Configure New GDAP Relationship Crate
What does the Configure New GDAP Relationship Crate do?
This Crate is designed to create and assign the 12 roles specified in the document. If you require additional roles, you may need to customize the Crate yourself. The in-workflow documentation will guide you through this process.
To ensure that your GDAP is properly set to allow Rewst automation, you’ll need to unpack this Configure New GDAP Relationship Crate as part of the Microsoft Cloud Integration Bundle setup process. It's designed to create and assign the roles needed for the integration to properly function.
What is GDAP?
In 2024, Microsoft moved away from regular user-based access, where users logged into Microsoft Entra with an individually permissioned account. Instead, access now operates through delegated admin permissions, assigned from the top level down, for more secure access management. This is known as Granular Delegated Admin Privileges, or GDAP.
How the Crate works
Due to limitations with Microsoft's API, this Crate can't fully automate the GDAP setup and configuration process. Specifically, we can't approve the GDAP request in your customer tenant, as this requires manual intervention for security reasons.
The workflow:
The workflow confirms whether it was triggered by the form or webhook.
It ensures that it runs for the parent, top-level organization, not for one of the child organization customers.
It builds a list of roles to check for existing groups.
The workflow combines the group prefix with the role list to check whether the matching security groups already exist. Any that are missing are created and validated one by one until all 12 required groups are present.
During form submission, we ask which user authenticates the Rewst M365/Exchange integration. Once all the groups exist, we add that user to each of them. Note that we recommend using a dedicated service account for this purpose.
We then look up the tenant by its ID to retrieve further details such as the default domain name and display name. We create the admin relationship using the relationship name entered on the form and generate an invite link to authorize the relationship. Finally, we build an object containing the relationship details and tenant details and pass it back to the top-level workflow as a single object.
We send this information by email, listing both the tenants that succeeded and any that failed. For each relationship, we create two links:
Approval Link: This is the manual part. Each relationship needs to be approved by a global administrator in the customer tenant, or the customer themselves.
Approved Link: Once the relationship has been approved, you click this link to confirm it. This fires the webhook trigger part of the workflow, which takes the relationship ID and assigns the previously validated groups to the actual relationship. This step can only succeed after the relationship has been approved.
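The workflow above, sketched as the Microsoft Graph request bodies it would produce, as an added illustration rather than Rewst's own code. It models the approval gate (groups cannot be assigned until the customer has approved and the relationship is active) and the rule that a group may only receive roles the relationship was approved for; the endpoint paths and invite-link format are Microsoft's documented ones, while the tenant, role-definition and group IDs are placeholders and no network calls are made.

```python
# Constructed sketch of the Graph calls behind the Crate's workflow (not Rewst's code).
# Builds request bodies and enforces the approval gate; nothing here talks to Graph.
GRAPH = "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships"
INVITE = "https://admin.microsoft.com/Adminportal/Home#/partners/invitation/granularAdminRelationships/"

def missing_groups(prefix, roles, existing):
    """Names of the prefixed security groups that still need to be created."""
    have = set(existing)
    return [f"{prefix}{role}" for role in roles if f"{prefix}{role}" not in have]

def relationship_request(display_name, customer_tenant_id, role_ids, duration="P730D"):
    """Body for POST {GRAPH}: creates the relationship in 'created' state."""
    return {
        "displayName": display_name,
        "duration": duration,  # ISO 8601 duration; Microsoft caps it at two years
        "customer": {"tenantId": customer_tenant_id},
        "accessDetails": {"unifiedRoles": [{"roleDefinitionId": r} for r in role_ids]},
    }

def invite_link(relationship_id):
    """Approval link emailed to the customer's global admin after
    POST {GRAPH}/{id}/requests with {"action": "lockForApproval"}."""
    return INVITE + relationship_id

def can_assign(relationship):
    """The webhook step may only run once the customer has approved (status 'active')."""
    return relationship.get("status") == "active"

def access_assignment_request(relationship, group_id, role_ids):
    """Body for POST {GRAPH}/{id}/accessAssignments, mapping one security group to roles.
    Refuses to run before approval and refuses roles the relationship does not grant."""
    if not can_assign(relationship):
        raise PermissionError(f"relationship {relationship['id']} is "
                              f"{relationship.get('status')}, not active")
    granted = {r["roleDefinitionId"] for r in relationship["accessDetails"]["unifiedRoles"]}
    extra = set(role_ids) - granted
    if extra:
        raise ValueError(f"roles not covered by the approved relationship: {sorted(extra)}")
    return {
        "accessContainer": {"accessContainerId": group_id,
                            "accessContainerType": "securityGroup"},
        "accessDetails": {"unifiedRoles": [{"roleDefinitionId": r} for r in role_ids]},
    }
```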
Crate prerequisites
You must first click through the setup wizard for the bundle and set up the Microsoft Graph integration.
Unpack the Configure New GDAP Relationship Crate
Navigate to Crates > Crate Marketplace in the left side menu of the Rewst platform.
Search for Configure New GDAP Relationship. Click on the Crate tile to begin unpacking.
Click Unpack Crate.
Enter your desired prefix into the field.
Click Continue.
Ensure that both the Form Submission and Webhook trigger configuration accordion menus have their triggers toggled on to Enabled.
Click Unpack Crate.
Continue following the steps here to finish setting up the Microsoft Cloud Integration Bundle.