How to Build a Clean Delegated Access Model for Client Tenant Management

by Lauren Ballejos, IT Editorial Expert

Key points

  • Microsoft has deprecated DAP in favor of GDAP, allowing MSPs to implement least-privilege, time-bound access aligned with zero trust principles.
  • Use Microsoft 365 Lighthouse to centralize GDAP management across tenants and reduce manual overhead.
  • Apply built-in or custom roles in Entra ID to enforce least-privilege Role-Based Access Control (RBAC) and avoid unnecessary use of Global Admin accounts.
  • Deploy GDAP templates with expiry policies to standardize access durations and reduce long-lived elevated sessions.
  • Automate tracking and governance using Microsoft Graph API, PowerShell, or integrated RMM tools to maintain visibility and compliance.
  • Conduct regular GDAP access audits during quarterly business reviews (QBRs) to remove stale privileges and confirm role relevance.

This guide explains how to build a clean delegated access model for client tenant management. Setting up granular delegated admin privileges (GDAP) in Microsoft 365 is a necessity for IT teams and managed service providers (MSPs) that manage multiple tenants. GDAP mitigates the risks of the legacy delegated administrative privileges (DAP) model by replacing blanket Global Admin access to customer tenants with least-privilege, time-bound access that follows zero trust best practices.

It compares privileged tenant access under DAP and GDAP for Microsoft Partners managing Microsoft 365 deployments on behalf of their MSP customers, and gives you a practical, repeatable framework for implementing GDAP across tenants.

DAP vs. GDAP: How does delegated access work?

DAP is the former mechanism that let Microsoft Partners manage their customers’ tenants from their own accounts. It granted the partner full Global Admin privileges in the customer tenant, with no expiry. This made it susceptible to exploitation and a cybersecurity concern.

As of 2023, Microsoft has discontinued DAP in favour of GDAP, which gives MSPs granular, time-scoped access to their customers’ environments that the customer explicitly approves. The customer receives a request from their partner for delegated access to specific roles for a set duration, and can approve or deny it.

Prerequisites for Microsoft Partners moving from DAP to GDAP

You’ll need the following to start using GDAP to access client Microsoft 365 tenants:

  • Partner Center Administrative access
  • Microsoft 365 Lighthouse setup for centralized GDAP management (Partner Center is also capable of this, but becomes cumbersome for larger deployments)
  • Working knowledge of Entra ID (formerly Azure AD) and Conditional Access
  • Optional PowerShell and/or Microsoft Graph API access for automation

Transitioning from DAP to GDAP

DAP has been discontinued, and no new DAP relationships can be established; GDAP is now the only option. At this stage, MSPs with existing clients that require delegated access to their tenants will have already migrated from DAP to GDAP.

Building your GDAP access model

A clean granular delegated access model reduces exposure to cybersecurity threats by supporting zero trust principles, and demonstrates security awareness and operational maturity to your clients.

For this, you’ll need to establish what tasks you need to perform on your clients’ behalf and define time-bound delegated roles with appropriate permissions. These roles must be scoped to the least possible privilege and, when granted, last only for a sensible duration that allows the necessary work to be completed without leaving behind long-lived elevated sessions.

These roles should make it clear what they are intended for so that the client fully understands what permissions they are granting when the request arrives.

Apply role-based access controls (RBAC)

You should use Entra ID built-in roles where possible, while advanced users with more complex requirements may find it necessary to define more granular custom roles for least-privilege RBAC. To fully realize the advantages granted by GDAP, you should avoid overuse of Global Administrator or equivalent accounts, and instead use Lighthouse to assign roles by partner-side support team groupings.

Delegate with templates and expiry policies

Pre-define the expected duration that delegated sessions should last and use GDAP templates in Lighthouse to standardize access configurations. You can apply longer expiration dates for certain tasks (e.g. 90 days for long-term delegated tasks like managing user details), and leverage just-in-time access workflows for emergencies that require more sensitive privileges.

Automate tracking and governance

You should maintain oversight over all delegated access requests and sessions by exporting this data to CSV using Microsoft Graph or PowerShell. You can then create dashboard views for all of your tenants and delegated roles, including permissions and dates. Automated alerts can also be created from this data, so that you can be alerted if a GDAP link is due to expire and needs to be renewed.

These kinds of custom automations can be achieved using a remote monitoring and management (RMM) tool that integrates with Microsoft 365 and supports custom scripting, dashboards, and notifications.
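The following is an added example, not code from the article or from Microsoft, showing what the tracking and governance described above looks like in practice and how it enforces the RBAC and expiry-policy rules from the earlier sections. It assumes the JSON shape returned by the Microsoft Graph endpoint `GET /tenantRelationships/delegatedAdminRelationships` (fields `id`, `displayName`, `status`, `duration`, `endDateTime`, `customer`, `accessDetails.unifiedRoles`); the tenants, relationship names and dates are constructed sample data so it runs offline, and the policy values (allowed roles, 90-day maximum, 14-day expiry warning) are assumptions you would replace with your own. The role template IDs are the well-known Entra ID built-in role IDs.

```python
"""Offline GDAP governance report over a Graph-shaped delegatedAdminRelationships payload."""
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Well-known Entra ID built-in role template IDs (identical in every tenant).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
USER_ADMIN = "fe930be7-5e62-47db-91af-98c3a49a38b1"
HELPDESK_ADMIN = "729827e3-9c14-49f7-bb1b-9608f156bbb8"
EXCHANGE_ADMIN = "29232cdf-9323-42fd-ade2-1d097af3e4de"
SECURITY_READER = "5d6b6bb7-de71-4623-b4af-96380a352509"
ROLE_NAMES = {
    GLOBAL_ADMIN: "Global Administrator",
    USER_ADMIN: "User Administrator",
    HELPDESK_ADMIN: "Helpdesk Administrator",
    EXCHANGE_ADMIN: "Exchange Administrator",
    SECURITY_READER: "Security Reader",
}

# Assumed least-privilege policy for this example: roles a partner support
# tier may hold, the longest duration a template may carry, and how far ahead
# of endDateTime to raise a renewal alert.
ALLOWED_ROLES = {USER_ADMIN, HELPDESK_ADMIN, EXCHANGE_ADMIN, SECURITY_READER}
MAX_DURATION_DAYS = 90
EXPIRY_WARNING_DAYS = 14

# Fixed "now" so the report is reproducible; use datetime.now(timezone.utc) in production.
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)

def _rel(rel_id, name, status, duration, end, tenant_id, customer, role_ids):
    """Build one constructed record in the shape Graph returns (only the fields read here)."""
    return {
        "id": rel_id, "displayName": name, "status": status,
        "duration": duration, "endDateTime": end,
        "customer": {"tenantId": tenant_id, "displayName": customer},
        "accessDetails": {"unifiedRoles": [{"roleDefinitionId": r} for r in role_ids]},
    }

# Constructed sample payload (fabricated tenants and dates), not a real Graph response.
SAMPLE_RESPONSE = {"value": [
    _rel("rel-1", "Contoso - Tier 1 helpdesk", "active", "P90D", "2025-05-20T00:00:00Z",
         "11111111-1111-1111-1111-111111111111", "Contoso (sample)", [HELPDESK_ADMIN, USER_ADMIN]),
    _rel("rel-2", "Fabrikam - legacy full access", "active", "P730D", "2026-10-01T00:00:00Z",
         "22222222-2222-2222-2222-222222222222", "Fabrikam (sample)", [GLOBAL_ADMIN]),
    _rel("rel-3", "Northwind - mailbox migration", "active", "P30D", "2025-03-08T00:00:00Z",
         "33333333-3333-3333-3333-333333333333", "Northwind (sample)", [EXCHANGE_ADMIN]),
    _rel("rel-4", "Adatum - project 2024", "expired", "P60D", "2024-12-31T00:00:00Z",
         "44444444-4444-4444-4444-444444444444", "Adatum (sample)", [SECURITY_READER]),
]}

DURATION_RE = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)D)?$")

def duration_days(iso_duration):
    """Convert the ISO 8601 duration Graph returns ('P90D', 'P2Y', 'P730D') to whole days."""
    m = DURATION_RE.match(iso_duration)
    if not m:
        raise ValueError(f"unsupported duration: {iso_duration}")
    years, days = (int(g) if g else 0 for g in m.groups())
    return years * 365 + days

def parse_time(value):
    """Parse Graph's UTC timestamps ('...Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_relationship(rel, now=NOW):
    """Return the governance findings for one relationship (empty list = compliant)."""
    roles = {r["roleDefinitionId"] for r in rel["accessDetails"]["unifiedRoles"]}
    findings = []
    if GLOBAL_ADMIN in roles:                      # RBAC: Global Admin should be the exception
        findings.append("global-admin")
    if roles - ALLOWED_ROLES - {GLOBAL_ADMIN}:    # RBAC: role outside the agreed least-privilege set
        findings.append("role-not-in-policy")
    if duration_days(rel["duration"]) > MAX_DURATION_DAYS:   # template/expiry policy
        findings.append("duration-exceeds-policy")
    if rel["status"] in ("expired", "terminated"):           # candidate for removal at review
        findings.append("stale")
    elif rel.get("endDateTime"):
        remaining = parse_time(rel["endDateTime"]) - now     # renewal alert window
        if timedelta(0) <= remaining <= timedelta(days=EXPIRY_WARNING_DAYS):
            findings.append("expiring-soon")
    return findings

def build_report(payload, now=NOW):
    """Flatten every relationship into one dashboard/CSV row with its findings."""
    rows = []
    for rel in payload["value"]:
        names = [ROLE_NAMES.get(r["roleDefinitionId"], r["roleDefinitionId"])
                 for r in rel["accessDetails"]["unifiedRoles"]]
        rows.append({
            "customer": rel["customer"]["displayName"],
            "tenantId": rel["customer"]["tenantId"],
            "relationship": rel["displayName"],
            "status": rel["status"],
            "roles": ";".join(sorted(names)),
            "durationDays": duration_days(rel["duration"]),
            "endDateTime": rel.get("endDateTime", ""),
            "findings": ";".join(audit_relationship(rel, now)),
        })
    return rows

def to_csv(rows):
    """Serialize the report rows to CSV text (import into a dashboard or RMM)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(build_report(SAMPLE_RESPONSE)))
```

In a live setup the `SAMPLE_RESPONSE` dictionary is replaced by the paged result of the Graph call (from PowerShell, `Invoke-MgGraphRequest`, or any HTTP client) and the CSV or the `findings` column feeds the alerting in your RMM; the same `stale` and `global-admin` flags give you the shortlist for the quarterly review.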

Review and audit your delegated access model regularly

You should regularly review your GDAP model, confirming the following for each delegated role/relationship:

  • That the role/relationship is still in use
  • That each role is aligned with a current scope of work
  • That each is recorded and reviewed by the relevant stakeholders

Unused or stale relationships should be proactively removed. Reviewing your GDAP strategy can be performed as part of your MSP’s quarterly business reviews (QBRs) with clients.

Maintaining visibility over GDAP delegated access with NinjaOne

Securing multi-tenant environments requires full oversight of all delegated privileges and ensuring that delegated access cannot be used as an attack vector. This is best done with granular, scoped permissions that follow the principle of least privilege, combined with time limits.

NinjaOne assists MSPs with the security and visibility of delegated access through the monitoring and reporting tools in its unified RMM, mobile device management (MDM), and endpoint management platform. You can monitor delegated actions, enforce policies, and optionally integrate with endpoint detection such as CrowdStrike for AI-powered advanced threat detection and remediation when suspicious activity is detected.

By taking a considered, structured approach to delegated access in Microsoft 365, you can uphold and enhance client trust, and ensure administrative sessions are only used for their intended purpose.

FAQs

Granular Delegated Admin Privileges (GDAP) replaces the legacy DAP model by offering limited, time-bound access to client tenants. DAP granted permanent Global Admin rights, while GDAP supports least-privilege access and requires client approval for specific roles and durations.

DAP gave partners unrestricted, ongoing admin rights, which created security and compliance concerns. GDAP addresses this by enforcing least-privilege, time-limited access so every permission is intentional and traceable.

Use Microsoft 365 Lighthouse or Partner Center to define the roles you need, set expiration dates, and send GDAP requests for approval. Once approved, manage and monitor these permissions through Lighthouse or automation tools like PowerShell.

Use Entra ID to assign only the roles required for each task. Avoid using Global Admin accounts unless absolutely necessary, and apply expiry policies to ensure access ends automatically.

Review GDAP access quarterly to confirm every role is still relevant and aligned with current work. Remove unused or outdated permissions to maintain a secure and compliant environment.
