Extend granular delegated admin privileges
Appropriate roles: Admin agent
Partners can identify granular delegated admin privileges (GDAP) relationships that are expired or about to expire and automatically extend the privileges.
Prerequisites
To manage GDAP Autoextend, you must:
- Have the role: Admin agent
Identify expired granular relationships with filters
Use filters to find expired or about to expire GDAP relationships in different timeframes.
- Partner Admin agents can view active GDAPs expiring within 30 days, seven days, one day, and after 30 days. They can also view GDAPs that expired within the last year.
- The tiles for GDAP relationships that are about to expire (the first four) represent the count and percentage of Active GDAPs and GDAP relationships. The expired tile (the last tile) represents the count and percentage of overall GDAPs.
- Each tile represents a count and percentage of the overall GDAPs.
- Each tile acts as a filter that displays only the respective GDAPs.
- Use Search to search by Customer Name or Admin Relationship Name.
- Use the Download option to download GDAPs.
Note
You can't restore expired GDAPs or make them active.
Manage GDAP Autoextend
Partners can now select one or more GDAPs (up to 25) to enable or disable Autoextend. When you enable Autoextend against a GDAP, the Autoextended duration is set to Yes (six months). A GDAP with Autoextend enabled doesn't expire on the last day of the GDAP. It rolls forward by six months, so the partner doesn't need to request a new GDAP, get customer consent, or perform access assignments. When Autoextend is disabled against a GDAP, the partner is notified 30 days, seven days, and one day before the expiration.
- Partners can select a GDAP and choose Enable auto-extend to turn on Autoextend.
- Partners can select a GDAP and choose Disable auto-extend to turn off Autoextend.
- Partners can select multiple GDAPs at a time to enable or disable Autoextend.
Don't autoextend GDAP with Global Administrator
To align with Zero Trust and least privilege access, you can't automatically extend a GDAP that has the Microsoft Entra role of Global Administrator.
- A GDAP with the Global Administrator role displays NA in the auto-extend duration column.
Remove Global Administrator role
Partners can use the new filter Having Global Administrator to display GDAPs that have the Global Administrator role.
Use these steps to remove the Global Administrator role from a GDAP.
1. Select one or more GDAP roles. The Remove Global Administrator Role button activates.
2. Select Remove Global Administrator Role.
Once you remove the Global Administrator role, the respective Admin Relationship becomes eligible for Autoextend.
Access assignments associated with the Global Administrator role are removed.
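The expiry filters and the Global Administrator restriction described above can also be applied to an exported list of relationships for review. The following is an added example, not Microsoft's code: it assumes records shaped like the Microsoft Graph delegatedAdminRelationship resource (`endDateTime`, `status`, `autoExtendDuration`, `accessDetails.unifiedRoles`), assumes each relationship is placed in its narrowest expiry window, and uses constructed sample data and hypothetical function names.

```python
from datetime import datetime, timedelta, timezone

# Well-known Microsoft Entra role template ID for Global Administrator.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"
PLACEHOLDER_ROLE_ID = "00000000-0000-0000-0000-000000000001"  # constructed, not a real role

def expiry_bucket(rel, now):
    """Return the narrowest expiry window (assumption) for one relationship."""
    end = datetime.fromisoformat(rel["endDateTime"])
    if rel["status"] == "expired" or end <= now:
        # The expired view on the page only covers the last one year.
        return "expired-last-year" if now - end <= timedelta(days=365) else "expired-older"
    remaining = end - now
    for days, label in ((1, "1-day"), (7, "7-days"), (30, "30-days")):
        if remaining <= timedelta(days=days):
            return label
    return "after-30-days"

def has_global_admin(rel):
    roles = rel.get("accessDetails", {}).get("unifiedRoles", [])
    return any(r.get("roleDefinitionId") == GLOBAL_ADMIN_ROLE_ID for r in roles)

def triage(relationships, now):
    """Return (name, expiry bucket, autoextend review action) per relationship."""
    report = []
    for rel in relationships:
        bucket = expiry_bucket(rel, now)
        if bucket.startswith("expired"):
            action = "expired-no-restore"         # expired GDAPs can't be made active
        elif has_global_admin(rel):
            action = "remove-global-admin-first"  # not eligible for autoextend
        elif rel.get("autoExtendDuration") == "P180D":
            action = "autoextend-on"              # rolls forward by six months
        else:
            action = "eligible"                   # PT0S: autoextend is off
        report.append((rel["displayName"], bucket, action))
    return report

def _rel(name, status, end, auto, role):
    """Build one constructed sample record."""
    return {"displayName": name, "status": status, "endDateTime": end + "T00:00:00+00:00",
            "autoExtendDuration": auto, "accessDetails": {"unifiedRoles": [{"roleDefinitionId": role}]}}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so results are reproducible
SAMPLE = [  # constructed sample data, not real tenant records
    _rel("Contoso-Helpdesk", "active", "2024-06-05", "PT0S", PLACEHOLDER_ROLE_ID),
    _rel("Fabrikam-FullAdmin", "active", "2024-06-20", "PT0S", GLOBAL_ADMIN_ROLE_ID),
    _rel("Adatum-Security", "active", "2024-09-01", "P180D", PLACEHOLDER_ROLE_ID),
    _rel("Woodgrove-Old", "expired", "2024-03-01", "PT0S", PLACEHOLDER_ROLE_ID)]
if __name__ == "__main__":
    print(*triage(SAMPLE, NOW), sep="\n")
```

Relationships flagged `remove-global-admin-first` are the ones the Having Global Administrator filter would surface; they stay ineligible for Autoextend until that role is removed.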