Many MSPs have been scrambling as of late to get up to speed with GDAP (Granular Delegated Admin Privileges) with Microsoft because of impending deadlines. If you are not familiar with GDAP, please go check out my overview article which also has links to other helpful resources.
Microsoft created a tool to bulk migrate traditional DAP relationships to GDAP across all customers. The catch is that this tool and the APIs behind it are only available for a limited period of time. This matters because without the tool you would have to manually accept a new GDAP relationship on a PER customer basis using a Global Admin within the customer tenant (much like what you do today with DAP relationships). Originally you had until the end of October to use this tool; Microsoft has now pushed that back until March 2023.
When I first investigated this tool from Microsoft, I was expecting some type of UI within Partner Center. What I discovered is that they have you use a CLI and CSVs to get this accomplished, which is not exactly user friendly, especially if you are still trying to get up to speed with GDAP. The guys over at CIPP recognized this and did a great job of getting their own migration tool into the CIPP app, which has a 100x better user experience. I wanted to provide insights into both tools, so I created a demo video you can check out below which outlines the process.
TLDR:
Summary
- If you want simplicity and ease of use around GDAP, CIPP is a great option
- If you want more granular control over the setup, you may want to use Microsoft's bulk migration tool. Some common reasons for wanting more control:
  - You want to set different durations
  - You want to use different naming conventions
  - You want to assign the Azure AD roles to existing Security Groups rather than create new Security Groups
  - You don't want the Azure AD roles to be assigned to Security Groups in a 1:1 fashion; you want to be able to assign multiple AD roles to a single security group
  - You want to be able to create PIM enabled Security Groups
Microsoft Bulk Migration Tool
- The full guide can be found here
- Prerequisites
  - Doing your homework: requires that you know what customers, Azure AD roles, and security groups you are going to configure for GDAP
  - Security Groups that you want to use have to be created manually
  - Requires an App Registration in Azure AD
  - Requires a Global Admin
  - Requires a new Service Principal for the GDAP APIs
  - Requires .NET Framework to be installed
  - Requires the download of a zip file from GitHub
- This tool uses a CLI to download and manipulate CSV files
  - The customer file is used to determine which customers you want to migrate, allows you to provide a name for the GDAP relationship, and a duration (max 730 days but can be custom)
  - The AD roles file allows you to select the Azure AD roles you want to assign to the GDAP relationships by name, description, and GUID
  - The Security Groups file allows you to assign the Azure AD Roles to security groups that already exist in your environment
- This tool allows you to move one to many customers to GDAP and there is no limit to how many times you can use it
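Because the Microsoft tool takes its whole configuration from those three CSVs, a pre-flight check before running it is worth the few minutes. The script below is an added example (not part of Microsoft's tool, CIPP, or this post): it enforces the 730-day cap, checks that role and tenant GUIDs are well-formed, cross-references the groups file against the roles file, and reports which roles land on which security group so a many-to-one mapping is visible before you commit. The column headers, GUIDs and tenant names are constructed placeholders; use the headers from Microsoft's guide.

```python
import csv
import io
import re
from collections import defaultdict

MAX_DURATION_DAYS = 730  # the cap on a GDAP relationship stated above
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Constructed sample files. Column headers and GUIDs are placeholders, not the
# real schema of Microsoft's tool; take the headers from the official guide.
CUSTOMERS_CSV = """customer_tenant_id,relationship_name,duration_days
aaaaaaaa-0000-4000-8000-000000000001,Contoso-GDAP,730
bbbbbbbb-0000-4000-8000-000000000002,Fabrikam-GDAP,900
"""
ROLES_CSV = """role_name,role_guid
Exchange Administrator,cccccccc-0000-4000-8000-000000000001
Helpdesk Administrator,not-a-guid
Security Reader,cccccccc-0000-4000-8000-000000000003
"""
GROUPS_CSV = """security_group,role_name
GDAP-Tier1,Helpdesk Administrator
GDAP-Tier2,Exchange Administrator
GDAP-Tier2,SharePoint Administrator
"""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def validate(customers_csv, roles_csv, groups_csv):
    """Cross-check the three CSVs; return (findings, roles grouped by security group)."""
    findings = []
    for c in rows(customers_csv):
        if not GUID_RE.match(c["customer_tenant_id"]):
            findings.append(f"customer {c['relationship_name']}: tenant id is not a GUID")
        if not 1 <= int(c["duration_days"]) <= MAX_DURATION_DAYS:
            findings.append(f"customer {c['relationship_name']}: duration {c['duration_days']} is outside 1..{MAX_DURATION_DAYS} days")
    roles = {}
    for r in rows(roles_csv):
        if not GUID_RE.match(r["role_guid"]):
            findings.append(f"role {r['role_name']}: '{r['role_guid']}' is not a GUID")
        roles[r["role_name"]] = r["role_guid"]
    by_group = defaultdict(list)  # one group may carry several roles (many-to-one)
    for g in rows(groups_csv):
        if g["role_name"] not in roles:
            findings.append(f"group {g['security_group']}: role '{g['role_name']}' is not in the roles file")
        by_group[g["security_group"]].append(g["role_name"])
    assigned = {role for names in by_group.values() for role in names}
    for name in roles.keys() - assigned:  # a role nobody is mapped to would be migrated unused
        findings.append(f"role {name}: listed in the roles file but assigned to no security group")
    return findings, dict(by_group)
```

Run `validate(CUSTOMERS_CSV, ROLES_CSV, GROUPS_CSV)` against the sample data and it reports the over-long Fabrikam duration, the malformed Helpdesk GUID, the SharePoint role missing from the roles file, and the unassigned Security Reader role; an empty findings list means the three files agree with each other.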
CIPP
- The migration wizard is built into CIPP
- Prerequisites
  - Doing your homework: requires that you know what customers, Azure AD roles, and security groups you are going to configure for GDAP
  - Requires a Global Admin
- The tool uses an intuitive wizard to select customers and Azure AD roles
- The tool creates a NEW Security Group in your Partner Center environment per Azure AD role, e.g. the Exchange Admin role creates an "M365 GDAP Exchange Administrator" group
- The tool defaults duration to 730 days
- The tool defaults the GDAP relationship name to a GUID
- This tool allows you to move one to many customers to GDAP and there is no limit to how many times you can use it