Admin relationships

A Microsoft admin relationship is a trust connection between your MSP tenant and a customer tenant that allows you to perform administrative tasks on their behalf. When used with Cloud Commander, this relationship is established through Granular Delegated Admin Privileges (GDAP), and it's essential for securely managing your customers' Microsoft 365 tenants.

What is a GDAP admin relationship?

A GDAP admin relationship is a type of admin relationship that gives your MSP tenant granular, role-based access to a customer tenant. It allows you to define:

  • Which roles your users or apps can assume.
  • Which users or groups in your partner tenant get those roles.
  • How long the access lasts (e.g., 30, 60, 90 days).

A GDAP admin relationship is more secure and customizable than a generic admin relationship.

GDAP admin relationships: Reuse or create new?

When setting up a customer tenant in Cloud Commander, you decide whether to use an existing GDAP admin relationship or create a new one. The comparison below outlines key technical considerations, benefits, and trade-offs of each approach to help you make an informed access strategy decision.

Using an existing GDAP admin relationship

Benefits

  • Faster setup: No need to repeat the approval and configuration process.
  • Simplified management: Fewer GDAP admin relationships to track and maintain.
  • Immediate access: If the existing relationship includes the required roles, monitoring can begin right away.
  • Cost-effective: Reduces the overhead of managing multiple GDAP admin relationships.

Limitations

  • Security risk: Permissions may be over-provisioned for Cloud Commander needs, potentially violating the principle of least privilege.
  • Audit complexity: Harder to isolate Cloud Commander-specific activity from other administrative actions.
  • Dependency on existing structure: Changes to the existing GDAP relationship (such as role removal) could disrupt Cloud Commander’s functionality.

Creating a new GDAP admin relationship

Benefits

  • Least privilege access: Assign only the roles required for Cloud Commander, improving security.
  • Clear audit trail: Makes it easier to distinguish between Cloud Commander activity and other administrator actions.
  • Scoped permissions: Reduces the risk of accidental or unauthorized use of elevated privileges.
  • Future-proofing: Simplifies lifecycle management and updates by isolating Cloud Commander’s access from other admin relationships.

Limitations

  • Longer setup time: Requires customer approval and configuration for each tenant.
  • Customer confusion: Customers may question the need for a separate GDAP admin relationship.
  • Increased overhead: More relationships to manage and renew (GDAPs expire after two years).
  • Potential redundancy: May duplicate roles already granted in an existing GDAP admin relationship.
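
One way to check an existing relationship before deciding to reuse it, as an added example (not Cloud Commander or Microsoft code): it compares the roles in a relationship record, shaped like a Microsoft Graph delegatedAdminRelationship object, with a required-role set and flags over-provisioning, missing roles, and upcoming expiry. The sample record (which grants Global Administrator and Global Reader), the `assess` helper, and the required-role set are assumptions; take the real role list from the Cloud Commander documentation.

```python
import json
from datetime import datetime, timezone

# Constructed record shaped like a Microsoft Graph delegatedAdminRelationship;
# the name, tenant ID and date are invented for illustration.
SAMPLE = json.loads("""{
  "displayName": "Contoso legacy admin (constructed)",
  "status": "active",
  "endDateTime": "2025-09-15T00:00:00Z",
  "customer": {"tenantId": "00000000-0000-0000-0000-000000000001"},
  "accessDetails": {"unifiedRoles": [
    {"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10"},
    {"roleDefinitionId": "f2ef992c-3afb-46b9-b7cf-a126ee74c451"}]}
}""")

# ASSUMPTION: stand-in required-role set, not Cloud Commander's actual list.
# Keys are Microsoft Entra built-in role template IDs.
REQUIRED = {
    "f2ef992c-3afb-46b9-b7cf-a126ee74c451": "Global Reader",
    "5d6b6bb7-de71-4623-b4af-96380a352509": "Security Reader",
}

def assess(rel, required, now, renew_days=30):
    """Compare a relationship's roles and lifetime with what the tool needs."""
    roles = rel.get("accessDetails", {}).get("unifiedRoles", [])
    granted = {r["roleDefinitionId"].lower() for r in roles}
    needed = {role_id.lower() for role_id in required}
    end = datetime.fromisoformat(rel["endDateTime"].replace("Z", "+00:00"))
    days_left = (end - now).days
    missing, excess = sorted(needed - granted), sorted(granted - needed)
    flags = []
    if rel.get("status") != "active" or days_left <= 0:
        flags.append("not-active")
    if missing:
        flags.append("missing-required-roles")  # tool functionality would break
    if excess:
        flags.append("over-provisioned")        # least-privilege concern
    if 0 < days_left < renew_days:
        flags.append("expires-soon")
    return {"flags": flags, "missing": missing, "excess": excess,
            "days_left": days_left}

if __name__ == "__main__":
    report = assess(SAMPLE, REQUIRED, datetime.now(timezone.utc))
    print(SAMPLE["displayName"], report)
```

An empty `flags` list means the relationship grants exactly the required roles and is not close to expiry; any `excess` entries are the roles that make Cloud Commander activity harder to separate from other administrative access.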

 

Updated: Jul 30, 2025