
This is where Granular Delegated Admin Privileges (GDAP) comes into play.
GDAP’s capabilities empower partners to exercise precise control over access to their clients’ workloads, thereby enhancing security measures and addressing potential concerns. This not only enables partners to offer a broader range of services to clients uncomfortable with granting global administrator access but also helps organizations that must meet regulatory requirements for a least-privileged approach stay compliant.
GDAP serves as an integral security feature aligned with the zero-trust cybersecurity framework. It empowers partners to configure highly specific and time-bound access to their clients’ workloads, whether in production or sandbox environments. Crucially, this least-privileged access must be explicitly granted by clients to their respective partners.
GDAP facilitates the seamless segregation of partners’ access on a per-customer basis. In this arrangement, partners no longer possess default access to all client tenants across Azure subscriptions via admin agents. Instead, partners managing Azure operations are integrated into a distinct security group. This group, in turn, is a member of the Admin agent group and provides owner-level RBAC across all Azure subscriptions associated with that specific customer.
As the roles are granted and managed by the customer, they can also be revoked or terminated at the customer’s discretion—further helping secure the customer organization against threats posed by standing (permanently granted) high-level access.
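A customer-side check that follows from these principles, added here as an example and not code from the book: it reviews GDAP relationship records for over-broad roles, long durations, and auto-extension, which together turn time-bound delegated access back into standing access. The record shape is assumed to follow Microsoft Graph's delegatedAdminRelationship resource, the role template IDs are assumed, and the sample records are constructed.

```python
# Added example (not from the book): audit GDAP relationship records for
# least-privilege and time-bound access. Record shape assumed to follow the
# Microsoft Graph delegatedAdminRelationship resource; samples are constructed.
import re
from datetime import timedelta

# Entra role template IDs (assumed; verify against your tenant's role list).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
HELPDESK_ADMIN = "729827e3-9c14-49f7-bb1b-9608f156bbb8"
MAX_DURATION = timedelta(days=365)  # policy value chosen for this example


def parse_iso_duration(value):
    """Parse the day-based ISO 8601 duration GDAP uses, e.g. 'P180D'."""
    m = re.fullmatch(r"P(\d+)D", value)
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    return timedelta(days=int(m.group(1)))


def audit_relationship(rel):
    """Return a list of policy findings for one relationship record."""
    findings = []
    roles = {r["roleDefinitionId"] for r in rel["accessDetails"]["unifiedRoles"]}
    if GLOBAL_ADMIN in roles:
        findings.append("grants Global Administrator; prefer scoped roles")
    if parse_iso_duration(rel["duration"]) > MAX_DURATION:
        findings.append(f"duration {rel['duration']} exceeds policy maximum")
    # autoExtendDuration is an assumed property name; 'PT0S' means no extension.
    if rel.get("autoExtendDuration", "PT0S") != "PT0S":
        findings.append("auto-extension enabled; access is effectively standing")
    return findings


def audit_all(rels):
    """Map each active relationship's displayName to its findings."""
    return {r["displayName"]: audit_relationship(r)
            for r in rels if r["status"] == "active"}


SAMPLE_RELATIONSHIPS = [  # constructed sample data
    {"displayName": "Contoso helpdesk", "status": "active", "duration": "P180D",
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": HELPDESK_ADMIN}]}},
    {"displayName": "Contoso full admin", "status": "active", "duration": "P730D",
     "autoExtendDuration": "P180D",
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": GLOBAL_ADMIN}]}},
    {"displayName": "Old vendor", "status": "terminated", "duration": "P730D",
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": GLOBAL_ADMIN}]}},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_RELATIONSHIPS).items():
        print(name, "->", findings or "OK")
```

Terminated relationships are skipped because revoking access, as the text notes, is the customer's remedy; the report only covers relationships still in force.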
Summary
Microsoft 365 was built with security features in mind. Administrators should take some time to review the wide range of features and controls that are available to them for delegating and administering the security aspects of tenants.
In this chapter, you learned about the overall principles of zero-trust security and its concepts and controls, including managing identity, endpoints, apps, data, infrastructure, and networking. In addition, you learned about ways to manage access to resources through credentials, network perimeter controls, and Conditional Access, as well as using encryption as a layer to protect against unauthorized access or data modification.
In the next chapter, you will cover identity protection and management.