Use GDAP to set up least privilege access in Microsoft 365 Lighthouse
We’ve updated how granular delegated administrative privileges (GDAP) are managed in Lighthouse by adding a new Delegated access page that lets you manage GDAP templates and see GDAP relationship details.
This post explains these improvements and guides you on how to use the Delegated access page to establish GDAP relationships with your customers.
Why GDAP is important for your organization
GDAP is a security feature that provides managed service providers (MSPs) with least privilege access following the Zero Trust security strategy. With GDAP, you request granular and time-bound access to customer workloads, and the customer provides consent for the requested access. By setting up GDAP for the customer tenants that you manage, you help keep your customers secure while ensuring users in your partner organization have the permissions necessary to do their work. To learn more about GDAP, see Introduction to granular delegated admin privileges (GDAP).
Enhanced GDAP management experience
Our new GDAP management experience allows you to set up GDAP in the manner you’re familiar with. However, based on feedback from MSPs, we made several updates to give you more flexibility in how you set up GDAP and made it easier to manage existing GDAP relationships. We also made performance enhancements so that the new experience is faster, especially when it comes to assigning GDAP templates to multiple tenants at a time.
With our Lighthouse GDAP templates, you can now:
Assign any Microsoft Entra role to each support role (previously, you could only select the Microsoft-recommended setup for each support role).
Add existing security groups to a GDAP template (previously, you had to create a new security group).
Create just-in-time (JIT) access policies for new security groups (previously, you could only create a JIT access policy for the Administrator support role).
We also updated the
View the status of GDAP relationships with customers.
Identify the next expiration date for each GDAP relationship.
Set up GDAP with GDAP templates
From the GDAP templates tab of the Delegated access page, you can create, edit, and assign GDAP templates to customer tenants.
For each GDAP template, you can:
Define the name and description of the template.
Use the Microsoft-recommended selection of Microsoft Entra roles for each support role, or customize the Microsoft Entra roles to align with your organization’s needs.
Add security groups to each support role. We recommend setting up a JIT access policy
After you create a GDAP template, assign the template to your desired customers by selecting the three dots (more actions) and following the prompts.
View GDAP relationships
To view details about your GDAP relationships, regardless of whether the relationships were created in Lighthouse or not, select the Relationships tab on the Delegated access page. You can use this tab to see which relationships are expiring soon. If you need to create a new GDAP relationship with a customer, go to the GDAP templates tab to assign a GDAP template to a customer tenant. When you select a GDAP relationship with an Active status, you can also view and edit security group membership and view the Microsoft Entra roles associated with each security group.
The following details are provided:
GDAP relationship status (Pending or Active)
Microsoft Entra roles associated with the selected tenant
Security groups and members associated with the selected tenant
Start date and expiration date of each GDAP relationship
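The same relationship details (status, end date, assigned Microsoft Entra roles) can also be reviewed outside the Lighthouse UI. The following is an added example, not code from this post or from the Lighthouse product: it reads the partner tenant's GDAP relationships through the Microsoft Graph PowerShell SDK and flags those that are still pending customer consent, expiring within 30 days, or that include the Global Administrator role. The SDK cmdlet, the permission scope, and the 30-day threshold are assumptions made for this example.

```powershell
# Added example, not from the Lighthouse post. Assumes the Microsoft.Graph PowerShell SDK
# is installed and the signed-in partner account has consented to DelegatedAdminRelationship.Read.All.
Connect-MgGraph -Scopes "DelegatedAdminRelationship.Read.All"

# Well-known Microsoft Entra role definition ID for Global Administrator.
$GlobalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"
$ExpiryWarningDays = 30   # assumption: treat anything ending within 30 days as "expiring soon"
$Now = Get-Date

# Pull every GDAP relationship for the partner tenant, whether or not it was created in Lighthouse.
$Relationships = Get-MgTenantRelationshipDelegatedAdminRelationship -All

$Report = foreach ($Rel in $Relationships) {
    # Role definition IDs granted by this relationship (empty if none are set yet).
    $Roles = @($Rel.AccessDetails.UnifiedRoles | ForEach-Object { $_.RoleDefinitionId })

    # Days until the relationship ends; null while the customer has not yet consented.
    $DaysLeft = if ($Rel.EndDateTime) { [int]([datetime]$Rel.EndDateTime - $Now).TotalDays } else { $null }

    [pscustomobject]@{
        Customer       = $Rel.Customer.DisplayName
        CustomerTenant = $Rel.Customer.TenantId
        Relationship   = $Rel.DisplayName
        Status         = $Rel.Status
        EndDate        = $Rel.EndDateTime
        DaysLeft       = $DaysLeft
        RoleCount      = $Roles.Count
        # Least-privilege review flag: Global Administrator should be the exception, not the default.
        HasGlobalAdmin = $Roles -contains $GlobalAdminRoleId
        # Mirrors the "expiring soon" view on the Relationships tab.
        ExpiringSoon   = ($Rel.Status -eq 'active') -and ($null -ne $DaysLeft) -and ($DaysLeft -le $ExpiryWarningDays)
        # Customer has not yet approved the relationship request.
        PendingConsent = $Rel.Status -eq 'approvalPending'
    }
}

# Show only relationships that need attention, nearest expiry first.
$Report |
    Where-Object { $_.PendingConsent -or $_.ExpiringSoon -or $_.HasGlobalAdmin } |
    Sort-Object DaysLeft |
    Format-Table Customer, Relationship, Status, DaysLeft, RoleCount, HasGlobalAdmin, ExpiringSoon -AutoSize
```

Run it from the partner tenant on a schedule and route the filtered rows to a ticket or alert so that an expiring relationship is renewed before access is lost.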
Benefits of using Lighthouse to manage GDAP
Using Lighthouse to manage GDAP provides several benefits to MSPs who are already using Lighthouse to actively manage and secure customer tenants:
Centralized management: Lighthouse provides a centralized platform to manage GDAP relationships across all of your customer tenants. This allows you to streamline administrative tasks and ensure consistency in managing permissions and access.
Efficiency and scalability: Lighthouse lets you create and assign GDAP templates to customer tenants in bulk or individually. This makes it easier to manage permissions at scale, especially for MSPs who manage multiple customers.
Visibility and control: The Delegated access page in Lighthouse provides detailed insights into your GDAP relationships, including the status and expiration dates of each relationship. This helps you maintain control and stay informed about your administrative privileges.
Customizable roles: You can customize Microsoft Entra roles to align with your organization’s needs, ensuring that the right permissions are assigned to the right users. This flexibility allows you to tailor GDAP setup to fit your specific requirements.
JIT access: Implementing JIT access policies for security groups ensures that permissions are time-bound and limited to when they are needed. This further enhances security by reducing the window of opportunity for potential misuse.
By using Lighthouse to manage GDAP, you can achieve a higher level of security, efficiency, and control over your administrative tasks, ultimately benefiting both your organization and your customers.
Try out our enhanced GDAP management experience today by signing in to Lighthouse and following the steps in Set up GDAP in Microsoft 365 Lighthouse.
To learn more about Lighthouse and GDAP, check out the following resources:
Overview of Microsoft 365 Lighthouse
Sign up for Microsoft 365 Lighthouse
GDAP frequently asked questions – Partner Center
We want to hear from you! Select Give feedback in the lower-right corner of any page in Lighthouse to provide feedback, or go to the feedback portal now and let us know what’s on your mind. We’re committed to making Lighthouse your one-stop shop for managing customer health and security.