
Use GDAP to set up least privilege access in Microsoft 365 Lighthouse

by info.odysseyx@gmail.com



We’ve updated the way you manage granular delegated administration permissions (GDAP) in Lighthouse by adding new features to the Delegated access page, where you can now manage GDAP templates and view GDAP relationship details.

This post explains these improvements and shows how to use the Delegated access page to build GDAP relationships with customers.

Why GDAP is important to your organization

GDAP is a security feature that gives Managed Service Providers (MSPs) least-privilege access, in line with a Zero Trust security strategy. With GDAP, you request granular, time-limited access to customer workloads, and the customer consents to the requested access. Setting up GDAP for the customer tenants you manage helps keep your customers secure while ensuring that users in the partner organization have the permissions they need to perform their tasks. To learn more about GDAP, see Introducing Granular Delegated Administrator Permissions (GDAP).

Improved GDAP management experience

The new GDAP management experience lets you set up GDAP in a familiar way. However, based on feedback from MSPs, we’ve made several updates to provide more flexibility in how you set up GDAP and make it easier to manage your existing GDAP relationships. We’ve also improved performance to make the new experience faster, especially when assigning GDAP templates to multiple tenants at once.

With the Lighthouse GDAP template, you can now:

  • Assign the Microsoft Entra role to each support role (previously, you could only select Microsoft recommended settings for each support role).
  • Add an existing security group to the GDAP template (previously you had to create a new security group).
  • Create just-in-time (JIT) access policies for new security groups (previously, you could only create JIT access policies for administrator support roles).

You can also:

  • View the status of your GDAP relationship with a customer.
  • Identify the next expiration date for each GDAP relationship.

Setting up GDAP using a GDAP template

On the GDAP templates tab of the Delegated access page, you can create, edit, and assign GDAP templates to customer tenants.

Screenshot showing the GDAP Templates tab on the Delegated Access page in Lighthouse.

For each GDAP template, you can:

  • Define a name and description for the template.
  • Use Microsoft’s recommended selection of Microsoft Entra roles for each support role, or customize Microsoft Entra roles to fit your organization’s needs.
  • Add security groups to each support role. We recommend setting up a JIT access policy.

Screenshot showing the Create Template window on the Delegated Access page in Lighthouse.

After creating a GDAP template, select the three dots (More Actions) and follow the prompts to assign the template to the desired customers.

Screenshot showing how to assign a template to a customer tenant in Lighthouse’s delegated access page.

View GDAP relationships

To view details about a GDAP relationship, regardless of whether the relationship was created in Lighthouse, go to the Relationships tab of the Delegated access page. You can use this tab to see which relationships are expiring soon. If you need to create a new GDAP relationship with a customer, go to the GDAP templates tab and assign a GDAP template to the customer tenant. When you select an active GDAP relationship, you can view and edit security group membership and also view the Microsoft Entra roles associated with each security group.

The following details are provided:

  • GDAP relationship status (pending or active)
  • Microsoft Entra role associated with the selected tenant
  • Security groups and members associated with the selected tenant
  • Start date and expiration date for each GDAP relationship

Screenshot showing the Relationships tab on the Delegated Access page in Lighthouse.
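The details listed above (status, Microsoft Entra roles, expiration date) can also be reviewed in bulk outside the portal. The following is an added example, not code from the original post or from Microsoft: it assumes the relationships have been exported as JSON in the shape of Microsoft Graph's `delegatedAdminRelationship` resource, and the sample records, the 30-day warning threshold and the list of roles treated as too broad are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Assumption: Entra role template IDs treated here as too broad for routine delegated access.
HIGH_PRIVILEGE_ROLES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "e8611ab8-c189-46e8-94e1-60213ab1f814": "Privileged Role Administrator",
}
# Constructed sample shaped like a Graph delegatedAdminRelationships response.
SAMPLE = json.loads("""{"value": [
 {"displayName": "Contoso-helpdesk", "status": "active",
  "endDateTime": "2025-01-20T00:00:00Z",
  "accessDetails": {"unifiedRoles": [
    {"roleDefinitionId": "729827e3-9c14-49f7-bb1b-9608f156bbb8"}]}},
 {"displayName": "Fabrikam-legacy", "status": "active",
  "endDateTime": "2026-06-01T08:30:00.1234567Z",
  "accessDetails": {"unifiedRoles": [
    {"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10"}]}},
 {"displayName": "Tailwind-onboarding", "status": "approvalPending", "endDateTime": null,
  "accessDetails": {"unifiedRoles": [
    {"roleDefinitionId": "5d6b6bb7-de71-4623-b4af-96380a352509"}]}}
]}""")["value"]

def parse_utc(value):
    # Graph timestamps are UTC and may carry 7 fractional digits; keep whole seconds.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit(relationships, now, warn_days=30):
    """Return (relationship, finding) pairs: pending, expiring soon, or over-privileged."""
    findings = []
    for rel in relationships:
        name = rel["displayName"]
        if rel["status"] == "approvalPending":
            findings.append((name, "pending customer approval"))
        if rel["status"] != "active":
            continue  # only active relationships carry live access to review
        days_left = (parse_utc(rel["endDateTime"]) - now).days
        if days_left <= warn_days:
            findings.append((name, f"expires in {days_left} days"))
        for role in rel["accessDetails"]["unifiedRoles"]:
            label = HIGH_PRIVILEGE_ROLES.get(role["roleDefinitionId"])
            if label:
                findings.append((name, f"grants {label}"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, datetime(2025, 1, 1, tzinfo=timezone.utc)):
        print(f"{name}: {finding}")
```
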

Benefits of using Lighthouse to manage GDAP

Managing GDAP using Lighthouse offers several benefits to MSPs who already use Lighthouse to actively manage and secure their customer tenants.

  • Centralized Management: Lighthouse provides a centralized platform to manage GDAP relationships for all customer tenants. This simplifies management tasks and ensures consistency in permissions and access management.
  • Efficiency and Scalability: Lighthouse allows you to create GDAP templates in bulk or individually and assign them to customer tenants. This makes it easier to manage permissions at scale, especially for MSPs managing multiple customers.
  • Visibility and Control: The Delegated access page in Lighthouse provides detailed insight into GDAP relationships, including the status and expiration date of each relationship. This helps you maintain control and keep your management informed.
  • Customizable Roles: You can customize Microsoft Entra roles to fit your organization’s needs to ensure the right users are assigned the right permissions. This flexibility allows you to customize your GDAP setup to fit your specific needs.
  • JIT access: Implementing a JIT access policy for security groups ensures that permissions are time-limited and granted only when needed. This further enhances security by reducing potential misuse.

Using Lighthouse to manage GDAP can help you achieve greater levels of security, efficiency, and control over your management tasks, ultimately benefiting both your organization and your customers.

Sign in to Lighthouse now to try the improved GDAP management experience, and follow the steps in Set up GDAP in Microsoft 365 Lighthouse.

To learn more about Lighthouse and GDAP, check out these resources:

Microsoft 365 Lighthouse Overview

Sign up for Microsoft 365 Lighthouse


GDAP Frequently Asked Questions – Partner Center

We’d love to hear from you! To provide feedback, select Send feedback at the bottom right of any Lighthouse page, or use the feedback portal to let us know what you think. We are committed to making Lighthouse your one-stop shop for customer health and security management.




