GDAP: Role and rights concept for the administration of Microsoft environments

DAP stands for Delegated Administrator Privileges. With DAP, your Microsoft CSP partner can access your Microsoft environment via the role of a global administrator. This enables the CSP partner to quickly identify problems, qualify solutions and thus provide rapid assistance. 

GDAP stands for Granular Delegated Administrator Privileges. GDAP can be used to restrict access to a Microsoft environment in terms of functionality and time. This means that customer service only has access to the areas required for troubleshooting. This access can also be restricted in terms of time.

If Telekom had booked licences for you via the Telekom Cloud Marketplace, customer service was previously able (until 31 October 2023) to access your customer environment via DAP access. This authorisation made it possible to provide support quickly and efficiently.

With a few exceptions, all existing Telekom customers were switched to GDAP by 1 November 2023, provided that DAP authorisations were in place beforehand. This ensured that your access runs under the best current security concept and that customer service can be there for you with the usual quality.

Existing customers: If Telekom books licences for you via the Telekom Cloud Marketplace, customer service will normally already have a GDAP relationship. Roles are assigned to this GDAP relationship. By default, these roles have fewer and more granular rights than in the past with DAP.

New customers: When Telekom books licences for you via the Telekom Cloud Marketplace for the first time, you will receive an email in addition to the order confirmation, asking you to click on a link to the Admin Centre to approve the granting of GDAP rights. This approval must be carried out via an administrator account. The GDAP relationship is then established.

A wide range of Microsoft Entra ID roles are available for the various activities that can be performed within a Microsoft environment. To enable Telekom customer service to provide you with efficient support, the following GDAP roles are automatically assigned to you when you first book a Microsoft product:

• Service support administrator: This role has the rights to read service health information and manage support tickets.
  
  Only your CSP partner is currently able to create support tickets for Microsoft via your customer environment. To do this, Telekom customer service requires the role of service support administrator. Without this role, customer service cannot address faults that originate within the Microsoft environment. Especially in the case of time-critical errors, it is necessary to address existing problems quickly with Microsoft in order to avoid unnecessary delays in the troubleshooting process.
• User administrator: This role can manage all aspects of users and groups, including password resets for restricted administrators.
• Licence administrator: This role has the ability to assign, remove and update licence assignments. It is important to have
  
  these permissions for bookings made by Telekom customer service via the Telekom Cloud Marketplace (TCMP) on behalf of the customer (sales support role in TCMP). Without these permissions, not all activities can be carried out smoothly via the Telekom Cloud Marketplace. For example, without this role, users could not be automatically assigned to the new licences after an upgrade. 
• Global reader: This role has the same read permissions as a global administrator, but cannot perform updates.
• Directory readers: This role can read basic directory information and is often used to grant directory read access to applications and guests.
  
  The global reader allows read access to your Microsoft 365 or Office 365 environment so that potential causes of malfunctions can be quickly identified. The directory reader is required to view a Microsoft Azure subscription in order to provide quick help with Microsoft Azure issues. This role is also required for smooth integration with the Telekom Cloud Marketplace. As the
  
  name suggests, these read-only roles do not have any write permissions and therefore cannot make any changes to the environment. They also have limited viewing rights. For example, email or OneDrive content cannot be viewed with these permissions.
• Privileged authentication administrator: This role can reset the password of the administrator of the customer environment.
  
  Especially with smaller customers, it often happens that the administrator password is no longer known. This role is required so that customer service can reset it for you. If this role does not exist, it is unfortunately only possible to recover the administrator password via a very lengthy support process. Without access to your admin account, administrative tasks such as creating new users, assigning licences or removing users can no longer be performed.
• Cloud application administrator: This role can create and manage all aspects of app registrations and enterprise apps.

Other roles

In order to set up your customer environment or troubleshoot problems, Telekom Customer Service usually requires temporary elevated privileges on your environment. Customer Service will send you an individual request specifying the required roles and duration. Only after you have agreed to this request will our service be able to access the requested areas and provide the service.

On the linked page, you will find an overview of all available Entra roles. Microsoft also provides another overview in which the tasks are listed according to the corresponding Entra roles.

At present, GDAP rights can be granted for a period of up to 730 days. The "Auto-Extend" function (automatic extension of the GDAP relationship) is automatically activated for GDAP relationships. This extends expiring GDAP relationships by 6 months at a time. GDAP rights can be terminated by you or by customer service. Please be sure to note the section "Can I remove the GDAP relationship?" as removing GDAP relationships or deactivating Auto-Extend will affect the support provided by Telekom.

No, that did not happen. To switch to GDAP, you must provide confirmation in the Microsoft 365 Admin Centre. In the event of a support case, a GDAP relationship must first be established manually together with you. We recommend approving a minimum set of roles to ensure smooth customer service and bookings.

The GDAP relationship is required for the proper operation of the Telekom Cloud Marketplace and for support. If you remove the relationship, customer service will no longer be able to assist you efficiently with any issues that may arise. For example, support tickets could no longer be submitted. 

If you have accidentally deleted or removed the GDAP authorisation, please contact customer service, who will be able to establish a new GDAP relationship with you.

To view the current status of access permissions to your Microsoft environment, log in to the Microsoft 365 Admin Centre with your administrator role.

There, on the left-hand side under the "Settings" > "Partner relationships" tab, you can view and manage your existing access permissions.

Note: Before revoking permissions at this point, please consider the possible consequences this may have for booking options and the provision of our customer service.

Every request for access authorisation is created by your CSP partner; you cannot initiate this yourself. You can approve a new GDAP relationship in your Microsoft 365 admin centre via the link sent by your partner.

Microsoft Entra ID and the security features of Microsoft 365 allow you to enable basic security measures such as multi-factor authentication (MFA) or conditional access policies to better secure your employees' access. In addition, you can purchase additional solutions from Microsoft, such as Microsoft Defender for Business. This offers advanced features for better endpoint security.

You can also support experts at Telekom with all aspects of security in your Microsoft environment, for example with the implementing Microsoft-specific security settings for Microsoft 365 Apps for Business, Basic and Standard, and Office 365 Enterprise based on a regular security report, or with IT policy management for your Enterprise editions.