Check out my latest article on this topic here: Vendor Integrations Break with GDAP: The Fix! – (tminus365.com)
If you have a vendor that leverages an app registration, or you are using an app registration yourself to perform automation across your customers, the integration will break when you move to GDAP (i.e. when DAP is removed).
- App registrations leverage DAP relationships as a form of pre-consent across your customer tenants. As long as DAP relationships are in place, the app can obtain access tokens for the customer environments and make API requests based on the API permissions granted to the app registration.
- GDAP has no such pre-consent, which means you will have to consent to app registrations on a PER customer basis.
Who uses app registrations? To name a few:
- IT Glue
- CIPP
- Immy Bot
- Lionguard
- Cloud Radial
- HaloPSA
If you are using Microsoft Graph API internally across your customers, you are also using an app registration.
Timelines:
These are subject to change, but right now here are Microsoft's timelines on GDAP:
Starting January 17, 2023
- Microsoft will stop creating DAP relationships when a new customer or reseller relationship is created.
- Microsoft will start removing inactive DAP relationships that haven’t been used in 90 days.
Starting March 1, 2023
- The Bulk Migration Tool to upgrade existing DAP connections that were granted by customers to GDAP will no longer be available.
- Microsoft will begin to transition remaining active DAP relationships to GDAP with limited Azure Active Directory (Azure AD) roles to perform least-privilege customer management activities. Partners will be required to perform more steps to continue to have access to Azure subscriptions after the limited roles are granted, as documented.
The key thing to note here is that once DAP relationships are removed or can no longer be established, app registrations will no longer be able to read/write information in these customer tenants. Unless Microsoft changes the timelines, we will start to see these app registrations break in early 2023.
How this will work with GDAP
Since we need consent for the app registrations on a per customer basis, there are really only two ways to go about doing this currently:
- Consent to app registrations on a per customer basis with customer GA creds
- Create a GDAP Relationship with the Application Administrator/ Global Admin roles with customers and consent on their behalf
The second option is more favorable to MSPs since you can use existing users in your Partner Center environment to accept the app registration on behalf of customers. Once you add the GDAP relationship and assign it to a security group, a user who is a member of that security group can consent to the application. The consent link is formatted as follows:
https://login.microsoftonline.com/<customerTenantID>/adminconsent?client_id=<AppID>
You will then be prompted to sign in and accept the app registration permissions:
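Because GDAP gives you no pre-consent, the consent link above has to be issued once per customer tenant, and you will want a record of which tenants have actually granted it. The following script is an added example, not code from the original article or from any of the vendors named above: it builds the per-tenant admin consent link exactly as formatted above (optionally with the redirect_uri and state parameters the endpoint accepts), and interprets the redirect the consent endpoint sends back, which carries admin_consent=True and tenant=<id> on success and error/error_description on refusal. The app id, redirect URI and customer tenant ids are constructed placeholders.

```python
"""Per-tenant admin consent helpers for an app registration moving from DAP to GDAP.

Added example, not the article's own code. APP_ID, REDIRECT_URI and the customer
tenant ids are constructed placeholders, not real identifiers.
"""
import uuid
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: a fictitious multi-tenant app registration,
# the redirect URI assumed to be registered on it, and two customer tenants.
APP_ID = "11111111-2222-3333-4444-555555555555"
REDIRECT_URI = "https://consent.example.invalid/callback"
CUSTOMER_TENANTS = {
    "Contoso Ltd": "aaaaaaaa-0000-0000-0000-000000000001",
    "Fabrikam Inc": "bbbbbbbb-0000-0000-0000-000000000002",
}


def is_guid(value: str) -> bool:
    """Tenant and app ids in the consent URL must be GUIDs; catch copy/paste errors early."""
    try:
        uuid.UUID(value)
        return True
    except (ValueError, AttributeError, TypeError):
        return False


def admin_consent_url(tenant_id: str, app_id: str,
                      redirect_uri: Optional[str] = None,
                      state: Optional[str] = None) -> str:
    """Build https://login.microsoftonline.com/<customerTenantID>/adminconsent?client_id=<AppID>.

    redirect_uri and state are optional parameters of the admin consent endpoint; setting
    state to the tenant id lets the callback be tied back to the tenant the link was issued for.
    """
    if not is_guid(tenant_id):
        raise ValueError(f"customer tenant id is not a GUID: {tenant_id!r}")
    if not is_guid(app_id):
        raise ValueError(f"app (client) id is not a GUID: {app_id!r}")
    params = {"client_id": app_id}
    if redirect_uri:
        params["redirect_uri"] = redirect_uri
    if state:
        params["state"] = state
    return f"https://login.microsoftonline.com/{tenant_id}/adminconsent?{urlencode(params)}"


def consent_links(customers: Dict[str, str], app_id: str) -> Dict[str, str]:
    """One consent link per customer: with GDAP every tenant needs its own consent."""
    return {
        name: admin_consent_url(tid, app_id, REDIRECT_URI, state=tid)
        for name, tid in customers.items()
    }


def parse_consent_callback(callback_url: str, expected_tenant: str) -> dict:
    """Interpret the redirect back to redirect_uri after the admin signs in.

    Success carries admin_consent=True and tenant=<id>; refusal carries error and
    error_description. tenant_matches confirms the consent landed in the tenant the
    link was generated for (both the tenant and the echoed state must agree).
    """
    qs = parse_qs(urlparse(callback_url).query)
    first = lambda key: qs.get(key, [None])[0]  # query values arrive as lists
    tenant = first("tenant")
    granted = (first("admin_consent") or "").lower() == "true"
    matches = (
        tenant is not None
        and tenant.lower() == expected_tenant.lower()
        and (first("state") or "").lower() == expected_tenant.lower()
    )
    return {
        "granted": granted and matches,
        "tenant": tenant,
        "tenant_matches": matches,
        "error": first("error"),
        "error_description": first("error_description"),
    }


if __name__ == "__main__":
    for customer, link in consent_links(CUSTOMER_TENANTS, APP_ID).items():
        print(f"{customer}: {link}")
```

Each link is opened by a Partner Center user who holds Application Administrator or Global Administrator in that customer through the GDAP relationship; a consent record only exists in the tenants whose callback reports granted, so the callback log is also the list of customers that still need attention.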
Conclusion
If you are a vendor that uses an app registration today, you need to be educating your partners on these changes as you will likely get tons of support calls once DAP relationships go away.