Microsoft GDAP Pilot Launched

Late last year Microsoft introduced GDAP (granular delegated admin privileges), which lets cloud solution providers such as SkyTerra request access to their customers' workloads that is scoped to specific Azure AD roles and limited in time, instead of standing, tenant-wide administrative access.

Background

The Microsoft Threat Intelligence Center (MSTIC) continues to detect activity by the nation-state actor Microsoft tracks as NOBELIUM that abuses trusted partner relationships and delegated admin privileges to reach downstream customers. To learn how to protect yourself and your customers, read on:

Microsoft GDAP Key Features

  1. When creating a GDAP invitation:
    • SkyTerra selects a relationship duration (Microsoft caps it at 730 days).
    • SkyTerra selects only the Azure AD roles supported by GDAP that the engagement actually requires, rather than blanket access.
    • Microsoft discourages partners from including the Global Administrator role in a GDAP request. Before approving, compare the requested roles with the services you actually buy from SkyTerra.
    • SkyTerra sends the invitation URL to the customer for approval. Only a Global Administrator in your tenant can approve the request.
  2. SkyTerra can use GDAP reporting analytics in the Partner Center to track invitations that are pending approval.
  3. SkyTerra creates security groups in its own tenant to organize its employees and assigns the approved Azure AD roles to those groups per customer, so each engineer holds only the roles needed for the Microsoft 365 workloads they support.
  4. SkyTerra can reorganize and update which of the approved roles are assigned to which security groups in its tenant without asking you to reapprove, because the set of roles was approved when the relationship was created. Roles that were not in the approved request cannot be added this way; they require a new relationship and your approval.
  5. Either SkyTerra or you can terminate access granted through GDAP at any time.
  6. When the relationship duration is reached, access expires automatically and SkyTerra no longer has access to your tenant.
  7. SkyTerra can use GDAP reporting analytics in the Partner Center to track which relationships across its customers are expiring, and download the data in an exportable format.
  8. Microsoft recommends that partners subscribe to email notifications, which are sent one month, seven days, and one day before a relationship expires, so that SkyTerra can request a new relationship with the same roles for the next term and obtain your approval before access lapses. Treat each renewal as a fresh review of the roles requested rather than a formality.
  9. SkyTerra can audit its own users' activity under GDAP in several ways on the partner side.
  10. You can also see SkyTerra's activity in the Azure AD sign-in logs of your own tenant, where GDAP sign-ins are recorded as cross-tenant sign-ins from SkyTerra's home tenant, so you can filter and alert on them like any other sign-in.
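As an added example that is not part of the original post (and not SkyTerra's or Microsoft's code), the following Python script performs the two customer-side checks the list above implies: it reviews a pending GDAP relationship for the Global Administrator role and for an over-long duration before you approve it, and it pulls partner (GDAP) sign-ins out of sign-in log records. The record fields follow the Microsoft Graph `delegatedAdminRelationship` and `signIn` resources (`duration`, `accessDetails.unifiedRoles`, `homeTenantId`, `resourceTenantId`, `crossTenantAccessType`); the tenant IDs, user names and log records are constructed for the illustration, and the role template IDs are Azure AD's well-known built-in role IDs.

```python
"""Customer-side review of a GDAP relationship and of partner sign-ins.

Added example, not SkyTerra's or Microsoft's code. Record shapes follow the
Microsoft Graph `delegatedAdminRelationship` and `signIn` resources; the
sample records below are constructed for this illustration.
"""
import re

# Well-known Azure AD built-in role template IDs (identical in every tenant).
GLOBAL_ADMINISTRATOR = "62e90394-69f5-4237-9190-012177145e10"
ROLE_NAMES = {
    GLOBAL_ADMINISTRATOR: "Global Administrator",
    "729827e3-9c14-49f7-bb1b-9608f156bbb8": "Helpdesk Administrator",
    "5d6b6bb7-de71-4623-b4af-96380a352509": "Security Reader",
    "29232cdf-9323-42fd-ade2-1d097af3e4de": "Exchange Administrator",
}

MAX_DURATION_DAYS = 730  # Microsoft's ceiling for a GDAP relationship (P730D)


def parse_iso_duration_days(duration):
    """Convert the ISO 8601 day/week durations GDAP uses ('P365D', 'P2W') to days."""
    m = re.fullmatch(r"P(?:(\d+)W)?(?:(\d+)D)?", duration)
    if not m or duration == "P":
        raise ValueError(f"unsupported duration: {duration!r}")
    weeks, days = (int(x) if x else 0 for x in m.groups())
    return weeks * 7 + days


def review_relationship(rel, max_days=MAX_DURATION_DAYS):
    """Return the findings a customer admin should resolve before approving `rel`.

    `rel` is a delegatedAdminRelationship dict: 'duration' is an ISO 8601
    duration and accessDetails.unifiedRoles lists the requested role IDs.
    """
    findings = []
    days = parse_iso_duration_days(rel["duration"])
    if days > max_days:
        findings.append(f"duration {days}d exceeds the {max_days}d maximum")
    roles = [r["roleDefinitionId"] for r in rel["accessDetails"]["unifiedRoles"]]
    if GLOBAL_ADMINISTRATOR in roles:
        findings.append("requests Global Administrator; ask for a narrower role set")
    for rid in roles:
        if rid not in ROLE_NAMES:
            findings.append(f"unrecognised roleDefinitionId {rid}; verify before approving")
    return findings


def partner_sign_ins(sign_ins, customer_tenant_id):
    """Select sign-ins made into `customer_tenant_id` by a partner through GDAP.

    Such sign-ins carry crossTenantAccessType 'serviceProvider' and a
    homeTenantId that is the partner's tenant, not the customer's. Local
    sign-ins and B2B guest (b2bCollaboration) sign-ins are excluded.
    """
    return [
        s for s in sign_ins
        if s.get("crossTenantAccessType") == "serviceProvider"
        and s.get("resourceTenantId") == customer_tenant_id
        and s.get("homeTenantId") != customer_tenant_id
    ]


# Constructed sample data (hypothetical tenant IDs and user names).
CUSTOMER_TENANT = "11111111-1111-1111-1111-111111111111"
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"

SAMPLE_RELATIONSHIP = {
    "displayName": "Managed services",
    "duration": "P730D",
    "status": "approvalPending",
    "customer": {"tenantId": CUSTOMER_TENANT},
    "accessDetails": {"unifiedRoles": [
        {"roleDefinitionId": GLOBAL_ADMINISTRATOR},
        {"roleDefinitionId": "729827e3-9c14-49f7-bb1b-9608f156bbb8"},
    ]},
}

SAMPLE_SIGN_INS = [
    {"userPrincipalName": "alice@customer.example", "appDisplayName": "Azure Portal",
     "homeTenantId": CUSTOMER_TENANT, "resourceTenantId": CUSTOMER_TENANT,
     "crossTenantAccessType": "none"},
    {"userPrincipalName": "engineer@partner.example", "appDisplayName": "Microsoft 365 admin center",
     "homeTenantId": PARTNER_TENANT, "resourceTenantId": CUSTOMER_TENANT,
     "crossTenantAccessType": "serviceProvider"},
    {"userPrincipalName": "guest@other.example", "appDisplayName": "Microsoft Teams",
     "homeTenantId": "33333333-3333-3333-3333-333333333333", "resourceTenantId": CUSTOMER_TENANT,
     "crossTenantAccessType": "b2bCollaboration"},
]

if __name__ == "__main__":
    for finding in review_relationship(SAMPLE_RELATIONSHIP):
        print("relationship:", finding)
    for s in partner_sign_ins(SAMPLE_SIGN_INS, CUSTOMER_TENANT):
        print("partner sign-in:", s["userPrincipalName"], "->", s["appDisplayName"])
```

Feed the functions the JSON that Microsoft Graph returns, or the sign-in log export from the portal, and run the sign-in filter on a schedule so that partner sign-ins outside an agreed change window raise an alert.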

Next Steps

Stay tuned for more updates from us about GDAP. As always, if you’d like more information, book a consultation with SkyTerra.

Darren Schriever

Darren oversees the Modern Data Center efforts at SkyTerra Technologies, as well as the company’s technology infrastructure.